Package: libvirt-daemon-system
Version: 3.0.0-4
Severity: important

Dear Maintainer,
First of all, thanks a lot for taking care of libvirt in Debian!

Now, systemd may be a bit, shall we say, opinionated WRT resources it thinks it has to manage and resources other processes create. libvirt knows how to talk to systemd, at least regarding control groups, to let it know that the cgroups it creates for the virtual machines are real and should not be removed upon a daemon-reload, as described in e.g. https://bugs.debian.org/777601

The problem is that libvirt mainly knows how to talk to systemd-machined, and if that is not installed, then libvirt cannot let systemd know about the newly-created cgroups.

We actually observed this happening in a StorPool distributed storage customer installation:

- several VM instances created in their own cgroups
- a new system service installed, systemd reloaded
- the VM cgroups removed, VM instances moved to the root cgroup

Unfortunately, this posed a problem for our installation, since StorPool uses control groups to protect its services, and its operation depends on all processes being in the cgroups they belong in. Randomly moving processes to the (unconstrained) root cgroup is not really expected or desirable behavior.

Installing the systemd-container package helped, as it installed the systemd-machined service, and libvirt was now able to let it know about the per-instance cgroups.

My suggestion would be to add a Recommends on either systemd-container or possibly another package that makes sure that systemd-machined is installed and usable by libvirt. Of course, I do realize that not all users of libvirt may wish to run it on a systemd-based Debian installation, but I think that people who know how to switch the init system would also know how to disable the automatic installation of recommended packages.

Of course, this is just a suggestion to get the ball rolling towards some kind of solution; we'd be happy to look at any alternatives if this is not deemed the best way forward.
Thanks once again for your work on libvirt and Debian in general!

Best regards,
Peter

-- 
Peter Pentchev  [email protected] [email protected] [email protected]
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/32 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libvirt-daemon-system depends on:
ii  adduser                 3.115
ii  debconf [debconf-2.0]   1.5.61
ii  gettext-base            0.19.8.1-2
ii  init-system-helpers     1.48
ii  iptables                1.6.0+snapshot20161117-6
ii  libapparmor1            2.11.0-3
ii  libaudit1               1:2.6.7-2
ii  libblkid1               2.29.2-1
ii  libc6                   2.24-11+deb9u1
ii  libcap-ng0              0.7.7-3+b1
ii  libdbus-1-3             1.10.22-0+deb9u1
ii  libdevmapper1.02.1      2:1.02.137-2
ii  libnl-3-200             3.2.27-2
ii  libnl-route-3-200       3.2.27-2
ii  libnuma1                2.0.11-2.1
ii  librados2               10.2.5-7.2
ii  librbd1                 10.2.5-7.2
ii  libselinux1             2.6-3+b3
ii  libvirt-clients         3.0.0-4
ii  libvirt-daemon          3.0.0-4
ii  libvirt0                3.0.0-4
ii  libxml2                 2.9.4+dfsg1-2.2+deb9u1
ii  libyajl2                2.1.0-2+b3
ii  logrotate               3.11.0-0.1
ii  lsb-base                9.20161125
ii  policykit-1             0.105-18

Versions of packages libvirt-daemon-system recommends:
ii  bridge-utils            1.5-13+deb9u1
ii  dmidecode               3.0-4
ii  dnsmasq-base            2.76-5+deb9u1
ii  ebtables                2.0.10.4-3.5+b1
ii  iproute2                4.9.0-1
ii  parted                  3.2-17

Versions of packages libvirt-daemon-system suggests:
pn  apparmor                <none>
pn  auditd                  <none>
pn  nfs-common              <none>
pn  pm-utils                <none>
pn  radvd                   <none>
ii  systemd                 232-25+deb9u1
pn  systemtap               <none>
pn  zfsutils                <none>

-- Configuration Files:
/etc/apparmor.d/abstractions/libvirt-qemu changed:
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  # required for reading disk images
  capability dac_override,
  capability dac_read_search,
  capability chown,

  # needed to drop privileges
  capability setgid,
  capability setuid,

  network inet stream,
  network inet6 stream,

  /dev/net/tun rw,
  /dev/kvm rw,
  /dev/ptmx rw,
  /dev/kqemu rw,
  @{PROC}/*/status r,
  # Per man(5) proc, the kernel enforces that a thread may
  # only modify its comm value or those in its thread group.
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  @{PROC}/sys/kernel/cap_last_cap r,

  # For hostdev access. The actual devices will be added dynamically
  /sys/bus/usb/devices/ r,
  /sys/devices/**/usb[0-9]*/** r,

  # WARNING: this gives the guest direct access to host hardware and specific
  # portions of shared memory. This is required for sound using ALSA with kvm,
  # but may constitute a security risk. If your environment does not require
  # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
  # the rules for files in /dev.
  /{dev,run}/shm r,
  /{dev,run}/shmpulse-shm* r,
  /{dev,run}/shmpulse-shm* rwk,
  /dev/snd/* rw,
  capability ipc_lock,
  # spice
  owner /{dev,run}/shm/spice.* rw,
  # 'kill' is not required for sound and is a security risk. Do not enable
  # unless you absolutely need it.
  deny capability kill,

  # Uncomment the following if you need access to /dev/fb*
  #/dev/fb* rw,

  /etc/pulse/client.conf r,
  @{HOME}/.pulse-cookie rwk,
  owner /root/.pulse-cookie rwk,
  owner /root/.pulse/ rw,
  owner /root/.pulse/* rw,
  /usr/share/alsa/** r,
  owner /tmp/pulse-*/ rw,
  owner /tmp/pulse-*/* rw,
  /var/lib/dbus/machine-id r,

  # access to firmware's etc
  /usr/share/kvm/** r,
  /usr/share/qemu/** r,
  /usr/share/qemu-kvm/** r,
  /usr/share/bochs/** r,
  /usr/share/openbios/** r,
  /usr/share/openhackware/** r,
  /usr/share/proll/** r,
  /usr/share/vgabios/** r,
  /usr/share/seabios/** r,
  /usr/share/ovmf/** r,
  /usr/share/OVMF/** r,

  # access PKI infrastructure
  /etc/pki/libvirt-vnc/** r,

  # the various binaries
  /usr/bin/kvm rmix,
  /usr/bin/qemu rmix,
  /usr/bin/qemu-kvm rmix,
  /usr/bin/qemu-system-aarch64 rmix,
  /usr/bin/qemu-system-alpha rmix,
  /usr/bin/qemu-system-arm rmix,
  /usr/bin/qemu-system-cris rmix,
  /usr/bin/qemu-system-i386 rmix,
  /usr/bin/qemu-system-lm32 rmix,
  /usr/bin/qemu-system-m68k rmix,
  /usr/bin/qemu-system-microblaze rmix,
  /usr/bin/qemu-system-microblazeel rmix,
  /usr/bin/qemu-system-mips rmix,
  /usr/bin/qemu-system-mips64 rmix,
  /usr/bin/qemu-system-mips64el rmix,
  /usr/bin/qemu-system-mipsel rmix,
  /usr/bin/qemu-system-moxie rmix,
  /usr/bin/qemu-system-or32 rmix,
  /usr/bin/qemu-system-ppc rmix,
  /usr/bin/qemu-system-ppc64 rmix,
  /usr/bin/qemu-system-ppcemb rmix,
  /usr/bin/qemu-system-s390x rmix,
  /usr/bin/qemu-system-sh4 rmix,
  /usr/bin/qemu-system-sh4eb rmix,
  /usr/bin/qemu-system-sparc rmix,
  /usr/bin/qemu-system-sparc64 rmix,
  /usr/bin/qemu-system-tricore rmix,
  /usr/bin/qemu-system-unicore32 rmix,
  /usr/bin/qemu-system-x86_64 rmix,
  /usr/bin/qemu-system-xtensa rmix,
  /usr/bin/qemu-system-xtensaeb rmix,
  /usr/bin/qemu-aarch64 rmix,
  /usr/bin/qemu-alpha rmix,
  /usr/bin/qemu-arm rmix,
  /usr/bin/qemu-armeb rmix,
  /usr/bin/qemu-cris rmix,
  /usr/bin/qemu-i386 rmix,
  /usr/bin/qemu-m68k rmix,
  /usr/bin/qemu-microblaze rmix,
  /usr/bin/qemu-microblazeel rmix,
  /usr/bin/qemu-mips rmix,
  /usr/bin/qemu-mips64 rmix,
  /usr/bin/qemu-mips64el rmix,
  /usr/bin/qemu-mipsel rmix,
  /usr/bin/qemu-mipsn32 rmix,
  /usr/bin/qemu-mipsn32el rmix,
  /usr/bin/qemu-nbd rmix,
  /usr/bin/qemu-or32 rmix,
  /usr/bin/qemu-ppc rmix,
  /usr/bin/qemu-ppc64 rmix,
  /usr/bin/qemu-ppc64abi32 rmix,
  /usr/bin/qemu-ppc64le rmix,
  /usr/bin/qemu-s390x rmix,
  /usr/bin/qemu-sh4 rmix,
  /usr/bin/qemu-sh4eb rmix,
  /usr/bin/qemu-sparc rmix,
  /usr/bin/qemu-sparc32plus rmix,
  /usr/bin/qemu-sparc64 rmix,
  /usr/bin/qemu-unicore32 rmix,
  /usr/bin/qemu-x86_64 rmix,
  /usr/{lib,lib64}/qemu/block-curl.so mr,
  /usr/{lib,lib64}/qemu/block-rbd.so mr,

  # for save and resume
  /{usr/,}bin/dash rmix,
  /{usr/,}bin/dd rmix,
  /{usr/,}bin/cat rmix,

  # for restore
  /{usr/,}bin/bash rmix,

  # for usb access
  /dev/bus/usb/ r,
  /etc/udev/udev.conf r,
  /sys/bus/ r,
  /sys/class/ r,

  /srv/** rw,
  /var/lib/one/datastores/** rw,
  /srv/** rwk,
  /var/lib/one/datastores/** rwk,

/etc/libvirt/nwfilter/allow-arp.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh nwfilter-edit allow-arp
or other application using the libvirt API.
-->
<filter name='allow-arp' chain='arp' priority='-500'>
  <uuid>5a1774fd-ab9d-4f34-a834-b68595db2582</uuid>
  <rule action='accept' direction='inout' priority='500'/>
</filter>

/etc/libvirt/nwfilter/allow-dhcp-server.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh nwfilter-edit allow-dhcp-server
or other application using the libvirt API.
-->
<filter name='allow-dhcp-server' chain='ipv4' priority='-700'>
  <uuid>4ce75d99-2d34-474e-b69b-4057b15d6fe2</uuid>
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>
  <rule action='accept' direction='in' priority='100'>
    <ip srcipaddr='$DHCPSERVER' protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
</filter>

/etc/libvirt/nwfilter/allow-dhcp.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh nwfilter-edit allow-dhcp
or other application using the libvirt API.
-->
<filter name='allow-dhcp' chain='ipv4' priority='-700'>
  <uuid>7314995c-76d8-4a32-a695-02768ce82ae7</uuid>
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>
  <rule action='accept' direction='in' priority='100'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
</filter>

/etc/libvirt/nwfilter/allow-incoming-ipv4.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh nwfilter-edit allow-incoming-ipv4
or other application using the libvirt API.
-->
<filter name='allow-incoming-ipv4' chain='ipv4' priority='-700'>
  <uuid>002fe3ce-5757-477a-bb67-bc552f79ca22</uuid>
  <rule action='accept' direction='in' priority='500'/>
</filter>

/etc/libvirt/nwfilter/allow-ipv4.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh nwfilter-edit allow-ipv4
or other application using the libvirt API.
-->
<filter name='allow-ipv4' chain='ipv4' priority='-700'>
  <uuid>181fc814-6e4d-40a9-9713-4b2a5a38f58d</uuid>
  <rule action='accept' direction='inout' priority='500'/>
</filter>

/etc/libvirt/nwfilter/clean-traffic.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh nwfilter-edit clean-traffic
or other application using the libvirt API.
-->
<filter name='clean-traffic' chain='root'>
  <uuid>0739d517-7291-4176-b992-91c81a9bdbfc</uuid>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <rule action='accept' direction='out' priority='-650'>
    <mac protocolid='ipv4'/>
  </rule>
  <filterref filter='allow-incoming-ipv4'/>
  <filterref filter='no-arp-spoofing'/>
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>
  <filterref filter='no-other-l2-traffic'/>
  <filterref filter='qemu-announce-self'/>
</filter>

/etc/libvirt/nwfilter/no-arp-ip-spoofing.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh nwfilter-edit no-arp-ip-spoofing
or other application using the libvirt API.
-->
<filter name='no-arp-ip-spoofing' chain='arp-ip' priority='-510'>
  <uuid>d228403d-1b6c-4962-b0c1-c09709e412f4</uuid>
  <rule action='return' direction='out' priority='400'>
    <arp arpsrcipaddr='$IP'/>
  </rule>
  <rule action='drop' direction='out' priority='1000'/>
</filter>

/etc/libvirt/nwfilter/no-arp-mac-spoofing.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh nwfilter-edit no-arp-mac-spoofing
or other application using the libvirt API.
-->
<filter name='no-arp-mac-spoofing' chain='arp-mac' priority='-520'>
  <uuid>7dd0b382-d7c5-4c3d-a491-f6cac25ca693</uuid>
  <rule action='return' direction='out' priority='350'>
    <arp arpsrcmacaddr='$MAC'/>
  </rule>
  <rule action='drop' direction='out' priority='1000'/>
</filter>

/etc/libvirt/nwfilter/no-arp-spoofing.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh nwfilter-edit no-arp-spoofing
or other application using the libvirt API.
-->
<filter name='no-arp-spoofing' chain='root'>
  <uuid>c2f595bd-e069-4632-b460-964afd62cc06</uuid>
  <filterref filter='no-arp-mac-spoofing'/>
  <filterref filter='no-arp-ip-spoofing'/>
</filter>

/etc/libvirt/nwfilter/no-ip-multicast.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh nwfilter-edit no-ip-multicast
or other application using the libvirt API.
-->
<filter name='no-ip-multicast' chain='ipv4' priority='-700'>
  <uuid>3a4dba0c-68ca-4dc3-b7a9-1f167bb86eaa</uuid>
  <rule action='drop' direction='out' priority='500'>
    <ip dstipaddr='224.0.0.0' dstipmask='4'/>
  </rule>
</filter>

/etc/libvirt/nwfilter/no-ip-spoofing.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh nwfilter-edit no-ip-spoofing
or other application using the libvirt API.
-->
<filter name='no-ip-spoofing' chain='ipv4-ip' priority='-710'>
  <uuid>a3affce7-fb93-47f1-811d-69491f11ebff</uuid>
  <rule action='return' direction='out' priority='100'>
    <ip srcipaddr='0.0.0.0' protocol='udp'/>
  </rule>
  <rule action='return' direction='out' priority='500'>
    <ip srcipaddr='$IP'/>
  </rule>
  <rule action='drop' direction='out' priority='1000'/>
</filter>

/etc/libvirt/nwfilter/no-mac-broadcast.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh nwfilter-edit no-mac-broadcast
or other application using the libvirt API.
-->
<filter name='no-mac-broadcast' chain='ipv4' priority='-700'>
  <uuid>75bba660-ab4a-4c18-b279-b9d1d74ef0d0</uuid>
  <rule action='drop' direction='out' priority='500'>
    <mac dstmacaddr='ff:ff:ff:ff:ff:ff'/>
  </rule>
</filter>

/etc/libvirt/nwfilter/no-mac-spoofing.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh nwfilter-edit no-mac-spoofing
or other application using the libvirt API.
-->
<filter name='no-mac-spoofing' chain='mac' priority='-800'>
  <uuid>1dbaea3a-272c-4900-87c2-943cc6fd988b</uuid>
  <rule action='return' direction='out' priority='500'>
    <mac srcmacaddr='$MAC'/>
  </rule>
  <rule action='drop' direction='out' priority='500'>
    <mac/>
  </rule>
</filter>

/etc/libvirt/nwfilter/no-other-l2-traffic.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh nwfilter-edit no-other-l2-traffic
or other application using the libvirt API.
-->
<filter name='no-other-l2-traffic' chain='root'>
  <uuid>0f2c58c1-2616-4867-b276-474ed88a1cd5</uuid>
  <rule action='drop' direction='inout' priority='1000'/>
</filter>

/etc/libvirt/nwfilter/no-other-rarp-traffic.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh nwfilter-edit no-other-rarp-traffic
or other application using the libvirt API.
-->
<filter name='no-other-rarp-traffic' chain='rarp' priority='-400'>
  <uuid>a45db608-aeee-4edd-a2ce-b812025db2fc</uuid>
  <rule action='drop' direction='inout' priority='1000'/>
</filter>

/etc/libvirt/nwfilter/qemu-announce-self-rarp.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh nwfilter-edit qemu-announce-self-rarp
or other application using the libvirt API.
-->
<filter name='qemu-announce-self-rarp' chain='rarp' priority='-400'>
  <uuid>a9aa4ab0-a7e2-45fa-b900-98b9a3addf96</uuid>
  <rule action='accept' direction='out' priority='500'>
    <rarp srcmacaddr='$MAC' dstmacaddr='ff:ff:ff:ff:ff:ff' opcode='Request_Reverse' arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC' arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <rarp dstmacaddr='ff:ff:ff:ff:ff:ff' opcode='Request_Reverse' arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC' arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
  </rule>
</filter>

/etc/libvirt/nwfilter/qemu-announce-self.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh nwfilter-edit qemu-announce-self
or other application using the libvirt API.
-->
<filter name='qemu-announce-self' chain='root'>
  <uuid>c469548c-b4fa-4330-a26f-27288867e991</uuid>
  <rule action='accept' direction='out' priority='500'>
    <mac protocolid='0x835'/>
  </rule>
  <filterref filter='qemu-announce-self-rarp'/>
  <filterref filter='no-other-rarp-traffic'/>
</filter>

/etc/libvirt/qemu.conf changed:
user = "oneadmin"
group = "oneadmin"
dynamic_ownership = 0

/etc/libvirt/qemu/networks/default.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh net-edit default
or other application using the libvirt API.
-->
<network>
  <name>default</name>
  <uuid>cabd6c05-dc1e-427a-9024-16f1fd7e9457</uuid>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:5d:7a:fc'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>

-- debconf information:
  libvirt-daemon-system/id_warning: true
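The failure the report describes, guest processes silently landing in the unconstrained root cgroup after a daemon-reload when systemd-machined is absent, can be checked for on the host. The script below is an added example by the editor, not part of the bug report or of libvirt; it assumes the cgroup v1 format of /proc/PID/cgroup, uses the presence of machinectl (shipped in systemd-container alongside systemd-machined) as the indicator that machined is installed, and the pgrep pattern and sample cgroup contents are constructed.

```shell
# Added example (editor's, not from the bug report): detect guest processes that
# dropped out of their per-instance cgroup into the root cgroup. Assumes the cgroup
# v1 format of /proc/PID/cgroup ("hierarchy-ID:controllers:path"), as on Debian 9.

# Print the cgroup path for controller $1 from /proc/PID/cgroup on stdin;
# print nothing if that controller is not listed.
cgroup_path_for() {
    awk -v ctl="$1" '{
        line = $0; split(line, f, ":")
        n = split(f[2], ctls, ",")
        for (i = 1; i <= n; i++) if (ctls[i] == ctl) {
            sub(/^[^:]*:[^:]*:/, "", line)   # keep the path after the 2nd colon
            print line; exit
        }
    }'
}

# Classify one cgroup path; "escaped" is the failure mode from the report.
classify_vm_cgroup() {
    case "$1" in
        "")                          echo missing ;;  # controller not listed
        /)                           echo escaped ;;  # root cgroup, no limits
        /machine.slice/*|/machine/*) echo managed ;;  # libvirt/machined scope
        *)                           echo other ;;
    esac
}

# One "<controller> <state>" line per controller of interest, from stdin.
vm_cgroup_report() {
    content=$(cat)
    for ctl in cpu memory; do
        path=$(printf '%s\n' "$content" | cgroup_path_for "$ctl")
        printf '%s %s\n' "$ctl" "$(classify_vm_cgroup "$path")"
    done
}

# Live check (hypothetical pgrep pattern). Assumption: machinectl ships with
# systemd-machined (systemd-container on Debian), so it is the indicator.
check_live_vms() {
    command -v machinectl >/dev/null 2>&1 || echo "warning: systemd-machined not installed"
    for pid in $(pgrep -f 'qemu-system-' 2>/dev/null); do
        printf 'pid %s: ' "$pid"
        vm_cgroup_report < "/proc/$pid/cgroup" | tr '\n' ' '
        echo
    done
}

# Constructed samples: a guest inside its machined scope, and the same guest
# after a daemon-reload moved it to the root cgroup.
SAMPLE_MANAGED='12:cpu,cpuacct:/machine.slice/machine-qemu\x2d1\x2dvm1.scope
5:memory:/machine.slice/machine-qemu\x2d1\x2dvm1.scope'
SAMPLE_ESCAPED='12:cpu,cpuacct:/
5:memory:/'
if [ "${1:-}" = "--live" ]; then check_live_vms; fi
```

Run with `--live` on a host to walk the running guests; the functions can also be fed saved /proc/PID/cgroup captures, as the two samples show.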

