Bug 733998 - Migrate will fail with --tunnelled
Summary: Migrate will fail with --tunnelled
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.2
Hardware: x86_64
OS: Linux
Target Milestone: rc
: ---
Assignee: Eric Blake
QA Contact: Virtualization Bugs
Depends On:
TreeView+ depends on / blocked
Reported: 2011-08-29 06:49 UTC by Huang Wenlong
Modified: 2013-10-20 21:44 UTC (History)
8 users (show)

Fixed In Version: libvirt-0.9.4-7.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-12-06 11:27:39 UTC

Attachments (Terms of Use)
guest xml (1.73 KB, text/plain)
2011-08-29 07:03 UTC, Huang Wenlong
no flags Details

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1513 normal SHIPPED_LIVE libvirt bug fix and enhancement update 2011-12-06 01:23:30 UTC

Description Huang Wenlong 2011-08-29 06:49:40 UTC
Description of problem:
Migrate will fail with --tunnelled  
report error :
error: internal error unable to execute QEMU command 'getfd': No file 
descriptor supplied via SCM_RIGHTS

my environment  is  setenforce 1  and virt_use_nfs 1 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

1. virsh migrate --live --p2p --tunnelled  mig-2 qemu+ssh://
internal error unable to execute QEMU command 'getfd': No file 
descriptor supplied via SCM_RIGHTS

Actual results:
can not migrate with --tunnelled

Expected results:
can migrate with --tunnelled

Add info :

Migrate is fine without --tunnelled

libvirt-0.9.3-1.el6.x86_64 can migrate with --tunnelled  so  this bug is a regression

Comment 3 Huang Wenlong 2011-08-29 07:03:35 UTC
Created attachment 520301 [details]
guest xml

attach guest xml file

Comment 5 Huang Wenlong 2011-08-29 07:24:07 UTC
Test with libvirt-0.9.4-0rc1.2.el6  it is fine with --tunnelled 

# virsh migrate --live --p2p --tunnelled  mig-2 qemu+ssh://

# rpm -q libvirt qemu-kvm spice-server 

Comment 6 Huang Wenlong 2011-08-29 08:51:54 UTC
Test steps :

1) NFS storage for mig  for 2 hosts 

 # mount /mnt/mig -onolock on /mnt/mig type nfs (rw,nolock,addr=

2 ) create a guest for migation 
xml as Comment 3  

3) start guest 

4) migrate 

# virsh migrate --live --p2p --tunnelled  mig-2 qemu+ssh://

Migration CMD 

Comment 7 Eric Blake 2011-08-29 15:25:14 UTC
I haven't been able to reproduce this using the libvirt.git (that is, virsh migrate --p2p --tunnelled mig-2 qemu+ssh://dest/system [--live] worked for me, both with and without --live).  I'll try again using libvirt-0.9.4-6.el6 to see if I can reproduce the failure there.

Comment 8 Eric Blake 2011-08-29 17:04:51 UTC
I reproduced this with libvirt-0.9.4-6.el6, combined with selinux-policy-3.7.19-108.el6.noarch.  The failure was coming from the source-side qemu, reporting that it could not do outgoing migration to the pipe fd.  But using 'setenforce 0' on the source let the migration get further, so this is either a SELinux bug, or a libvirt problem for not properly labeling the pipe fd it hands to qemu for outgoing migration.

Comment 9 Eric Blake 2011-08-29 17:10:00 UTC
Aug 29 10:56:03 office kernel: type=1400 audit(1314636963.758:85158): avc:  denied  { write } for  pid=15050 comm="qemu-kvm" path="pipe:[82567]" dev=pipefs ino=82567 scontext=system_u:system_r:svirt_t:s0:c575,c675 tcontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file

Comment 10 Eric Blake 2011-08-29 17:45:12 UTC
I think the problem was introduced by this upstream patch, which was first backported into libvirt-0.9.4-4.el6

commit 3261761794c5de121927b9da5566a3bcbfa24832
Author: Jiri Denemark <jdenemar@redhat.com>
Date:   Thu Aug 11 15:47:02 2011 +0200

    qemu: Use fd: protocol for migration
    By opening a connection to remote qemu process ourselves and passing the
    socket to qemu we get much better errors than just "migration failed"
    when the connection is opened by qemu.

Proposed patch here (although I haven't yet completed testing):

Comment 15 weizhang 2011-08-31 07:14:47 UTC
verify pass on 

Comment 16 errata-xmlrpc 2011-12-06 11:27:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.