# left my old dirs as-is (bad setup intentionally) after upgrade
$ dpkg -l libvirt-bin | tee
ii libvirt-bin 1.2.2-0ubuntu13.1.22
$ virsh start kvmguest-testgachannel
testgachannel.org.qemu.guest_agent.0,server,nowait: Failed to bind socket: Permission denied
$ ll /var/lib/libvirt/qemu/
drwxr-xr-x 3 ubuntu ubuntu 4096 Aug 28 11:12 channel/
drwxr-xr-x 2 ubuntu kvm 4096 Aug 28 11:19 target/

# Installs the dirs correctly if not avail (Default case)
$ rm -rf /var/lib/libvirt/qemu/channel
$ apt install --reinstall libvirt-bin
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libfreetype6 os-prober
Use 'apt-get autoremove' to remove them.
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 0 B/2070 kB of archives.
After this operation, 0 B of additional disk space will be used.
(Reading database ... 28258 files and directories currently installed.)
Preparing to unpack .../libvirt-bin_1.2.2-0ubuntu13.1.22_amd64.deb ...
libvirt-bin stop/waiting
Unpacking libvirt-bin (1.2.2-0ubuntu13.1.22) over (1.2.2-0ubuntu13.1.22) ...
Processing triggers for libc-bin (2.19-0ubuntu6.13) ...
Processing triggers for man-db (2.6.7.1-1ubuntu1) ...
Processing triggers for ureadahead (0.100.0-16) ...
Setting up libvirt-bin (1.2.2-0ubuntu13.1.22) ...
libvirt-bin start/running, process 28874
Setting up libvirt-bin dnsmasq configuration.
$ ll /var/lib/libvirt/qemu/channel/target/
total 8
drwxr-xr-x 2 libvirt-qemu kvm 4096 Sep 8 07:23 ./
drwxr-xr-x 3 libvirt-qemu kvm 4096 Sep 8 07:23 ../

# Now starting fine
$ virsh start kvmguest-testgachannel
Domain kvmguest-testgachannel started

# Rule created with namespace
$ grep target /etc/apparmor.d/libvirt/libvirt-4ec6a091-8aef-4bab-b8a4-ca46e91ed18f.files
owner "/var/lib/libvirt/qemu/channel/target/kvmguest-testgachannel.**" rw,

** Tags removed: utopic verification-needed verification-needed-trusty
** Tags added: verification-done verification-done-trusty

https://bugs.launchpad.net/bugs/1393842

Title:
  libvirt does not grant qemu-guest-agent channel perms

Status in libvirt package in Ubuntu:
  Fix Released
Status in libvirt source package in Trusty:
  Fix Committed

Bug description:
  [Impact]

   * If one defines guest channels manually (xml) or via tools like
     virt-manager (there it defaults to add channels for some distros),
     then starting the guest fails. There are two reasons:
     1. by default the base dir for the channels doesn't exist so the open fails
     2. further virt-aa-helper does not create a matching rule to allow access, so apparmor blocks

   * In later versions the paths are slightly different (better
     namespaced by guest name), but still similar. So this still can be
     considered backporting the virt-aa-helper change, and making sure
     the base dir exists (only needed in this old release) is a postinst
     change.

  [Test Case]

   * Create a libvirt based KVM guest on Trusty the way you prefer
   * Add a guest channel to it by adding a snippet like:
       <channel type='unix'>
         <source mode='bind' />
         <target type='virtio' name='org.qemu.guest_agent.0'/>
       </channel>
   * Start the guest via e.g. virsh
   * Without the fix this fails, you'll see in strace a failed call to
     open the channel, but even if e.g. dirs are created then apparmor
     will block the access.
   * With the fix installed the guest starts correctly

  [Regression Potential]

   * The patch is a backport and only a slight change to code that has
     been used for quite some time (paths were different in Trusty). In
     any case it is "adding" one more rule to open up apparmor. It should
     functionally not regress by that, if anything one could consider it
     a security risk, but due to the guestname-namespacing in the rule
     now generated this should be safe - see the tail of comment #58 for
     some considerations on that.
   * The postinst change only runs if the dir is not existing, which
     should ensure that no former unexpected setup makes the postinst
     fail

  [Other Info]

   * Tests on the issue itself look good based on a ppa, see comment #59

  ----

  =======================================
  1. Impact: cannot create a default RHEL7 vm in virt-manager
  2. fix: allow use of qemu-guest-agent channel
  3. test case: see in description below. Create a VM in virt-manager specifying Linux os and RHEL7.
  4. Regression potential: there should be none. We are only adding an apparmor permission for unix sockets which libvirt creates when needed for kvm vms.
  =======================================

  Create a new VM, choose Linux for OS type and Red Hat Enterprise Linux
  7 (or later) for Version. Proceed through the wizard leaving all other
  options unchanged. On clicking Finish, the following error is
  displayed:

  Unable to complete install: 'internal error: process exited while connecting to monitor: 2014-11-18T16:00:11.802430Z qemu-system-x86_64: -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0,server,nowait: Failed to bind socket: No such file or directory
  2014-11-18T16:00:11.802483Z qemu-system-x86_64: -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0,server,nowait: chardev: opening backend "socket" failed
  '

  Traceback (most recent call last):
    File "/usr/share/virt-manager/virtManager/asyncjob.py", line 91, in cb_wrapper
      callback(asyncjob, *args, **kwargs)
    File "/usr/share/virt-manager/virtManager/create.py", line 1820, in do_install
      guest.start_install(meter=meter)
    File "/usr/share/virt-manager/virtinst/guest.py", line 403, in start_install
      noboot)
    File "/usr/share/virt-manager/virtinst/guest.py", line 467, in _create_guest
      dom = self.conn.createLinux(start_xml or final_xml, 0)
    File "/usr/lib/python2.7/dist-packages/libvirt.py", line 3398, in createLinux
      if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
  libvirtError: internal error: process exited while connecting to monitor: 2014-11-18T16:00:11.802430Z qemu-system-x86_64: -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0,server,nowait: Failed to bind socket: No such file or directory
  2014-11-18T16:00:11.802483Z qemu-system-x86_64: -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0,server,nowait: chardev: opening backend "socket" failed

  ProblemType: Bug
  DistroRelease: Ubuntu 14.10
  Package: virt-manager 1:1.0.1-0ubuntu2
  ProcVersionSignature: Ubuntu 3.16.0-24.32-generic 3.16.4
  Uname: Linux 3.16.0-24-generic x86_64
  ApportVersion: 2.14.7-0ubuntu8
  Architecture: amd64
  CurrentDesktop: KDE
  Date: Tue Nov 18 15:55:59 2014
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2014-11-07 (11 days ago)
  InstallationMedia: Kubuntu 14.10 "Utopic Unicorn" - Release amd64 (20141022.1)
  PackageArchitecture: all
  SourcePackage: virt-manager
  UpgradeStatus: No upgrade log present (probably fresh install)
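
Added example, not part of the bug report or of libvirt: a shell check for the guest-name namespacing discussed under [Regression Potential], meant for per-guest fragments like the /etc/apparmor.d/libvirt/libvirt-<uuid>.files file shown in the verification. The function name classify_channel_rules and the sample fragments are constructed for illustration; only the channel directory and the namespaced rule line come from the report.

```shell
#!/bin/sh
# Added example: classify the guest-agent channel rules found in a per-guest
# AppArmor ".files" fragment. classify_channel_rules is a hypothetical helper.
CHANNEL_DIR="/var/lib/libvirt/qemu/channel/target"

# classify_channel_rules GUEST PROFILE_FILE -> prints one of:
#   namespaced  every rule under CHANNEL_DIR starts with "GUEST."
#   broad       some rule under CHANNEL_DIR is not tied to this guest
#   missing     no rule under CHANNEL_DIR (the socket bind would be denied)
classify_channel_rules() {
    guest=$1 profile=$2 result=missing
    # Drop comment lines, then extract each path that lies under CHANNEL_DIR.
    paths=$(grep -v '^[[:space:]]*#' "$profile" |
            grep -o "${CHANNEL_DIR}[^\"[:space:],]*" || true)
    # Read line by line so the "**" globs are never expanded by the shell.
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        case $p in
            "$CHANNEL_DIR/$guest."*) [ "$result" = broad ] || result=namespaced ;;
            *) result=broad ;;
        esac
    done <<EOF
$paths
EOF
    echo "$result"
}

# Constructed sample fragments; only the namespaced rule is from the report.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.files" <<'EOF'
  "/var/log/libvirt/**/kvmguest-testgachannel.log" w,
  owner "/var/lib/libvirt/qemu/channel/target/kvmguest-testgachannel.**" rw,
EOF
cat > "$demo_dir/broad.files" <<'EOF'
  owner "/var/lib/libvirt/qemu/channel/target/**" rw,
EOF
cat > "$demo_dir/none.files" <<'EOF'
  "/var/log/libvirt/**/kvmguest-testgachannel.log" w,
EOF

for f in good broad none; do
    printf '%s: %s\n' "$f" \
        "$(classify_channel_rules kvmguest-testgachannel "$demo_dir/$f.files")"
done
```

A "broad" result means the fragment lets this guest's qemu process reach channel sockets that do not carry its own name prefix; "missing" corresponds to the pre-fix behaviour described in the report.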

