[Bug 1227912] Re: instance fails to boot with qemu guest agent set in image metadata

2015-05-26 Thread Ubuntu Foundations Team Bug Bot
The attachment Fix for seems to be a patch.  If it isn't, please
remove the patch flag from the attachment, remove the patch tag, and
if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issues please contact him.]

** Tags added: patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1227912

Title:
  instance fails to boot with qemu guest agent set in image metadata

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1227912/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1227912] Re: instance fails to boot with qemu guest agent set in image metadata

2015-05-26 Thread Guy Baconniere
I had the same issue when AppArmor is active (default)
and when I try to enable qemu guest agent inside your
guest:

virsh start test
error: Failed to start domain test
error: internal error: process exited while connecting to monitor: qemu-system-x86_64: -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/test-virtio.sock,server,nowait: Failed to bind socket: Permission denied
qemu-system-x86_64: -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/test-virtio.sock,server,nowait: chardev: opening backend socket failed

audit: type=1400 audit(...): apparmor=DENIED operation=mknod profile=libvirt-74c30212-4631-4498-a684-c62db8b2dc21 name=/var/lib/libvirt/qemu/test-virtio.sock pid=10291 comm=qemu-system-x86 requested_mask=c denied_mask=c fsuid=106 ouid=106

<disk type='block' device='disk'>
  <driver name='qemu' type='raw' cache='writeback' discard='unmap'/>
  <source dev='/var/lib/libvirt/images/test.raw'/>
  <target dev='sda' bus='scsi'/>
  <address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
<controller type='scsi' index='0' model='virtio-scsi'>
</controller>
<console type='pty'>
  <target type='serial' port='0'/>
</console>
<channel type='unix'>
  <source mode='bind' path='/var/lib/libvirt/qemu/test-virtio.sock'/>
  <target type='virtio' name='org.qemu.guest_agent.0'/>
  <address type='virtio-serial' controller='0' bus='0' port='1'/>
</channel>

I am using qemu guest agent to be able to call guest-fstrim
virsh qemu-agent-command domain '{"execute":"guest-fstrim"}'
guest-fstrim is doing fstrim on all partitions if discard has been
enabled with virtio-scsi (free up deleted blocks)

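Added example, not part of the original post: a small Python triage of AppArmor denial records like the one quoted in the message above, turning each denial into an exact-path rule grouped by per-domain libvirt profile. The mask-to-permission table is an assumption covering common file-rule letters, and every sample line except the first is constructed.

```python
import re

# key=value or key="value" pairs as they appear in AppArmor audit records.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Assumption: create (c) and delete (d) are granted by file permission 'w'.
# Any letter not listed here is sent to manual review instead of guessed.
_MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "d": "w", "k": "k", "l": "l", "m": "m"}

def parse_denial(line):
    """Return the record's fields for an AppArmor DENIED line, else None."""
    fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
              for m in _KV.finditer(line)}
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    return fields

def suggest_rule(fields):
    """Smallest exact-path file rule that would satisfy this one denial."""
    perms = []
    for letter in fields.get("denied_mask", ""):
        if letter not in _MASK_TO_PERM:
            raise ValueError("mask letter %r needs manual review" % letter)
        if _MASK_TO_PERM[letter] not in perms:
            perms.append(_MASK_TO_PERM[letter])
    perms.sort(key="rwklm".index)
    return '"%s" %s,' % (fields["name"], "".join(perms))

def triage(lines):
    """Map each libvirt per-domain profile to the rules its denials imply."""
    out = {}
    for line in lines:
        f = parse_denial(line)
        if f and f.get("profile", "").startswith("libvirt-"):
            out.setdefault(f["profile"], set()).add(suggest_rule(f))
    return {profile: sorted(rules) for profile, rules in out.items()}

SAMPLE = [
    # The denial from the message above (quotes missing, as on the page).
    "audit: type=1400 audit(...): apparmor=DENIED operation=mknod profile=libvirt-74c30212-4631-4498-a684-c62db8b2dc21 name=/var/lib/libvirt/qemu/test-virtio.sock pid=10291 comm=qemu-system-x86 requested_mask=c denied_mask=c fsuid=106 ouid=106",
    # Constructed lines: a quoted-format denial and an unrelated status record.
    'audit: type=1400 audit(0.0:1): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" name="/var/lib/libvirt/qemu/channel/target/a.org.qemu.guest_agent.0" pid=1 comm="qemu-system-x86" requested_mask="rwc" denied_mask="rwc" fsuid=106 ouid=106',
    'audit: type=1400 audit(0.0:2): apparmor="STATUS" operation="profile_replace" name="libvirt-00000000-0000-0000-0000-000000000000" pid=2 comm="apparmor_parser"',
]

if __name__ == "__main__":
    for profile, rules in triage(SAMPLE).items():
        print(profile, rules)
```
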


[Bug 1227912] Re: instance fails to boot with qemu guest agent set in image metadata

2015-05-26 Thread Guy Baconniere
Is it possible to apply this patch to libvirt-bin package and allow to write to /var/lib/libvirt/qemu/?

For me it makes sense because disabling AppArmor for OpenStack is not a good idea
so you will be exposed to security issues like Venom
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/VENOM
"Additionally, the QEMU process is confined by an AppArmor profile that significantly lessens the impact of a vulnerability such as VENOM by reducing the host environment's attack surface"

$ dpkg -S /etc/apparmor.d/abstractions/libvirt-qemu
libvirt-bin: /etc/apparmor.d/abstractions/libvirt-qemu


** Patch added: Fix for
   https://bugs.launchpad.net/nova/+bug/1227912/+attachment/4404897/+files/apparmor_libvirt-qemu.patch



[Bug 1227912] Re: instance fails to boot with qemu guest agent set in image metadata

2014-11-12 Thread Luis Mondesi
MNLipp workaround moved me from the previous error to this one:

Unable to complete install: 'internal error: Process exited prior to exec: libvirt:  error : unable to set AppArmor profile 'libvirt-9a3f213c-b02e-45a1-8791-109f6300d200' for '/usr/bin/qemu-system-x86_64': No such file or directory
'

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 91, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/create.py", line 1820, in do_install
    guest.start_install(meter=meter)
  File "/usr/share/virt-manager/virtinst/guest.py", line 403, in start_install
    noboot)
  File "/usr/share/virt-manager/virtinst/guest.py", line 467, in _create_guest
    dom = self.conn.createLinux(start_xml or final_xml, 0)
  File "/usr/lib/python2.7/dist-packages/libvirt.py", line 3398, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirtError: internal error: Process exited prior to exec: libvirt:  error : unable to set AppArmor profile 'libvirt-9a3f213c-b02e-45a1-8791-109f6300d200' for '/usr/bin/qemu-system-x86_64': No such file or directory

System details:

$ dpkg -S /usr/bin/qemu-system-x86_64 
qemu-system-x86: /usr/bin/qemu-system-x86_64

$ COLUMNS=100 dpkg -l libvirt-bin|tail -1
ii  libvirt-bin 1.2.8-0ubuntu1 amd64  programs for the libvirt library

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.10
Release:        14.10
Codename:       utopic

Setting security_driver=none and restarting libvirt-bin service at least
allowed me to continue.


[Bug 1227912] Re: instance fails to boot with qemu guest agent set in image metadata

2014-09-20 Thread MNLipp
I have just encountered this problem in Ubuntu 14.04.1. Here's a
workaround:

# cd /var/lib/libvirt/qemu
# mkdir -p channel/target
# chown -R libvirt-qemu:kvm channel/

(The path above is used by libvirt-manager when you create the channel.)

In /etc/apparmor.d/abstractions/libvirt-qemu at the end add:

/var/lib/libvirt/**/*.org.qemu.guest_agent.0 rwk,

(Reload apparmor profiles).

The line in libvirt-qemu could be generated in the domain specific file
by virt-aa-helper to exactly match the name of the domain, but I cannot
see a high security risk in being a bit unspecific here (allows one qemu
to access the socket of another qemu).


** Also affects: ubuntu
   Importance: Undecided
   Status: New

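Added example, not part of the original post and not virt-aa-helper's code: a Python check of what the wildcard rule from the workaround above actually covers, next to an exact-path rule derived from each domain's own channel definition. The glob matcher is a simplified approximation of AppArmor globbing, the helper names are hypothetical, and the domain XML is constructed (its second path is the socket from the 2015-05-26 report on this page).

```python
import re
import xml.etree.ElementTree as ET

# Path glob of the rule proposed in the workaround above.
BROAD_GLOB = "/var/lib/libvirt/**/*.org.qemu.guest_agent.0"

# Simplified AppArmor globbing (an approximation): '**' crosses '/',
# '*' and '?' do not. Character classes and {a,b} are not handled.
_GLOB_TOKENS = {"**": ".*", "*": "[^/]*", "?": "[^/]"}

def aa_glob_to_regex(glob):
    parts = re.split(r"(\*\*|\*|\?)", glob)
    return re.compile("".join(_GLOB_TOKENS.get(p, re.escape(p)) for p in parts) + r"\Z")

def rule_allows(glob, path):
    """True if a file rule with this path glob would cover the path."""
    return aa_glob_to_regex(glob).match(path) is not None

def agent_sockets(domain_xml):
    """Bind paths of the unix channels in a libvirt domain XML document
    (input is expected to come from the local libvirt, not from a guest)."""
    root = ET.fromstring(domain_xml)
    return [src.get("path")
            for ch in root.iter("channel") if ch.get("type") == "unix"
            for src in ch.findall("source")
            if src.get("mode") == "bind" and src.get("path")]

def per_domain_rule(path, perms="rwk"):
    """Exact-path rule for one domain's socket; rejects glob characters."""
    if any(c in path for c in '*?[]{}"\n'):
        raise ValueError("refusing to emit a rule for %r" % path)
    return '"%s" %s,' % (path, perms)

# Constructed sample domains: a virt-manager style socket path and the
# hand-picked socket path from the other report on this page.
DOM_A = """<domain><devices><channel type='unix'>
  <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/a.org.qemu.guest_agent.0'/>
  <target type='virtio' name='org.qemu.guest_agent.0'/></channel></devices></domain>"""
DOM_TEST = DOM_A.replace("channel/target/a.org.qemu.guest_agent.0", "test-virtio.sock")

if __name__ == "__main__":
    for xml in (DOM_A, DOM_TEST):
        for p in agent_sockets(xml):
            print(rule_allows(BROAD_GLOB, p), per_domain_rule(p))
```

The wildcard rule covers every domain's `*.org.qemu.guest_agent.0` socket but not a socket named differently, such as `test-virtio.sock`; the exact-path rule covers only the one socket it names.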


[Bug 1227912] Re: instance fails to boot with qemu guest agent set in image metadata

2014-09-20 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: ubuntu
   Status: New => Confirmed
