Bug 649523 - bogus permissions on /var/lib/libvirt in libvirt spec file
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.0
Priority: low
Severity: medium
Target Milestone: rc
Assigned To: Eric Blake
QA Contact: Virtualization Bugs
Keywords: ZStream
Duplicates: 627124 634862
Blocks: 662045
Reported: 2010-11-03 17:39 EDT by Eric Blake
Modified: 2015-09-27 22:06 EDT
Fixed In Version: libvirt-0.8.6-1.el6
Doc Type: Bug Fix
Doc Text: A specification file bug caused permissions on the /var/lib/libvirt directory to change when a system was upgraded. With this update, correct permissions are assigned to the aforementioned directory.
Clone Of: 649511
Clones: 684798
Last Closed: 2011-05-19 09:23:35 EDT

Description Eric Blake 2010-11-03 17:39:39 EDT
+++ This bug was initially created as a clone of Bug #649511 +++

Description of problem:
After using preupgrade to convert from F13 to F14, I could no longer start any VMs.  I tracked the problem to bad permissions on /var/lib/libvirt.

Version-Release number of selected component (if applicable):
libvirt-0.8.3-2.fc14.x86_64


How reproducible:
Haven't tried reproducing, but if you need me to, I could set up an F13 VM and re-run preupgrade to see if it repeats.


Steps to Reproduce:
1. preupgrade from f13 -> f14
2. virsh start vm-name
3. ls -ld /var/lib/libvirt
4. chmod 755 /var/lib/libvirt
5. virsh start vm-name 
  
Actual results:
1. upgrade appears to work fine
2. # virsh start fedora_12
error: Failed to start domain fedora_12
error: internal error Process exited while reading console log output: bind(unix:/var/lib/libvirt/qemu/fedora_12.monitor): Permission denied
chardev: opening backend "socket" failed
3. # ll -d /var/lib/libvirt/{,qemu}
drwx------. 9 root root 4096 Aug 23 15:32 /var/lib/libvirt/
drwx------. 4 qemu qemu 4096 Aug 23 15:32 /var/lib/libvirt/qemu
4. success
5. can start vm again


Expected results:
upgrading should not corrupt directory permissions

Additional info:
/var/lib/libvirt should be 0755, not 0700.  It might be a bug in the libvirt-0.8.3-2.fc14.x86_64 spec file that sets inappropriate permissions, and the preupgrade process favored the spec file permissions rather than the permissions that were previously in place in F13.

--- Additional comment from eblake@redhat.com on 2010-11-03 15:09:32 MDT ---

Hmm - I see this in upstream libvirt.spec.in, as well as in the libvirt.spec included in libvirt-0.8.3-2.fc14.srpm:

%dir %{_localstatedir}/lib/libvirt/

%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt

So it's definitely a spec-file bug, and traces back to commit 66823690e (v0.8.2~203).

--- Additional comment from eblake@redhat.com on 2010-11-03 15:26:51 MDT ---

Upstream patch posted:
https://www.redhat.com/archives/libvir-list/2010-November/msg00238.html

---
Although this specfile bug was not present in libvirt-0.8.1, it was back-ported into the spec file used to build libvirt-0.8.1-7.el6, and has remained there through libvirt-0.8.1-27.el6.
Comment 1 Eric Blake 2010-11-03 17:41:53 EDT
The upstream patch only touches libvirt.spec.in, and so it will automatically be picked up for RHEL 6.1 when we rebase to upstream 0.8.6 or newer.  But for the RHEL z-stream, it seems like this is an easy spec file fix to backport directly to libvirt.spec as soon as there is any other z-stream activity that warrants a release.
Comment 2 Eric Blake 2010-11-03 17:47:14 EDT
If we fail to fix the specfile, then it is possible for a z-stream update for any other reason to result in rpm downgrading the permissions of /var/lib/libvirt from 0755 to 0700 during the upgrade process.  Reduced permissions on this directory will then render it impossible for anyone running a VM as the qemu user to obtain access to any /var/lib/libvirt/*.monitor sockets.
Comment 3 Eric Blake 2010-11-08 10:03:04 EST
I've reduced things to a minimal testcase that proves the problem can affect z-stream upgrades if the spec file is not patched:

# rpm -q libvirt{,-client}
libvirt-0.8.1-27.el6.x86_64
libvirt-client-0.8.1-27.el6.x86_64
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 7 root root 4096 Aug 18 06:07 /var/lib/libvirt/
# yum reinstall libvirt-client -y
...
# ls -ld /var/lib/libvirt/
drwx------. 7 root root 4096 Aug 18 06:07 /var/lib/libvirt/
# yum reinstall libvirt -y
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 7 root root 4096 Aug 18 06:07 /var/lib/libvirt/

Therefore, it is the libvirt-client package that has the broken permissions, and if libvirt-client is upgraded independently (or after) libvirt, then the problem is present.  In general, libvirt and libvirt-client bump versions simultaneously, and yum dependencies favor installing libvirt last, which is why we haven't run into the problem very many times in practice.
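
The test case above shows two packages owning /var/lib/libvirt with different modes, so whichever is installed last decides the result. The following is an added example, not part of the original report or of libvirt: it looks for that kind of conflict across a package set. The function names and sample entries are constructed for illustration, and the rpm query in the comment is one way to produce the input.

```shell
#!/bin/sh
# Added example: report paths that several packages own with different modes.
# Input: one file entry per line, "<package> <octal-mode> <path>".
# On an RPM-based host such lines can be produced with:
#   rpm -qa --qf '[%{=NAME} %{FILEMODES:octal} %{FILENAMES}\n]'

find_mode_conflicts() {
    awk '
    {
        pkg = $1; mode = $2
        path = $0
        sub(/^[^ ]+ +[^ ]+ +/, "", path)  # drop package and mode, keep spaces in path
        sub(/\/+$/, "", path)             # treat "dir/" and "dir" as the same entry
        if (path == "") path = "/"
        if (!((path, mode) in seen)) {    # count each distinct mode once per path
            seen[path, mode] = 1
            nmodes[path]++
        }
        owners[path] = owners[path] " " pkg "=" mode
    }
    END {
        for (p in nmodes)
            if (nmodes[p] > 1)
                print p ":" owners[p]
    }' | sort
}

# Constructed sample modelled on the two packages in this report.
sample_entries() {
    cat <<'EOF'
libvirt 040755 /var/lib/libvirt/
libvirt-client 040700 /var/lib/libvirt
libvirt 040755 /usr/share/libvirt
libvirt-client 040755 /usr/share/libvirt
libvirt 0100644 /etc/libvirt/libvirtd.conf
EOF
}

sample_entries | find_mode_conflicts
```

Any path the function prints is one whose final mode depends on package install order, which is the behaviour reproduced in the test case.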
Comment 4 Dave Allan 2010-11-08 21:34:53 EST
*** Bug 634862 has been marked as a duplicate of this bug. ***
Comment 6 Daniel Berrange 2010-11-12 11:36:50 EST
*** Bug 627124 has been marked as a duplicate of this bug. ***
Comment 7 Jiri Denemark 2010-12-10 07:07:12 EST
Fixed upstream by v0.8.5-60-gf970d80:

commit f970d802ab805f1a37af384f148f34e108714034
Author: Eric Blake <eblake@redhat.com>
Date:   Wed Nov 3 15:20:24 2010 -0600

    rpm: fix /var/lib/libvirt permissions
Comment 9 wangyimiao 2010-12-24 03:19:02 EST
Verified it PASSED on build:
libvirt-0.8.6-1.el6.x86_64
libvirt-client-0.8.6-1.el6.x86_64
qemu-kvm-0.12.1.2-2.128.el6.x86_64
qemu-img-0.12.1.2-2.128.el6.x86_64
kernel-2.6.32-93.el6.x86_64
Steps:
1.
# rpm -q libvirt{,-client}
libvirt-0.8.6-1.el6.x86_64
libvirt-client-0.8.6-1.el6.x86_64

2.Check "/var/lib/libvirt" permission
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 9 root root 4096 Dec 24 09:14 /var/lib/libvirt/

3.Reinstall "libvirt-client" package
# rpm -ivh --replacepkgs libvirt-client-0.8.6-1.el6.x86_64.rpm 

4.Check "/var/lib/libvirt" permission
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 9 root root 4096 Dec 23 15:36 /var/lib/libvirt/


5.Reinstall "libvirt-client" package again
# rpm -ivh --replacepkgs libvirt-client-0.8.6-1.el6.x86_64.rpm 

6.Check "/var/lib/libvirt" permission again.
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 9 root root 4096 Dec 23 15:36 /var/lib/libvirt/
Comment 11 Vivian Bian 2011-02-15 04:17:48 EST
retested with 

libvirt-0.8.7-6.el6.x86_64
libvirt-client-0.8.7-6.el6.x86_64

Steps:
1.# rpm -q libvirt{,-client}
libvirt-0.8.7-6.el6.x86_64
libvirt-client-0.8.7-6.el6.x86_64


2.Check "/var/lib/libvirt" permission
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 9 root root 4096 Feb 12 00:35 /var/lib/libvirt/



3.Reinstall "libvirt-client" package
# rpm -ivh --replacepkgs libvirt-new/libvirt-client-0.8.7-6.el6.x86_64.rpm 
Preparing...                ########################################### [100%]
   1:libvirt-client         ########################################### [100%]


4.Check "/var/lib/libvirt" permission
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 9 root root 4096 Feb 12 00:35 /var/lib/libvirt/


5.Reinstall "libvirt-client" package again
# rpm -ivh --replacepkgs libvirt-new/libvirt-client-0.8.7-6.el6.x86_64.rpm 
Preparing...                ########################################### [100%]
   1:libvirt-client         ########################################### [100%]

6.Check "/var/lib/libvirt" permission again.
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 9 root root 4096 Feb 12 00:35 /var/lib/libvirt/

The permissions on /var/lib/libvirt are correct. So set bug status to VERIFIED
Comment 12 Martin Prpič 2011-04-15 10:22:18 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
A specification file bug caused permissions on the /var/lib/libvirt directory to change when upgrading a system. With this update, correct permissions are assigned to the aforementioned directory.
Comment 15 Laura Bailey 2011-05-04 01:12:46 EDT
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-A specification file bug caused permissions on the /var/lib/libvirt directory to change when upgrading a system. With this update, correct permissions are assigned to the aforementioned directory.+A specification file bug caused permissions on the /var/lib/libvirt directory to change when a system was upgraded. With this update, correct permissions are assigned to the aforementioned directory.
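Review bot: the replacement sentence on the + side still says only that permissions "change" and that "correct permissions" are assigned, without naming the modes. The description gives them as 0700 where 0755 is expected; stating both values in the note would let an administrator check a host with ls -ld /var/lib/libvirt. Comment 3 also reproduces the change with a reinstall of libvirt-client alone, so "when a system was upgraded" is narrower than the trigger shown in this report.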
Comment 16 errata-xmlrpc 2011-05-19 09:23:35 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0596.html
