[libvirt] [PATCH 00/30] storagefile, security: qcow2 data_file support

Cole Robinson crobinso at redhat.com
Tue Oct 15 17:04:50 UTC 2019


On 10/15/19 3:56 AM, Han Han wrote:
> Hello Cole, one issue is found:
> The qcow2 data file XATTRs are not cleaned on external snapshot when
> -blockdev is not enabled
> 
> Versions:
> libvirt v5.8.0-134-g9d03e9adf1
> qemu-kvm-4.1.0-13.module+el8.1.0+4313+ef76ec61.x86_64
> 
> Steps:
> 1. Convert an OS image to qcow2&qcow2 data file:
> # qemu-img convert -O qcow2 -o
> data_file=/var/lib/libvirt/images/pc-data.raw,data_file_raw=on
> /var/lib/libvirt/images/pc.qcow2 /var/lib/libvirt/images/pc-data.qcow2
> 
> 2. Build and start libvirt source, start libvirt daemon:
> # make clean && CC=/usr/lib64/ccache/cc ./autogen.sh&&./configure
> --without-libssh --build=x86_64-redhat-linux-gnu
> --host=x86_64-redhat-linux-gnu --program-prefix=
> --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr
> --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc
> --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64
> --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib
> --mandir=/usr/share/man --infodir=/usr/share/info --with-qemu
> --without-openvz --without-lxc --without-vbox --without-libxl
> --with-sasl --with-polkit --with-libvirtd --without-phyp --with-esx
> --without-hyperv --without-vmware --without-xenapi --without-vz
> --without-bhyve --with-interface --with-network --with-storage-fs
> --with-storage-lvm --with-storage-iscsi --with-storage-iscsi-direct
> --with-storage-scsi --with-storage-disk --with-storage-mpath
> --with-storage-rbd --without-storage-sheepdog --with-storage-gluster
> --without-storage-zfs --without-storage-vstorage --with-numactl
> --with-numad --with-capng --without-fuse --with-netcf --with-selinux
> --with-selinux-mount=/sys/fs/selinux --without-apparmor --without-hal
> --with-udev --with-yajl --with-sanlock --with-libpcap --with-macvtap
> --with-audit --with-dtrace --with-driver-modules --with-firewalld
> --with-firewalld-zone --without-wireshark-dissector --without-pm-utils
> --with-nss-plugin '--with-packager=Unknown, 2019-08-19-12:13:01,
> lab.rhel8.me <http://lab.rhel8.me>' --with-packager-version=1.el8
> --with-qemu-user=qemu --with-qemu-group=qemu
> --with-tls-priority=@LIBVIRT,SYSTEM --enable-werror
> --enable-expensive-tests --with-init-script=systemd
> --without-login-shell && make -j8
> # LD_PRELOAD="$(find src -name '*.so.*'|tr '\n' ' ')" src/.libs/virtlogd
> # LD_PRELOAD="$(find src -name '*.so.*'|tr '\n' ' ')" LIBVIRT_DEBUG=3
> LIBVIRT_LOG_FILTERS="1:util 1:qemu 1:security"
> LIBVIRT_LOG_OUTPUTS="1:file:/tmp/libvirt_daemon.log" src/.libs/libvirtd
> 
> 3. Define and start a VM with the qcow2&qcow2 data file. Note that
> -blockdev is not enabled
> # virsh define pc-data.xml
> # virsh start pc-data
> 
> 4. Create snapshot and check the data file XATTRs:
> # virsh snapshot-create-as pc-data s1 --no-metadata --disk-only
> # getfattr -m - -d /var/lib/libvirt/images/pc-data.raw
> getfattr: Removing leading '/' from absolute path names
> # file: var/lib/libvirt/images/pc-data.raw
> security.selinux="unconfined_u:object_r:svirt_image_t:s0:c775,c1011"
> trusted.libvirt.security.dac="+107:+107"
> trusted.libvirt.security.ref_dac="1"
> trusted.libvirt.security.ref_selinux="1"
> trusted.libvirt.security.selinux="unconfined_u:object_r:svirt_image_t:s0:c284,c367"
> trusted.libvirt.security.timestamp_dac="1563328069"
> trusted.libvirt.security.timestamp_selinux="1563328069"
> 
> Shutdown the VM. The XATTRs of the data file are not changed.
> It is not expected. The XATTRs should not contain *.libvirt.*
> 
> Issue is not reproduced with -blockdev enabled:
> <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
> ...
>   <qemu:capabilities>
>     <qemu:add capability='blockdev'/>
>     <qemu:del capability='drive'/>
>   </qemu:capabilities>
> </domain>
> 
> See the libvirt daemon log and vm xml in attachment.

Nice catch! I will need to dig into this to figure out where the issue
is. Can you put this info into an upstream bug report in
product=Virtualization Tools and I will get to it when I can.

Thanks,
Cole
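The check in step 4 of the report above (running `getfattr -m - -d` on the data file and looking for leftover `trusted.libvirt.security.*` attributes) is easy to automate. The script below is an added example, not code from this thread or from libvirt: it parses `getfattr -d` output into a per-file attribute map, flags files that still carry libvirt's remembered security labels after a domain has been shut down, and reports the recorded reference counts and original labels. The sample output is constructed, modelled on the values in the report; `parse_getfattr`, `stale_libvirt_labels`, `remembered_state` and `run_getfattr` are names chosen here, and `run_getfattr` assumes the real `getfattr` binary with its `--absolute-names` option is available.

```python
"""Flag image files that still carry libvirt's remembered security labels.

Added example (not from the libvir-list thread above and not libvirt code).
libvirt's XATTR label remembering stores, per security driver, the file's
original label (trusted.libvirt.security.<driver>), a reference count of
domains using the file (trusted.libvirt.security.ref_<driver>) and a
timestamp. Once the last domain using the file is shut down these should be
gone; if they are still present the original label was never restored.
"""
import subprocess
from typing import Dict, List

# Constructed sample of `getfattr -m - -d` output, modelled on the report.
SAMPLE_GETFATTR_OUTPUT = """\
getfattr: Removing leading '/' from absolute path names
# file: var/lib/libvirt/images/pc-data.raw
security.selinux="unconfined_u:object_r:svirt_image_t:s0:c775,c1011"
trusted.libvirt.security.dac="+107:+107"
trusted.libvirt.security.ref_dac="1"
trusted.libvirt.security.ref_selinux="1"
trusted.libvirt.security.selinux="unconfined_u:object_r:svirt_image_t:s0:c284,c367"
trusted.libvirt.security.timestamp_dac="1563328069"
trusted.libvirt.security.timestamp_selinux="1563328069"

# file: var/lib/libvirt/images/pc-data.qcow2
security.selinux="system_u:object_r:virt_image_t:s0"

"""

LIBVIRT_PREFIX = "trusted.libvirt.security."


def parse_getfattr(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `getfattr -d` output into {absolute_path: {attr_name: value}}.

    Each file section starts with '# file: <path>'.  Without --absolute-names
    getfattr strips the leading '/', so it is put back here.  Attribute lines
    have the form name="value"; other lines (warnings, blanks) are ignored.
    """
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("# file: "):
            path = line[len("# file: "):]
            current = path if path.startswith("/") else "/" + path
            result[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            result[current][name] = value.strip('"')
    return result


def stale_libvirt_labels(attrs: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {path: sorted leftover trusted.libvirt.security.* names}.

    Run this against image and data files after every domain using them has
    been shut down; any hit means libvirt's label restore was skipped.
    """
    stale: Dict[str, List[str]] = {}
    for path, file_attrs in attrs.items():
        leftover = sorted(n for n in file_attrs if n.startswith(LIBVIRT_PREFIX))
        if leftover:
            stale[path] = leftover
    return stale


def remembered_state(file_attrs: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Summarise what libvirt recorded for one file, per security driver.

    For each driver with a ref counter, report how many domains libvirt still
    believes use the file and the original label it intended to restore.
    """
    summary: Dict[str, Dict[str, object]] = {}
    for name, value in file_attrs.items():
        if name.startswith(LIBVIRT_PREFIX + "ref_"):
            driver = name[len(LIBVIRT_PREFIX + "ref_"):]
            summary[driver] = {
                "refs": int(value),
                "original": file_attrs.get(LIBVIRT_PREFIX + driver),
            }
    return summary


def run_getfattr(paths: List[str]) -> Dict[str, Dict[str, str]]:
    """Invoke the real getfattr on the given files and parse its output."""
    out = subprocess.run(
        ["getfattr", "--absolute-names", "-m", "-", "-d", *paths],
        capture_output=True, text=True, check=False,
    ).stdout
    return parse_getfattr(out)


if __name__ == "__main__":
    attrs = parse_getfattr(SAMPLE_GETFATTR_OUTPUT)
    for path, names in stale_libvirt_labels(attrs).items():
        print(f"{path}: leftover libvirt labels {names}")
        for driver, state in remembered_state(attrs[path]).items():
            print(f"  {driver}: refs={state['refs']} original={state['original']}")
```

Against the constructed sample this reports `pc-data.raw` as still labelled, with both the `dac` and `selinux` drivers holding a reference count of 1 and the original labels `+107:+107` and the `c284,c367` SELinux context that were never restored; `pc-data.qcow2` is clean. To check a live host, replace the sample with `run_getfattr([...paths...])` after the domain has been shut down.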