Bug 601135 - Unable to change CDROM media when SELinux is enforcing readonly access to image
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
6.0
All Linux
Priority: low, Severity: medium
Assigned To: Daniel Berrange
Virtualization Bugs
Depends On: 602186
Reported: 2010-06-07 06:10 EDT by dyuan
Modified: 2010-09-09 03:38 EDT
Doc Type: Bug Fix
Last Closed: 2010-06-23 03:13:37 EDT

Description dyuan 2010-06-07 06:10:33 EDT
Description of problem:

Inserting a CD (just like an ISO) into the VM CD-ROM using attach-disk failed with "internal error unable to execute QEMU command 'change'"

Version-Release number of selected component (if applicable):
libvirt-0.8.1-7.el6.x86_64
qemu-kvm-0.12.1.2-2.68.el6.x86_64
kernel-2.6.32-30.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. prepare a vm with cdrom 
# virsh dumpxml snapshot-4
...
<disk type='file' device='cdrom'>
      <driver name='qemu'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <alias name='ide0-1-0'/>
      <address type='drive' controller='0' bus='1' unit='0'/>
    </disk>
    <controller type='ide' index='0'>
      <alias name='ide0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
...

2. insert an iso into vm cdrom. 
# virsh attach-disk snapshot-4 /var/lib/libvirt/images/test.iso hdc --driver file --type cdrom --mode readonly


Actual results:

# virsh attach-disk snapshot-4 /var/lib/libvirt/images/test.iso hdc --driver file --type cdrom --mode readonly
error: Failed to attach disk
error: internal error unable to execute QEMU command 'change': An undefined error has ocurred

Expected results:
iso can be inserted successfully.

Additional info:

That's OK for qemu:

# /usr/libexec/qemu-kvm -S -M rhel6.0.0 -enable-kvm -m 2048 -smp 1,sockets=1,cores=1,threads=1 -name snapshot-4 -uuid 555cc7fc-b3df-786f-b73a-4e876a654b9c -nodefaults -rtc base=utc -boot c -drive file=/var/lib/libvirt/images/snapshot-4.img,if=none,id=drive-virtio-disk0,boot=on,format=raw -device virtio-blk-pci,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0 -drive file=/mnt/vol/shareable.iso,if=none,media=cdrom,id=drive-ide0-1-0,readonly=on -device ide-drive,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0 -vnc 127.0.0.1:1 -k en-us -vga cirrus -device AC97,id=sound0,bus=pci.0,addr=0x5 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3 -monitor stdio
QEMU 0.12.1 monitor - type 'help' for more information
(qemu) info block
drive-virtio-disk0: type=hd removable=0 file=/var/lib/libvirt/images/snapshot-4.img ro=0 drv=raw encrypted=0
drive-ide0-1-0: type=cdrom removable=1 locked=0 [not inserted]
(qemu) change drive-ide0-1-0 /mnt/vol/shareable.iso
(qemu) info block
drive-virtio-disk0: type=hd removable=0 file=/var/lib/libvirt/images/snapshot-4.img ro=0 drv=raw encrypted=0
drive-ide0-1-0: type=cdrom removable=1 locked=0 file=/mnt/vol/shareable.iso ro=0 drv=raw encrypted=0


# man virsh 
...
attach-disk domain-id source target optional --driver driver --subdriver subdriver --type type --mode mode
Attach a new disk device to the domain.  source and target are paths for the files and devices. driver can be file, tap or phy depending on the kind of access. type can indicate cdrom or floppy as alternative to the disk default.  mode can specify the two specific mode readonly or shareable.
...
Comment 2 RHEL Product and Program Management 2010-06-07 13:03:31 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 3 Daniel Berrange 2010-06-09 05:05:51 EDT
Tracing QEMU shows

19215 stat("/var/lib/libvirt/images/boot.iso", {st_mode=S_IFREG|0644, st_size=203423744, ...}) = 0
19215 stat("/var/lib/libvirt/images/boot.iso", {st_mode=S_IFREG|0644, st_size=203423744, ...}) = 0
19215 open("/var/lib/libvirt/images/boot.iso", O_RDONLY|O_SYNC|O_CLOEXEC) = 21
19215 close(21)                         = 0
19215 stat("/var/lib/libvirt/images/boot.iso", {st_mode=S_IFREG|0644, st_size=203423744, ...}) = 0
19215 open("/var/lib/libvirt/images/boot.iso", O_RDWR|O_SYNC|O_CLOEXEC) = -1 EACCES (Permission denied)
19215 write(19, "{\"error\": {\"class\": \"UndefinedError\", \"desc\": \"An undefined error has ocurred\", \"data\": {}}}\r\n", 94) = 94

So it opens it readonly to start with, then for some reason, closes it and retries read-write and fails.
Comment 4 Daniel Berrange 2010-06-09 06:42:27 EDT
After looking at this there are several problems at the QEMU level

 - The EACCES error condition is not being reported back via QMP properly

 - Either
    * QEMU needs to honour the original 'readonly=on' flag for this device when changing media
   Or
    * The 'change' command needs to allow specification of the readonly flag for the new media


Since fixing the latter problem will also require libvirt changes, I'm leaving this bug assigned to libvirt and have opened bug 602186 for qemu-kvm.
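
An added example, not part of the original bug report: a small strace triage script that flags the pattern seen in comment 3, where a process opens a file read-only successfully and then is denied when it reopens the same path for writing. The sample trace is constructed from the lines quoted above; the function name and the extra errno values (EPERM, EROFS) are assumptions that generalize beyond the single EACCES case on this page.

```python
import re
from collections import namedtuple

# Constructed sample: the relevant lines of the strace quoted in comment 3.
SAMPLE_TRACE = '''\
19215 stat("/var/lib/libvirt/images/boot.iso", {st_mode=S_IFREG|0644, st_size=203423744, ...}) = 0
19215 open("/var/lib/libvirt/images/boot.iso", O_RDONLY|O_SYNC|O_CLOEXEC) = 21
19215 close(21)                         = 0
19215 open("/var/lib/libvirt/images/boot.iso", O_RDWR|O_SYNC|O_CLOEXEC) = -1 EACCES (Permission denied)
'''

# Matches "PID open(...)" and "PID openat(AT_FDCWD, ...)" lines from `strace -f`.
OPEN_RE = re.compile(
    r'^(?P<pid>\d+)\s+open(?:at)?\((?:AT_FDCWD,\s*)?"(?P<path>[^"]+)",\s*'
    r'(?P<flags>[A-Z_|]+)(?:,\s*\d+)?\)\s*=\s*(?P<ret>-?\d+)'
    r'(?:\s+(?P<errno>E[A-Z]+))?'
)

WRITE_FLAGS = {"O_RDWR", "O_WRONLY"}
DENIED = {"EACCES", "EPERM", "EROFS"}  # assumption: errnos treated as "denied"

Finding = namedtuple("Finding", "pid path line_no")


def find_rw_retries(trace):
    """Return a Finding for each write-mode open that was denied after the
    same PID had already opened the same path read-only successfully."""
    ro_ok = set()       # (pid, path) pairs with a successful read-only open
    findings = []
    for line_no, line in enumerate(trace.splitlines(), 1):
        m = OPEN_RE.match(line)
        if not m:
            continue
        key = (m["pid"], m["path"])
        wants_write = bool(set(m["flags"].split("|")) & WRITE_FLAGS)
        ret = int(m["ret"])
        if not wants_write and ret >= 0:
            ro_ok.add(key)
        elif wants_write and ret < 0 and m["errno"] in DENIED and key in ro_ok:
            findings.append(Finding(m["pid"], m["path"], line_no))
    return findings


if __name__ == "__main__":
    for f in find_rw_retries(SAMPLE_TRACE):
        print(f"pid {f.pid}: read-only open OK, write reopen denied: "
              f"{f.path} (trace line {f.line_no})")
```

A hit on an image that the domain XML marks `<readonly/>` means the confinement is working as intended and the process is asking for more access than the device configuration grants.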
Comment 5 Daniel Berrange 2010-06-22 10:36:41 EDT
Please retest this bug with qemu-kvm-0.12.1.2-2.78.el6, which has a suitable fix present.
Comment 6 dyuan 2010-06-22 21:37:00 EDT
Retest with qemu-kvm-0.12.1.2-2.79.el6, attached successfully.

# virsh attach-disk snapshot-4 /var/lib/libvirt/images/test.iso hdc --driver file --type cdrom --mode readonly
Disk attached successfully
Comment 7 Nan Zhang 2010-09-09 03:38:04 EDT
Verified with libvirt-0.8.1-27.el6.x86_64 & qemu-kvm-0.12.1.2-2.113.el6.x86_64.

# virsh attach-disk rhel6 /var/lib/libvirt/boot/boot.iso hdc --driver file --type cdrom --mode readonly
Disk attached successfully
