aims team mailing list archive

[Bug 1393842] Re: libvirt does not grant qemu-guest-agent channel perms

 

Hello Mark, or anyone else affected,

Accepted libvirt into trusty-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/libvirt/1.2.2-0ubuntu13.1.22 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-trusty to verification-done-trusty. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-trusty. In either case, details of your
testing will help us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: libvirt (Ubuntu Trusty)
       Status: In Progress => Fix Committed

** Tags removed: verification-failed
** Tags added: verification-needed verification-needed-trusty

-- 
You received this bug notification because you are a member of AIMS,
which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1393842

Title:
  libvirt does not grant qemu-guest-agent channel perms

Status in libvirt package in Ubuntu:
  Fix Released
Status in libvirt source package in Trusty:
  Fix Committed

Bug description:
  [Impact]

   * If one defines guest channels manually (xml) or via tools like virt-
     manager (there it defaults to add channels for some distros), then 
     starting the guest fails.
     There are two reasons:
     1. by default the base dir for the channels doesn't exist so the
        open fails
     2. further virt-aa-helper does not create a matching rule to allow
        access, so apparmor blocks

   * In later versions the paths are slightly different (better namespaced
     by guest name), but still similar. So this still can be considered 
     backporting the virt-aa-helper change, and making sure the base dir 
     exists (only needed in this old release) is a postinst change.

  [Test Case]

   * Create a libvirt based KVM guest on Artful the way you prefer
   * Add a guest channel to it by adding a snippet like:
      <channel type='unix'>
        <source mode='bind' />
        <target type='virtio' name='org.qemu.guest_agent.0'/>
      </channel>
   * Start the guest via e.g. virsh
   * Without the fix this fails, you'll see in strace a failed call to open
     the channel, but even if e.g. dirs are created then apparmor will block 
     the access.
   * With the fix installed the guest starts correctly

  [Regression Potential]

   * The patch is a backport and only a slight change to code that is used 
     quite some time (paths were different in Trusty). In any case it is 
     "adding" one more rule to open up apparmor. It should functionally not 
     regress by that, if anything one could consider it security risk, but 
     due to the guestname-namespacing in the rule now generated this should
     be safe - see the tail of comment #58 for some considerations on that.

   * The postinst change only runs if the dir is not existing, which should 
     ensure that no former unexpected setup makes the postinst fail

  [Other Info]
   
   * Tests on the issue itself look good based on a ppa, see comment #59

  
  ----


  =======================================
  1. Impact: cannot create a default RHEL7 vm in virt-manager
  2. fix: allow use of qemu-guest-agent channel
  3. test case: see in description below.  Create a VM in virt-manager specifying
     Linux os and RHEL7.
  4. Regression potential: there should be none.  We are only adding an
     apparmor permission for unix sockets which libvirt creates when needed
     for kvm vms.
  =======================================

  Create a new VM, choose Linux for OS type and Red Hat Enterprise Linux
  7 (or later) for Version. Proceed through the wizard leaving all other
  options unchanged. On clicking Finish, the following error is
  displayed:

  Unable to complete install: 'internal error: process exited while connecting to monitor: 2014-11-18T16:00:11.802430Z qemu-system-x86_64: -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0,server,nowait: Failed to bind socket: No such file or directory
  2014-11-18T16:00:11.802483Z qemu-system-x86_64: -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0,server,nowait: chardev: opening backend "socket" failed
  '

  Traceback (most recent call last):
    File "/usr/share/virt-manager/virtManager/asyncjob.py", line 91, in cb_wrapper
      callback(asyncjob, *args, **kwargs)
    File "/usr/share/virt-manager/virtManager/create.py", line 1820, in do_install
      guest.start_install(meter=meter)
    File "/usr/share/virt-manager/virtinst/guest.py", line 403, in start_install
      noboot)
    File "/usr/share/virt-manager/virtinst/guest.py", line 467, in _create_guest
      dom = self.conn.createLinux(start_xml or final_xml, 0)
    File "/usr/lib/python2.7/dist-packages/libvirt.py", line 3398, in createLinux
      if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
  libvirtError: internal error: process exited while connecting to monitor: 2014-11-18T16:00:11.802430Z qemu-system-x86_64: -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0,server,nowait: Failed to bind socket: No such file or directory
  2014-11-18T16:00:11.802483Z qemu-system-x86_64: -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0,server,nowait: chardev: opening backend "socket" failed

  ProblemType: Bug
  DistroRelease: Ubuntu 14.10
  Package: virt-manager 1:1.0.1-0ubuntu2
  ProcVersionSignature: Ubuntu 3.16.0-24.32-generic 3.16.4
  Uname: Linux 3.16.0-24-generic x86_64
  ApportVersion: 2.14.7-0ubuntu8
  Architecture: amd64
  CurrentDesktop: KDE
  Date: Tue Nov 18 15:55:59 2014
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2014-11-07 (11 days ago)
  InstallationMedia: Kubuntu 14.10 "Utopic Unicorn" - Release amd64 (20141022.1)
  PackageArchitecture: all
  SourcePackage: virt-manager
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1393842/+subscriptions
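
The two failure causes listed under [Impact] can be told apart from logs. The following is an added example, not part of the bug report or of libvirt: it classifies each qemu "Failed to bind socket" error as a missing base directory or an AppArmor denial. The "Permission denied" line, the kernel audit line, the profile name and the function names are constructed assumptions; only the first qemu line is quoted from the report.

```python
import re

# Constructed sample input. Line 1 of QEMU_STDERR is the error quoted in the
# bug report; line 2 and KERNEL_LOG are made up to show the AppArmor case.
QEMU_STDERR = """\
2014-11-18T16:00:11.802430Z qemu-system-x86_64: -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0,server,nowait: Failed to bind socket: No such file or directory
2014-11-18T16:05:02.000000Z qemu-system-x86_64: -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0,server,nowait: Failed to bind socket: Permission denied
"""
KERNEL_LOG = """\
audit: type=1400 audit(1416326702.000:42): apparmor="DENIED" operation="mknod" profile="libvirt-00000000-0000-0000-0000-000000000000" name="/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0" pid=1234 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
"""

BIND_RE = re.compile(
    r"-chardev socket,id=[^,]+,path=(?P<path>[^,]+),.*?: "
    r"Failed to bind socket: (?P<err>.+)$")
DENIED_RE = re.compile(
    r'apparmor="DENIED".*?profile="(?P<profile>[^"]+)".*?name="(?P<name>[^"]+)"')

def apparmor_denials(kernel_log):
    """Map each denied path to the set of AppArmor profiles that denied it."""
    denied = {}
    for line in kernel_log.splitlines():
        m = DENIED_RE.search(line)
        if m:
            denied.setdefault(m["name"], set()).add(m["profile"])
    return denied

def triage(qemu_stderr, kernel_log):
    """Return (socket path, cause, denying profiles) per bind failure."""
    denied = apparmor_denials(kernel_log)
    findings = []
    for line in qemu_stderr.splitlines():
        m = BIND_RE.search(line)
        if not m:
            continue
        path, err = m["path"], m["err"].strip()
        if err == "No such file or directory":
            cause = "missing-base-dir"      # cause 1: channel dir absent
        elif err == "Permission denied" and path in denied:
            cause = "apparmor-denied"       # cause 2: no matching profile rule
        else:
            cause = "other"
        findings.append((path, cause, sorted(denied.get(path, ()))))
    return findings

if __name__ == "__main__":
    for finding in triage(QEMU_STDERR, KERNEL_LOG):
        print(finding)
```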