libvirt: Ensure swtpm_ioctl is available for vTPM support

Libvirt uses swtpm_ioctl to terminate swtpm processes. If the binary does not exist, swtpm processes are kept running after the associated VM terminates, because QEMU does not send shutdown to swtpm. Closes-Bug: #2052761 Change-Id: I682f71512fc33a49b8dfe93894f144e48f33abe6
2024-02-09 12:16:45 +09:00
parent 7a7427691e
commit 9a11bb2523
3 changed files with 20 additions and 9 deletions
--- a/nova/tests/unit/virt/libvirt/test_driver.py
+++ b/nova/tests/unit/virt/libvirt/test_driver.py
@@ -1470,13 +1470,14 @@ class LibvirtConnTestCase(test.NoDBTestCase,
        exc = self.assertRaises(exception.InvalidConfiguration,
                                drvr.init_host, "dummyhost")
        self.assertIn(
-            "vTPM support is configured but one (or all) of the 'swtpm' "
-            "and 'swtpm_setup' binaries could not be found on PATH.",
+            "vTPM support is configured but some (or all) of the 'swtpm', "
+            "'swtpm_setup' and 'swtpm_ioctl' binaries could not be found "
+            "on PATH.",
            str(exc),
        )

        mock_which.assert_has_calls(
-            [mock.call('swtpm_setup')],
+            [mock.call('swtpm_ioctl')],
        )

    @mock.patch.object(host.Host, 'has_min_version', return_value=True)
@@ -1552,9 +1553,11 @@ class LibvirtConnTestCase(test.NoDBTestCase,
        drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), True)
        drvr.init_host('dummyhost')

-        mock_which.assert_has_calls(
-            [mock.call('swtpm_setup'), mock.call('swtpm')],
-        )
+        mock_which.assert_has_calls([
+            mock.call('swtpm_ioctl'),
+            mock.call('swtpm_setup'),
+            mock.call('swtpm')
+        ])

    @mock.patch.object(libvirt_driver.LOG, 'warning')
    def test_check_cpu_set_configuration__no_configuration(self, mock_log):
--- a/nova/virt/libvirt/driver.py
+++ b/nova/virt/libvirt/driver.py
@@ -1090,10 +1090,12 @@ class LibvirtDriver(driver.ComputeDriver):
        # NOTE(stephenfin): This checks using the PATH of the user running
        # nova-compute rather than the libvirtd service, meaning it's an
        # imperfect check but the best we can do
-        if not all(shutil.which(cmd) for cmd in ('swtpm_setup', 'swtpm')):
+        if not all(shutil.which(cmd) for cmd in (
+                'swtpm_ioctl', 'swtpm_setup', 'swtpm')):
            msg = _(
-                "vTPM support is configured but one (or all) of the 'swtpm' "
-                "and 'swtpm_setup' binaries could not be found on PATH.")
+                "vTPM support is configured but some (or all) of the 'swtpm', "
+                "'swtpm_setup' and 'swtpm_ioctl' binaries could not be found "
+                "on PATH.")
            raise exception.InvalidConfiguration(msg)

        # The user and group must be valid on this host for cold migration and
--- a/releasenotes/notes/bug-2052761-02a1f203c67f7124.yaml
+++ b/releasenotes/notes/bug-2052761-02a1f203c67f7124.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    The libvirt driver now ensures the ``swtpm_ioctl`` binary, which is used
+    to terminate swtpm processes, is present when ``[libvirt] swtpm_enabled``
+    is set to ``True``.