2192112 – seclabel DAC relabel no VS yes & 'backup-begin'

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2192112 - seclabel DAC relabel no VS yes & 'backup-begin'

Summary: seclabel DAC relabel no VS yes & 'backup-begin'

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	libvirt
Sub Component:
Version:	CentOS Stream
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Virtualization Maintenance
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-04-29 16:19 UTC by lejeczek
Modified:	2023-05-04 08:51 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-05-02 10:09:41 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
dom definition (6.48 KB, text/plain) 2023-05-04 08:42 UTC, lejeczek	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-156113	0	None	None	None	2023-04-29 16:20:07 UTC

Description lejeczek 2023-04-29 16:19:38 UTC

Description of problem:

Hi,
with xml definition as here:
...
  <seclabel type='static' model='dac' relabel='no'>
    <label>+107:+107</label>
    <imagelabel>+107:+107</imagelabel>
  </seclabel>

'backup-begin' fails with:
...
internal error: unable to execute QEMU command 'blockdev-add': Could not open '/devs/X-VMs-BKPs/vda.qcow2': Permission denied
Path '/devs/X-VMs-BKPs/vda.qcow2' is not accessible: No such file or directory
Unable to tear down cgroup access on /devs/X-VMs-BKPs/vda.qcow2
cannot resolve symlink /devs/X-VMs-BKPs/vda.qcow2: No such file or directory
Unable to restore security label on /devs/X-VMs-BKPs/vda.qcow2
...

even tough 'qemu' user has write permission to the target path.
Suffices to set relabel='yes' and backup works.

Does not make much sense having a fully up&running VM not being able to backup.
What I also see is that with 'no' running dom definition is:
...
<seclabel type='static' model='dac' relabel='no'>
    <label>+107:+107</label>
</seclabel>

so this is absent:
    <imagelabel>+107:+107</imagelabel>
which is present with 'yes'

Version-Release number of selected component (if applicable):

libvirt-libs-9.0.0-7.el9.x86_64

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 lejeczek 2023-04-30 14:40:20 UTC

That is not it, but instead it's utterly misleading & confusing 'no available space' - VMs images where different sizes and when failed/succeded I could only attribute that to 'relabel' for dom XML apart from 'relabel' where identical.
I remember I failed a report some time ago - precisely about the way 'backup' messages a failure out with such a "test-case" as no-space-left. I was hoping devel would improve this.

... so, not a bug, nothing to do with 'relabel'
thanks, L.

Comment 2 Vivek Goyal 2023-05-01 13:32:27 UTC

(In reply to lejeczek from comment #1)
> That is not it, but instead it's utterly misleading & confusing 'no
> available space' - VMs images where different sizes and when failed/succeded
> I could only attribute that to 'relabel' for dom XML apart from 'relabel'
> where identical.
> I remember I failed a report some time ago - precisely about the way
> 'backup' messages a failure out with such a "test-case" as no-space-left. I
> was hoping devel would improve this.
> 
> ... so, not a bug, nothing to do with 'relabel'
> thanks, L.

So you ran out of space and hence you faced this failure? Sounds like this bug can be closed as NOTABUG?

Comment 3 Peter Krempa 2023-05-02 10:09:41 UTC

Next time please don't foget to also attach the full VM xml and the full backup XML ( or the full virsh commadnline) used to start the backup if you are going to report a bug. From your report it's impossible to see whats happening.

Since Comment 1 mentions that it's not a bug I'll close this. If you end up reopening it for any reason please make sure to attach as much information as possible.

Comment 4 lejeczek 2023-05-04 08:41:02 UTC

Hello again - actually there is a problem with relabel - now after a bigger clean up storages is done, re-testing is done and definetely:

  <seclabel type='dynamic' model='dac' relabel='yes'> -- good backup!
  <seclabel type='static' model='dac' relabel='no'>   -- ! no backup!

logs below and a domdef in attachment.
...
internal error: unable to execute QEMU command 'blockdev-add': Could not open '/devs/X-VMs-BKPs/vda.qcow2': Permission denied
Path '/devs/X-VMs-BKPs/vda.qcow2' is not accessible: No such file or directory
Unable to tear down cgroup access on /devs/X-VMs-BKPs/vda.qcow2
cannot resolve symlink /devs/X-VMs-BKPs/vda.qcow2: No such file or directory
Unable to restore security label on /devs/X-VMs-BKPs/vda.qcow2

<domainbackup mode='push'>
  <disks>
    <disk name='vda' type='file'>
      <driver type='qcow2'/>
      <target file='/devs/X-VMs-BKPs/vda.qcow2'>
        <encryption format='luks'>
          <secret type='passphrase' uuid='xxxxxxxxxxxxxxxx'/>
         </encryption>
      </target>
    </disk>
  </disks>
</domainbackup>

Comment 5 lejeczek 2023-05-04 08:42:17 UTC

Created attachment 1962165 [details]
dom definition

Comment 6 lejeczek 2023-05-04 08:51:52 UTC

Just to mention, I think I got some packages updates since I filed this report.
qemu-img-8.0.0-1.el9.x86_64     
qemu-kvm-common-8.0.0-1.el9.x86_64
qemu-kvm-core-8.0.0-1.el9.x86_64
selinux-policy-38.1.12-1.el9.noarch

Note You need to log in before you can comment on or make changes to this bug.