+++ This bug was initially created as a clone of Bug #503955 +++ +++ This bug was initially created as a clone of Bug #489654 +++ So the idea is the following: * Motivation - Some (many) of qemu's features are not officially supported. - We cannot fix them in time - It is also problematic to block them in the code and some users might want to use tech preview of them. - Also qemu is a complex beast. If controlled directly without vdsm/libvirt it can lead to serious problems like corruption is disk caching is used (write back), ungraceful shutdown of the vm, running with the wrong -drive/rtc-time-drift, etc parameters. * Proposed solution - Qemu will only run if supplied with the flag -experimental or -authorized_mgmt_interface - -experimental would be for non production use. - -authorized_mgmt_interface would be used for libvirt, vdsm and any authorized solution by 3rd party that we reviewed. - Libvirt/vdsm/vdc will forbid the usage of non official features like: - scsi - usb pass through - Userspace irqchip - qcow1/vmdk (will be allowed to convert through qemu-img) - etc Closing bugs 484343, 485219 and replace with this one. --- Additional comment from dlaor on 2009-03-11 04:08:36 EDT --- *** Bug 485219 has been marked as a duplicate of this bug. *** --- Additional comment from dlaor on 2009-03-11 04:08:47 EDT --- *** Bug 484343 has been marked as a duplicate of this bug. *** --- Additional comment from dlaor on 2009-03-16 19:05:53 EDT --- Following the thread to disable qemu/kvm features, here is a list of unsupported/should-be-blocked features. It is relevant only to libvirt/vdsm invocations (probably libvirt does not use most of the cmds below). Qemu from cmdline is not supported at all. - scsi - qcow1/vmdk/vhd (not qemu-img for convert) - usb pass through - hpet --enable-nesting - huge-pages (mem path) --virtioconsole ----------- Actually we probably need to block there: - es1370 sound device ( ac97 is much better) - It stops playing if 2 streams where using it. - All the none default -cpu options - -M machine flag - no-graphics - stg-vga mode - smb - -kernel --- Additional comment from rjones on 2009-03-17 04:25:02 EDT --- I would like to keep -nographic and -kernel options. --- Additional comment from berrange on 2009-03-17 05:49:38 EDT --- libvirt *always* sets -M machine flag, and will also use "-cpu qemu32" to force a 64-bit emulator into 32-bit mode. -nographics is perfectly acceptable if you have a serial console and libvirt will use it. -kernel, -initrd & -append are the *strongly recommended* way to provision Linux guests because you can boot straight into the installer with install URL pre-populated. -std-vga mode is not currently used, but will be in next libvirt release. -smb is crazy & shouldn't be used - SELinux ought to block its use too. libvirt happily exposes USB passthrough and I know of people succesfully and happily using it. hpet, enable-nesting, huge-pages & virtioconsole are not used in libvirt so no prboelm with those at this time. NB, the next release of libvirt will likely include virtioconsole support because it is very useful to have a virtio based text console we can enable by default in all guest OS - its one of the things people often ask us for after experiancing Xen PV. --- Additional comment from rjones on 2009-03-17 13:05:06 EDT --- Created an attachment (id=335562) qemu-no-qcow2-snapshots patch For discussion only, how about something like that patch above, that allows qemu to be configured to disable a dangerous feature (in this case qcow2 snapshots)? Apart from qcow2 snapshots, are there other genuinely dangerous features? --- Additional comment from berrange on 2009-04-28 08:14:31 EDT --- This patch looks good to me. The only thing would be to block the corresponding 'savevm' and 'loadvm' monitor commands, since they're unusable without qcow2 snapshots (or equiv). Probably compiling without the -smb / SAMBA support would be desirable from a security POV. --- Additional comment from dlaor on 2009-04-30 07:13:41 EDT --- We're fixing the savevm bug Eduardo, what about compiling out the -smb option? --- Additional comment from dlaor on 2009-04-30 08:38:40 EDT --- Patch sent to virtualist --- Additional comment from markmc on 2009-05-27 05:28:33 EDT --- *** Bug 