This bug was fixed in the package libvirt - 4.6.0-2ubuntu3

---------------
libvirt (4.6.0-2ubuntu3) cosmic; urgency=medium

  * d/p/ubuntu-aa/lp-1788603-fix-ptrace-rules-with-kernel-4.18.patch:
    avoid issues with newer kernels >=4.18 (LP: #1788603)

 -- Christian Ehrhardt <christian.ehrha...@canonical.com>  Mon, 27 Aug 2018 10:57:57 +0200

** Changed in: libvirt (Ubuntu Cosmic)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1788603

Title:
  libvirt fails with failure to open mount namespace

Status in libvirt package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  In Progress
Status in libvirt source package in Bionic:
  Confirmed
Status in linux source package in Bionic:
  New
Status in libvirt source package in Cosmic:
  Fix Released
Status in linux source package in Cosmic:
  In Progress

Bug description:
  [Impact]

   * Libvirt will no longer be able to start guests with newer kernels
     (>=4.18)

   * We brought a fix upstream that we want to backport to potentially 
     affected releases (B+C)

  [Test Case]

  Note: This can but does not have to be tested in nested virtualization (since we need to change the kernel it is probably the preferred way to do it nested, so this is what I describe).
  1. Get a KVM guest with the release to test (Cosmic as an example) and give it a size able to host a nested guest
    $ sudo apt install uvtool-libvirt
    $ uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 release=cosmic label=daily
    $ uvt-kvm create --cpu 8 --memory 4096 --password ubuntu c-nested-kvm-4.18 arch=amd64 release=cosmic label=daily
    $ uvt-kvm ssh c-nested-kvm-4.18
  2. In the guest set up another guest
    $ uvt-kvm ssh c-nested-kvm-4.18
    $ uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 release=cosmic label=daily
    $ uvt-kvm create --password ubuntu c-nested-guest arch=amd64 release=cosmic label=daily
    $ sudo apt install uvtool-libvirt
  3. The above will work, now get a kernel >=4.18 e.g. the mainline kernels at
     https://wiki.ubuntu.com/Kernel/MainlineBuilds
     $ wget (link of the day)
     $ sudo dpkg -i *.deb
  4. reboot into the 4.18 kernel
     $ sudo reboot
  5. Start the guest again
     $ virsh start c-nested-guest

  Without the fix this will fail like:
    error: Failed to start domain c-nested-guest
    error: internal error: child reported: Kernel does not provide mount namespace: Permission denied

  And an associated dmesg/AppArmor entry:
  [ 519.529760] audit: type=1400 audit(1535364820.976:27): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=1692 comm="libvirtd" requested_mask="read" denied_mask="read" peer="libvirt-4ae5dbbe-641c-4934-ae7c-956bcc8b9e2f"

  6. In the guest update from the PPA/Proposed that you want to test to bring in the libvirt package with the updated rules (example with the PPA).
    $ sudo add-apt-repository ppa:ci-train-ppa-service/3381
    $ sudo apt upgrade

  7. Start the guest again and it will now work
    $ virsh start c-nested-guest
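  The AppArmor denial quoted in step 5 is the signature a defender would look for when checking whether a host with a >=4.18 kernel still runs a libvirt without this fix. The following Python snippet is an added example and not part of the bug report or of libvirt's own code: it parses kernel audit lines of that form into key/value fields and flags only the pattern seen here (libvirtd DENIED ptrace "read" against one of its own per-guest profiles, peer="libvirt-<uuid>"). The sample dmesg text is constructed; its first line mirrors the entry from the bug, the other two are made up so the filter has something to ignore. Field and function names are this example's own choices.

```python
import re
from typing import Dict, List, Optional

# Key/value pairs as printed by the AppArmor audit backend: key="quoted" or key=bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The audit(<epoch>.<ms>:<serial>) token preceding the pairs.
_AUDIT_TS = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

# Constructed sample lines (assumption: the first reproduces the bug's denial,
# the other two are invented negatives).
SAMPLE_DMESG = """\
[  519.529760] audit: type=1400 audit(1535364820.976:27): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=1692 comm="libvirtd" requested_mask="read" denied_mask="read" peer="libvirt-4ae5dbbe-641c-4934-ae7c-956bcc8b9e2f"
[  520.011220] audit: type=1400 audit(1535364821.458:28): apparmor="DENIED" operation="open" profile="/usr/sbin/libvirtd" name="/root/secret" pid=1692 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  521.304911] audit: type=1400 audit(1535364822.751:29): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=1692 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
"""


def parse_apparmor_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one AppArmor audit record (type=1400), else None."""
    if 'apparmor=' not in line:
        return None
    # findall yields (key, quoted_value, bare_value); exactly one value is non-empty.
    fields = {k: (q or b) for k, q, b in _KV.findall(line)}
    if fields.get('type') != '1400':
        return None
    ts = _AUDIT_TS.search(line)
    if ts:
        fields['audit_epoch'] = ts.group(1)
        fields['audit_serial'] = ts.group(2)
    return fields


def is_libvirtd_guest_ptrace_denial(fields: Dict[str, str]) -> bool:
    """Match the LP: #1788603 signature: libvirtd denied ptrace 'read' against
    a per-guest profile (peer="libvirt-<uuid>"). Other ptrace denials, e.g.
    against an unconfined peer, are deliberately not matched."""
    return (fields.get('apparmor') == 'DENIED'
            and fields.get('operation') == 'ptrace'
            and fields.get('profile') == '/usr/sbin/libvirtd'
            and 'read' in fields.get('denied_mask', '')
            and fields.get('peer', '').startswith('libvirt-'))


def find_guest_ptrace_denials(dmesg_text: str) -> List[Dict[str, str]]:
    """Scan dmesg / kern.log text and return the records matching the signature."""
    hits = []
    for line in dmesg_text.splitlines():
        fields = parse_apparmor_line(line)
        if fields and is_libvirtd_guest_ptrace_denial(fields):
            hits.append(fields)
    return hits


if __name__ == '__main__':
    # Running it stand-alone reports one hit from the constructed sample.
    for hit in find_guest_ptrace_denials(SAMPLE_DMESG):
        print(f"libvirtd pid={hit['pid']} denied ptrace {hit['denied_mask']} "
              f"on peer={hit['peer']} (audit serial {hit['audit_serial']})")
```

  On a real host the input would be the output of `dmesg` or the contents of `/var/log/kern.log`; a hit there after a kernel upgrade to >=4.18 means the libvirt package still lacks the relaxed ptrace rule and guests will fail to start with the "Kernel does not provide mount namespace" error.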

  [Regression Potential]

   * The change is "only" opening up the AppArmor profile for libvirt a
     little bit for the access now being reported as read in addition.
     That should in itself be rather regression free, but in addition it has
     an ack from Jamie Strandboge to be sure from the security POV (you can
     follow the upstreaming thread to check:
       https://www.redhat.com/archives/libvir-list/2018-August/msg01597.html)

  [Other Info]

   * This is no issue "yet" but would be one when the Cosmic kernel becomes available as HWE kernel. We'd want to have the AppArmor profile in libvirt ready at the time so that we never have users see this error in the field on a released Ubuntu version.

  ---

  $ virsh start cosmic-i386
  error: Failed to start domain cosmic-i386
  error: internal error: child reported: Kernel does not provide mount namespace: Permission denied

  Happens with 4.18 only, 4.17 is fine.

  27013 openat(AT_FDCWD, "/proc/27012/ns/mnt", O_RDONLY) = -1 EACCES (Permission denied)

  Opening a self or parent mount namespace works fine as tested with cat
  /proc/self/ns/mnt and cat /proc/self/$$/mnt. Still investigating.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1788603/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
