Bug 1894409 - let domain without cpu pinning run without the need of CAP_SYS_NICE [rhel-8.3.0.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Advanced Virtualization
Classification: Red Hat
Component: libvirt
Version: 8.1
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: 8.3
Assignee: Martin Kletzander
QA Contact: Luyao Huang
URL:
Whiteboard:
Depends On: 1819801
Blocks:
Reported: 2020-11-04 08:13 UTC by Oneata Mircea Teodor
Modified: 2020-12-02 16:08 UTC (History)

Fixed In Version: libvirt-6.6.0-7.1.el8
Doc Type: Bug Fix
Doc Text:
Cause: The original fix for this BZ (the possibility of running with a restricted CPU set and UID 0 and starting a domain without having the CAP_SYS_NICE capability) did not account for the logic needed to set affinity with a larger number of CPUs.
Consequence: That resulted in freeing a resource twice in case of pinning to a CPU without the CAP_SYS_NICE capability, resulting in a segfault and crash of the daemon.
Fix: The logic was slightly reworked to avoid these cases.
Result: Users and management applications can now restrict the libvirt daemon's operating CPU set, run it without CAP_SYS_NICE and safely start domains without a crash.
Clone Of: 1819801
Environment:
Last Closed: 2020-12-02 16:07:50 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Comment 7 Luyao Huang 2020-11-26 07:33:28 UTC
Verify this bug with libvirt-daemon-6.6.0-7.1.module+el8.3.0+8852+b44fca9f.x86_64:

S1: Start guest without vcpupin and emulatorpin in an unprivileged env

0. prepare special env:

# useradd -u 33 -g 0 libvirt
# chown libvirt:root /run/libvirt/qemu/

1. disable cpuset cgroup and manually start libvirtd:

# vim /etc/libvirt/qemu.conf

cgroup_controllers = ["devices", "memory", "blkio" ]
stdio_handler = "file"

# /usr/sbin/libvirtd

2. there is no vcpupin and emulatorpin in guest xml

3. use gdb to make a similar env:

# gdb -p `pidof libvirtd`

(gdb) b virProcessSetAffinity

4. start guest 
# virsh start vm1
(blocking)

5. in gdb terminal change libvirtd permission when setting CPU affinity:
(gdb) c
(gdb) c
(gdb) handle SIG33 nostop
Signal        Stop	Print	Pass to program	Description
SIG33         No	Yes	Yes		Real-time event 33
(gdb) call (int)setuid(33)
$1 = 0
(gdb) c

6. guest starts without an error like "cannot set CPU affinity on process X: Operation not permitted":

# virsh start vm1
Domain vm1 started

7. check libvirtd debug log, can find debug log like "cannot set CPU affinity on process 28649: Operation not permitted":

2020-11-26 06:25:59.701+0000: 28520: debug : virProcessSetAffinity:447 : Set process affinity on 28649
2020-11-26 06:25:59.701+0000: 28520: debug : virProcessSetAffinity:486 : cannot set CPU affinity on process 28649: Operation not permitted
2020-11-26 06:25:59.701+0000: 28520: debug : virProcessSetScheduler:1483 : pid=28649, policy=0, priority=0
2020-11-26 06:25:59.701+0000: 28520: debug : virFileClose:135 : Closed fd 36
2020-11-26 06:26:03.871+0000: 28520: debug : virProcessSetAffinity:447 : Set process affinity on 28650
2020-11-26 06:26:03.871+0000: 28520: debug : virProcessSetAffinity:486 : cannot set CPU affinity on process 28650: Operation not permitted


S2: Start guest with vcpupin in an unprivileged env

0. prepare special env:

# useradd -u 33 -g 0 libvirt
# chown libvirt:root /run/libvirt/qemu/

1. disable cpuset cgroup and manually start libvirtd:

# vim /etc/libvirt/qemu.conf

cgroup_controllers = ["devices", "memory", "blkio" ]
stdio_handler = "file"

# /usr/sbin/libvirtd

2. set vcpupin to vcpu 0

# virsh vcpupin vm1 0 1-20 --config

3. use gdb to make a similar env:

# gdb -p `pidof libvirtd`

(gdb) b virProcessSetAffinity

4. start guest 
# virsh start vm1
(blocking)

5. in gdb terminal change libvirtd permission when setting CPU affinity:
(gdb) c
(gdb) c
(gdb) handle SIG33 nostop
Signal        Stop	Print	Pass to program	Description
SIG33         No	Yes	Yes		Real-time event 33
(gdb) call (int)setuid(33)
$1 = 0
(gdb) c

6. guest should fail to start since there is a vcpupin setting in guest config:

# virsh start vm1
error: Failed to start domain vm1
error: cannot set CPU affinity on process 30112: Operation not permitted


Also test with emulatorpin and cpuset, get the same expected results.
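
An added example, not part of the bug report or of libvirt's code: a Python check that reads libvirtd log lines in the format shown in comment 7 and reports, per process, whether the "Operation not permitted" from setting affinity was tolerated (debug level, as in S1) or fatal. The log lines for PIDs 30112 and 31000 are constructed, and reading an error-level denial as the pinned-domain failure from S2 is an assumption.

```python
import re

# Log line layout as shown in comment 7:
#   <timestamp>: <thread id>: <level> : <function>:<line> : <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} [\d:.]+\+\d{4}): (?P<tid>\d+): "
    r"(?P<level>\w+) : (?P<func>\w+):(?P<line>\d+) : (?P<msg>.*)$"
)
ATTEMPT_RE = re.compile(r"^Set process affinity on (\d+)$")
DENIED_RE = re.compile(
    r"^cannot set CPU affinity on process (\d+): Operation not permitted$"
)

def affinity_report(lines):
    """Map each PID seen in affinity messages to one of three states."""
    report = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a libvirtd log line in the expected layout
        attempt = ATTEMPT_RE.match(m["msg"])
        denied = DENIED_RE.match(m["msg"])
        if attempt:
            # Only states that no denial has been logged for this PID so far.
            report.setdefault(int(attempt[1]), "no_denial_logged")
        elif denied:
            # Assumption: debug level means the daemon carried on (S1);
            # any other level is treated as a failed domain start (S2).
            tolerated = m["level"] == "debug"
            report[int(denied[1])] = "denied_tolerated" if tolerated else "denied_fatal"
    return report

def running_without_affinity(report):
    """PIDs that were started although their affinity could not be set."""
    return sorted(p for p, s in report.items() if s == "denied_tolerated")

# First five lines are from comment 7; the last three are constructed.
SAMPLE_LOG = """\
2020-11-26 06:25:59.701+0000: 28520: debug : virProcessSetAffinity:447 : Set process affinity on 28649
2020-11-26 06:25:59.701+0000: 28520: debug : virProcessSetAffinity:486 : cannot set CPU affinity on process 28649: Operation not permitted
2020-11-26 06:25:59.701+0000: 28520: debug : virProcessSetScheduler:1483 : pid=28649, policy=0, priority=0
2020-11-26 06:26:03.871+0000: 28520: debug : virProcessSetAffinity:447 : Set process affinity on 28650
2020-11-26 06:26:03.871+0000: 28520: debug : virProcessSetAffinity:486 : cannot set CPU affinity on process 28650: Operation not permitted
2020-11-26 06:30:00.000+0000: 28520: debug : virProcessSetAffinity:447 : Set process affinity on 30112
2020-11-26 06:30:00.000+0000: 28520: error : virProcessSetAffinity:486 : cannot set CPU affinity on process 30112: Operation not permitted
2020-11-26 06:31:00.000+0000: 28520: debug : virProcessSetAffinity:447 : Set process affinity on 31000
""".splitlines()

if __name__ == "__main__":
    for pid, state in affinity_report(SAMPLE_LOG).items():
        print(pid, state)
```

On a host where libvirtd deliberately runs without CAP_SYS_NICE, the PIDs returned by `running_without_affinity` are the processes that started with whatever CPU set the daemon itself was restricted to.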

Comment 9 errata-xmlrpc 2020-12-02 16:07:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (virt:8.3 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5328

