Bug
Resolution: Done
rhel-9.2.0
rhel-sst-virtualization
ssg_virtualization
x86_64
Description of problem:
For a VM whose tpmstate is on shared storage (/var/lib/libvirt/swtpm), the security context of swtpm.log is not restored after a migration fails and the VM is shut down.
A later attempt to start the VM then fails with:
'error: Requested operation is not valid: Setting different SELinux label on /var/log/swtpm/libvirt/qemu/vm2-swtpm.log which is already in use'
Version-Release number of selected component (if applicable):
libvirt-9.0.0-4.el9.x86_64
qemu-kvm-7.2.0-8.el9.x86_64
swtpm-0.8.0-1.el9.x86_64
libtpms-0.9.1-2.20211126git1ff6fe1f43.el9.x86_64
How reproducible:
100%
Steps to Reproduce:
1. Mount /var/lib/libvirt/swtpm on shared storage (on both hosts), e.g. NFS:
- df -hT
10..:/test/swtpm nfs4 70G 14G 57G 20% /var/lib/libvirt/swtpm
- ls /var/lib/libvirt/swtpm/
(nothing)
2. Define a VM with a vTPM from an XML file:
- cat vm2.xml
...
<cpu mode='host-model' check='partial'>
  <feature policy='disable' name='vmx'/>
</cpu>
...
<tpm model='tpm-crb'>
  <backend type='emulator' version='2.0'/>
</tpm>
...
- virsh define vm2.xml
Domain 'vm2' defined from vm2.xml
- ls /var/lib/libvirt/swtpm/
44db1abb-17eb-4b8e-ac9e-c18549741b65
3. Start the VM and check the seclabel:
- virsh start vm2
Domain 'vm2' started
- ll -hZ /var/log/swtpm/libvirt/qemu/vm2-swtpm.log
-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c62,c987 19K Feb 12 09:36 /var/log/swtpm/libvirt/qemu/vm2-swtpm.log
4. Migrate to a host with different CPU features, so that the migration fails:
- virsh migrate vm2 --live qemu+ssh://hostB/system --verbose
root@hostB's password:
error: operation failed: guest CPU doesn't match specification: missing features: ds,dtes64,avx512ifma,sha-ni,avx512vbmi,avx512vbmi2,gfni,vaes,vpclmulqdq,avx512bitalg,avx512-vpopcntdq,la57,rdpid,fsrm,wbnoinvd
- ll -hZ /var/log/swtpm/libvirt/qemu/vm2-swtpm.log
-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c62,c987 19K Feb 12 09:36 /var/log/swtpm/libvirt/qemu/vm2-swtpm.log
5. Shut down the VM and check the seclabel again:
- virsh shutdown vm2
Domain 'vm2' is being shutdown
- virsh list --all
Id Name State
-------------------------------
- avocado-vtpm shut off
- vm2 shut off
- ll -hZ /var/log/swtpm/libvirt/qemu/vm2-swtpm.log
-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c62,c987 20K Feb 12 09:37 /var/log/swtpm/libvirt/qemu/vm2-swtpm.log
6. Try to start the VM again:
- virsh start vm2
error: Failed to start domain 'vm2'
error: Requested operation is not valid: Setting different SELinux label on /var/log/swtpm/libvirt/qemu/vm2-swtpm.log which is already in use
- ll -hZ /var/log/swtpm/libvirt/qemu/vm2-swtpm.log
-rw-r--r--. 1 tss tss system_u:object_r:virt_log_t:s0 23K Feb 12 09:38 /var/log/swtpm/libvirt/qemu/vm2-swtpm.log
Actual results:
In step 5, the swtpm.log seclabel wasn't restored, so the later start in step 6 fails with the error shown.
Expected results:
The SELinux context of swtpm.log should be restored to system_u:object_r:virt_log_t:s0, the label that step 6 shows.
Additional info:
1. Not reproduced with local tpmstate (/var/lib/libvirt/swtpm not mounted).
2. The VM must be freshly defined while tpmstate is on shared storage; merely starting a VM that was defined earlier on local tpmstate does not reproduce the issue.
3. Not every kind of migration failure reproduces it; e.g. a migration that fails because of a local disk does not.
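As an added check (not part of this bug report or of libvirt), a small POSIX sh helper that decides whether the swtpm log's SELinux type matches the domain's state, so a stale per-VM svirt_image_t label left on a shut-off VM's log (the situation in step 5) can be spotted and reset with restorecon before the next start fails. The log path, the use of GNU stat -c %C and of virsh domstate are assumptions about the host.

```shell
#!/bin/sh
# Added example, not from the bug report: detect a swtpm log whose SELinux
# label was not reset after the domain stopped, and point at the repair.

# SELinux type field of a context string, e.g.
# "system_u:object_r:svirt_image_t:s0:c62,c987" -> "svirt_image_t"
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Type the log is expected to carry for a given 'virsh domstate' value:
# a running domain's log is relabelled to the per-VM svirt_image_t (step 3),
# a shut-off domain's log must be back to the default virt_log_t.
expected_log_type() {
    case "$1" in
        running|paused) echo svirt_image_t ;;
        "shut off")     echo virt_log_t ;;
        *)              echo unknown ;;
    esac
}

# 0 = label matches the state, 1 = stale label (this bug), 2 = state unknown
check_label_for_state() {
    want=$(expected_log_type "$1")
    [ "$want" = unknown ] && return 2
    [ "$(selinux_type "$2")" = "$want" ] && return 0
    return 1
}

# Live check for one domain (assumed log path and GNU stat); prints a verdict.
check_swtpm_log() {
    vm="$1"
    log="/var/log/swtpm/libvirt/qemu/${vm}-swtpm.log"
    state=$(virsh domstate "$vm") || return 2
    ctx=$(stat -c %C "$log") || return 2
    rc=0
    check_label_for_state "$state" "$ctx" || rc=$?
    case $rc in
        0) echo "OK: $log is $ctx for state '$state'" ;;
        1) echo "STALE: $log is $ctx while '$state'; reset with: restorecon -v $log" ;;
        *) echo "SKIP: cannot judge state '$state'" ;;
    esac
    return $rc
}
```

Run `check_swtpm_log vm2` after the shutdown in step 5; a STALE verdict is the condition that makes step 6 fail.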