External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-12-22 05:35:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

qemu: Handle locking of TPM state directory for incoming migration

Browse Source 
By not attempting to lock the lock file, which would fail.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
This commit is contained in:
Andrea Bolognani 2024-10-02 11:10:08 +02:00
parent 454219ad6c
commit 7d6759135e
3 changed files with 28 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/qemu/qemu_security.c
View File

@ -551,7 +551,8 @@ qemuSecurityRestoreNetdevLabel(virQEMUDriver *driver,
int
qemuSecuritySetTPMLabels(virQEMUDriver *driver,
virDomainObj *vm,
bool setTPMStateLabel)
bool setTPMStateLabel,
bool lockMetadataException)
{
qemuDomainObjPrivate *priv = vm->privateData;
g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
@ -567,7 +568,7 @@ qemuSecuritySetTPMLabels(virQEMUDriver *driver,
if (virSecurityManagerTransactionCommit(driver->securityManager,
-1, priv->rememberOwner,
false) < 0)
lockMetadataException) < 0)
goto cleanup;
ret = 0;
@ -580,7 +581,8 @@ qemuSecuritySetTPMLabels(virQEMUDriver *driver,
int
qemuSecurityRestoreTPMLabels(virQEMUDriver *driver,
virDomainObj *vm,
bool restoreTPMStateLabel)
bool restoreTPMStateLabel,
bool lockMetadataException)
{
qemuDomainObjPrivate *priv = vm->privateData;
g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
@ -596,7 +598,7 @@ qemuSecurityRestoreTPMLabels(virQEMUDriver *driver,
if (virSecurityManagerTransactionCommit(driver->securityManager,
-1, priv->rememberOwner,
false) < 0)
lockMetadataException) < 0)
goto cleanup;
ret = 0;

6
src/qemu/qemu_security.h
View File

@ -87,11 +87,13 @@ int qemuSecurityRestoreNetdevLabel(virQEMUDriver *driver,
int qemuSecuritySetTPMLabels(virQEMUDriver *driver,
virDomainObj *vm,
bool setTPMStateLabel);
bool setTPMStateLabel,
bool lockMetadataException);
int qemuSecurityRestoreTPMLabels(virQEMUDriver *driver,
virDomainObj *vm,
bool restoreTPMStateLabel);
bool restoreTPMStateLabel,
bool lockMetadataException);
int qemuSecuritySetSavedStateLabel(virQEMUDriver *driver,
virDomainObj *vm,

21
src/qemu/qemu_tpm.c
View File

@ -934,6 +934,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver,
virTimeBackOffVar timebackoff;
const unsigned long long timeout = 1000; /* ms */
pid_t pid = -1;
bool lockMetadataException = false;
cfg = virQEMUDriverGetConfig(driver);
@ -959,7 +960,21 @@ qemuTPMEmulatorStart(virQEMUDriver *driver,
virCommandSetPidFile(cmd, pidfile);
virCommandSetErrorFD(cmd, &errfd);
if (qemuSecuritySetTPMLabels(driver, vm, true) < 0)
if (incomingMigration && qemuTPMHasSharedStorage(driver, vm->def)) {
/* If the TPM is being migrated over shared storage, we can't
* lock all files before labeling them: the source swtpm
* process is still holding on to the lock file, and it will
* only release it after negotiation with the target swtpm
* process, which we can't start until labeling has been
* performed.
*
* So we explicity request for the lock file not to be locked
* before labeling in this specific, narrow scenario in order
* to make migration possible at all */
lockMetadataException = true;
}
if (qemuSecuritySetTPMLabels(driver, vm, true, lockMetadataException) < 0)
return -1;
if (qemuSecurityCommandRun(driver, vm, cmd, cfg->swtpm_user,
@ -1008,7 +1023,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver,
virProcessKillPainfully(pid, true);
if (pidfile)
unlink(pidfile);
qemuSecurityRestoreTPMLabels(driver, vm, true);
qemuSecurityRestoreTPMLabels(driver, vm, true, lockMetadataException);
return -1;
}
@ -1144,7 +1159,7 @@ qemuExtTPMStop(virQEMUDriver *driver,
if (outgoingMigration && qemuTPMHasSharedStorage(driver, vm->def))
restoreTPMStateLabel = false;
if (qemuSecurityRestoreTPMLabels(driver, vm, restoreTPMStateLabel) < 0)
if (qemuSecurityRestoreTPMLabels(driver, vm, restoreTPMStateLabel, false) < 0)
VIR_WARN("Unable to restore labels on TPM state and/or log file");
}