[Group.of.nepali.translators] [Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2017-01-12 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 1.3.1-1ubuntu10.6

---
libvirt (1.3.1-1ubuntu10.6) xenial; urgency=medium

  * d/apparmor/usr.lib.libvirt.virt-aa-helper: add missing rules for name
resolution to virt-aa-helper Apparmor profile (LP: #1546674).

 -- Christian Ehrhardt   Tue, 22 Nov 2016 09:39:18 +0100

** Changed in: libvirt (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

Status in libvirt package in Ubuntu:
  Fix Released
Status in libvirt source package in Xenial:
  Fix Released

Bug description:
  [Impact]

   * Apparmor denies several hostname related accesses by libvirt causing 
 severe slowdowns in some cases.

  [Test Case]

  * Note: while there are various ways to trigger it - many have seen the
    issue, but often it is unclear when exactly it will trigger or does not
    any more. So some of the repro cases have proven to be unreliable - thanks
    Simon for this repro howto listed here. (simplified as it turned out
    zvols are not needed according to comment #22)

  1) Sync Xenial cloud-image
  uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=xenial

  2) Create a test guest with:
  uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test release=xenial arch=amd64 label=daily

  3) stop it and add an extra volume in a way like this snippet
 $ virsh shutdown xenial-kernel-test
 $ virsh edit xenial-kernel-test
  



  

  4) start the guest
  virsh start xenial-kernel-test

  6) check for apparmor denial messages
  dmesg | tail | grep apparmor

  Without the fix, Apparmor would report denials when accessing
  /etc/nsswitch.conf, /etc/host.conf, /etc/gai.conf,
  /run/resolvconf/resolv.conf and /dev/zdX (where X corresponds to the
  zvol number). Starting the guest should be much slower than usual.

  With the fix in place no related Apparmor denials show up.

  [Regression Potential]

   * The fix is rather small and "only" opens up apparmor confinement a bit. 
 That makes us assume that the potential for regression should be 
 minimal.

  ###

  Original description:

  With libvirt-bin 1.3.1, starting a QEMU guest results in those AA
  denials:

  Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 audit(1455728783.639:73): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 audit(1455728783.639:74): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 audit(1455728783.639:75): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 audit(1455728783.639:76): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  virt-aa-helper's AA profile hasn't changed recently so it seems like
  the helper is doing more in this release.

  Additional information:

  $ lsb_release -rd
  Description:  Ubuntu Xenial Xerus (development branch)
  Release:  16.04

  $ apt-cache policy apparmor libvirt-bin
  apparmor:
    Installed: 2.10-3ubuntu1
    Candidate: 2.10-3ubuntu1
    Version table:
   *** 2.10-3ubuntu1 500
  500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  100 /var/lib/dpkg/status
  libvirt-bin:
    Installed: 1.3.1-1ubuntu1
    Candidate: 1.3.1-1ubuntu1
    Version table:
   *** 1.3.1-1ubuntu1 500
  500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  100 /var/lib/dpkg/status

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: libvirt-bin 1.3.1-1ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-5.20-generic 4.4.1
  Uname: Linux 4.4.0-5-generic x86_64
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  ApportVersion: 2.20-0ubuntu3
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Wed Feb 17 13:08:04 2016
  KernLog:

  SourcePackage: libvirt
  UpgradeStatus: No upgrade log present (probably fresh install)
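  modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf']
  modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted]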
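
An added example, not part of the bug report or of libvirt: a triage script that reads AppArmor `DENIED` records in the layout quoted above, groups them by profile, and separates the name-resolution files this report lists from the `/dev/zdX` denial and anything else. The sample records, the host name `host`, the zvol number and the `/tmp/my disk.img` path are constructed; decoding an unquoted hex `name=` value follows how the kernel audit code logs names containing special characters.

```python
import re
from collections import defaultdict

# Files the bug report lists as denied during name resolution.
NAME_RESOLUTION = {"/etc/nsswitch.conf", "/etc/host.conf", "/etc/gai.conf",
                   "/run/resolvconf/resolv.conf"}
ZVOL = re.compile(r"^/dev/zd\d+$")               # /dev/zdX from the report
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        if key == "name" and bare and HEX.fullmatch(bare):
            # Unquoted name: audit hex-encodes paths with spaces or quotes.
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = bare if bare else quoted
    return fields

def classify(path):
    if path in NAME_RESOLUTION:
        return "name-resolution"
    if ZVOL.match(path):
        return "zvol-device"
    return "other"

def summarize(lines):
    """Map profile -> category -> sorted unique (path, denied_mask) pairs."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_denial(line)
        if rec and "profile" in rec and "name" in rec:
            seen[rec["profile"]][classify(rec["name"])].add(
                (rec["name"], rec.get("denied_mask", "?")))
    return {p: {c: sorted(v) for c, v in cats.items()} for p, cats in seen.items()}

def _record(name_field):
    # Constructed record in the layout of the denials quoted in the report.
    return ('Feb 17 12:06:23 host kernel: [15734.513696] audit: type=1400 '
            'audit(1455728783.639:73): apparmor="DENIED" operation="open" '
            'profile="/usr/lib/libvirt/virt-aa-helper" name=' + name_field +
            ' pid=23156 comm="virt-aa-helper" requested_mask="r" '
            'denied_mask="r" fsuid=0 ouid=0')

SAMPLE = [
    _record('"/etc/nsswitch.conf"'),
    _record('"/run/resolvconf/resolv.conf"'),
    _record('"/run/resolvconf/resolv.conf"'),            # repeated, as in the report
    _record('"/dev/zd16"'),                               # hypothetical zvol number
    _record("/tmp/my disk.img".encode().hex().upper()),   # hex-encoded name
    "Feb 17 12:06:24 host kernel: [15735.000000] usb 1-1: new device",
]

if __name__ == "__main__":
    for profile, cats in summarize(SAMPLE).items():
        print(profile)
        for cat, items in sorted(cats.items()):
            print("  %-16s %s" % (cat, items))
```

Denials that land in the `other` bucket are the ones to review individually before widening a profile.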

[Group.of.nepali.translators] [Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-30 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 2.1.0-1ubuntu14

---
libvirt (2.1.0-1ubuntu14) zesty; urgency=medium

  * d/p/u/apparmor-fix-name-resolution.patch rework the fix to base
on the apparmor nameservice abstraction to be future proof (LP: #1546674).
  * d/p/ubuntu/apparmor-fix-new-devicetypes.patch add new block device types to
virt-aa-helpers profile (LP: #1641618)
  * d/p/u/apparmor-fix-other-seclabels.patch refresh to the now upstream
accepted solution (LP: #1633207).

 -- Christian Ehrhardt   Thu, 24 Nov 2016 08:06:38 +0100

** Changed in: libvirt (Ubuntu)
   Status: In Progress => Fix Released

Status in libvirt package in Ubuntu:
  Fix Released
Status in libvirt source package in Xenial:
  Triaged


[Group.of.nepali.translators] [Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-23 Thread Martin Pitt
Not much that we can do about the conffile prompt indeed. However, I
disagree with the actual patch. This should include
abstractions/nameservice instead, which allows these files plus a lot
more for other name service methods. We really want to avoid having to
SRU a conffile change twice, and this is *definitively* not sufficient
for 16.10 and up (as you e. g. also need to be able to talk to
resolved). Please also fix this in zesty. Thanks!

** Changed in: libvirt (Ubuntu)
   Status: Fix Released => In Progress

Status in libvirt package in Ubuntu:
  In Progress
Status in libvirt source package in Xenial:
  Triaged


[Group.of.nepali.translators] [Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-21 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 2.1.0-1ubuntu13

---
libvirt (2.1.0-1ubuntu13) zesty; urgency=medium

  * drop d/p/ubuntu/fix-ftbfs-for-gnutls-3-5-6.patch as the offending change
in gnutls has been reverted (LP: #1641615)
  * Build depend on gnutls >= 3.5.6-4ubuntu2 to build after the gnutls fix
migrated

 -- Christian Ehrhardt   Thu, 17 Nov 2016 08:43:10 +0100

** Changed in: libvirt (Ubuntu)
   Status: In Progress => Fix Released

Status in libvirt package in Ubuntu:
  Fix Released
Status in libvirt source package in Xenial:
  Triaged

Bug description:
  Reproducing steps:

  1) Sync Xenial cloud-image
  uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=xenial

  2) Create a test guest with:
  uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test release=xenial arch=amd64 label=daily

  3) Create a zvol
  zfs create -V 8G zlxd/xenial-kernel-test

  4) Copy the qcow2 data to the zvol
  qemu-img convert -O raw \
    /var/lib/uvtool/libvirt/images/xenial-kernel-test.qcow \
    /dev/zvol/zlxd/xenial-kernel-test

  5) Update the guest definition to use the zvol
    
  
  
  
    

  6) boot the guest
  virsh start xenial-kernel-test

  7) check for apparmor denial messages
  dmesg | tail | grep apparmor

  Without the fix, Apparmor would report denials when accessing
  /etc/nsswitch.conf, /etc/host.conf, /etc/gai.conf,
  /run/resolvconf/resolv.conf and /dev/zdX (where X corresponds to the
  zvol number). Starting the guest should be much slower than usual.

  With the fix in place, the only Apparmor denial would be about reading
  the /dev/zdx device (see LP: #1641618). This causes no visible problem
  nor slowdown.

  

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators