Description of problem:
Using virt-qemu-run to start guest with specified root dir and luks image failed with error "No current identity to elevate"

Version-Release number of selected component (if applicable):
libvirt 7.6.0-2.el9
qemu-kvm 6.0.0-13.el9

How reproducible:
100%

Steps to Reproduce:
1. Prepare a qcow2 luks image
# qemu-img create --object secret,id=sec0,data=123456 -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 /var/lib/libvirt/images/luks.qcow2 1G

2. Prepare secret xml and secret value:
# cat /xml/secret.xml
<secret ephemeral='no' private='yes'>
  <description>LUKS Sample Secret</description>
  <uuid>f981dd17-143f-45bc-88e6-ed1fe20ce9da</uuid>
  <usage type='volume'>
    <volume>/var/lib/libvirt/images/luks.img</volume>
  </usage>
</secret>

# cat /xml/secret-value
123456

3. Prepare a guest xml with the luks image:
# cat /tmp/vm1.xml
...
<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2' cache='none' io='threads' copy_on_read='off'/>
  <source file='/var/lib/libvirt/images/luks.qcow2' index='1'>
    <encryption format='luks'>
      <secret type='passphrase' uuid='f981dd17-143f-45bc-88e6-ed1fe20ce9da'/>
    </encryption>
  </source>
  ...
</disk>
...

4. Start guest with specified root dir and luks image:
# virt-qemu-run -s /xml/secret.xml,/xml/value -d -v -r /tmp/test1 /tmp/vm1.xml

Actual results:
virt-qemu-run: 127: initializing libvirt 259671
virt-qemu-run: 1719: initializing signal handlers
virt-qemu-run: 1807: preparing event loop thread
virt-qemu-run: 1999: opening secret:///embed?root=%2Ftmp%2Ftest1
virt-qemu-run: 3590: loading secret secret.xml and secret-value
virt-qemu-run: 3951: opening qemu:///embed?root=%2Ftmp%2Ftest1
virt-qemu-run: 25790: fetching guest config /tmp/vm1.xml
virt-qemu-run: 25868: starting guest /tmp/vm1.xml
2021-09-02 04:13:24.782+0000: 259671: info : libvirt version: 7.6.0, package: 2.el9 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2021-08-10-04:33:30, )
2021-09-02 04:13:24.782+0000: 259671: info : hostname: hhan-rhel9-1
2021-09-02 04:13:24.782+0000: 259671: warning : qemuProcessStop:7964 : Unable to release network device '<null>'
virt-qemu-run: cannot start VM: internal error: No current identity to elevate
virt-qemu-run: 452573: cleaned up, exiting

Expected results:
Start guest successfully and show verbose output.

Additional info:
Starting the VM without a specified root dir has the same issue.
*** Bug 2000983 has been marked as a duplicate of this bug. ***
*** Bug 2016264 has been marked as a duplicate of this bug. ***
Upstream patch:
https://listman.redhat.com/archives/libvir-list/2023-March/238834.html

Given the disclaimer in virt-qemu-run's man page:

    NOTE: this tool is currently considered experimental. Its usage and
    behaviour is still subject to change in future libvirt releases. For
    further information on its usage consult the QEMU driver documentation.

I don't think we care about it much. But the fix seemed trivial enough.
commit 8c8cda2c9a94c63917e859ed83593dc4e28b0644
Author:     Ján Tomko <jtomko>
CommitDate: 2023-03-22 14:41:28 +0100

    qemu_shim: set system identity

    Otherwise looking up a secret fails when we try to elevate
    the identity in qemuDomainSecretInfoSetupFromSecret.

    https://bugzilla.redhat.com/show_bug.cgi?id=2000410

    Signed-off-by: Ján Tomko <jtomko>
    Reviewed-by: Michal Privoznik <mprivozn>

git describe: v9.1.0-275-g8c8cda2c9a
Created attachment 1955674
The scripts for verification

Tested as comment0 on qemu-kvm-7.2.0-14.el9_2.x86_64 libvirt-9.2.0-1.el9.x86_64.
PASS
Tested as comment7 on libvirt-9.3.0-2.el9.x86_64 qemu-kvm-8.0.0-4.el9.x86_64. PASS