502586 has been marked as a duplicate of this bug. *** --- Additional comment from markmc on 2009-05-27 05:33:15 EDT --- As per bug #502586, currently discussed solution is: 1) Move /usr/bin/qemu-kvm to /usr/libexec/qemu-kvm 2) Make /usr/bin/qemu-kvm a script which checks whether the requested features are supported and, if not, warns the user Note, it's not mentioned anywhere else in this bug, but TCG should be included in this - and in order to do that, the script needs to warn if KVM is not available on the host --- Additional comment from rjones on 2009-05-27 05:46:06 EDT --- Can we make sure this script does 'exec /usr/libexec/qemu-kvm ...' as the last line? The reason is that if it just runs qemu-kvm (forked from the script's shell) then you can't easily send signals to the qemu-kvm process. You end up sending them to the shell script's shell, which doesn't pass them down. This is particularly important for libguestfs, but I guess libvirt too if it runs the script instead of the direct executable. --- Additional comment from markmc on 2009-05-27 06:03:56 EDT --- (In reply to comment #12) > Can we make sure this script does 'exec /usr/libexec/qemu-kvm ...' > as the last line? Definitely, yes. > but I guess libvirt too if it runs the script instead of the direct > executable. I think libvirt should use /usr/libexec/qemu-kvm directly - that's kind of the point, we're almost trying to deprecate /usr/bin/qemu-kvm and make it clear that /usr/libexec/qemu-kvm should only be run by e.g. libvirt or libguestfs, not directly by users
Created attachment 346515 [details] Check for kvm binary in libexec To verify it is working correctly, do # virsh -c qemu:///system capabilities <capabilities> <host> <cpu> <arch>x86_64</arch> </cpu> <topology> <cells num='1'> <cell id='0'> <cpus num='2'> <cpu id='0'/> <cpu id='1'/> </cpus> </cell> </cells> </topology> </host> <guest> <os_type>hvm</os_type> <arch name='i686'> <wordsize>32</wordsize> <emulator>/usr/libexec/qemu-kvm</emulator> <machine>pc</machine> <machine>isapc</machine> <domain type='qemu'> </domain> <domain type='kvm'> <emulator>/usr/libexec/qemu-kvm</emulator> </domain> </arch> <features> <pae/> <nonpae/> <acpi default='on' toggle='yes'/> <apic default='on' toggle='no'/> </features> </guest> <guest> <os_type>hvm</os_type> <arch name='x86_64'> <wordsize>64</wordsize> <emulator>/usr/libexec/qemu-kvm</emulator> <machine>pc</machine> <machine>isapc</machine> <domain type='qemu'> </domain> <domain type='kvm'> <emulator>/usr/libexec/qemu-kvm</emulator> </domain> </arch> <features> <acpi default='on' toggle='yes'/> <apic default='on' toggle='no'/> </features> </guest> </capabilities> Note that it should fine qemu-kvm in /usr/libexec as per this example
libvirt-0.6.3-6.el5 has been built in dist-5E-qu-candidate with the fix, Daniel
Verified with libvirt 0.6.3-6 on RHEL-5.4, did not find qemu-kvm in /usr/libexec: [root@dhcp-66-70-85 ~]# virsh -c qemu:///system capabilities <capabilities> <host> <cpu> <arch>x86_64</arch> </cpu> <topology> <cells num='1'> <cell id='0'> <cpus num='2'> <cpu id='0'/> <cpu id='1'/> </cpus> </cell> </cells> </topology> </host> <guest> <os_type>hvm</os_type> <arch name='i686'> <wordsize>32</wordsize> <emulator>/usr/bin/qemu-kvm</emulator> <machine>pc</machine> <machine>isapc</machine> <domain type='qemu'> </domain> <domain type='kvm'> <emulator>/usr/bin/qemu-kvm</emulator> </domain> </arch> <features> <pae/> <nonpae/> <acpi default='on' toggle='yes'/> <apic default='on' toggle='no'/> </features> </guest> <guest> <os_type>hvm</os_type> <arch name='x86_64'> <wordsize>64</wordsize> <emulator>/usr/bin/qemu-kvm</emulator> <machine>pc</machine> <machine>isapc</machine> <domain type='qemu'> </domain> <domain type='kvm'> <emulator>/usr/bin/qemu-kvm</emulator> </domain> </arch> <features> <acpi default='on' toggle='yes'/> <apic default='on' toggle='no'/> </features> </guest> </capabilities> [root@dhcp-66-70-85 ~]# ls /usr/bin/qemu-kvm /usr/bin/qemu-kvm [root@dhcp-66-70-85 ~]# ls /usr/libexec/qemu-kvm ls: /usr/libexec/qemu-kvm: No such file or directory [root@dhcp-66-70-85 ~]# [root@dhcp-66-70-85 ~]# rpm -qa | grep kvm kvm-tools-83-56.el5ovirt etherboot-zroms-kvm-5.4.4-10.el5 kmod-kvm-83-56.el5ovirt kvm-qemu-img-83-56.el5ovirt etherboot-roms-kvm-5.4.4-10.el5 kvm-83-56.el5ovirt [root@dhcp-66-70-85 ~]#
