[libvirt] [PATCH 6/6] qemu: Use fd: protocol for migration
Daniel Veillard
veillard at redhat.com
Tue Aug 30 14:49:08 UTC 2011
On Mon, Aug 29, 2011 at 11:40:23AM -0600, Eric Blake wrote:
> On 08/15/2011 01:58 AM, Jiri Denemark wrote:
> > By opening a connection to remote qemu process ourselves and passing the
> > socket to qemu we get much better errors than just "migration failed"
> > when the connection is opened by qemu.
> > ---
> > src/qemu/qemu_migration.c | 128 ++++++++++++++++++++++++++++++++++-----------
> > 1 files changed, 98 insertions(+), 30 deletions(-)
> >
> > + if (qemuCapsGet(priv->qemuCaps, QEMU_CAPS_MIGRATE_QEMU_FD)) {
> > + int fds[2];
> > +
> > + spec.destType = MIGRATION_DEST_FD;
> > + spec.dest.fd.qemu = -1;
> > + spec.dest.fd.local = -1;
> > +
> > + if (pipe(fds) == 0) {
> > + spec.dest.fd.qemu = fds[1];
> > + spec.dest.fd.local = fds[0];
> > + }
> > + if (spec.dest.fd.qemu == -1 ||
> > + virSetCloseExec(spec.dest.fd.qemu) < 0 ||
> > + virSetCloseExec(spec.dest.fd.local) < 0) {
> > + virReportSystemError(errno, "%s",
> > + _("cannot create pipe for tunnelled migration"));
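Review bot: in the "if (pipe(fds) == 0)" block the pipe is created inheritable and only marked close-on-exec afterwards by the two virSetCloseExec() calls, so a child forked and exec'd from another thread in between would inherit both ends. Creating the pipe with the flag already set, for example pipe2(fds, O_CLOEXEC), removes that window and leaves a single call to check.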
>
> SELinux doesn't like this. We never label the pipe here, and
> qemuMonitorMigrateToFd doesn't label the outgoing pipe either. Thus,
> when we hand the fd to qemu for tunneled migration, SELinux rejects the
> first write() attempt, and qemu fails with:
>
> internal error unable to execute QEMU command 'getfd': No file
> descriptor supplied via SCM_RIGHTS
>
> I'm still testing this, but based on how we label the incoming pipe in
> qemuProcessStart, I think this will solve the problem.
>
> diff --git i/src/qemu/qemu_migration.c w/src/qemu/qemu_migration.c
> index a2dc97c..38b05a9 100644
> --- i/src/qemu/qemu_migration.c
> +++ w/src/qemu/qemu_migration.c
> @@ -24,6 +24,7 @@
> #include <sys/time.h>
> #include <gnutls/gnutls.h>
> #include <gnutls/x509.h>
> +#include <fcntl.h>
>
> #include "qemu_migration.h"
> #include "qemu_monitor.h"
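Review bot: pipe2() and O_CLOEXEC, which the added <fcntl.h> include supports for the next hunk, are not available on every platform. Confirm the build supplies a replacement for both, or keep pipe() plus virSetCloseExec() as the fallback where they are missing.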
> @@ -1691,13 +1692,13 @@ static int doTunnelMigrate(struct qemud_driver
> *driver,
> spec.dest.fd.qemu = -1;
> spec.dest.fd.local = -1;
>
> - if (pipe(fds) == 0) {
> + if (pipe2(fds, O_CLOEXEC) == 0) {
> spec.dest.fd.qemu = fds[1];
> spec.dest.fd.local = fds[0];
> }
> if (spec.dest.fd.qemu == -1 ||
> - virSetCloseExec(spec.dest.fd.qemu) < 0 ||
> - virSetCloseExec(spec.dest.fd.local) < 0) {
> + virSecurityManagerSetImageFDLabel(driver->securityManager, vm,
> + spec.dest.fd.qemu) < 0) {
> virReportSystemError(errno, "%s",
> _("cannot create pipe for tunnelled migration"));
> goto cleanup;
>
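Review bot: when virSecurityManagerSetImageFDLabel() fails inside the "if (spec.dest.fd.qemu == -1 || ...)" condition, the error path still calls virReportSystemError(errno, ...) with "cannot create pipe for tunnelled migration", although the pipe was created successfully and errno may not describe the labelling failure. Split the condition so that a pipe2() failure keeps the system error and a labelling failure goes to cleanup with its own message, or with the error the security manager call already reported.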
Okay, I managed to reproduce the problem and this fixes it,
ACK,
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel at veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
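
The descriptor handoff this thread is about, shown at the socket level as an added example (not code from the messages above or from libvirt): a pipe's write end is passed over SCM_RIGHTS, the receiver gets a fresh descriptor without close-on-exec even though the sender's copy has it, and a message with no descriptor attached is detected. The names send_fd, recv_fd and demo_handoff are hypothetical, and both socket ends live in one process to keep it self-contained.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Send fd as SCM_RIGHTS ancillary data alongside one payload byte. */
static int send_fd(int sock, int fd) {
    char byte = 'F', buf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = buf, .msg_controllen = sizeof(buf) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    memset(buf, 0, sizeof(buf));
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns -1 when the message carried none. */
static int recv_fd(int sock) {
    char byte, buf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = buf, .msg_controllen = sizeof(buf) };
    struct cmsghdr *c;
    int fd = -1;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    c = CMSG_FIRSTHDR(&msg);
    if (c && c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS)
        memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Returns 1 when the sender's copy is close-on-exec, the received copy is
 * not, and bytes written to the received copy reach the local read end. */
int demo_handoff(void) {
    int p[2], s[2], got, ok;
    char in[4] = { 0 };
    if (pipe(p) < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, s) < 0) return -1;
    /* portable stand-in for the patch's pipe2(fds, O_CLOEXEC) */
    fcntl(p[0], F_SETFD, FD_CLOEXEC); fcntl(p[1], F_SETFD, FD_CLOEXEC);
    if (send_fd(s[0], p[1]) < 0 || (got = recv_fd(s[1])) < 0) return -1;
    ok = (fcntl(p[1], F_GETFD) & FD_CLOEXEC) && !(fcntl(got, F_GETFD) & FD_CLOEXEC);
    close(p[1]);                      /* the received copy keeps the pipe open */
    ok = ok && write(got, "mig", 3) == 3 && read(p[0], in, 3) == 3
            && memcmp(in, "mig", 3) == 0;
    close(got); close(p[0]); close(s[0]); close(s[1]);
    return ok;
}
```

Close-on-exec is a per-descriptor flag, so setting it on the sender's side does not stop the receiving process from using its copy; the SELinux label discussed in the thread is checked separately when the receiver uses the descriptor.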