Hide Forgot
Description of problem: Migrate will fail with --tunnelled report error : error: internal error unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS my environment is setenforce 1 and virt_use_nfs 1 Version-Release number of selected component (if applicable): libvirt-0.9.4-6.el6.x86_64 qemu-kvm-0.12.1.2-2.184.el6.x86_64 How reproducible: always Steps to Reproduce: 1. virsh migrate --live --p2p --tunnelled mig-2 qemu+ssh://10.66.104.54/system internal error unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS Actual results: can not migrate with --tunnelled Expected results: can migrate with --tunnelled Add info : Migrate is fine without --tunnelled libvirt-0.9.3-1.el6.x86_64 can migrate with --tunnelled so this bug is a regression
Created attachment 520301 [details] guest xml attach guest xml file
Test with libvirt-0.9.4-0rc1.2.el6 it is fine with --tunnelled # virsh migrate --live --p2p --tunnelled mig-2 qemu+ssh://10.66.104.54/system # rpm -q libvirt qemu-kvm spice-server libvirt-0.9.4-0rc1.2.el6.x86_64 qemu-kvm-0.12.1.2-2.184.el6.x86_64 spice-server-0.8.2-3.el6.x86_64
Test steps : 1) NFS storage for mig for 2 hosts # mount 10.66.90.121:/vol/S3/libvirtmanual /mnt/mig -onolock 10.66.90.121:/vol/S3/libvirtmanual on /mnt/mig type nfs (rw,nolock,addr=10.66.90.121) 2 ) create a guest for migation xml as Comment 3 3) start guest 4) migrate # virsh migrate --live --p2p --tunnelled mig-2 qemu+ssh://10.66.104.54/system Migration CMD #
I haven't been able to reproduce this using the libvirt.git (that is, virsh migrate --p2p --tunnelled mig-2 qemu+ssh://dest/system [--live] worked for me, both with and without --live). I'll try again using libvirt-0.9.4-6.el6 to see if I can reproduce the failure there.
I reproduced this with libvirt-0.9.4-6.el6, combined with selinux-policy-3.7.19-108.el6.noarch. The failure was coming from the source-side qemu, reporting that it could not do outgoing migration to the pipe fd. But using 'setenforce 0' on the source let the migration get further, so this is either a SELinux bug, or a libvirt problem for not properly labeling the pipe fd it hands to qemu for outgoing migration.
Aug 29 10:56:03 office kernel: type=1400 audit(1314636963.758:85158): avc: denied { write } for pid=15050 comm="qemu-kvm" path="pipe:[82567]" dev=pipefs ino=82567 scontext=system_u:system_r:svirt_t:s0:c575,c675 tcontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file
I think the problem was introduced by this upstream patch, which was first backported into libvirt-0.9.4-4.el6 commit 3261761794c5de121927b9da5566a3bcbfa24832 Author: Jiri Denemark <jdenemar> Date: Thu Aug 11 15:47:02 2011 +0200 qemu: Use fd: protocol for migration By opening a connection to remote qemu process ourselves and passing the socket to qemu we get much better errors than just "migration failed" when the connection is opened by qemu. Proposed patch here (although I haven't yet completed testing): https://www.redhat.com/archives/libvir-list/2011-August/msg01400.html
Tested, and in POST: http://post-office.corp.redhat.com/archives/rhvirt-patches/2011-August/msg00724.html
verify pass on kernel-2.6.32-192.el6.x86_64 qemu-kvm-0.12.1.2-2.184.el6.x86_64 libvirt-0.9.4-7.el6.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1513.html