Message #29183
[Bug 1677398] Re: Apparmor prevents using storage pools and hostdev networks
Hi Nicolas,
Yeah, that isn't easy to fix, and at least I didn't find the time to develop something completely new to cover this yet.
I challenge the statement "Even the default storage pool /var/lib/libvirt/images is not working"; it does, and it does well.
And for things that are under the control of Ubuntu in the Archive, even a few alternative paths work (openstack, uvtool, ...).
The issue you report is -not- using the default paths; the Deny lists
"/mnt/images/ubuntu-admin-qcow2", which clearly is not in one of the
common paths.
In general, for using uncommon paths [1] the solution is that an admin
has to declare those paths as allowed in a local apparmor include. So if
terraform would usually use /a/b/c, it should also either recommend the admin
to do so or even consider adding it to the files itself.
[1]: https://wiki.ubuntu.com/LibvirtApparmor#Using_uncommon_paths
** Changed in: libvirt (Ubuntu Xenial)
Status: Confirmed => Won't Fix
** Changed in: libvirt (Ubuntu Zesty)
Status: Confirmed => Won't Fix
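The denial lines in the report below carry everything an admin needs to write the local-include rule the reply refers to. The following is an added example, not code from the bug report or from the libvirt package: it parses apparmor="DENIED" kernel log lines, merges the denied masks per path, and emits AppArmor file rules in the form an admin would paste into the local include (the path /etc/apparmor.d/local/abstractions/libvirt-qemu is assumed from the linked wiki page; check your own package).

```python
import re
from collections import defaultdict

# Sample input: the two denial lines copied from the bug report (constructed
# test data for this example, not read from a live dmesg).
SAMPLE_DMESG = """\
apparmor="DENIED" operation="open" profile="libvirt-988a8c25-5190-4762-8170-55dc75fc66ca" name="/dev/zd224" pid=23052 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=109 ouid=109
apparmor="DENIED" operation="open" profile="libvirt-988a8c25-5190-4762-8170-55dc75fc66ca" name="/dev/zd224" pid=23052 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=109 ouid=109
"""

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Canonical letter order for an AppArmor file rule; audit masks also use
# 'c' (create) and 'd' (delete), which a file rule expresses as 'w'.
PERM_ORDER = "rwaklmx"
MASK_ALIAS = {"c": "w", "d": "w"}


def parse_denials(text):
    """Yield one dict of fields per apparmor="DENIED" line that names a path."""
    for line in text.splitlines():
        fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
                  for m in FIELD_RE.finditer(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            yield fields


def denied_paths(text):
    """Map (profile, path) -> set of permission letters that were denied."""
    out = defaultdict(set)
    for d in parse_denials(text):
        mask = {MASK_ALIAS.get(c, c) for c in d.get("denied_mask", "")}
        out[(d["profile"], d["name"])].update(mask)
    return out


def suggest_rules(text):
    """Return AppArmor file rules granting exactly the denied permissions.

    The per-guest libvirt-<UUID> profile is regenerated by libvirt, so the
    rule belongs in the admin's local include, which every guest profile
    pulls in; widen the path to a glob (e.g. "/dev/zd*") only if that is
    what the storage layout actually requires.
    """
    rules = []
    for (_profile, path), mask in sorted(denied_paths(text).items()):
        perms = "".join(c for c in PERM_ORDER if c in mask)
        rules.append(f'"{path}" {perms},')
    return rules


if __name__ == "__main__":
    print("# append to /etc/apparmor.d/local/abstractions/libvirt-qemu (assumed path)")
    print("\n".join(suggest_rules(SAMPLE_DMESG)))
```

After editing the include, reload the profiles (for example with `apparmor_parser -r` on the affected profile) and confirm with `dmesg` that the denial no longer appears when the guest starts.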
https://bugs.launchpad.net/bugs/1677398
Title:
Apparmor prevents using storage pools and hostdev networks
Status in libvirt package in Ubuntu:
Triaged
Status in libvirt source package in Xenial:
Won't Fix
Status in libvirt source package in Yakkety:
Won't Fix
Status in libvirt source package in Zesty:
Won't Fix
Bug description:
Apparmor prevents qemu-kvm guests from using ZFS volumes.
[Impact]
* storage pools are not usable.
Examples with zfs and LVM pools
[Test Case 1]
# Prep ZFS
1) Create a zpool
$ for i in $(seq 1 3); do dd if=/dev/zero of=/tmp/fdisk${i} bs=1M count=1024; done
$ sudo zpool create internal /tmp/fdisk*
2) Create a ZFS storage pool and volume (named like your zpool, "internal" here)
$ virsh pool-define-as internal zfs
$ virsh pool-start internal
$ virsh vol-create-as internal foo 2G
# prep LVM
4) prepare a (fake) LVM
$ for i in $(seq 1 3); do dd if=/dev/zero of=/tmp/lvdisk${i} bs=1M count=1024; done
$ sync
$ DISKS=$(for i in $(seq 1 3); do sudo losetup -f --show /tmp/lvdisk${i}; done)
$ sudo pvcreate --verbose $DISKS
$ sudo vgcreate --verbose testvg $DISKS
5) Create LVM Pool and volume
$ virsh pool-define-as testvg logical
$ virsh pool-start testvg
$ virsh vol-create-as testvg guest1 2G
# Prep Guest and use Pools
6) Create a KVM guest e.g. via uvtool
$ uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=xenial
$ ssh-keygen
$ uvt-kvm create --password=ubuntu testguest release=xenial arch=amd64 label=daily
7) Edit the guest's XML profile to use the ZFS and LVM volumes (zvol)
    <disk type='volume' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source pool='internal' volume='foo'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='volume' device='disk'>
      <driver name='qemu' type='raw'/>
      <source pool='testvg' volume='guest1'/>
      <!-- second disk needs its own target; two disks on 'vda' would be rejected -->
      <target dev='vdb' bus='virtio'/>
    </disk>
8) Start the guest
The guest refuses to start:
# virsh start nms
error: Failed to start domain foo
error: internal error: process exited while connecting to monitor: 2017-03-29T22:07:31.507017Z qemu-system-x86_64: -drive file=/dev/zvol/internal/foo,format=raw,if=none,id=drive-virtio-disk0,cache=none: Could not open '/dev/zvol/internal/foo': Permission denied
dmesg reveals the culprit:
apparmor="DENIED" operation="open" profile="libvirt-988a8c25-5190-4762-8170-55dc75fc66ca" name="/dev/zd224" pid=23052 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=109 ouid=109
apparmor="DENIED" operation="open" profile="libvirt-988a8c25-5190-4762-8170-55dc75fc66ca" name="/dev/zd224" pid=23052 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=109 ouid=109
Checking /etc/apparmor.d/libvirt/libvirt-$UUID.files shows that no
"/dev/zdXX" has been added.
[Additional info]
# lsb_release -rd
Description: Ubuntu 16.04.2 LTS
Release: 16.04
# apt-cache policy libvirt-bin apparmor linux-image-generic
libvirt-bin:
Installed: 1.3.1-1ubuntu10.8
Candidate: 1.3.1-1ubuntu10.8
Version table:
*** 1.3.1-1ubuntu10.8 500
500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
100 /var/lib/dpkg/status
1.3.1-1ubuntu10 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
apparmor:
Installed: 2.10.95-0ubuntu2.5
Candidate: 2.10.95-0ubuntu2.5
Version table:
*** 2.10.95-0ubuntu2.5 500
500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
100 /var/lib/dpkg/status
2.10.95-0ubuntu2 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
linux-image-generic:
Installed: 4.4.0.70.76
Candidate: 4.4.0.70.76
Version table:
*** 4.4.0.70.76 500
500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
100 /var/lib/dpkg/status
4.4.0.21.22 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: libvirt-bin 1.3.1-1ubuntu10.8
ProcVersionSignature: Ubuntu 4.4.0-70.91-generic 4.4.49
Uname: Linux 4.4.0-70-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
Date: Wed Mar 29 17:48:06 2017
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.default.libvirt-guests: [modified]
modified.conffile..etc.libvirt.qemu.conf: [modified]
modified.conffile..etc.libvirt.qemu.networks.default.xml: [modified]
mtime.conffile..etc.default.libvirt-guests: 2016-08-29T21:09:57.632048
mtime.conffile..etc.libvirt.qemu.conf: 2017-03-29T17:26:03.924234
mtime.conffile..etc.libvirt.qemu.networks.default.xml: 2016-04-23T19:24:13.505208