This bug was fixed in the package libvirt - 1.3.1-1ubuntu10.8

---------------
libvirt (1.3.1-1ubuntu10.8) xenial; urgency=medium

  * fix virsh nodecpumap output (LP: #1659769)
  * fix using type ethernet interfaces with user scripts (LP: #1620407)
  * add new block device types to virt-aa-helpers profile (LP: #1641618)

 -- Christian Ehrhardt <[email protected]>  Mon, 06 Feb 2017 14:30:46 +0100

** Changed in: libvirt (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1641618

Title:
  Apparmor denials caused by virt-aa-helper trying to read zvol devices
  (/dev/zdX) should be silenced

Status in libvirt package in Ubuntu:
  Fix Released
Status in libvirt source package in Xenial:
  Fix Released

Bug description:
  When a qemu-kvm guest is using a zvol or a DRBD volume or a NVME
  partition, Apparmor denial messages are logged due to virt-aa-helper
  trying to access the volume/device. Those should be silenced as it's
  already done for Logical Volumes.

  [Impact]

   * libvirt driving guests on more recent backing devices floods logs
     and dmesg due to non critical apparmor denials.
   * those can distract from real issues and therefore (as with similar
     cases in the past) should be silenced by explicit denials.

  [Test Case]

  1) Create a KVM guest
  2) Edit the guest's XML profile to reference a zvol|DRBD volume|NVME partition

      <disk type='block' device='disk'>
        <driver name='qemu' type='raw' cache='none'/>
        <source dev='/dev/zvol/data/foo'/>
        <target dev='vda' bus='virtio'/>
      </disk>

  3) Start the guest
  4) Check dmesg for any Apparmor denials, there should be none with the patch

  *Without* the patch, one would see those (or similar) denials:

      audit: type=1400 audit(1479809919.223:4083): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/zd0" pid=16715 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  [Regression Potential]

  Adding a couple of explicit denials to the virt-aa-helper profile
  shouldn't cause any harm because Apparmor already denies those, this is
  just about silencing this.

  [Original description]

  Libvirt qemu-kvm guests backed by zvols (ZFS volumes) generate useless
  noise due to virt-aa-helper trying to read the backing device in the
  host (/dev/zdX). Other host's devs are already denied in
  virt-aa-helper's profile:

      # for hostdev
      /sys/devices/ r,
      /sys/devices/** r,
      /sys/bus/usb/devices/ r,
      /sys/bus/usb/devices/** r,
      deny /dev/sd* r,
      deny /dev/dm-* r,
      deny /dev/mapper/ r,
      deny /dev/mapper/* r,

  Adding "deny /dev/zd[0-9]* r," would silence Apparmor.
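
Step 4 of the test case can be checked against captured logs before a profile change is deployed. The following is an added example, not part of the bug report or of libvirt: it parses AppArmor DENIED records and reports which virt-aa-helper read denials a given set of explicit deny rules would leave unsilenced. The function names are hypothetical, the glob translation covers only the pattern subset seen in the quoted profile, and the second sample record is constructed.

```python
import re

# Deny rules quoted in the report; the last one is the rule the reporter proposes.
DENY_RULES = ["/dev/sd*", "/dev/dm-*", "/dev/mapper/", "/dev/mapper/*", "/dev/zd[0-9]*"]
HELPER = "/usr/lib/libvirt/virt-aa-helper"

def glob_to_regex(glob):
    """Translate the AppArmor glob subset used here: '**', '*', '?', '[...]'."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2              # '**' may cross '/'
        elif glob[i] == "*":
            out.append("[^/]*"); i += 1           # '*' stops at '/'
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        elif glob[i] == "[" and "]" in glob[i:]:
            end = glob.index("]", i)
            out.append(glob[i:end + 1]); i = end + 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out) + r"\Z")

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, or None."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def unsilenced(lines, rules=DENY_RULES, profile=HELPER):
    """Paths the helper was denied read access to that no deny rule in `rules` covers."""
    patterns = [glob_to_regex(r) for r in rules]
    remaining = []
    for line in lines:
        rec = parse_denial(line)
        if not rec or rec.get("profile") != profile or "r" not in rec.get("denied_mask", ""):
            continue
        name = rec.get("name")
        if name and not any(p.match(name) for p in patterns):
            remaining.append(name)
    return remaining

# First record is the one quoted in the report; the second is constructed for this example.
SAMPLE = [
    'audit: type=1400 audit(1479809919.223:4083): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/zd0" pid=16715 '
    'comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'audit: type=1400 audit(1479809920.101:4084): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/drbd0" pid=16716 '
    'comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

if __name__ == "__main__":
    print("before:", unsilenced(SAMPLE, DENY_RULES[:-1]))
    print("after: ", unsilenced(SAMPLE))
```

Any path still reported after the rule change is a device type the quoted deny rules do not cover and needs its own rule in the profile.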

