RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 655735 - qemu-kvm (or libvirt?) permission denied errors when exporting readonly IDE disk to guest
Summary: qemu-kvm (or libvirt?) permission denied errors when exporting readonly IDE d...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.0
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: rc
: 6.1
Assignee: Markus Armbruster
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 580953
TreeView+ depends on / blocked
 
Reported: 2010-11-22 10:49 UTC by Richard W.M. Jones
Modified: 2013-01-09 23:22 UTC (History)
6 users (show)

Fixed In Version: qemu-kvm-0.12.1.2-2.148.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-19 11:31:56 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0534 0 normal SHIPPED_LIVE Important: qemu-kvm security, bug fix, and enhancement update 2011-05-19 11:20:36 UTC

Description Richard W.M. Jones 2010-11-22 10:49:04 UTC 
Description of problem:

On a RHEL 6 production host, I export a file to some guests read-only:

    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/usr/local/etc/virt/modules'/>
      <target dev='hdb' bus='ide'/>
      <readonly/>
      <address type='drive' controller='0' bus='0' unit='1'/>
    </disk>

This translates to the following qemu-kvm command line:

/usr/libexec/qemu-kvm -S -M rhel6.0.0 -enable-kvm -m 512 -smp
1,sockets=1,cores=1,threads=1 -name database -uuid
449d5071-88aa-bf2c-7f07-e27e0f6e1a0d -nodefconfig -nodefaults -chardev
socket,id=monitor,path=/var/lib/libvirt/qemu/database.monitor,server,nowait -mon
chardev=monitor,mode=control -rtc base=utc -boot c -kernel
/usr/local/etc/virt/vmlinuz -initrd /usr/local/etc/virt/initrd -append ro
root=/dev/hda -drive
file=/dev/mapper/VolGroup00-dbroot,if=none,id=drive-ide0-0-0,format=raw -device
ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 -drive
file=/usr/local/etc/virt/modules,if=none,id=drive-ide0-0-1,readonly=on,format=ra
w -device ide-drive,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1 -drive
file=/dev/mapper/VolGroup00-dbdata,if=none,id=drive-ide0-1-0,format=raw -device
ide-drive,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0 -netdev
tap,fd=20,id=hostnet0 -device
rtl8139,netdev=hostnet0,id=net0,mac=54:52:00:6b:be:31,bus=pci.0,addr=0x3
-chardev pty,id!
 =serial0 -device isa-serial,chardev=serial0 -usb -vnc 127.0.0.1:0 -vga cirrus -
device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x4

This causes the guest to see lots of IDE errors, and on the host
side qemu-kvm spews out these permission denied errors:

  block I/O error in device 'drive-ide0-0-1': Permission denied (13)

There appears to be no actual permission problem with the file,
SELinux is off, and the file and its containing directory is o+rw.

If I remove the <readonly/> element, everything fixes itself.  The
new qemu-kvm command line looks like this:

/usr/libexec/qemu-kvm -S -M rhel6.0.0 -enable-kvm -m 512 -smp
1,sockets=1,cores=1,threads=1 -name database -uuid
449d5071-88aa-bf2c-7f07-e27e0f6e1a0d -nodefconfig -nodefaults -chardev
socket,id=monitor,path=/var/lib/libvirt/qemu/database.monitor,server,nowait -mon
chardev=monitor,mode=control -rtc base=utc -boot c -kernel
/usr/local/etc/virt/vmlinuz -initrd /usr/local/etc/virt/initrd -append ro
root=/dev/hda -drive
file=/dev/mapper/VolGroup00-dbroot,if=none,id=drive-ide0-0-0,format=raw -device
ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 -drive
file=/usr/local/etc/virt/modules,if=none,id=drive-ide0-0-1,format=raw -device
ide-drive,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1 -drive
file=/dev/mapper/VolGroup00-dbdata,if=none,id=drive-ide0-1-0,format=raw -device
ide-drive,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0 -netdev
tap,fd=20,id=hostnet0 -device
rtl8139,netdev=hostnet0,id=net0,mac=54:52:00:6b:be:31,bus=pci.0,addr=0x3
-chardev pty,id=serial0 -de!
 vice isa-serial,chardev=serial0 -usb -vnc 127.0.0.1:0 -vga cirrus -device virti
o-balloon-pci,id=balloon0,bus=pci.0,addr=0x4


Version-Release number of selected component (if applicable):

I tested qemu-kvm from RHEL 6.0, and also the qemu-kvm from brew:

qemu-kvm-0.12.1.2-2.120.el6.x86_64

How reproducible:

Always.

