Description of problem:
Migration test gets an error:
error: internal error unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS
On libvirt-0.9.4-3.el6.x86_64, it works well.

Version-Release number of selected component (if applicable):
libvirt-0.9.4-3.el6.x86_64
qemu-kvm-0.12.1.2-2.183.el6
kernel-2.6.32-188.el6

How reproducible:
Always

Steps to Reproduce:
1. Prepare the migration environment.
2. Do migration
   # virsh migrate guest qemu+ssh://$target_IP/system
3.

Actual results:
error: internal error unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS

Expected results:
Migration successful.

Additional info:
The operation is denied by SELinux since the socket we pass from libvirtd to qemu is not correctly labeled:

avc: denied { read write } for pid=10369 comm="qemu-kvm" path="socket:[91003]" dev=sockfs ino=91003 scontext=system_u:system_r:svirt_t:s0:c54,c853 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=tcp_socket

And BTW, the libvirt version which doesn't work is libvirt-0.9.4-4.el6.x86_64
Sorry for the wrong libvirt version. Should be:
libvirt-0.9.4-4.el6.x86_64
qemu-kvm-0.12.1.2-2.183.el6
kernel-2.6.32-188.el6
I fixed libvirt to set correct label on the tcp socket passed to qemu but this attempt was denied by SELinux. So now the error when trying to migrate a domain is

error: unable to set security context 'system_u:object_r:svirt_image_t:s0:c54,c853' on fd 22: Permission denied

and the following two messages appear in audit.log:

type=AVC msg=audit(1314013212.316:93716): avc: denied { relabelto } for pid=19499 comm="libvirtd" name="" dev=sockfs ino=636054 scontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_image_t:s0:c54,c853 tclass=tcp_socket
type=SYSCALL msg=audit(1314013212.316:93716): arch=c000003e syscall=190 success=no exit=-13 a0=16 a1=3ea2216239 a2=7f64441a43f0 a3=2c items=0 ppid=1 pid=19499 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)

Since we think SELinux shouldn't deny this, I filed bug 732417 for selinux-policy.
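An added example, not part of the bug report or of libvirt's code: a small Python parser for the two AVC records quoted in the comments above, separating the first denial (qemu-kvm using a socket that still carries libvirtd's virtd_t label) from the second (libvirtd denied relabelto on the socket). The function names and the classification labels are assumptions made for illustration.

```python
import re

# The two AVC records quoted in this bug report, embedded so the example runs offline.
SAMPLE_AUDIT = (
    'avc: denied { read write } for pid=10369 comm="qemu-kvm" path="socket:[91003]" '
    'dev=sockfs ino=91003 scontext=system_u:system_r:svirt_t:s0:c54,c853 '
    'tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=tcp_socket\n'
    'type=AVC msg=audit(1314013212.316:93716): avc: denied { relabelto } for pid=19499 '
    'comm="libvirtd" name="" dev=sockfs ino=636054 '
    'scontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c54,c853 tclass=tcp_socket\n'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_context(ctx):
    # user:role:type:level; the MLS/MCS level itself contains ':' so split at most 3 times.
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}

def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["source"] = parse_context(rec["scontext"])
    rec["target"] = parse_context(rec["tcontext"])
    return rec

def classify(rec):
    """Hypothetical triage labels for socket denials (heuristic, not libvirt logic)."""
    if not rec["tclass"].endswith("_socket"):
        return "other"
    if "relabelto" in rec["perms"]:
        return "relabel-denied"
    src, tgt = rec["source"], rec["target"]
    # A socket is labeled from its creator by default, so a process role (not
    # object_r) with a different type means the fd came from another domain.
    if tgt["role"] != "object_r" and tgt["type"] != src["type"]:
        return "inherited-creator-label"
    return "other"

def triage(text):
    recs = filter(None, map(parse_avc, text.splitlines()))
    return [(r["comm"], r["source"]["type"], r["target"]["type"], classify(r)) for r in recs]
```

Calling `triage(SAMPLE_AUDIT)` yields one row per denial: process name, source type, target type and the triage label.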
Patches that label the TCP socket in a correct way (and do not need any change in selinux-policy) were sent upstream: https://www.redhat.com/archives/libvir-list/2011-August/msg01312.html
Series sent to rhvirt-patches: http://post-office.corp.redhat.com/archives/rhvirt-patches/2011-August/msg00657.html
verify pass on
kernel-2.6.32-191.el6.x86_64
qemu-kvm-0.12.1.2-2.184.el6.x86_64
libvirt-0.9.4-6.el6.x86_64
migration can succeed with no error
But when testing migration with the --tunnelled flag, it failed with the same error. Do we need to report a new bug or just reassign this bug?
(In reply to comment #11)
> But when testing migration with the --tunnelled flag, it failed with the same error.
> Do we need to report a new bug or just reassign this bug?

We will report a new bug about it.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1513.html