touch-packages team mailing list archive
Message #123633
[Bug 1525310] [NEW] virsh with apparmor misconfigures libvirt-UUID files during snapshot
Public bug reported:
Reproducible: Yes, every time.
Background:
When you create a virtual machine (VM) under KVM/Qemu in Ubuntu,
apparmor files are created as:
/etc/apparmor.d/libvirt/libvirt-<UUID>
and
/etc/apparmor.d/libvirt/libvirt-<UUID>.files
And in the file /etc/apparmor.d/libvirt/libvirt-<UUID>.files there is
the line
"PATH_to_BLOCK_DEVICE" rw,
where PATH_to_BLOCK_DEVICE is the full path name of the image (e.g. something like /var/lib/libvirtd/images/asdf.qcow2)
and <UUID> is the UUID of the VM container.
The problem:
When creating a snapshot of a running VM under KVM/Qemu you run the
command
$ sudo virsh snapshot-create-as DOMAIN_NAME DESCRIPTION --no-metadata --disk-only --atomic
which creates a new file and stops writing to the old VM block device.
However: the old PATH_to_BLOCK_DEVICE in /etc/apparmor.d/libvirt/libvirt-UUID.files
is deleted and replaced with the new block device info BEFORE virsh is done
creating the snapshot. So you get the error
error: internal error: unable to execute QEMU command 'transaction':
Could not open 'PATH_to_BLOCK_DEVICE': Could not open
'PATH_to_BLOCK_DEVICE': Permission denied: Permission denied
and in /var/log/syslog you get the error:
type=1400 audit(1449752104.054:539): apparmor="DENIED" operation="open" profile="libvirt-<UUID>" name="PATH_to_BLOCK_DEVICE" pid=8710 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=106 ouid=106
When you look now at /etc/apparmor.d/libvirt/libvirt-<UUID>.files you
find that the line that was there
"PATH_to_BLOCK_DEVICE" rw,
has been replaced with
"PATH_to_BLOCK_DEVICE.DESCRIPTION" rw,
but you need BOTH LINES in order for the command "virsh snapshot-create-as"
to work (or at least have the old file have read permissions).
-----
Workarounds:
1. Disable apparmor for libvirtd
or
2. Change /etc/apparmor.d/libvirt/libvirt-<UUID> to look like this
----------
#
# This profile is for the domain whose UUID matches this file.
#
#include <tunables/global>
profile libvirt-UUID {
#include <abstractions/libvirt-qemu>
#include <libvirt/libvirt-UUID.files>
"PATH_to_BLOCK_DEVICE*" rw,
}
-----------
(So if the old line was
"/var/lib/libvirtd/images/asdf.qcow2" rw,
the line you can add would read something like this:
"/var/lib/libvirtd/images/asdf*" rw,
)
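The following is an added example, not code from the bug report or from libvirt or AppArmor. It assumes the libvirt-<UUID>.files profile contains only `"path" perms,` lines, and it uses a constructed UUID, constructed audit lines modelled on the DENIED syslog line above, and a constructed overlay name `asdf.qcow2.snap1` standing in for PATH_to_BLOCK_DEVICE.DESCRIPTION. It parses the profile, evaluates AppArmor-style globs the way AppArmor does (`*` stops at `/`, `**` crosses it), lists denied paths from syslog that no rule in the profile covers, and checks that every member of the disk's backing chain (old base image plus new overlay) is readable, which is the "both lines" condition described above. Running it against the post-snapshot profile shows the base image as the gap; running it against the same profile with the `asdf*` workaround rule shows none.

```python
"""Check a libvirt-<UUID>.files AppArmor profile against the paths a guest needs.

Added example (not from the bug report, libvirt or AppArmor). Assumes the
.files profile holds only `"path" perms,` lines and that {a,b} alternation
is not used in those rules.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the .files profile after the snapshot, as the report
# describes it, where only the new overlay path survives.
FILES_AFTER_SNAPSHOT = '''\
  "/var/lib/libvirtd/images/asdf.qcow2.snap1" rw,
  "/dev/net/tun" rw,
'''

# Constructed sample: the same profile with the report's workaround rule added.
FILES_WITH_WORKAROUND = FILES_AFTER_SNAPSHOT + '  "/var/lib/libvirtd/images/asdf*" rw,\n'

# Constructed UUID and audit lines modelled on the DENIED line in the report.
UUID = "11111111-2222-3333-4444-555555555555"
AUDIT_LOG = f'''\
type=1400 audit(1449752104.054:539): apparmor="DENIED" operation="open" profile="libvirt-{UUID}" name="/var/lib/libvirtd/images/asdf.qcow2" pid=8710 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=106 ouid=106
type=1400 audit(1449752104.055:540): apparmor="DENIED" operation="open" profile="libvirt-99999999-0000-0000-0000-000000000000" name="/tmp/other" pid=8711 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=106 ouid=106
Dec 10 13:35:04 host kernel: unrelated line
'''

RULE_RE = re.compile(r'^\s*"([^"]+)"\s+([a-zA-Z]+)\s*,\s*$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_file_rules(text: str) -> List[Tuple[str, str]]:
    """Return (glob, perms) for each `"path" perms,` rule in a .files profile."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def glob_to_regex(glob: str) -> "re.Pattern":
    """Translate AppArmor globbing: `*` matches anything except '/',
    `**` also crosses '/', `?` matches one non-'/' character."""
    parts: List[str] = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")
            i += 2
        elif glob[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def rule_covers(rules: List[Tuple[str, str]], path: str, wanted: str) -> bool:
    """True if some rule matches `path` and grants every permission in `wanted`."""
    return any(glob_to_regex(g).match(path) and set(wanted) <= set(p) for g, p in rules)


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key="value" fields of an AppArmor DENIED audit line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return dict(KV_RE.findall(line))


def uncovered_denials(files_text: str, audit_text: str, profile: str) -> List[str]:
    """Paths denied to `profile` for open() that no rule grants with the requested mask."""
    rules = parse_file_rules(files_text)
    missing = []
    for line in audit_text.splitlines():
        ev = parse_audit_line(line)
        if ev and ev.get("profile") == profile and ev.get("operation") == "open":
            if not rule_covers(rules, ev["name"], ev.get("requested_mask", "r")):
                missing.append(ev["name"])
    return missing


def missing_chain_paths(files_text: str, chain: List[str], wanted: str = "r") -> List[str]:
    """Members of a backing chain (base first, newest overlay last) the profile does not grant."""
    rules = parse_file_rules(files_text)
    return [p for p in chain if not rule_covers(rules, p, wanted)]


if __name__ == "__main__":
    chain = ["/var/lib/libvirtd/images/asdf.qcow2",
             "/var/lib/libvirtd/images/asdf.qcow2.snap1"]
    print("uncovered denials:", uncovered_denials(FILES_AFTER_SNAPSHOT, AUDIT_LOG, f"libvirt-{UUID}"))
    print("chain gaps:", missing_chain_paths(FILES_AFTER_SNAPSHOT, chain))
    print("chain gaps with workaround:", missing_chain_paths(FILES_WITH_WORKAROUND, chain))
```

The glob translation is the part worth getting right: a rule such as `"/var/lib/libvirtd/images/asdf*" rw,` covers both `asdf.qcow2` and `asdf.qcow2.DESCRIPTION` because `*` matches within one path component, while `"/var/lib/libvirtd/images/*"` would not cover anything in a subdirectory. Feeding the real `/var/log/syslog` and the real `.files` profile to `uncovered_denials` turns the Permission denied error above into a list of exactly which paths the profile lost.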
--------
Details on server:
# lsb_release -rd
Description: Ubuntu 14.04.3 LTS
Release: 14.04
# apt-cache policy apparmor
apparmor:
Installed: 2.8.95~2430-0ubuntu5.3
Candidate: 2.8.95~2430-0ubuntu5.3
Version table:
*** 2.8.95~2430-0ubuntu5.3 0
500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
100 /var/lib/dpkg/status
2.8.95~2430-0ubuntu5.1 0
500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
2.8.95~2430-0ubuntu5 0
500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
# apt-cache policy libvirt-bin
libvirt-bin:
Installed: 1.2.2-0ubuntu13.1.14
Candidate: 1.2.2-0ubuntu13.1.14
Version table:
*** 1.2.2-0ubuntu13.1.14 0
500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
100 /var/lib/dpkg/status
1.2.2-0ubuntu13.1.7 0
500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
1.2.2-0ubuntu13 0
500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
-----
Apologies if this is the wrong place to submit this bug.
** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Summary changed:
- virsh with apparmor misconfigures libvirtd-UUID files during snapshot
+ virsh with apparmor misconfigures libvirt-UUID files during snapshot
https://bugs.launchpad.net/bugs/1525310