[Group.of.nepali.translators] [Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution
This bug was fixed in the package libvirt - 1.3.1-1ubuntu10.6

---------------
libvirt (1.3.1-1ubuntu10.6) xenial; urgency=medium

  * d/apparmor/usr.lib.libvirt.virt-aa-helper: add missing rules for name
    resolution to virt-aa-helper Apparmor profile (LP: #1546674).

 -- Christian Ehrhardt  Tue, 22 Nov 2016 09:39:18 +0100

** Changed in: libvirt (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

Status in libvirt package in Ubuntu:
  Fix Released
Status in libvirt source package in Xenial:
  Fix Released

Bug description:
  [Impact]

   * Apparmor denies several hostname related accesses by libvirt, causing
     severe slowdowns in some cases.

  [Test Case]

   * Note: there are various ways to trigger it; many have seen the issue,
     but it is often unclear when exactly it triggers and when it no longer
     does, so some of the repro cases have proven to be unreliable. Thanks
     to Simon for the repro howto listed here (simplified, as it turned out
     zvols are not needed according to comment #22).

  1) Sync the Xenial cloud image:
     uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=xenial
  2) Create a test guest with:
     uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test release=xenial arch=amd64 label=daily
  3) Stop it and add an extra volume, in the manner of this snippet:
     $ virsh shutdown xenial-kernel-test
     $ virsh edit xenial-kernel-test
  4) Start the guest:
     virsh start xenial-kernel-test
  5) Check for apparmor denial messages:
     dmesg | tail | grep apparmor

  Without the fix, Apparmor would report denials when accessing
  /etc/nsswitch.conf, /etc/host.conf, /etc/gai.conf,
  /run/resolvconf/resolv.conf and /dev/zdX (where X corresponds to the
  zvol number). Starting the guest should be much slower than usual.
  With the fix in place no related Apparmor denials show up.

  [Regression Potential]

   * The fix is rather small and "only" opens up apparmor confinement a
     bit. That makes us assume that the potential for regression should be
     minimal.

  ### Original description:

  With libvirt-bin 1.3.1, starting a QEMU guest results in those AA
  denials:

  Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 audit(1455728783.639:73): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 audit(1455728783.639:74): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 audit(1455728783.639:75): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 audit(1455728783.639:76): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  virt-aa-helper's AA profile hasn't changed recently, so it seems like the
  helper is doing more in this release.
  Additional information:

  $ lsb_release -rd
  Description:    Ubuntu Xenial Xerus (development branch)
  Release:        16.04

  $ apt-cache policy apparmor libvirt-bin
  apparmor:
    Installed: 2.10-3ubuntu1
    Candidate: 2.10-3ubuntu1
    Version table:
   *** 2.10-3ubuntu1 500
          500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status
  libvirt-bin:
    Installed: 1.3.1-1ubuntu1
    Candidate: 1.3.1-1ubuntu1
    Version table:
   *** 1.3.1-1ubuntu1 500
          500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: libvirt-bin 1.3.1-1ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-5.20-generic 4.4.1
  Uname: Linux 4.4.0-5-generic x86_64
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  ApportVersion: 2.20-0ubuntu3
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Wed Feb 17 13:08:04 2016
  KernLog:
  SourcePackage: libvirt
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.libvirt.qemu.conf:
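The check step in the test case above ("dmesg | tail | grep apparmor") only looks at the last ten kernel log lines, so the denials scroll out of view quickly and a positive result is easy to miss. The following script is an added example, not code from the bug report or the libvirt package: it takes the kernel log on stdin, keeps only AppArmor DENIED events for one profile, and prints each distinct denied path with its denied mask and hit count. The sample input is constructed from the four denials quoted in the report plus one made-up event for an unrelated profile, included only to show the profile filter at work.

```shell
#!/bin/sh
# Added example (not from the bug report or the libvirt package): summarise
# AppArmor "DENIED" audit events for one profile, as a sturdier version of the
# report's check step "dmesg | tail | grep apparmor".

# Constructed sample input. The first four lines are the denials quoted in the
# report; the fifth is a made-up event for an unrelated profile, included only
# to show that the profile filter keeps it out of the summary.
SAMPLE_LOG='Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 audit(1455728783.639:73): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 audit(1455728783.639:74): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 audit(1455728783.639:75): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 audit(1455728783.639:76): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 17 12:06:24 simon-laptop kernel: [15734.600001] audit: type=1400 audit(1455728784.001:77): apparmor="DENIED" operation="open" profile="/usr/bin/example-unrelated" name="/tmp/example.txt" pid=23200 comm="example" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000'

# denied_paths PROFILE < log
# Prints one line per distinct (path, denied_mask) pair among the DENIED
# events of PROFILE, in the form "path mask count", sorted by path.
denied_paths() {
    grep -F 'apparmor="DENIED"' \
    | grep -F "profile=\"$1\"" \
    | sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\1 \2/p' \
    | sort | uniq -c \
    | awk '{ print $2, $3, $1 }'
}

# distinct_denied_count PROFILE < log
# Number of distinct (path, mask) pairs denied for PROFILE. Zero means this
# profile is not the one producing denials in the log.
distinct_denied_count() {
    denied_paths "$1" | awk 'END { print NR }'
}

# Stand-alone demo over the constructed sample. On a real host feed it the
# whole kernel log instead of "dmesg | tail", e.g.:
#   dmesg | denied_paths /usr/lib/libvirt/virt-aa-helper
printf '%s\n' "$SAMPLE_LOG" | denied_paths /usr/lib/libvirt/virt-aa-helper
```

Run against the constructed sample, the summary lists /etc/host.conf, /etc/nsswitch.conf and /run/resolvconf/resolv.conf (the latter denied twice), which is exactly the set a fixed profile should make disappear; an empty summary after the update is the "no related Apparmor denials show up" condition from the test case.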
[Group.of.nepali.translators] [Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution
This bug was fixed in the package libvirt - 2.1.0-1ubuntu14

---------------
libvirt (2.1.0-1ubuntu14) zesty; urgency=medium

  * d/p/u/apparmor-fix-name-resolution.patch: rework the fix to base on the
    apparmor nameservice abstraction to be future proof (LP: #1546674).
  * d/p/ubuntu/apparmor-fix-new-devicetypes.patch: add new block device
    types to virt-aa-helper's profile (LP: #1641618).
  * d/p/u/apparmor-fix-other-seclabels.patch: refresh to the now upstream
    accepted solution (LP: #1633207).

 -- Christian Ehrhardt  Thu, 24 Nov 2016 08:06:38 +0100

** Changed in: libvirt (Ubuntu)
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

Status in libvirt package in Ubuntu:
  Fix Released
Status in libvirt source package in Xenial:
  Triaged

Bug description:
  [Impact]

   * Apparmor denies several hostname related accesses by libvirt, causing
     severe slowdowns in some cases.

  [Test Case]

   * Note: there are various ways to trigger it; many have seen the issue,
     but it is often unclear when exactly it triggers and when it no longer
     does, so some of the repro cases have proven to be unreliable. Thanks
     to Simon for the repro howto listed here.
  (The remainder of the bug description is repeated verbatim from the first notification in this thread.)
[Group.of.nepali.translators] [Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution
Not much that we can do about the conffile prompt indeed.

However, I disagree with the actual patch. This should include
abstractions/nameservice instead, which allows these files plus a lot more
for other name service methods. We really want to avoid having to SRU a
conffile change twice, and this is *definitively* not sufficient for 16.10
and up (as you e.g. also need to be able to talk to resolved).

Please also fix this in zesty. Thanks!

** Changed in: libvirt (Ubuntu)
       Status: Fix Released => In Progress

--
You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

Status in libvirt package in Ubuntu:
  In Progress
Status in libvirt source package in Xenial:
  Triaged

Bug description:
  [Impact]

   * Apparmor denies several hostname related accesses by libvirt, causing
     severe slowdowns in some cases.

  [Test Case]

   * Note: there are various ways to trigger it; many have seen the issue,
     but it is often unclear when exactly it triggers and when it no longer
     does, so some of the repro cases have proven to be unreliable. Thanks
     to Simon for the repro howto listed here.
  (The remainder of the bug description is repeated verbatim from the first notification in this thread.)
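The comment above objects to fixing the profile with a hand-picked list of files and asks for abstractions/nameservice instead, and the 2.1.0-1ubuntu14 changelog earlier in this thread records the rework onto that abstraction. The script below is an added example, not libvirt's or Ubuntu's code: it audits a profile text for how it grants name resolution, distinguishing an `#include <abstractions/nameservice>` from explicit per-file rules, and reports which of the four files from this bug's denials a profile without the abstraction would still deny. Both profile texts are constructed fragments written for the example, not the shipped usr.lib.libvirt.virt-aa-helper profile, and the installed path mentioned in the final comment is an assumption.

```shell
#!/bin/sh
# Added example (not libvirt's or Ubuntu's code): audit an AppArmor profile for
# how it grants name resolution. The profile texts below are constructed
# fragments for this example, not the shipped virt-aa-helper profile.

# The files this bug's denials named (the /dev/zdX device is a separate bug).
NAME_FILES='/etc/nsswitch.conf /etc/host.conf /etc/gai.conf /run/resolvconf/resolv.conf'

# Narrow form: only the four files from the denials are listed. This is the
# shape the review comment objects to, because it grants nothing beyond those
# exact paths and has to be amended again for every other name service method.
NARROW_PROFILE='#include <tunables/global>
/usr/lib/libvirt/virt-aa-helper {
  #include <abstractions/base>
  /etc/nsswitch.conf r,
  /etc/host.conf r,
  /etc/gai.conf r,
  /run/resolvconf/resolv.conf r,
}'

# Abstraction form: abstractions/nameservice grants read access to these files
# and, as the comment notes, to the other name service methods a fixed list
# misses.
ABSTRACTION_PROFILE='#include <tunables/global>
/usr/lib/libvirt/virt-aa-helper {
  #include <abstractions/base>
  #include <abstractions/nameservice>
}'

# uses_nameservice_abstraction < profile
# Exit 0 if the profile includes abstractions/nameservice, accepting both the
# classic "#include" and the newer bare "include" spelling.
uses_nameservice_abstraction() {
    grep -Eq '^[[:space:]]*#?include[[:space:]]+<abstractions/nameservice>'
}

# explicit_file_rules < profile
# Print "path mode" for every explicit file rule in the profile body.
explicit_file_rules() {
    sed -E -n 's/^[[:space:]]*(\/[^[:space:]]+)[[:space:]]+([A-Za-z]+),[[:space:]]*$/\1 \2/p'
}

# missing_name_files < profile
# Print each file from NAME_FILES that the profile grants no read access to,
# neither through the abstraction nor through an explicit rule. No output
# means the profile would not produce the denials from this bug.
missing_name_files() {
    profile=$(cat)
    if printf '%s\n' "$profile" | uses_nameservice_abstraction; then
        return 0
    fi
    for f in $NAME_FILES; do
        printf '%s\n' "$profile" | explicit_file_rules \
        | awk -v p="$f" '$1 == p && index($2, "r") { found = 1 } END { exit !found }' \
        || echo "$f"
    done
}

# report LABEL PROFILE_TEXT: one-line verdict for a profile fragment.
report() {
    missing=$(printf '%s\n' "$2" | missing_name_files)
    if printf '%s\n' "$2" | uses_nameservice_abstraction; then
        echo "$1: includes abstractions/nameservice"
    elif [ -z "$missing" ]; then
        echo "$1: explicit rules only, all four files covered"
    else
        echo "$1: explicit rules only, still denied: $(echo $missing)"
    fi
}

# Stand-alone demo over the two constructed fragments. To audit the installed
# profile (path assumed, not taken from the bug report), run:
#   missing_name_files < /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper
report narrow "$NARROW_PROFILE"
report abstraction "$ABSTRACTION_PROFILE"
```

Both constructed fragments come out clean for the four files, which is the point the comment makes: a file list is sufficient for the denials seen so far but says nothing about the next name service method, whereas the abstraction is maintained centrally by the apparmor package, so a profile that includes it does not need another conffile change when the resolver setup changes.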
[Group.of.nepali.translators] [Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution
This bug was fixed in the package libvirt - 2.1.0-1ubuntu13

---------------
libvirt (2.1.0-1ubuntu13) zesty; urgency=medium

  * drop d/p/ubuntu/fix-ftbfs-for-gnutls-3-5-6.patch as the offending change
    in gnutls has been reverted (LP: #1641615)
  * Build depend on gnutls >= 3.5.6-4ubuntu2 to build after the gnutls fix
    migrated

 -- Christian Ehrhardt  Thu, 17 Nov 2016 08:43:10 +0100

** Changed in: libvirt (Ubuntu)
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

Status in libvirt package in Ubuntu:
  Fix Released
Status in libvirt source package in Xenial:
  Triaged

Bug description:
  Reproducing steps:

  1) Sync the Xenial cloud image:
     uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=xenial
  2) Create a test guest with:
     uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test release=xenial arch=amd64 label=daily
  3) Create a zvol:
     zfs create -V 8G zlxd/xenial-kernel-test
  4) Copy the qcow2 data to the zvol:
     qemu-img convert -O raw \
         /var/lib/uvtool/libvirt/images/xenial-kernel-test.qcow \
         /dev/zvol/zlxd/xenial-kernel-test
  5) Update the guest definition to use the zvol
  6) Boot the guest:
     virsh start xenial-kernel-test
  7) Check for apparmor denial messages:
     dmesg | tail | grep apparmor

  Without the fix, Apparmor would report denials when accessing
  /etc/nsswitch.conf, /etc/host.conf, /etc/gai.conf,
  /run/resolvconf/resolv.conf and /dev/zdX (where X corresponds to the
  zvol number). Starting the guest should be much slower than usual.
  With the fix in place, the only Apparmor denial would be about reading
  the /dev/zdX device (see LP: #1641618). This causes no visible problem
  nor slowdown.

  Original description:

  With libvirt-bin 1.3.1, starting a QEMU guest results in those AA
  denials:

  Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 audit(1455728783.639:73): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 audit(1455728783.639:74): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 audit(1455728783.639:75): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 audit(1455728783.639:76): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  virt-aa-helper's AA profile hasn't changed recently, so it seems like the
  helper is doing more in this release.

  Additional information:

  $ lsb_release -rd
  Description:    Ubuntu Xenial Xerus (development branch)
  Release:        16.04

  $ apt-cache policy apparmor libvirt-bin
  apparmor:
    Installed: 2.10-3ubuntu1
    Candidate: 2.10-3ubuntu1
    Version table:
   *** 2.10-3ubuntu1 500
          500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status
  libvirt-bin:
    Installed: 1.3.1-1ubuntu1
    Candidate: 1.3.1-1ubuntu1
    Version table:
   *** 1.3.1-1ubuntu1 500
          500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: libvirt-bin 1.3.1-1ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-5.20-generic 4.4.1
  Uname: Linux 4.4.0-5-generic x86_64
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  ApportVersion: 2.20-0ubuntu3
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Wed Feb 17 13:08:04 2016
  KernLog:
  SourcePackage: libvirt
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf']
  modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted]

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to :