RHEL-37519

[libvirt] Permission denied if passing a RW fd but setting the disk RO in vm xml.

    • libvirt-10.10.0-6.el9
    • Low
    • Regression
    • rhel-sst-virt-tools
    • ssg_virtualization
    • Dev ack
    • RHEL-9.6/10.0 remaining items

      What were you trying to do that didn't work?

      Pass a RW fd to a vm but set the disk to RO in the vm xml; qemu reports "permission denied" when starting the vm or hotplugging the disk.

      Please provide the package NVR for which bug is seen:

      libvirt-10.3.0-1.el9.x86_64
      qemu-kvm-9.0.0-1.el9.x86_64

      How reproducible:

      100%

      Steps to reproduce

      1. Start a vm
      2. Create a disk image, and open a RW fd
      [root@dell-per740-78 ~]# qemu-img create -f raw /var/lib/libvirt/images/cdrom1.raw 100M
      Formatting '/var/lib/libvirt/images/cdrom1.raw', fmt=raw size=104857600
      
      [root@dell-per740-78 ~]# ll -Z /var/lib/libvirt/images/cdrom1.raw
      -rw-r--r--. 1 root root unconfined_u:object_r:virt_image_t:s0 104857600 May 20 23:02 /var/lib/libvirt/images/cdrom1.raw
      
      [root@dell-per740-78 ~]# exec 10<>/var/lib/libvirt/images/cdrom1.raw 
      3. Associate the fd with the vm, and try to attach the image to the vm as a readonly disk
      [root@dell-per740-78 ~]# cat fd.xml 
      <disk type="file" device="disk">
        <driver name="qemu" type="raw"/>
        <source file="/var/lib/libvirt/images/cdrom1.raw" fdgroup="fg1"/>
        <backingStore/>
        <readonly/>
        <target dev="vde" bus="virtio"/>
      </disk>
      
      [root@dell-per740-78 ~]# virsh 
      Welcome to virsh, the virtualization interactive terminal.
      Type:  'help' for help with commands
             'quit' to quit
      virsh # dom-fd-associate rhel9.5 fg1 10 --seclabel-writable 
      virsh # attach-device rhel9.5 fd.xml 
      error: Failed to attach device from fd.xml
      error: internal error: unable to execute QEMU command 'blockdev-add': Could not dup FD for /dev/fdset/60 flags 0: Permission denied
       
      [root@dell-per740-78 ~]# ll -Z /var/lib/libvirt/images/cdrom1.raw
      -rw-r--r--. 1 root root unconfined_u:object_r:virt_image_t:s0 104857600 May 20 23:03 /var/lib/libvirt/images/cdrom1.raw

      Expected results

      No "permission denied" error, disk can be attached to vm

      Actual results

      "permission denied" error when trying to start the vm or hotplug the disk.
       

      Additional info

      1. If I pass a RO fd to vm, the disk can be attached to vm successfully.
      # exec 11</var/lib/libvirt/images/cdrom1.raw
      
      # virsh
      virsh # dom-fd-associate rhel9.5 fg1 11
      virsh # attach-device rhel9.5 fd.xml 
      Device attached successfully
      
      # ll -Z /var/lib/libvirt/images/cdrom1.raw
      -rw-r--r--. 1 root root system_u:object_r:virt_content_t:s0 104857600 May 20 23:03 /var/lib/libvirt/images/cdrom1.raw
      
      
      2. This issue cannot be reproduced on RHEL9.4
        libvirt-10.0.0-6.3.el9_4.x86_64
        qemu-kvm-8.2.0-11.el9_4.2.x86_64
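      The same access-mode mismatch is behind both error strings on this page: qemu-kvm 9.0's "Could not dup FD for /dev/fdset/60 flags 0: Permission denied" (EACCES) and qemu-kvm 9.1's "Failed to find file descriptor with matching flags=0x0"; flags 0 is O_RDONLY. When blockdev-add opens /dev/fdset/N with read-only:true, QEMU looks for an fd in that set whose access mode equals O_RDONLY, and an O_RDWR fd does not qualify. SELinux is not involved (the comments confirm no AVC denials). The script below is an added example, not code from libvirt or QEMU: a small Python model of that lookup, a pre-flight check to run before virsh dom-fd-associate, and the management-side rule (read-only property derived from the fd that was passed) that the preverification log shows the fixed libvirt build following. All function names and the simplified lookup are assumptions; the image is a constructed temporary file.

```python
import errno
import fcntl
import os
import tempfile

# Linux: F_GETFL bits 0..1 hold the access mode (O_RDONLY=0, O_WRONLY=1, O_RDWR=2).
O_ACCMODE = 0o3


def access_mode(fd):
    """Access mode of an open fd, read the way QEMU reads it: fcntl(F_GETFL)."""
    return fcntl.fcntl(fd, fcntl.F_GETFL) & O_ACCMODE


def fdset_dup_fd(fdset, flags):
    """Model of QEMU's fdset lookup for /dev/fdset/N (simplified, an assumption):
    dup the first fd whose access mode equals the requested one, otherwise
    fail with EACCES.  An O_RDWR fd does NOT satisfy an O_RDONLY (0) request."""
    wanted = flags & O_ACCMODE
    for fd in fdset:
        if access_mode(fd) == wanted:
            return os.dup(fd)
    raise PermissionError(errno.EACCES,
                          f"Failed to find file descriptor with matching flags={wanted:#x}")


def blockdev_add_file(fdset, read_only):
    """blockdev-add with driver 'file': read-only:true asks for O_RDONLY,
    read-only:false for O_RDWR, then the fdset lookup above runs."""
    return fdset_dup_fd(fdset, os.O_RDONLY if read_only else os.O_RDWR)


def fd_matches_disk_xml(fd, xml_readonly):
    """Pre-flight check before 'virsh dom-fd-associate' on an affected libvirt,
    where the protocol node's read-only property follows <readonly/> in the XML:
    the fd's access mode must be exactly the one QEMU will ask for."""
    return access_mode(fd) == (os.O_RDONLY if xml_readonly else os.O_RDWR)


def protocol_node_read_only(fd):
    """Management-side rule that removes the mismatch: derive the protocol
    node's read-only property from the fd that was actually passed.  The
    fixed libvirt build emits read-only:false for a writable fd (see the
    preverification log); this is our model of that, not libvirt's code."""
    return access_mode(fd) == os.O_RDONLY


def demo():
    """Replay the cases from the report on a constructed temporary raw image.
    Returns a dict of outcomes so the results can be checked programmatically."""
    results = {}

    def try_add(fds, read_only):
        try:
            os.close(blockdev_add_file(fds, read_only))
            return "attached"
        except PermissionError as e:
            return os.strerror(e.errno)  # "Permission denied" for EACCES

    with tempfile.NamedTemporaryFile() as img:
        img.truncate(1 << 20)                  # constructed 1 MiB image
        rw = os.open(img.name, os.O_RDWR)      # like: exec 10<>image
        ro = os.open(img.name, os.O_RDONLY)    # like: exec 11<image
        try:
            results["rw_fd_readonly_xml"] = try_add([rw], True)   # the bug
            results["ro_fd_readonly_xml"] = try_add([ro], True)   # Additional info, item 1
            results["rw_fd_writable_xml"] = try_add([rw], False)
            results["preflight_rw_readonly"] = fd_matches_disk_xml(rw, True)
            results["preflight_ro_readonly"] = fd_matches_disk_xml(ro, True)
            results["rw_fd_derived_mode"] = try_add([rw], protocol_node_read_only(rw))
        finally:
            os.close(rw)
            os.close(ro)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

      Run it as a normal script; "rw_fd_readonly_xml" is the only case that ends in "Permission denied". The practical consequence for the affected builds is that the fd's access mode, not --seclabel-writable, has to agree with <readonly/>: pass an O_RDONLY fd for a readonly disk, as in "Additional info" item 1, or leave <readonly/> out when the fd is O_RDWR.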


            Fangge Jin added a comment -

            Preverified with libvirt-10.10.0-6.el9.x86_64

            fd disk now has both protocol node and format node:

            2025-02-10 07:46:47.423+0000: 22989: info : qemuMonitorSend:839 : QEMU_MONITOR_SEND_MSG: mon=0x7f1d78004010 msg={"execute":"blockdev-add","arguments":{"driver":"file","filename":"/dev/fdset/2","node-name":"libvirt-7-storage","read-only":false,"discard":"unmap"},"id":"libvirt-25"}
            2025-02-10 07:46:47.424+0000: 22989: info : qemuMonitorSend:839 : QEMU_MONITOR_SEND_MSG: mon=0x7f1d78004010 msg={"execute":"blockdev-add","arguments":{"node-name":"libvirt-7-format","read-only":false,"driver":"raw","file":"libvirt-7-storage"},"id":"libvirt-26"}
            2025-02-10 07:46:47.426+0000: 22989: info : qemuMonitorSend:839 : QEMU_MONITOR_SEND_MSG: mon=0x7f1d78004010 msg={"execute":"device_add","arguments":{"driver":"virtio-blk-pci","bus":"pci.8","addr":"0x0","drive":"libvirt-7-format","id":"virtio-disk2"},"id":"libvirt-27"}
             


            Peter Krempa added a comment -

            Fixed upstream:

            5830e564bb qemu: domain: Initialize FD passthrough for a virStorageSource before using it
            7a119483a3 qemuxmlconftest: Add testing of FDs with 'writable' flag in 'disk-source-fd'
            500d985a13 qemuxmlconftest: Allow testing of the 'writable' flag for passed FDs for disks
            

            Fangge Jin added a comment -

            Are there any SELinux denials generated during the Steps to Reproduce?

            mmalik@redhat.com Sorry for the late reply. I didn't notice your comment.
            There are no avc denials.

            # ausearch -m avc -ts recent
            <no matches>
            


            Meina Li added a comment -

            This bug got another error now:
            error: internal error: process exited while connecting to monitor: 2024-11-21T08:34:52.422894Z qemu-kvm: -blockdev {"driver":"file","filename":"/dev/fdset/0","node-name":"libvirt-1-storage","read-only":true}: Failed to find file descriptor with matching flags=0x0

            Failed version:
            libvirt-10.9.0-1.el9.x86_64
            qemu-kvm-9.1.0-2.el9.x86_64

            Failed steps:
            1. Prepare a disk image and check the label.

            # qemu-img create -f raw  /var/lib/libvirt/images/disk_test_fd 1.0G
            Formatting '/var/lib/libvirt/images/disk_test_fd', fmt=raw size=1073741824
            # ll -Z /var/lib/libvirt/images/disk_test_fd 
            -rw-r--r--. 1 root root unconfined_u:object_r:virt_image_t:s0 1073741824 Nov 21 03:34 /var/lib/libvirt/images/disk_test_fd 

            2.Prepare a guest with a readonly disk with fdgroup.

            # virsh dumpxml avocado-vt-vm1 --xpath //disk
            <disk type="file" device="disk">
              <driver name="qemu" type="qcow2" cache="none" io="native" discard="unmap"/>
              <source file="/var/lib/avocado/data/avocado-vt/images/jeos-27-x86_64.qcow2"/>
              <target dev="vda" bus="virtio"/>
              <address type="pci" domain="0x0000" bus="0x04" slot="0x00" function="0x0"/>
            </disk>
            <disk type="file" device="disk">
              <driver name="qemu" type="raw"/>
              <source file="/var/lib/libvirt/images/disk_test_fd" fdgroup="diskfdgroup"/>
              <target dev="vdb" bus="virtio"/>
              <readonly/>
              <address type="pci" domain="0x0000" bus="0x07" slot="0x00" function="0x0"/>
            </disk> 

            3. Start the guest.

            # virsh "dom-fd-associate avocado-vt-vm1 diskfdgroup 4  --seclabel-writable; start avocado-vt-vm1" 4<>/var/lib/libvirt/images/disk_test_fd
            error: Failed to start domain 'avocado-vt-vm1'
            error: internal error: process exited while connecting to monitor: 2024-11-21T08:34:52.422894Z qemu-kvm: -blockdev {"driver":"file","filename":"/dev/fdset/0","node-name":"libvirt-1-storage","read-only":true}: Failed to find file descriptor with matching flags=0x0 

            4. Check the label again.
            # ll -Z /var/lib/libvirt/images/disk_test_fd 
            -rw-r--r--. 1 root root system_u:object_r:svirt_image_t:s0:c35,c376 1073741824 Nov 21 03:34 /var/lib/libvirt/images/disk_test_fd


            Milos Malik added a comment -

            Are there any SELinux denials generated during the Steps to Reproduce?

            # ausearch -m avc -m selinux_err -i -ts today
            

            Kevin Wolf added a comment -

            pkrempa@redhat.com Any updates? We're not supposed to leave issues untriaged for an extended time. It would be good to decide now if this is for 9.5 or not, and move it to Planning.


              Peter Krempa (pkrempa@redhat.com)
              Fangge Jin (rhn-support-fjin)
              Votes: 1
              Watchers: 14