From 9a11bb25238288139c4473d9d91bf365ed88f435 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Fri, 9 Feb 2024 12:16:45 +0900
Subject: [PATCH] libvirt: Ensure swtpm_ioctl is available for vTPM support

Libvirt uses swtpm_ioctl to terminate swtpm processes. If the binary does not exist, swtpm processes are kept running after the associated VM terminates, because QEMU does not send shutdown to swtpm.

Closes-Bug: #2052761
Change-Id: I682f71512fc33a49b8dfe93894f144e48f33abe6
---
 nova/tests/unit/virt/libvirt/test_driver.py | 15 +++++++++------
 nova/virt/libvirt/driver.py | 8 +++++---
 .../notes/bug-2052761-02a1f203c67f7124.yaml | 6 ++++++
 3 files changed, 20 insertions(+), 9 deletions(-)
 create mode 100644 releasenotes/notes/bug-2052761-02a1f203c67f7124.yaml

diff --git a/nova/tests/unit/virt/libvirt/test_driver.py b/nova/tests/unit/virt/libvirt/test_driver.py
index 660b671f2e..7f933d07cd 100644
--- a/nova/tests/unit/virt/libvirt/test_driver.py
+++ b/nova/tests/unit/virt/libvirt/test_driver.py
@@ -1470,13 +1470,14 @@ class LibvirtConnTestCase(test.NoDBTestCase,
 exc = self.assertRaises(exception.InvalidConfiguration,
 drvr.init_host, "dummyhost")
 self.assertIn(
- "vTPM support is configured but one (or all) of the 'swtpm' "
- "and 'swtpm_setup' binaries could not be found on PATH.",
+ "vTPM support is configured but some (or all) of the 'swtpm', "
+ "'swtpm_setup' and 'swtpm_ioctl' binaries could not be found "
+ "on PATH.",
 str(exc),
 )
 mock_which.assert_has_calls(
- [mock.call('swtpm_setup')],
+ [mock.call('swtpm_ioctl')],
 )
 
 @mock.patch.object(host.Host, 'has_min_version', return_value=True)
@@ -1552,9 +1553,11 @@ class LibvirtConnTestCase(test.NoDBTestCase,
 drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), True)
 drvr.init_host('dummyhost')
- mock_which.assert_has_calls(
- [mock.call('swtpm_setup'), mock.call('swtpm')],
- )
+ mock_which.assert_has_calls([
+ mock.call('swtpm_ioctl'),
+ mock.call('swtpm_setup'),
+ mock.call('swtpm')
+ ])
 
 @mock.patch.object(libvirt_driver.LOG, 'warning')
 def test_check_cpu_set_configuration__no_configuration(self, mock_log):
diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py
index 37613eb2c6..a49e82bb29 100644
--- a/nova/virt/libvirt/driver.py
+++ b/nova/virt/libvirt/driver.py
@@ -1090,10 +1090,12 @@ class LibvirtDriver(driver.ComputeDriver):
 # NOTE(stephenfin): This checks using the PATH of the user running
 # nova-compute rather than the libvirtd service, meaning it's an
 # imperfect check but the best we can do
- if not all(shutil.which(cmd) for cmd in ('swtpm_setup', 'swtpm')):
+ if not all(shutil.which(cmd) for cmd in (
+ 'swtpm_ioctl', 'swtpm_setup', 'swtpm')):
 msg = _(
- "vTPM support is configured but one (or all) of the 'swtpm' "
- "and 'swtpm_setup' binaries could not be found on PATH.")
+ "vTPM support is configured but some (or all) of the 'swtpm', "
+ "'swtpm_setup' and 'swtpm_ioctl' binaries could not be found "
+ "on PATH.")
 raise exception.InvalidConfiguration(msg)
 
 # The user and group must be valid on this host for cold migration and
diff --git a/releasenotes/notes/bug-2052761-02a1f203c67f7124.yaml b/releasenotes/notes/bug-2052761-02a1f203c67f7124.yaml
new file mode 100644
index 0000000000..7927ea1088
--- /dev/null
+++ b/releasenotes/notes/bug-2052761-02a1f203c67f7124.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ The libvirt driver now ensures the ``swtpm_ioctl`` binary, which is used
+ to terminate swtpm processes, is present when ``[libvirt] swtpm_enabled``
+ is set to ``True``.
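Review bot: The rewritten `mock_which.assert_has_calls([...])` drops the trailing comma the removed form carried (`],`), so `mock.call('swtpm')` is now the one element of a multi-line literal without one while the rest of this hunk keeps them; `mock.call('swtpm'),` restores the convention and keeps the next addition a one-line diff. Note also that `assert_has_calls` with a list asserts these three calls occur consecutively in exactly this order, so the test is now coupled to the tuple order `('swtpm_ioctl', 'swtpm_setup', 'swtpm')` in driver.py; if that coupling is intended, a one-line comment such as `# order mirrors the probe order in LibvirtDriver.init_host` would stop a future reader from "fixing" either side independently. The enclosing test method begins outside the hunk.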
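Review bot: Because `all()` short-circuits over `('swtpm_ioctl', 'swtpm_setup', 'swtpm')`, the new check stops at the first name `shutil.which` cannot resolve, and the raised message only says that "some (or all)" of the three are missing, so an operator hitting this after enabling vTPM (or after an upgrade that newly requires swtpm_ioctl) still has to probe PATH by hand to find out which binary is absent. Collecting the missing names and putting them in the InvalidConfiguration message makes the failure actionable at the cost of a few lines; the two assertions in test_driver.py would then follow the new wording. It is also worth recording in a comment why swtpm_ioctl is now required, since the name alone does not say so: `# swtpm_ioctl is what libvirt uses to shut swtpm down; without it swtpm processes outlive their guest (bug 2052761)`. init_host starts and ends outside the hunk.
```python
        # … unchanged: NOTE(stephenfin) comment about checking the nova-compute user's PATH …
        # swtpm_ioctl is what libvirt uses to shut swtpm down; without it
        # swtpm processes outlive their guest (bug 2052761), so require it too.
        missing = [
            cmd for cmd in ('swtpm_ioctl', 'swtpm_setup', 'swtpm')
            if not shutil.which(cmd)
        ]
        if missing:
            msg = _(
                "vTPM support is configured but the following binaries could "
                "not be found on PATH: %s") % ', '.join(missing)
            raise exception.InvalidConfiguration(msg)
```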