Turns out, block mirror is not the only job a disk can have. It can also do commits of one layer into the other. Or possibly some other tricks too. Problem is that while we set seclabels on given layers of backing chain when the job is starting (via qemuDomainStorageSourceAccessAllow()) we don't restore them when job finishes. This leaves XATTRs set and corresponding images unusable. Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx> --- Not sure if we want to remove XATTRs for the top layer too or just the rest of the backing chain (n=disk->src vs. n=disk->src->backingStore). Peter? src/qemu/qemu_blockjob.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/src/qemu/qemu_blockjob.c b/src/qemu/qemu_blockjob.c index a991309ee7..6408f95e4e 100644 --- a/src/qemu/qemu_blockjob.c +++ b/src/qemu/qemu_blockjob.c @@ -658,9 +658,9 @@ qemuBlockJobEventProcessLegacyCompleted(virQEMUDriverPtr driver, virObjectUnref(disk->src); disk->src = disk->mirror; } else { + virStorageSourcePtr n; + if (disk->mirror) { - virStorageSourcePtr n; - virDomainLockImageDetach(driver->lockManager, vm, disk->mirror); /* Ideally, we would restore seclabels on the backing chain here @@ -678,6 +678,16 @@ qemuBlockJobEventProcessLegacyCompleted(virQEMUDriverPtr driver, virObjectUnref(disk->mirror); } + + for (n = disk->src; virStorageSourceIsBacking(n); n = n->backingStore) { + if (qemuSecurityMoveImageMetadata(driver, vm, n, NULL) < 0) { + VIR_WARN("Unable to remove disk metadata on " + "vm %s from %s (disk target %s)", + vm->def->name, + NULLSTR(n->path), + disk->dst); + } + } } /* Recompute the cached backing chain to match our -- 2.21.0 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list