You haven't updated to a new enough KVM RPM. kvm-83-56.el5ovirt is still in /usr/bin. * Wed Jun 03 2009 Eduardo Habkost <ehabkost> - 83-59.el5ovirt - Move qemu-kvm to /usr/libexec, and make /usr/bin/qemu-kvm a symlink to it - Related: bz#489654
This BZ is against RHEL 5.4 but I don't see /usr/libexec/qemu-kvm in kvm.el5 version: https://brewweb.devel.redhat.com/rpminfo?rpmID=1321707
Regardless of whether testing on 5.4 or 5.4-ovirt, it is necessary to install a KVM RPM with the qemu-kvm binary in /usr/libexec, before you can verify this libvirt fix. libvirt simply reports where the KVM binary is located. It won't report it as in /usr/libexec, if the KVM rpm still only has it in /usr/bin
Yes, it's fixed with the latest KVM package. Verified with libvirt 0.6.3-6 on RHEL-5.4. [root@dhcp-66-70-85 ~]# rpm -qa | grep kvm kvm-83-65.el5 etherboot-zroms-kvm-5.4.4-10.el5 kvm-qemu-img-83-65.el5 kmod-kvm-83-65.el5 kvm-tools-83-65.el5 etherboot-roms-kvm-5.4.4-10.el5 kvm-debuginfo-83-65.el5 [root@dhcp-66-70-85 ~]# virsh -c qemu:///system capabilities <capabilities> <host> <cpu> <arch>x86_64</arch> </cpu> <topology> <cells num='1'> <cell id='0'> <cpus num='2'> <cpu id='0'/> <cpu id='1'/> </cpus> </cell> </cells> </topology> </host> <guest> <os_type>hvm</os_type> <arch name='i686'> <wordsize>32</wordsize> <emulator>/usr/libexec/qemu-kvm</emulator> <machine>pc</machine> <machine>isapc</machine> <domain type='qemu'> </domain> <domain type='kvm'> <emulator>/usr/libexec/qemu-kvm</emulator> </domain> </arch> <features> <pae/> <nonpae/> <acpi default='on' toggle='yes'/> <apic default='on' toggle='no'/> </features> </guest> <guest> <os_type>hvm</os_type> <arch name='x86_64'> <wordsize>64</wordsize> <emulator>/usr/libexec/qemu-kvm</emulator> <machine>pc</machine> <machine>isapc</machine> <domain type='qemu'> </domain> <domain type='kvm'> <emulator>/usr/libexec/qemu-kvm</emulator> </domain> </arch> <features> <acpi default='on' toggle='yes'/> <apic default='on' toggle='no'/> </features> </guest> </capabilities>
Seems it was luck that this worked, because KVM had the binary in /usr/bin and /usr/libexec. Now that it has gone from /usr/bin completely, this now fails
Created attachment 347248 [details] Remove bogus & redundant probe There is a bogus piece of code that probes for binaries in /usr/bin. This is redundant, since the previous qemu_driver check is the important one that determines if QEMU driver is available or not. This patch is in addition to the previous one.
<grin/> patch is trivial, IMHO fine for 5.4 Daniel
libvirt-0.6.3-8.el5 has been built with the fix in dist-5E-qu-candidate Daniel
Has been fixed on libvirt-0.6.3-8.el5 [root@dhcp-66-70-85 ~]# rpm -qa | grep kvm kvm-83-74.el5 etherboot-zroms-kvm-5.4.4-10.el5 kvm-qemu-img-83-74.el5 etherboot-roms-kvm-5.4.4-10.el5 kmod-kvm-83-74.el5 [root@dhcp-66-70-85 ~]# virsh -c qemu:///system capabilities <capabilities> <host> <cpu> <arch>x86_64</arch> </cpu> <topology> <cells num='1'> <cell id='0'> <cpus num='2'> <cpu id='0'/> <cpu id='1'/> </cpus> </cell> </cells> </topology> </host> <guest> <os_type>hvm</os_type> <arch name='i686'> <wordsize>32</wordsize> <emulator>/usr/libexec/qemu-kvm</emulator> <machine>pc</machine> <machine>isapc</machine> <domain type='qemu'> </domain> <domain type='kvm'> <emulator>/usr/libexec/qemu-kvm</emulator> </domain> </arch> <features> <pae/> <nonpae/> <acpi default='on' toggle='yes'/> <apic default='on' toggle='no'/> </features> </guest> <guest> <os_type>hvm</os_type> <arch name='x86_64'> <wordsize>64</wordsize> <emulator>/usr/libexec/qemu-kvm</emulator> <machine>pc</machine> <machine>isapc</machine> <domain type='qemu'> </domain> <domain type='kvm'> <emulator>/usr/libexec/qemu-kvm</emulator> </domain> </arch> <features> <acpi default='on' toggle='yes'/> <apic default='on' toggle='no'/> </features> </guest> </capabilities> [root@dhcp-66-70-85 ~]# ll /usr/libexec/qemu* -rwxr-xr-x 1 root root 1954424 Jun 9 13:09 /usr/libexec/qemu-kvm [root@dhcp-66-70-85 ~]# ll /usr/bin/qemu* -rwxr-xr-x 1 root root 149928 Jun 9 13:09 /usr/bin/qemu-img -rwxr-xr-x 1 root root 144928 Jun 9 13:09 /usr/bin/qemu-nbd [root@dhcp-66-70-85 ~]#
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-1269.html