touch-packages team mailing list archive
Message #123634
[Bug 1525310] Re: virsh with apparmor misconfigures libvirt-UUID files during snapshot
** Description changed:
Reproducible: Yes, every time.
Background:
When you create a virtual machine (VM) under KVM/Qemu in Ubuntu,
apparmor files are created as:
/etc/apparmor.d/libvirt/libvirt-<UUID>
- and
+ and
/etc/apparmor.d/libvirt/libvirt-<UUID>.files
And in the file /etc/apparmor.d/libvirt/libvirt-<UUID>.files there is
the line
- "PATH_to_BLOCK_DEVICE" rw,
+ "PATH_to_BLOCK_DEVICE" rw,
- where PATH_to_BLOCK_DEVICE is the full path name of the image. ( E.g. something like /var/lib/libvirtd/images/asdf.qcow2)
- and <UUID> is the UUID of the VM container.
+ where PATH_to_BLOCK_DEVICE is the full path name of the image. ( E.g. something like /var/lib/libvirtd/images/asdf.qcow2)
+ and <UUID> is the UUID of the VM container.
The problem:
When creating a shapshot of a running VM under KVM/Qemu you run the
command
$ sudo virsh snapshot-create-as DOMAIN_NAME DESCRIPTION --no-
metadata --disk-only --atomic
which creates a new file and stops writing to the old VM block device.
However: the old PATH_to_BLOCK_DEVICE in /etc/apparmor.d/libvirt
/libvirt-UUID.files is deleted and replaced with the new block device
info BEFORE virsh is done creating the snapshot. So you get the error
error: internal error: unable to execute QEMU command 'transaction':
Could not open 'PATH_to_BLOCK_DEVICE': Could not open
'PATH_to_BLOCK_DEVICE': Permission denied: Permission denied
and in /var/log/syslog you get the error:
type=1400 audit(1449752104.054:539): apparmor="DENIED" operation="open"
profile="libvirt-<UUID>" name="PATH_to_BLOCK_DEVICE" pid=8710 comm
="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=106 ouid=106
+ When you look now at /etc/apparmor.d/libvirt/libvirt-<UUID>.files you
+ find that the line that was there
- When you look now at /etc/apparmor.d/libvirt/libvirt-<UUID>.files you find that the line that was there
+ "PATH_to_BLOCK_DEVICE" rw,
- "PATH_to_BLOCK_DEVICE" rw,
+ has been replaced with
+ "PATH_to_BLOCK_DEVICE.DESCRIPTION" rw,
- has been replaced with
-
- "PATH_to_BLOCK_DEVICE.DESCRIPTION" rw,
-
-
- but you need BOTH LINES. in order for the command "virsh snapshot-create-as" to work. (or at least have the old file have read permissions)
+ but you need BOTH LINES. in order for the command "virsh snapshot-
+ create-as" to work. (or at least have the old file have read
+ permissions)
-----
Workarounds:
1. Disable apparmor for libvirtd
- or
+ or
2. Change /etc/apparmor.d/libvirt/libvirt-<UUID> to look like this
+
----------
#
# This profile is for the domain whose UUID matches this file.
- #
-
+ #
+
#include <tunables/global>
-
+
profile libvirt-UUID {
- #include <abstractions/libvirt-qemu>
- #include <libvirt/libvirt-UUID.files>
-
- "PATH_to_BLOCK_DEVICE*" rw,
- }
+ #include <abstractions/libvirt-qemu>
+ #include <libvirt/libvirt-UUID.files>
+
+ "PATH_to_BLOCK_DEVICE*" rw,
+ }
-----------
+ (
+ So if the old line was
+ "/var/lib/libvirtd/images/asdf.qcow2" rw,
+ , the line you can add would read something like this
+
+ "/var/lib/libvirtd/images/asdf*" rw,
+
+ )
+ --------
Details on server:
# lsb_release -rd
Description: Ubuntu 14.04.3 LTS
Release: 14.04
-
# apt-cache policy apparmor
apparmor:
- Installed: 2.8.95~2430-0ubuntu5.3
- Candidate: 2.8.95~2430-0ubuntu5.3
- Version table:
- *** 2.8.95~2430-0ubuntu5.3 0
- 500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
- 100 /var/lib/dpkg/status
- 2.8.95~2430-0ubuntu5.1 0
- 500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
- 2.8.95~2430-0ubuntu5 0
- 500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
+ Installed: 2.8.95~2430-0ubuntu5.3
+ Candidate: 2.8.95~2430-0ubuntu5.3
+ Version table:
+ *** 2.8.95~2430-0ubuntu5.3 0
+ 500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
+ 100 /var/lib/dpkg/status
+ 2.8.95~2430-0ubuntu5.1 0
+ 500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
+ 2.8.95~2430-0ubuntu5 0
+ 500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
# apt-cache policy libvirt-bin
libvirt-bin:
- Installed: 1.2.2-0ubuntu13.1.14
- Candidate: 1.2.2-0ubuntu13.1.14
- Version table:
- *** 1.2.2-0ubuntu13.1.14 0
- 500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
- 100 /var/lib/dpkg/status
- 1.2.2-0ubuntu13.1.7 0
- 500 http://security.u buntu.com/ubuntu/ trusty-security/main amd64 Packages
- 1.2.2-0ubuntu13 0
- 500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
-
+ Installed: 1.2.2-0ubuntu13.1.14
+ Candidate: 1.2.2-0ubuntu13.1.14
+ Version table:
+ *** 1.2.2-0ubuntu13.1.14 0
+ 500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
+ 100 /var/lib/dpkg/status
+ 1.2.2-0ubuntu13.1.7 0
+ 500 http://security.u buntu.com/ubuntu/ trusty-security/main amd64 Packages
+ 1.2.2-0ubuntu13 0
+ 500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
-----
Apologies if this is the wrong place to submit this bug.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1525310
Title:
virsh with apparmor misconfigures libvirt-UUID files during snapshot
Status in apparmor package in Ubuntu:
New
Bug description:
Reproducible: Yes, every time.
Background:
When you create a virtual machine (VM) under KVM/Qemu in Ubuntu,
apparmor files are created as:
/etc/apparmor.d/libvirt/libvirt-<UUID>
and
/etc/apparmor.d/libvirt/libvirt-<UUID>.files
And in the file /etc/apparmor.d/libvirt/libvirt-<UUID>.files there is
the line
"PATH_to_BLOCK_DEVICE" rw,
where PATH_to_BLOCK_DEVICE is the full path name of the image (e.g. something like /var/lib/libvirtd/images/asdf.qcow2)
and <UUID> is the UUID of the VM container.
The problem:
When creating a snapshot of a running VM under KVM/Qemu you run the
command
$ sudo virsh snapshot-create-as DOMAIN_NAME DESCRIPTION --no-metadata --disk-only --atomic
which creates a new file and stops writing to the old VM block device.
However: the old PATH_to_BLOCK_DEVICE in /etc/apparmor.d/libvirt/libvirt-UUID.files
is deleted and replaced with the new block device info BEFORE virsh is
done creating the snapshot. So you get the error
error: internal error: unable to execute QEMU command 'transaction':
Could not open 'PATH_to_BLOCK_DEVICE': Could not open
'PATH_to_BLOCK_DEVICE': Permission denied: Permission denied
and in /var/log/syslog you get the error:
type=1400 audit(1449752104.054:539): apparmor="DENIED" operation="open" profile="libvirt-<UUID>" name="PATH_to_BLOCK_DEVICE" pid=8710 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=106 ouid=106
When you look now at /etc/apparmor.d/libvirt/libvirt-<UUID>.files you
find that the line that was there
"PATH_to_BLOCK_DEVICE" rw,
has been replaced with
"PATH_to_BLOCK_DEVICE.DESCRIPTION" rw,
but you need BOTH LINES in order for the command "virsh snapshot-create-as"
to work (or at least have the old file have read permissions).
-----
Workarounds:
1. Disable apparmor for libvirtd
or
2. Change /etc/apparmor.d/libvirt/libvirt-<UUID> to look like this
----------
#
# This profile is for the domain whose UUID matches this file.
#
#include <tunables/global>
profile libvirt-UUID {
#include <abstractions/libvirt-qemu>
#include <libvirt/libvirt-UUID.files>
"PATH_to_BLOCK_DEVICE*" rw,
}
-----------
(So if the old line was
"/var/lib/libvirtd/images/asdf.qcow2" rw,
the line you can add would read something like this:
"/var/lib/libvirtd/images/asdf*" rw,
)
--------
Details on server:
# lsb_release -rd
Description: Ubuntu 14.04.3 LTS
Release: 14.04
# apt-cache policy apparmor
apparmor:
Installed: 2.8.95~2430-0ubuntu5.3
Candidate: 2.8.95~2430-0ubuntu5.3
Version table:
*** 2.8.95~2430-0ubuntu5.3 0
500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
100 /var/lib/dpkg/status
2.8.95~2430-0ubuntu5.1 0
500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
2.8.95~2430-0ubuntu5 0
500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
# apt-cache policy libvirt-bin
libvirt-bin:
Installed: 1.2.2-0ubuntu13.1.14
Candidate: 1.2.2-0ubuntu13.1.14
Version table:
*** 1.2.2-0ubuntu13.1.14 0
500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
100 /var/lib/dpkg/status
1.2.2-0ubuntu13.1.7 0
500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
1.2.2-0ubuntu13 0
500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
-----
Apologies if this is the wrong place to submit this bug.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1525310/+subscriptions
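Added example, not code from the report, libvirt or AppArmor: a small Python checker that parses an AppArmor DENIED audit record like the one in the report, derives the narrowest rule that would have satisfied it (the exact path with only the requested mask, "r" here), reconciles a libvirt-<UUID>.files fragment against a list of such records, and produces the least-privilege form of the "BOTH LINES" the report asks for after a disk-only snapshot (old image read-only, since it is now only a backing file, new overlay read-write). The audit line, image path and snapshot name "snap1" are constructed stand-ins for the report's placeholders; the overlay name follows the <image>.<name> pattern the report observed, where the name is the second positional argument of snapshot-create-as (what the report calls DESCRIPTION). The glob matcher implements only AppArmor's "*" (one path component) and "**" (across "/").

```python
"""Added example (not code from the Launchpad report, libvirt or AppArmor):
derive the narrowest rule from an AppArmor DENIED audit record, check a
libvirt-<UUID>.files fragment against such records, and show why the glob in
workaround 2 grants more than the snapshot needs.  The audit line, paths and
snapshot name below are constructed to match the report's placeholders."""
import re
from typing import Dict, List, Tuple

# Constructed audit record shaped like the one quoted in the report.
SAMPLE_DENIAL = (
    'type=1400 audit(1449752104.054:539): apparmor="DENIED" operation="open" '
    'profile="libvirt-<UUID>" name="/var/lib/libvirtd/images/asdf.qcow2" '
    'pid=8710 comm="qemu-system-x86" requested_mask="r" denied_mask="r" '
    'fsuid=106 ouid=106'
)

# key=value or key="quoted value" pairs of an audit record
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# one file rule of a .files fragment, e.g.   "/path/img.qcow2" rw,
_RULE_RE = re.compile(r'^\s*"([^"]+)"\s+([a-z]+),\s*$')


def parse_denial(line: str) -> Dict[str, str]:
    """Split an AppArmor audit record into its key/value fields."""
    return {k: q or u for k, q, u in _KV_RE.findall(line)}


def rule_from_denial(fields: Dict[str, str]) -> str:
    """Narrowest rule that satisfies one denial: the exact path with exactly
    the requested mask ('r' for the backing file in the report), not 'rw'
    and not a glob."""
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        raise ValueError("not an AppArmor file-access denial")
    mask = fields.get("requested_mask") or fields["denied_mask"]
    return f'"{fields["name"]}" {mask},'


def apparmor_glob_matches(pattern: str, path: str) -> bool:
    """AppArmor file-rule globbing: '*' stays within one path component,
    '**' crosses '/'.  Character classes and {a,b} alternation are not
    needed for the rules on this page and are treated literally."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.fullmatch("".join(out), path) is not None


def parse_rules(fragment: str) -> List[Tuple[str, str]]:
    """Extract (path-glob, permissions) pairs from a .files fragment;
    comments, #include lines and profile braces are ignored."""
    return [m.groups() for m in map(_RULE_RE.match, fragment.splitlines()) if m]


def missing_rules(fragment: str, audit_lines: List[str]) -> List[str]:
    """Rules still needed: every denial whose path and mask no rule grants."""
    rules = parse_rules(fragment)
    missing = []
    for line in audit_lines:
        f = parse_denial(line)
        needed = set(f.get("requested_mask") or f["denied_mask"])
        if not any(apparmor_glob_matches(p, f["name"]) and needed <= set(perms)
                   for p, perms in rules):
            missing.append(rule_from_denial(f))
    return missing


def rules_after_disk_snapshot(image: str, snapshot: str) -> str:
    """What the fragment has to grant once 'snapshot-create-as --disk-only'
    has created <image>.<snapshot>: the old image is now only a backing file
    (read, which is all the denial above asked for) and the overlay is the
    file being written.  Least-privilege form of the report's 'BOTH LINES'."""
    return f'"{image}" r,\n"{image}.{snapshot}" rw,\n'


if __name__ == "__main__":
    # Fragment as libvirt rewrote it according to the report: overlay only.
    rewritten = '"/var/lib/libvirtd/images/asdf.qcow2.snap1" rw,\n'
    print("missing:", missing_rules(rewritten, [SAMPLE_DENIAL]))
    fixed = rules_after_disk_snapshot("/var/lib/libvirtd/images/asdf.qcow2", "snap1")
    print("fixed fragment:\n" + fixed)
    print("still missing:", missing_rules(fixed, [SAMPLE_DENIAL]))
    # Workaround 2's glob also admits unrelated images next to the one snapshotted.
    print(apparmor_glob_matches("/var/lib/libvirtd/images/asdf*",
                                "/var/lib/libvirtd/images/asdf-other.qcow2"))
```

Run against the glob from workaround 2, the matcher shows why that rule is wider than the fix needs: "/var/lib/libvirtd/images/asdf*" rw, also grants read-write on any sibling file whose name starts with asdf, whereas the two explicit rules grant read on the backing file and write only on the overlay. The check only reconciles a profile fragment against the denial log; the profile still has to be reloaded for a changed rule to take effect.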