Bug 731243 - Migration failed with unable to execute QEMU command 'getfd'
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jiri Denemark
QA Contact: Virtualization Bugs
Depends On: 732417
Reported: 2011-08-17 06:49 UTC by yanbing du
Modified: 2011-12-06 11:49 UTC (History)

Fixed In Version: libvirt-0.9.4-6.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-12-06 11:49:12 UTC

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1513 normal SHIPPED_LIVE libvirt bug fix and enhancement update 2011-12-06 01:23:30 UTC

Description yanbing du 2011-08-17 06:49:39 UTC
Description of problem:
Migration test gets an error:
error: internal error unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS

On libvirt-0.9.4-3.el6.x86_64, it works well.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Prepare the migration environment.
2. Do migration
   #virsh migrate guest qemu+ssh://$target_IP/system
Actual results:
error: internal error unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS

Expected results:
Migration successful.

Additional info:

Comment 3 Jiri Denemark 2011-08-17 09:54:02 UTC
The operation is denied by SELinux since the socket we pass from libvirtd to qemu is not correctly labeled:

avc:  denied  { read write } for  pid=10369 comm="qemu-kvm" path="socket:[91003]" dev=sockfs ino=91003 scontext=system_u:system_r:svirt_t:s0:c54,c853 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=tcp_socket

And BTW, the libvirt version which doesn't work is libvirt-0.9.4-4.el6.x86_64

Comment 4 yanbing du 2011-08-17 10:12:01 UTC
Sorry for the wrong libvirt version. Should be:


Comment 6 Jiri Denemark 2011-08-22 12:02:44 UTC
I fixed libvirt to set the correct label on the TCP socket passed to qemu, but this attempt was denied by SELinux. So now the error when trying to migrate a domain is

error: unable to set security context 'system_u:object_r:svirt_image_t:s0:c54,c853' on fd 22: Permission denied

and the following two messages appear in audit.log:

type=AVC msg=audit(1314013212.316:93716): avc:  denied  { relabelto } for pid=19499 comm="libvirtd" name="" dev=sockfs ino=636054 scontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_image_t:s0:c54,c853 tclass=tcp_socket

type=SYSCALL msg=audit(1314013212.316:93716): arch=c000003e syscall=190 success=no exit=-13 a0=16 a1=3ea2216239 a2=7f64441a43f0 a3=2c items=0 ppid=1 pid=19499 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)

Since we think SELinux shouldn't deny this, I filed bug 732417 for selinux-policy.
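
Added example (not part of the bug report and not libvirt code): a small Python parser that decodes the audit records quoted in comments 3 and 6 and pairs the AVC denial with its SYSCALL record by audit event ID. The helper names are illustrative, and the syscall table is limited to the one x86_64 number that appears on this page.

```python
import errno
import re

# Audit records copied from comments 3 and 6 of this bug report.
SAMPLE = """\
avc:  denied  { read write } for  pid=10369 comm="qemu-kvm" path="socket:[91003]" dev=sockfs ino=91003 scontext=system_u:system_r:svirt_t:s0:c54,c853 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1314013212.316:93716): avc:  denied  { relabelto } for pid=19499 comm="libvirtd" name="" dev=sockfs ino=636054 scontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_image_t:s0:c54,c853 tclass=tcp_socket
type=SYSCALL msg=audit(1314013212.316:93716): arch=c000003e syscall=190 success=no exit=-13 a0=16 a1=3ea2216239 a2=7f64441a43f0 a3=2c items=0 ppid=1 pid=19499 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
"""
EVENT_RE = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
X86_64_SYSCALLS = {190: "fsetxattr"}  # arch=c000003e is x86_64; only this page's number

def parse_context(ctx):
    # user:role:type:level, where the MLS/MCS level itself may contain ':'
    user, role, typ, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level}

def parse_record(line):
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = EVENT_RE.search(line)
    rec["event"] = m.group(1) if m else None
    p = PERMS_RE.search(line)
    if p:
        rec["kind"] = "AVC"
        rec["perms"] = p.group(1).split()
        rec["source"] = parse_context(rec["scontext"])
        rec["target"] = parse_context(rec["tcontext"])
    elif rec.get("type") == "SYSCALL":
        rec["kind"] = "SYSCALL"
        rec["syscall_name"] = X86_64_SYSCALLS.get(int(rec["syscall"]), "unknown")
        rec["fd"] = int(rec["a0"], 16)  # audit prints a0..a3 in hex: 0x16 == 22
        rec["errno"] = errno.errorcode.get(-int(rec["exit"]), rec["exit"])
    return rec

def explain(text):
    recs = [parse_record(l) for l in text.splitlines() if l.strip()]
    syscalls = {r["event"]: r for r in recs if r.get("kind") == "SYSCALL"}
    out = []
    for r in (r for r in recs if r.get("kind") == "AVC"):
        sc = syscalls.get(r["event"])  # same event ID => same kernel operation
        out.append({"comm": r["comm"], "perms": r["perms"], "tclass": r["tclass"],
                    "source_type": r["source"]["type"], "target_type": r["target"]["type"],
                    "same_level": r["source"]["level"] == r["target"]["level"],
                    "syscall": sc and (sc["syscall_name"], sc["fd"], sc["errno"])})
    return out
```

For the second denial this yields `fsetxattr` on fd 22 failing with `EACCES`, which lines up with the "on fd 22: Permission denied" error text in comment 6.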

Comment 7 Jiri Denemark 2011-08-26 08:27:06 UTC
Patches that label the TCP socket in a correct way (and do not need any change in selinux-policy) were sent upstream:

Comment 8 Jiri Denemark 2011-08-26 11:47:30 UTC
Series sent to rhvirt-patches: http://post-office.corp.redhat.com/archives/rhvirt-patches/2011-August/msg00657.html

Comment 10 weizhang 2011-08-29 03:35:20 UTC
verify pass on 

migration can succeed with no error

Comment 11 weizhang 2011-08-29 06:19:54 UTC
But when testing migration with the --tunnelled flag, it failed with the same error. Do we need to report a new bug or just reassign this bug?

Comment 12 weizhang 2011-08-29 06:36:20 UTC
(In reply to comment #11)
> But when testing migration with the --tunnelled flag, it failed with the same error.
> Do we need to report a new bug or just reassign this bug?

We will report a new bug about it.

Comment 13 errata-xmlrpc 2011-12-06 11:49:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

