[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [Bug 1626972] Fwd: [PATCH] vhost: secure vhost shared log f
From: |
Rafael David Tinoco |
Subject: |
[Qemu-devel] [Bug 1626972] Fwd: [PATCH] vhost: secure vhost shared log files using argv paremeter |
Date: |
Sat, 22 Oct 2016 21:55:14 -0000 |
> Begin forwarded message:
>
> From: Rafael David Tinoco <address@hidden>
> Subject: Re: [Qemu-devel] [PATCH] vhost: secure vhost shared log files using
> argv paremeter
> Date: October 22, 2016 at 19:52:31 GMT-2
> To: Marc-André Lureau <address@hidden>
> Cc: Rafael David Tinoco <address@hidden>, qemu-devel <address@hidden>
>
> Hello,
>
>> On Oct 22, 2016, at 05:18, Marc-André Lureau <address@hidden> wrote:
>>
>> Hi
>>
>> On Sat, Oct 22, 2016 at 10:01 AM Rafael David Tinoco <address@hidden> wrote:
>> Commit 31190ed7 added a migration blocker in vhost_dev_init() to
>> check if memfd would succeed. It is better if this blocker first
>> checks if vhost backend requires shared log. This will avoid a
>> situation where a blocker is added inappropriately (e.g. shared
>> log allocation fails when vhost backend doesn't support it).
>>
>> Could you make this a seperate patch?
>
> Just did, in another e-mail, cc'ing you.
>
>> Argv examples:
>>
>> -netdev tap,id=net0,vhost=on
>> -netdev tap,id=net0,vhost=on,vhostlog=/tmp/guest.log
>> -netdev tap,id=net0,vhost=on,vhostlog=/tmp
>>
>> Could it be only a filename? This would simplify testing.
>
> It could. Should I keep the /tmp/<random> logic if no vhostlog arg is present
> ? Or you think it should fail if no arg is given ? I'm afraid of backward
> compatibility when back-porting this to older qemu versions on stable
> releases (like my case: I'll backport this to ~3 different versions).
>
>> For vhost backends supporting shared logs, if vhostlog is non-existent,
>> or a directory, random files are going to be created in the specified
>> directory (or, for non-existent, in tmpdir). If vhostlog is specified,
>> the filepath is always used when allocating vhost log files.
>>
>>
>> Regarding testing, you add utility code mmap-file, could you make this a
>> seperate commit, with unit tests?
>>
>
> Sure, I'll work on it.
>
>> thanks
>
> Thank u!
>
> -Rafael Tinoco
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1626972
Title:
QEMU memfd_create fallback mechanism change for security drivers
Status in QEMU:
In Progress
Bug description:
And, when libvirt starts using apparmor, and creating apparmor
profiles for every virtual machine created in the compute nodes,
mitaka qemu (2.5 - and upstream also) uses a fallback mechanism for
creating shared memory for live-migrations. This fall back mechanism,
on kernels 3.13 - that don't have memfd_create() system-call, try to
create files on /tmp/ directory and fails.. causing live-migration not
to work.
Trusty with kernel 3.13 + Mitaka with qemu 2.5 + apparmor capability =
can't live migrate.
From qemu 2.5, logic is on :
void *qemu_memfd_alloc(const char *name, size_t size, unsigned int seals, int
*fd)
{
if (memfd_create)... ### only works with HWE kernels
else ### 3.13 kernels, gets blocked by apparmor
tmpdir = g_get_tmp_dir
...
mfd = mkstemp(fname)
}
And you can see the errors:
From the host trying to send the virtual machine:
2016-08-15 16:36:26.160 1974 ERROR nova.virt.libvirt.driver
[req-0cac612b-8d53-4610-b773-d07ad6bacb91 691a581cfa7046278380ce82b1c38ddd
133ebc3585c041aebaead8c062cd6511 - - -] [instance:
2afa1131-bc8c-43d2-9c4a-962c1bf7723e] Migration operation has aborted
2016-08-15 16:36:26.248 1974 ERROR nova.virt.libvirt.driver
[req-0cac612b-8d53-4610-b773-d07ad6bacb91 691a581cfa7046278380ce82b1c38ddd
133ebc3585c041aebaead8c062cd6511 - - -] [instance:
2afa1131-bc8c-43d2-9c4a-962c1bf7723e] Live Migration failure: internal error:
unable to execute QEMU command 'migrate': Migration disabled: failed to
allocate shared memory
From the host trying to receive the virtual machine:
Aug 15 16:36:19 tkcompute01 kernel: [ 1194.356794] type=1400
audit(1471289779.791:72): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="libvirt-2afa1131-bc8c-43d2-9c4a-962c1bf7723e"
pid=12565 comm="apparmor_parser"
Aug 15 16:36:19 tkcompute01 kernel: [ 1194.357048] type=1400
audit(1471289779.791:73): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="qemu_bridge_helper" pid=12565 comm="apparmor_parser"
Aug 15 16:36:20 tkcompute01 kernel: [ 1194.877027] type=1400
audit(1471289780.311:74): apparmor="STATUS" operation="profile_replace"
profile="unconfined" name="libvirt-2afa1131-bc8c-43d2-9c4a-962c1bf7723e"
pid=12613 comm="apparmor_parser"
Aug 15 16:36:20 tkcompute01 kernel: [ 1194.904407] type=1400
audit(1471289780.343:75): apparmor="STATUS" operation="profile_replace"
profile="unconfined" name="qemu_bridge_helper" pid=12613 comm="apparmor_parser"
Aug 15 16:36:20 tkcompute01 kernel: [ 1194.973064] type=1400
audit(1471289780.407:76): apparmor="DENIED" operation="mknod"
profile="libvirt-2afa1131-bc8c-43d2-9c4a-962c1bf7723e" name="/tmp/memfd-tNpKSj"
pid=12625 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=107
ouid=107
Aug 15 16:36:20 tkcompute01 kernel: [ 1194.979871] type=1400
audit(1471289780.411:77): apparmor="DENIED" operation="open"
profile="libvirt-2afa1131-bc8c-43d2-9c4a-962c1bf7723e" name="/tmp/" pid=12625
comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
Aug 15 16:36:20 tkcompute01 kernel: [ 1194.979881] type=1400
audit(1471289780.411:78): apparmor="DENIED" operation="open"
profile="libvirt-2afa1131-bc8c-43d2-9c4a-962c1bf7723e" name="/var/tmp/"
pid=12625 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=107
ouid=0
When leaving libvirt without apparmor capabilities (thus not confining
virtual machines on compute nodes, the live migration works as
expected, so, clearly, apparmor is stepping into the live migration).
I'm sure that virtual machines have to be confined and that this isn't
the desired behaviour...
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1626972/+subscriptions
- [Qemu-devel] [Bug 1626972] Fwd: [PATCH] vhost: secure vhost shared log files using argv paremeter,
Rafael David Tinoco <=