[Bug 1227912] Re: instance fails to boot with qemu guest agent set in image metadata
The attachment "Fix for" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

** Tags added: patch

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1227912

Title:
  instance fails to boot with qemu guest agent set in image metadata

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1227912/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1227912] Re: instance fails to boot with qemu guest agent set in image metadata
I had the same issue when AppArmor is active (default) and when I try to enable the qemu guest agent inside the guest:

  virsh start test
  error: Failed to start domain test
  error: internal error: process exited while connecting to monitor: qemu-system-x86_64: -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/test-virtio.sock,server,nowait: Failed to bind socket: Permission denied
  qemu-system-x86_64: -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/test-virtio.sock,server,nowait: chardev: opening backend socket failed

  audit: type=1400 audit(...): apparmor="DENIED" operation="mknod" profile="libvirt-74c30212-4631-4498-a684-c62db8b2dc21" name="/var/lib/libvirt/qemu/test-virtio.sock" pid=10291 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=106 ouid=106

Domain XML (relevant parts):

  <disk type='block' device='disk'>
    <driver name='qemu' type='raw' cache='writeback' discard='unmap'/>
    <source dev='/var/lib/libvirt/images/test.raw'/>
    <target dev='sda' bus='scsi'/>
    <address type='drive' controller='0' bus='0' target='0' unit='0'/>
  </disk>
  <controller type='scsi' index='0' model='virtio-scsi'>
  </controller>
  <console type='pty'>
    <target type='serial' port='0'/>
  </console>
  <channel type='unix'>
    <source mode='bind' path='/var/lib/libvirt/qemu/test-virtio.sock'/>
    <target type='virtio' name='org.qemu.guest_agent.0'/>
    <address type='virtio-serial' controller='0' bus='0' port='1'/>
  </channel>

I am using the qemu guest agent to be able to call guest-fstrim:

  virsh qemu-agent-command domain '{"execute":"guest-fstrim"}'

guest-fstrim is doing fstrim on all partitions if discard has been enabled with virtio-scsi (frees up deleted blocks).
[Bug 1227912] Re: instance fails to boot with qemu guest agent set in image metadata
Is it possible to apply this patch to the libvirt-bin package and allow writing to /var/lib/libvirt/qemu/ ?

For me it makes sense because disabling AppArmor for OpenStack is not a good idea, so you will be exposed to security issues like Venom: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/VENOM

"Additionally, the QEMU process is confined by an AppArmor profile that significantly lessens the impact of a vulnerability such as VENOM by reducing the host environment's attack surface"

  $ dpkg -S /etc/apparmor.d/abstractions/libvirt-qemu
  libvirt-bin: /etc/apparmor.d/abstractions/libvirt-qemu

** Patch added: "Fix for"
   https://bugs.launchpad.net/nova/+bug/1227912/+attachment/4404897/+files/apparmor_libvirt-qemu.patch
[Bug 1227912] Re: instance fails to boot with qemu guest agent set in image metadata
MNLipp's workaround moved me from the previous error to this one:

  Unable to complete install: 'internal error: Process exited prior to exec: libvirt: error : unable to set AppArmor profile 'libvirt-9a3f213c-b02e-45a1-8791-109f6300d200' for '/usr/bin/qemu-system-x86_64': No such file or directory
  '

  Traceback (most recent call last):
    File "/usr/share/virt-manager/virtManager/asyncjob.py", line 91, in cb_wrapper
      callback(asyncjob, *args, **kwargs)
    File "/usr/share/virt-manager/virtManager/create.py", line 1820, in do_install
      guest.start_install(meter=meter)
    File "/usr/share/virt-manager/virtinst/guest.py", line 403, in start_install
      noboot)
    File "/usr/share/virt-manager/virtinst/guest.py", line 467, in _create_guest
      dom = self.conn.createLinux(start_xml or final_xml, 0)
    File "/usr/lib/python2.7/dist-packages/libvirt.py", line 3398, in createLinux
      if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
  libvirtError: internal error: Process exited prior to exec: libvirt: error : unable to set AppArmor profile 'libvirt-9a3f213c-b02e-45a1-8791-109f6300d200' for '/usr/bin/qemu-system-x86_64': No such file or directory

System details:

  $ dpkg -S /usr/bin/qemu-system-x86_64
  qemu-system-x86: /usr/bin/qemu-system-x86_64
  $ COLUMNS=100 dpkg -l libvirt-bin|tail -1
  ii  libvirt-bin  1.2.8-0ubuntu1  amd64  programs for the libvirt library
  $ lsb_release -a
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description:    Ubuntu 14.10
  Release:        14.10
  Codename:       utopic

Setting security_driver=none and restarting the libvirt-bin service at least allowed me to continue.
[Bug 1227912] Re: instance fails to boot with qemu guest agent set in image metadata
I have just encountered this problem in Ubuntu 14.04.1. Here's a workaround:

  # cd /var/lib/libvirtd/qemu
  # mkdir -p channel/target
  # chown -R libvirt-qemu:kvm channel/

(The path above is used by libvirt-manager when you create the channel.)

In /etc/apparmor.d/abstractions/libvirt-qemu at the end add:

  /var/lib/libvirt/**/*.org.qemu.guest_agent.0 rwk,

(Reload the apparmor profiles.)

The line in libvirt-qemu could be generated in the domain-specific file by virt-aa-helper to exactly match the name of the domain, but I cannot see a high security risk in being a bit unspecific here (allows one qemu to access the socket of another qemu).

** Also affects: ubuntu
   Importance: Undecided
       Status: New
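To make the scoping trade-off in the comment above concrete, here is an added Python example (not code from this bug thread, from libvirt or from virt-aa-helper) that parses the AppArmor denial quoted earlier in the thread and compares which guest-agent sockets the abstraction-wide rule admits against a per-domain rule of the kind virt-aa-helper could emit; the domain names, the audit timestamp and the channel/target path layout are assumptions.

```python
import re

# Constructed sample: the AppArmor denial quoted earlier in this thread, joined into
# one audit record (timestamp made up) so it can be parsed offline.
DENIAL = ('type=1400 audit(1409000000.000:1): apparmor="DENIED" operation="mknod" '
          'profile="libvirt-74c30212-4631-4498-a684-c62db8b2dc21" '
          'name="/var/lib/libvirt/qemu/test-virtio.sock" pid=10291 '
          'comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=106 ouid=106')

def parse_denial(line):
    """Return the key=value fields of one AppArmor audit record as a dict.
    A requested_mask of "c" is bind() creating the socket node; an AppArmor file
    rule satisfies that through its 'w' permission (the workaround grants rwk)."""
    return {k: v for k, v in re.findall(r'(\w+)="?([^"\s]+)"?', line)}

def glob_to_regex(rule_path):
    """Translate an AppArmor path glob into a regex: '**' matches any characters
    including '/', while a single '*' stays within one path component."""
    out, i = '', 0
    while i < len(rule_path):
        if rule_path.startswith('**', i):
            out, i = out + '.*', i + 2
        elif rule_path[i] == '*':
            out, i = out + '[^/]*', i + 1
        else:
            out, i = out + re.escape(rule_path[i]), i + 1
    return re.compile('^' + out + '$')

def rule_covers(rule_path, path):
    """True if a profile holding a rule for rule_path may access path."""
    return glob_to_regex(rule_path).match(path) is not None

def sockets_reachable(rule_path, socket_paths):
    """Which guest-agent sockets a profile carrying rule_path can open."""
    return [p for p in socket_paths if rule_covers(rule_path, p)]

# The abstraction-wide rule from the workaround above (glob only; 'rwk,' is the mode).
ABSTRACTION_RULE = '/var/lib/libvirt/**/*.org.qemu.guest_agent.0'

def per_domain_rule(domain):
    """The tighter rule virt-aa-helper could emit into the domain's own profile.
    Assumes the channel/target layout mentioned in the workaround."""
    return '/var/lib/libvirt/qemu/channel/target/%s.org.qemu.guest_agent.0' % domain

# Constructed domain names; one socket per running guest on the host.
SOCKETS = [per_domain_rule(d) for d in ('test', 'other-guest', 'third')]

if __name__ == '__main__':
    fields = parse_denial(DENIAL)
    print('denied path:', fields['name'], 'mask:', fields['requested_mask'])
    print('covered by abstraction rule:', rule_covers(ABSTRACTION_RULE, fields['name']))
    print('abstraction rule reaches:', sockets_reachable(ABSTRACTION_RULE, SOCKETS))
    print('per-domain rule reaches:', sockets_reachable(per_domain_rule('test'), SOCKETS))
```

Note that the custom socket path from the first report in this thread (/var/lib/libvirt/qemu/test-virtio.sock) is not covered by the workaround's glob at all, since it does not end in .org.qemu.guest_agent.0.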
[Bug 1227912] Re: instance fails to boot with qemu guest agent set in image metadata
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: ubuntu
       Status: New => Confirmed