Re: [PATCH 6/6] qemu: Use fd: protocol for migration

Daniel Veillard <veillard@xxxxxxxxxx> · Tue, 30 Aug 2011 22:49:08 +0800



On Mon, Aug 29, 2011 at 11:40:23AM -0600, Eric Blake wrote:
> On 08/15/2011 01:58 AM, Jiri Denemark wrote:
> > By opening a connection to remote qemu process ourselves and passing the
> > socket to qemu we get much better errors than just "migration failed"
> > when the connection is opened by qemu.
> > ---
> >  src/qemu/qemu_migration.c |  128 ++++++++++++++++++++++++++++++++++-----------
> >  1 files changed, 98 insertions(+), 30 deletions(-)
> > 
> > +    if (qemuCapsGet(priv->qemuCaps, QEMU_CAPS_MIGRATE_QEMU_FD)) {
> > +        int fds[2];
> > +
> > +        spec.destType = MIGRATION_DEST_FD;
> > +        spec.dest.fd.qemu = -1;
> > +        spec.dest.fd.local = -1;
> > +
> > +        if (pipe(fds) == 0) {
> > +            spec.dest.fd.qemu = fds[1];
> > +            spec.dest.fd.local = fds[0];
> > +        }
> > +        if (spec.dest.fd.qemu == -1 ||
> > +            virSetCloseExec(spec.dest.fd.qemu) < 0 ||
> > +            virSetCloseExec(spec.dest.fd.local) < 0) {
> > +            virReportSystemError(errno, "%s",
> > +                        _("cannot create pipe for tunnelled migration"));
> 
> SELinux doesn't like this.  We never label the pipe here, and
> qemuMonitorMigrateToFd doesn't label the outgoing pipe either.  Thus,
> when we hand the fd to qemu for tunneled migration, SELinux rejects the
> first write() attempt, and qemu fails with:
> 
> internal error unable to execute QEMU command 'getfd': No file
> descriptor supplied via SCM_RIGHTS
> 
> I'm still testing this, but based on how we label the incoming pipe in
> qemuProcessStart, I think this will solve the problem.
> 
> diff --git i/src/qemu/qemu_migration.c w/src/qemu/qemu_migration.c
> index a2dc97c..38b05a9 100644
> --- i/src/qemu/qemu_migration.c
> +++ w/src/qemu/qemu_migration.c
> @@ -24,6 +24,7 @@
>  #include <sys/time.h>
>  #include <gnutls/gnutls.h>
>  #include <gnutls/x509.h>
> +#include <fcntl.h>
> 
>  #include "qemu_migration.h"
>  #include "qemu_monitor.h"
> @@ -1691,13 +1692,13 @@ static int doTunnelMigrate(struct qemud_driver
> *driver,
>          spec.dest.fd.qemu = -1;
>          spec.dest.fd.local = -1;
> 
> -        if (pipe(fds) == 0) {
> +        if (pipe2(fds, O_CLOEXEC) == 0) {
>              spec.dest.fd.qemu = fds[1];
>              spec.dest.fd.local = fds[0];
>          }
>          if (spec.dest.fd.qemu == -1 ||
> -            virSetCloseExec(spec.dest.fd.qemu) < 0 ||
> -            virSetCloseExec(spec.dest.fd.local) < 0) {
> +            virSecurityManagerSetImageFDLabel(driver->securityManager, vm,
> +                                              spec.dest.fd.qemu) < 0) {
>              virReportSystemError(errno, "%s",
>                          _("cannot create pipe for tunnelled migration"));
>              goto cleanup;
> 

  Okay, I managed to reproduce the problem and this fixes it,

  ACK,

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel@xxxxxxxxxxxx  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list