Bug 601135 - Unable to change CDROM media when SELinux is enforcing readonly access to image
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.0
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
Assignee: Daniel Berrange
QA Contact: Virtualization Bugs
Depends On: 602186
Reported: 2010-06-07 10:10 UTC by dyuan
Modified: 2010-09-09 07:38 UTC (History)
Last Closed: 2010-06-23 07:13:37 UTC



Description dyuan 2010-06-07 10:10:33 UTC
Description of problem:

Inserting a CD (such as an ISO) into the VM cdrom using attach-disk failed with "internal error unable to execute QEMU command 'change'"

Version-Release number of selected component (if applicable):
libvirt-0.8.1-7.el6.x86_64
qemu-kvm-0.12.1.2-2.68.el6.x86_64
kernel-2.6.32-30.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Prepare a VM with a cdrom
# virsh dumpxml snapshot-4
...
    <disk type='file' device='cdrom'>
      <driver name='qemu'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <alias name='ide0-1-0'/>
      <address type='drive' controller='0' bus='1' unit='0'/>
    </disk>
    <controller type='ide' index='0'>
      <alias name='ide0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
...

2. Insert an ISO into the VM cdrom.
# virsh attach-disk snapshot-4 /var/lib/libvirt/images/test.iso hdc --driver file --type cdrom --mode readonly


Actual results:

# virsh attach-disk snapshot-4 /var/lib/libvirt/images/test.iso hdc --driver file --type cdrom --mode readonly
error: Failed to attach disk
error: internal error unable to execute QEMU command 'change': An undefined error has ocurred

Expected results:
The ISO can be inserted successfully.

Additional info:

That's OK for qemu:

# /usr/libexec/qemu-kvm -S -M rhel6.0.0 -enable-kvm -m 2048 -smp 1,sockets=1,cores=1,threads=1 -name snapshot-4 -uuid 555cc7fc-b3df-786f-b73a-4e876a654b9c -nodefaults -rtc base=utc -boot c -drive file=/var/lib/libvirt/images/snapshot-4.img,if=none,id=drive-virtio-disk0,boot=on,format=raw -device virtio-blk-pci,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0 -drive file=/mnt/vol/shareable.iso,if=none,media=cdrom,id=drive-ide0-1-0,readonly=on -device ide-drive,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0 -vnc 127.0.0.1:1 -k en-us -vga cirrus -device AC97,id=sound0,bus=pci.0,addr=0x5 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3 -monitor stdio
QEMU 0.12.1 monitor - type 'help' for more information
(qemu) info block
drive-virtio-disk0: type=hd removable=0 file=/var/lib/libvirt/images/snapshot-4.img ro=0 drv=raw encrypted=0
drive-ide0-1-0: type=cdrom removable=1 locked=0 [not inserted]
(qemu) change drive-ide0-1-0 /mnt/vol/shareable.iso
(qemu) info block
drive-virtio-disk0: type=hd removable=0 file=/var/lib/libvirt/images/snapshot-4.img ro=0 drv=raw encrypted=0
drive-ide0-1-0: type=cdrom removable=1 locked=0 file=/mnt/vol/shareable.iso ro=0 drv=raw encrypted=0


# man virsh 
...
attach-disk domain-id source target optional --driver driver --subdriver subdriver --type type --mode mode
Attach a new disk device to the domain.  source and target are paths for the files and devices. driver can be file, tap or phy depending on the kind of access. type can indicate cdrom or floppy as alternative to the disk default.  mode can specify the two specific mode readonly or shareable.
...

Comment 2 RHEL Product and Program Management 2010-06-07 17:03:31 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 3 Daniel Berrange 2010-06-09 09:05:51 UTC
Tracing QEMU shows

19215 stat("/var/lib/libvirt/images/boot.iso", {st_mode=S_IFREG|0644, st_size=203423744, ...}) = 0
19215 stat("/var/lib/libvirt/images/boot.iso", {st_mode=S_IFREG|0644, st_size=203423744, ...}) = 0
19215 open("/var/lib/libvirt/images/boot.iso", O_RDONLY|O_SYNC|O_CLOEXEC) = 21
19215 close(21)                         = 0
19215 stat("/var/lib/libvirt/images/boot.iso", {st_mode=S_IFREG|0644, st_size=203423744, ...}) = 0
19215 open("/var/lib/libvirt/images/boot.iso", O_RDWR|O_SYNC|O_CLOEXEC) = -1 EACCES (Permission denied)
19215 write(19, "{\"error\": {\"class\": \"UndefinedError\", \"desc\": \"An undefined error has ocurred\", \"data\": {}}}\r\n", 94) = 94

So it opens it readonly to start with, then for some reason, closes it and retries read-write and fails.
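
The pattern Comment 3 reads off the trace by eye (a read-only open succeeds, then the same process retries the same path read-write and is denied) can be picked out of a longer strace log automatically. This is an added example, not part of the bug report and not libvirt or QEMU code; the function names are hypothetical, the sample lines are the ones quoted in the comment, and it goes slightly beyond them by also accepting `openat` and the EPERM/EROFS errors.

```python
import re

# strace lines as quoted in Comment 3 (19215 is the traced QEMU process)
STRACE = r'''
19215 stat("/var/lib/libvirt/images/boot.iso", {st_mode=S_IFREG|0644, st_size=203423744, ...}) = 0
19215 open("/var/lib/libvirt/images/boot.iso", O_RDONLY|O_SYNC|O_CLOEXEC) = 21
19215 close(21)                         = 0
19215 open("/var/lib/libvirt/images/boot.iso", O_RDWR|O_SYNC|O_CLOEXEC) = -1 EACCES (Permission denied)
'''

# pid, path, flag list, return value and (on failure) the errno name
OPEN_RE = re.compile(
    r'^(?P<pid>\d+)\s+open(?:at)?\((?:AT_FDCWD,\s*)?"(?P<path>[^"]+)",\s*'
    r'(?P<flags>[A-Z_|]+)(?:,\s*\d+)?\)\s*=\s*(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z]+))?'
)
DENIED = {"EACCES", "EPERM", "EROFS"}


def wants_write(flags):
    """True if the open() flags request write access."""
    parts = flags.split("|")
    return "O_RDWR" in parts or "O_WRONLY" in parts


def find_denied_write_retries(trace):
    """Return (pid, path, errno) for every write-capable open that was denied
    after the same process had already opened the same path read-only."""
    read_ok = set()
    findings = []
    for line in trace.splitlines():
        m = OPEN_RE.match(line.strip())
        if not m:
            continue  # stat, close, write and other syscalls are ignored
        key = (m["pid"], m["path"])
        ret = int(m["ret"])
        if ret >= 0 and not wants_write(m["flags"]):
            read_ok.add(key)
        elif ret < 0 and wants_write(m["flags"]) and m["errno"] in DENIED and key in read_ok:
            findings.append((int(m["pid"]), m["path"], m["errno"]))
    return findings


if __name__ == "__main__":
    for pid, path, err in find_denied_write_retries(STRACE):
        print(f"pid {pid}: read-only open of {path} succeeded, write retry denied ({err})")
```

A hit means the process asked for more access than the policy on that file grants, which is the case where the requester should be fixed rather than the file relabelled.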

Comment 4 Daniel Berrange 2010-06-09 10:42:27 UTC
After looking at this there are several problems at the QEMU level

 - The EACCES error condition is not being reported back via QMP properly

 - Either
    * QEMU needs to honour the original 'readonly=on' flag for this device when changing media
   Or
    * The 'change' command needs to allow specification of the readonly flag for the new media


Since fixing the latter problem will also require libvirt changes, I'm leaving this bug assigned to libvirt and have opened bug 602186 for qemu-kvm.

Comment 5 Daniel Berrange 2010-06-22 14:36:41 UTC
Please retest this bug with qemu-kvm-0.12.1.2-2.78.el6, which has a suitable fix present.

Comment 6 dyuan 2010-06-23 01:37:00 UTC
Retest with qemu-kvm-0.12.1.2-2.79.el6, attached successfully.

# virsh attach-disk snapshot-4 /var/lib/libvirt/images/test.iso hdc --driver file --type cdrom --mode readonly
Disk attached successfully

Comment 7 Nan Zhang 2010-09-09 07:38:04 UTC
Verified with libvirt-0.8.1-27.el6.x86_64 & qemu-kvm-0.12.1.2-2.113.el6.x86_64.

# virsh attach-disk rhel6 /var/lib/libvirt/boot/boot.iso hdc --driver file --type cdrom --mode readonly
Disk attached successfully

