
yahoo-eng-team team mailing list archive

[Bug 1665698] Re: /etc/qemu-ifup not allowed by apparmor


** Also affects: nova (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: nova (Ubuntu)
       Status: New => Triaged

** Changed in: nova (Ubuntu Yakkety)
       Status: New => Triaged

** Changed in: nova (Ubuntu)
   Importance: Undecided => High

** Changed in: nova (Ubuntu Yakkety)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1665698

Title:
  /etc/qemu-ifup not allowed by apparmor

Status in Ubuntu Cloud Archive:
  Invalid
Status in Ubuntu Cloud Archive newton series:
  Triaged
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) newton series:
  In Progress
Status in OpenStack Compute (nova) ocata series:
  In Progress
Status in libvirt package in Ubuntu:
  Fix Released
Status in nova package in Ubuntu:
  Invalid
Status in libvirt source package in Yakkety:
  Triaged
Status in nova source package in Yakkety:
  Triaged

Bug description:
  [Impact]

   * Please do note that this SRU statement is about the libvirt portion
     of it; this is a fix of essentially an API break from Xenial to
     Yakkety. This is independent of any decision in the Openstack context
     discussion about the change to drop specifying a path at all.

   * Before 9c17d665fdc5f (v1.3.2, which means 1.3.1 in Xenial for us) it
     was possible to have the following interface configuration:
         <interface type='ethernet'>
           <script path=''/>
         </interface>
     This resulted in -netdev tap,script=,.. Fortunately, qemu helped
     us to get away with this as it just ignored the empty script
     path. However, after the commit mentioned above it's libvirtd
     who is executing the script, unfortunately without special-casing
     an empty script path.

   * The fix adds the special casing that qemu had into libvirt's handling
     of the interface definition.

  [Test Case]

   * That is tricky, as the way openstack uses to shove that in
     seems not to care about XML validation as much as e.g. virsh does.
     Normally, adding a device like
         <interface type='ethernet'>
           <script path=''/>
           <model type='virtio'/>
         </interface>
     is, at least in xenial AND yakkety, blocked by the XML validation.
     But if trying to work around it like:
           <script path='&quot;&quot;'/>
     which gave "-netdev tap,script="",id=hostnet1" on yakkety, then
     the fix does not apply, as this is '""' and not ''.
     So to add the above you have to edit it in via --skip-validate like
     $ virsh edit --skip-validate zesty-on-x-test
     This on older libvirt gave: -netdev tap,script=,id=hostnet1
     which qemu understood as a nop. But newer libvirt refuses.

  
   * Error:
     error: Failed to start domain <name>
     error: Cannot find '' in path: No such file or directory

   * Expected:
     Starting the domain as-is without calling a script,
     but also without complaining about being empty.

  [Regression Potential]

   * Regression should be low because of:
     * The fix has been upstream for a while now without a follow-on fix
     * We are essentially going back to how it was
     * There is no case like "I had '' set in my setup but now it is
       a no-op which makes me fail", because if one had '' it failed until
       now.
   * The fix has been in zesty for a few days without new fallout being reported
   * It also passed several levels of testing (on the case and general
     regression testing)
   * Due to extra xml checks a device like path='' is not even definable.
     So only those who run --skip-validate or similar are affected in
     the first place.

  [Other Info]
   
   * n/a

  
  ----


  I have VMs failing to start with 2017-02-17 15:38:44.458 264015 ERROR
  nova.compute.manager [instance: 0c97ab16-2d30-43fa-b0e4-a064a842b5ed]
  libvirtError: internal error: process exited while connecting to
  monitor: 2017-02-17T15:38:43.907222Z qemu-system-x86_64: -netdev
  tap,ifname=tapf34ef99e-18,id=hostnet0,vhost=on,vhostfd=28: network
  script /etc/qemu-ifup failed with status 256

  Log excerpt:
  http://cdn.pasteraw.com/b3tw4cjefomfi3e9k09hvodrfun85z

  Seems to be that /etc/qemu-ifup is being blocked by apparmor:
  type=AVC msg=audit(1487347189.015:28536): apparmor="DENIED" operation="exec" profile="libvirt-4a03fea7-e966-48e4-80ac-aa138db67243" name="/etc/qemu-ifup" pid=285438 comm="qemu-system-x86" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
  type=PATH msg=audit(1487347189.015:28536): item=0 name="/etc/qemu-ifup" inode=66403 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

  root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# cat /etc/apparmor.d/libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243
  #
  # This profile is for the domain whose UUID matches this file.
  #

  #include <tunables/global>

  profile libvirt-4a03fea7-e966-48e4-80ac-aa138db67243 {
    #include <abstractions/libvirt-qemu>
    #include <libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243.files>

  }
  root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# cat /etc/apparmor.d/libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243.files
  # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
    "/var/log/libvirt/**/instance-00000008.log" w,
    "/var/lib/libvirt/qemu/domain-instance-00000008/monitor.sock" rw,
    "/var/run/libvirt/**/instance-00000008.pid" rwk,
    "/run/libvirt/**/instance-00000008.pid" rwk,
    "/var/run/libvirt/**/*.tunnelmigrate.dest.instance-00000008" rw,
    "/run/libvirt/**/*.tunnelmigrate.dest.instance-00000008" rw,
    "/var/lib/nova/instances/4a03fea7-e966-48e4-80ac-aa138db67243/console.log" rw,
    "/var/lib/nova/instances/4a03fea7-e966-48e4-80ac-aa138db67243/console.log" rw,
    # for qemu guest agent channel
    owner "/var/lib/libvirt/qemu/channel/target/domain-instance-00000008/**" rw,
    /dev/vhost-net rw,

  root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# dpkg -S libvirt-qemu
  libvirt-bin: /etc/apparmor.d/abstractions/libvirt-qemu

  root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# dpkg -l libvirt-bin
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name                                      Version                   Architecture              Description
  +++-=========================================-=========================-=========================-=======================================================================================
  ii  libvirt-bin                               1.3.1-1ubuntu10.6~cloud0  amd64                     programs for the libvirt library

  Seeing identical behavior on Xenial
  ubuntu@ubuntu-xenial-5165:~$ dpkg -l libvirt-bin
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name                                      Version                   Architecture              Description
  +++-=========================================-=========================-=========================-=======================================================================================
  ii  libvirt-bin                               1.3.1-1ubuntu10.8         amd64                     programs for the libvirt library

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1665698/+subscriptions
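The AppArmor denial quoted in the bug report is the kind of event an operator wants to pick out of the audit log automatically: a per-domain libvirt profile (`libvirt-<domain uuid>`) refusing to let the qemu process execute a network script. The following Python script is an added example, not code from the bug report, nova or libvirt. It parses Linux audit records into key/value fields, keeps only AppArmor `DENIED` events from `libvirt-*` profiles whose denied mask includes execute, and reports the domain UUID and path involved. The two audit lines are taken from the report above; the third sample line is constructed to show that non-exec denials are filtered out.

```python
import re
from typing import Dict, List, Optional

# Audit records are space-separated key=value pairs; values may be double-quoted.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: the first two lines are the audit records quoted in the bug
# report; the third is a constructed read denial (not from the report) used
# to show that only exec denials are flagged.
SAMPLE_LOG = [
    'type=AVC msg=audit(1487347189.015:28536): apparmor="DENIED" operation="exec" '
    'profile="libvirt-4a03fea7-e966-48e4-80ac-aa138db67243" name="/etc/qemu-ifup" '
    'pid=285438 comm="qemu-system-x86" requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
    'type=PATH msg=audit(1487347189.015:28536): item=0 name="/etc/qemu-ifup" inode=66403 '
    'dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    # constructed example line, not from the bug report
    'type=AVC msg=audit(1487347200.000:28600): apparmor="DENIED" operation="open" '
    'profile="libvirt-4a03fea7-e966-48e4-80ac-aa138db67243" name="/tmp/constructed-example" '
    'pid=285438 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one audit log line into a dict of field -> value, quotes stripped."""
    return {key: value.strip('"') for key, value in _KV_RE.findall(line)}


def libvirt_exec_denial(line: str) -> Optional[Dict[str, str]]:
    """Return details if the line is an AppArmor exec denial from a libvirt
    per-domain profile, otherwise None."""
    rec = parse_audit_record(line)
    if rec.get("type") != "AVC" or rec.get("apparmor") != "DENIED":
        return None
    profile = rec.get("profile", "")
    if not profile.startswith("libvirt-"):
        return None
    # Only execution denials ("x" in the denied mask) are of interest here.
    if "x" not in rec.get("denied_mask", ""):
        return None
    return {
        "domain_uuid": profile[len("libvirt-"):],
        "path": rec.get("name", ""),
        "comm": rec.get("comm", ""),
        "pid": rec.get("pid", ""),
        # msg looks like "audit(<epoch>:<serial>):"; drop the trailing colon.
        "audit_id": rec.get("msg", "").rstrip(":"),
    }


def scan_audit_log(lines: List[str]) -> List[Dict[str, str]]:
    """Collect every libvirt exec denial found in the given audit lines."""
    found = []
    for line in lines:
        hit = libvirt_exec_denial(line)
        if hit is not None:
            found.append(hit)
    return found


def summarize(denials: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group denied paths by domain UUID so one VM with many retries is one entry."""
    by_domain: Dict[str, List[str]] = {}
    for d in denials:
        paths = by_domain.setdefault(d["domain_uuid"], [])
        if d["path"] not in paths:
            paths.append(d["path"])
    return by_domain


if __name__ == "__main__":
    for uuid, paths in summarize(scan_audit_log(SAMPLE_LOG)).items():
        print(f"domain {uuid}: exec denied for {', '.join(paths)}")
```

Feeding the real `/var/log/audit/audit.log` (or `journalctl -k` output containing the same records) through `scan_audit_log` gives a per-domain list of blocked executables; in the case on this page the entry would be the domain UUID `4a03fea7-e966-48e4-80ac-aa138db67243` with `/etc/qemu-ifup`, which points straight at the interface definition asking libvirt to run a network script that the profile does not permit.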