Re: [PATCH 6/6] qemu: Use fd: protocol for migration

On 08/15/2011 01:58 AM, Jiri Denemark wrote:
> By opening a connection to remote qemu process ourselves and passing the
> socket to qemu we get much better errors than just "migration failed"
> when the connection is opened by qemu.
> ---
>  src/qemu/qemu_migration.c |  128 ++++++++++++++++++++++++++++++++++-----------
>  1 files changed, 98 insertions(+), 30 deletions(-)
> 
> +    if (qemuCapsGet(priv->qemuCaps, QEMU_CAPS_MIGRATE_QEMU_FD)) {
> +        int fds[2];
> +
> +        spec.destType = MIGRATION_DEST_FD;
> +        spec.dest.fd.qemu = -1;
> +        spec.dest.fd.local = -1;
> +
> +        if (pipe(fds) == 0) {
> +            spec.dest.fd.qemu = fds[1];
> +            spec.dest.fd.local = fds[0];
> +        }
> +        if (spec.dest.fd.qemu == -1 ||
> +            virSetCloseExec(spec.dest.fd.qemu) < 0 ||
> +            virSetCloseExec(spec.dest.fd.local) < 0) {
> +            virReportSystemError(errno, "%s",
> +                        _("cannot create pipe for tunnelled migration"));
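
Review bot: `pipe(fds)` followed by separate `virSetCloseExec()` calls on each end is not atomic: a thread that forks and execs between the two steps would inherit both descriptors. Creating the pipe with the close-on-exec flag already set, for example `pipe2(fds, O_CLOEXEC)`, closes that window and removes two failure paths from the condition.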

SELinux doesn't like this.  We never label the pipe here, and
qemuMonitorMigrateToFd doesn't label the outgoing pipe either.  Thus,
when we hand the fd to qemu for tunneled migration, SELinux rejects the
first write() attempt, and qemu fails with:

internal error unable to execute QEMU command 'getfd': No file
descriptor supplied via SCM_RIGHTS

I'm still testing this, but based on how we label the incoming pipe in
qemuProcessStart, I think this will solve the problem.

diff --git i/src/qemu/qemu_migration.c w/src/qemu/qemu_migration.c
index a2dc97c..38b05a9 100644
--- i/src/qemu/qemu_migration.c
+++ w/src/qemu/qemu_migration.c
@@ -24,6 +24,7 @@
 #include <sys/time.h>
 #include <gnutls/gnutls.h>
 #include <gnutls/x509.h>
+#include <fcntl.h>

 #include "qemu_migration.h"
 #include "qemu_monitor.h"
@@ -1691,13 +1692,13 @@ static int doTunnelMigrate(struct qemud_driver
*driver,
         spec.dest.fd.qemu = -1;
         spec.dest.fd.local = -1;

-        if (pipe(fds) == 0) {
+        if (pipe2(fds, O_CLOEXEC) == 0) {
             spec.dest.fd.qemu = fds[1];
             spec.dest.fd.local = fds[0];
         }
         if (spec.dest.fd.qemu == -1 ||
-            virSetCloseExec(spec.dest.fd.qemu) < 0 ||
-            virSetCloseExec(spec.dest.fd.local) < 0) {
+            virSecurityManagerSetImageFDLabel(driver->securityManager, vm,
+                                              spec.dest.fd.qemu) < 0) {
             virReportSystemError(errno, "%s",
                         _("cannot create pipe for tunnelled migration"));
             goto cleanup;
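
Review bot: In the failure branch, a failed `virSecurityManagerSetImageFDLabel()` is reported through `virReportSystemError(errno, ...)` with the text "cannot create pipe for tunnelled migration", although the pipe was created successfully at that point and `errno` may not describe the labeling failure. Splitting the condition so that pipe creation and fd labeling are checked and reported separately would keep the message accurate. Only `spec.dest.fd.qemu` is labeled; a short comment on why `spec.dest.fd.local` is left unlabeled would help later readers.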


-- 
Eric Blake   eblake@xxxxxxxxxx    +1-801-349-2682
Libvirt virtualization library http://libvirt.org
