[libvirt] [PATCH 00/30] storagefile, security: qcow2 data_file support

Han Han hhan at redhat.com
Wed Oct 16 02:28:05 UTC 2019


On Wed, Oct 16, 2019 at 1:04 AM Cole Robinson <crobinso at redhat.com> wrote:

> On 10/15/19 3:56 AM, Han Han wrote:
> > Hello Cole, one issue is found:
> > The qcow2 data file XATTRs are not cleaned on external snapshot when
> > -blockdev is not enabled
> >
> > Versions:
> > libvirt v5.8.0-134-g9d03e9adf1
> > qemu-kvm-4.1.0-13.module+el8.1.0+4313+ef76ec61.x86_64
> >
> > Steps:
> > 1. Convert an OS image to qcow2&qcow2 data file:
> > # qemu-img convert -O qcow2 -o
> > data_file=/var/lib/libvirt/images/pc-data.raw,data_file_raw=on
> > /var/lib/libvirt/images/pc.qcow2 /var/lib/libvirt/images/pc-data.qcow2
> >
> > 2. Build and start libvirt source, start libvirt daemon:
> > # make clean && CC=/usr/lib64/ccache/cc ./autogen.sh&&./configure
> > --without-libssh --build=x86_64-redhat-linux-gnu
> > --host=x86_64-redhat-linux-gnu --program-prefix=
> > --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr
> > --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc
> > --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64
> > --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib
> > --mandir=/usr/share/man --infodir=/usr/share/info --with-qemu
> > --without-openvz --without-lxc --without-vbox --without-libxl
> > --with-sasl --with-polkit --with-libvirtd --without-phyp --with-esx
> > --without-hyperv --without-vmware --without-xenapi --without-vz
> > --without-bhyve --with-interface --with-network --with-storage-fs
> > --with-storage-lvm --with-storage-iscsi --with-storage-iscsi-direct
> > --with-storage-scsi --with-storage-disk --with-storage-mpath
> > --with-storage-rbd --without-storage-sheepdog --with-storage-gluster
> > --without-storage-zfs --without-storage-vstorage --with-numactl
> > --with-numad --with-capng --without-fuse --with-netcf --with-selinux
> > --with-selinux-mount=/sys/fs/selinux --without-apparmor --without-hal
> > --with-udev --with-yajl --with-sanlock --with-libpcap --with-macvtap
> > --with-audit --with-dtrace --with-driver-modules --with-firewalld
> > --with-firewalld-zone --without-wireshark-dissector --without-pm-utils
> > --with-nss-plugin '--with-packager=Unknown, 2019-08-19-12:13:01,
> > lab.rhel8.me' --with-packager-version=1.el8
> > --with-qemu-user=qemu --with-qemu-group=qemu
> > --with-tls-priority=@LIBVIRT,SYSTEM --enable-werror
> > --enable-expensive-tests --with-init-script=systemd
> > --without-login-shell && make -j8
> > # LD_PRELOAD="$(find src -name '*.so.*'|tr '\n' ' ')" src/.libs/virtlogd
> > # LD_PRELOAD="$(find src -name '*.so.*'|tr '\n' ' ')" LIBVIRT_DEBUG=3
> > LIBVIRT_LOG_FILTERS="1:util 1:qemu 1:security"
> > LIBVIRT_LOG_OUTPUTS="1:file:/tmp/libvirt_daemon.log" src/.libs/libvirtd
> >
> > 3. Define and start a VM with the qcow2&qcow2 data file. Note that the
> > -blockdev is not enabled
> > # virsh define pc-data.xml
> > # virsh start pc-data
> >
> > 4. Create snapshot and check the data file XATTRs:
> > # virsh snapshot-create-as pc-data s1 --no-metadata --disk-only
> > # getfattr -m - -d /var/lib/libvirt/images/pc-data.raw
> > getfattr: Removing leading '/' from absolute path names
> > # file: var/lib/libvirt/images/pc-data.raw
> > security.selinux="unconfined_u:object_r:svirt_image_t:s0:c775,c1011"
> > trusted.libvirt.security.dac="+107:+107"
> > trusted.libvirt.security.ref_dac="1"
> > trusted.libvirt.security.ref_selinux="1"
> > trusted.libvirt.security.selinux="unconfined_u:object_r:svirt_image_t:s0:c284,c367"
> > trusted.libvirt.security.timestamp_dac="1563328069"
> > trusted.libvirt.security.timestamp_selinux="1563328069"
> >
> > Shut down the VM. The XATTRs of the data file are not changed.
> > This is not expected. The XATTRs should not contain *.libvirt.*
> >
> > Issue is not reproduced with -blockdev enabled:
> > <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
> > ...
> >   <qemu:capabilities>
> >     <qemu:add capability='blockdev'/>
> >     <qemu:del capability='drive'/>
> >   </qemu:capabilities>
> > </domain>
> >
> > See the libvirt daemon log and vm xml in attachment.
>
> Nice catch! I will need to dig into this to figure out where the issue
> is. Can you put this info into an upstream bug report in
>
Sure. https://bugzilla.redhat.com/show_bug.cgi?id=1762135

> product=Virtualization Tools  and I will get to it when I can
>
> Thanks,
> Cole
>


-- 
Best regards,
-----------------------------------
Han Han
Quality Engineer
Redhat.

Email: hhan at redhat.com
Phone: +861065339333
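
A check for the condition reported above, as an added example that is not part of the original thread or of libvirt: it parses `getfattr -m - -d` dump output and lists files that still carry trusted.libvirt.security.* attributes, grouped by security driver. The sample input is constructed from the output quoted in the report plus a made-up clean.raw entry, and the function names are hypothetical.

```python
# Constructed sample: the getfattr dump quoted in the report, plus one
# made-up file (clean.raw) that carries no libvirt bookkeeping XATTRs.
SAMPLE = '''\
# file: var/lib/libvirt/images/pc-data.raw
security.selinux="unconfined_u:object_r:svirt_image_t:s0:c775,c1011"
trusted.libvirt.security.dac="+107:+107"
trusted.libvirt.security.ref_dac="1"
trusted.libvirt.security.ref_selinux="1"
trusted.libvirt.security.selinux="unconfined_u:object_r:svirt_image_t:s0:c284,c367"
trusted.libvirt.security.timestamp_dac="1563328069"
trusted.libvirt.security.timestamp_selinux="1563328069"

# file: var/lib/libvirt/images/clean.raw
security.selinux="system_u:object_r:virt_image_t:s0"
'''

PREFIX = "trusted.libvirt.security."
FILE_MARK = "# file: "


def parse_getfattr_dump(text):
    """Parse `getfattr -d` text output into {path: {attr_name: value}}."""
    files, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(FILE_MARK):
            current = files.setdefault(line[len(FILE_MARK):], {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            # Text values are double-quoted; encoded ones (0x.., 0s..) are not.
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[name] = value
    return files


def stale_libvirt_xattrs(text):
    """Return {path: {driver: {kind: value}}} for files with leftover XATTRs."""
    report = {}
    for path, attrs in parse_getfattr_dump(text).items():
        drivers = {}
        for name, value in attrs.items():
            if not name.startswith(PREFIX):
                continue
            # Suffix is "<driver>", "ref_<driver>" or "timestamp_<driver>".
            kind, _, driver = name[len(PREFIX):].rpartition("_")
            if kind not in ("ref", "timestamp"):
                kind, driver = "label", name[len(PREFIX):]
            drivers.setdefault(driver, {})[kind] = value
        if drivers:
            report[path] = drivers
    return report
```

Feed it the output of getfattr run as root (the trusted.* namespace is not visible to unprivileged users) against images whose domains are shut off.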