Steps to Reproduce:
1. Export a file-backed IDE disk to a guest with <readonly/> in XML.

Actual results:

Lots of permission-denied errors.

Expected results:

Shouldn't have these errors.

Additional info:
Comment 2 Markus Armbruster 2011-02-16 09:12:17 UTC 
IDE disks can't do readonly.  QEMU rejects readonly=on with if=ide, but fails to do so with if=none.  Fixed upstream in commit 7aa9c811.

Would backporting that commit fix this bug?  I figure only if libvirt handles the error sanely.  Let's find out.
Comment 3 Markus Armbruster 2011-02-16 12:08:55 UTC 
Dan Berrange says libvirt handles this kind of error.
Comment 4 Markus Armbruster 2011-02-16 20:04:55 UTC 
Related: invalid CHS.  Best fixed together.

Reproducer:
$ qemu-kvm -nodefaults -vnc :0 -enable-kvm -S -monitor stdio -drive id=drv,file=tmp.qcow2,if=none,cyls=256,heads=17,secs=63 -device ide-drive,drive=drv

Expected:
qemu-system-x86_64: -device ide-drive,drive=drv: heads must be between 1 and 16
qemu-system-x86_64: -device ide-drive,drive=drv: Device 'ide-drive' could not be initialized

Actual:
No error.  I didn't check how the invalid geometry is exposed to the guest, nor how guests commonly react to it.  Don't expect it to be pretty.

Similarly simplified reproducer for readonly:

$ qemu-kvm -nodefaults -vnc :0 -enable-kvm -S -monitor stdio -drive id=drv,file=tmp.qcow2,readonly,if=none -device ide-drive,drive=drv

Expected:
qemu-system-x86_64: -device ide-drive,drive=drv: Can't use a read-only drive
qemu-system-x86_64: -device ide-drive,drive=drv: Device 'ide-drive' could not be initialized

Actual:
No error.  Guest sees IDE disk (which can't be readonly), attempts to write, gets nasty IDE errors.
Comment 9 Shirley Zhou 2011-03-03 06:00:57 UTC 
Reproduce this bug with qemu-kvm-0.12.1.2-2.133.el6.x86_64 as following steps:

1. Start guest with attached ide data disk with readonly=on
-drive file=/root/data.img,if=none,id=driveide0-0-1,format=qcow2,cache=none,readonly=on 
-device ide-drive,drive=drive-ide0-0-1,id=ide0-0-1
2. login guest, try to make partition on above ide disk, some block io error occurs in qemu monitor, and error happens in guest

(qemu) block I/O error in device 'drive-ide0-0-1': Operation not permitted (1)
block I/O error in device 'drive-ide0-0-1': Operation not permitted (1)

sd 1:0:0:0: [sda] Add. Sense: No additional sense information
sd 1:0:0:0: [sda] CDB: Write(10): 2a 00 00 00 00 00 00 00 08 00
end_request: I/O error, dev sda, sector 0
Buffer I/O error on device sda, logical block 0
lost page write due to I/O error on sda
ata2: EH complete
 sda: unknown partition table

Verify this bug with qemu-kvm-0.12.1.2-2.148.el6.x86_64, guest can not be start when start guest with attached ide data disk with readonly=on

qemu-kvm: -device ide-drive,drive=drive-ide0-0-1,id=ide0-0-1: Can't use a read-only drive
qemu-kvm: -device ide-drive,drive=drive-ide0-0-1,id=ide0-0-1: Device 'ide-drive' could not be initialized

So this bug has been resolved.
Comment 10 Miya Chen 2011-03-17 09:17:39 UTC 
move to verified based on comment#9
Comment 11 errata-xmlrpc 2011-05-19 11:31:56 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0534.html
Comment 12 errata-xmlrpc 2011-05-19 13:00:28 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0534.html
Note You need to log in before you can comment on or make changes to this bug.