[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
** Changed in: cloud-archive/mitaka
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1626972

Title:
  QEMU memfd_create fallback mechanism change for security drivers

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1626972/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
For Mitaka, this bug will be included in UCA together with the fix for:

https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1656480

when it becomes available.
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
This bug was fixed in the package qemu - 1:2.5+dfsg-5ubuntu10.7

---
qemu (1:2.5+dfsg-5ubuntu10.7) xenial; urgency=medium

  [ Rafael David Tinoco ]
  * Fixed wrong migration blocker when vhost is used (LP: #1626972)
    - d/p/vhost_migration-blocker-only-if-shared-log-is-used.patch

 -- Christian Ehrhardt  Tue, 22 Nov 2016 13:45:39 +0100

** Changed in: qemu (Ubuntu Xenial)
       Status: Fix Committed => Fix Released
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
Thanks Christian! Will do!!
Re: [Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
On Tue, Jan 24, 2017 at 1:52 AM, Rafael David Tinoco < rafael.tin...@canonical.com> wrote:

> Christian, could you please move Xenial for me? I have some
> end users waiting for this. Thank you very much.
>

I can't - IIRC that is up to the SRU Team. I pinged the #ubuntu-release channel if one could take a look.
You could do so again today if you want.
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
For me we had enough tests already. Upstream development/tests, Zesty, Yakkety.

Christian, could you please move Xenial for me? I have some end users waiting for this. Thank you very much.
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
Ping - we have the next fix for Xenial in the queue - all others are released now. Has this one "baked" enough for the Xenial SRU to migrate?
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
This bug was fixed in the package qemu - 1:2.6.1+dfsg-0ubuntu5.2

---
qemu (1:2.6.1+dfsg-0ubuntu5.2) yakkety; urgency=medium

  [ Rafael David Tinoco ]
  * Fixed wrong migration blocker when vhost is used (LP: #1626972)
    - d/p/vhost_migration-blocker-only-if-shared-log-is-used.patch

 -- Christian Ehrhardt  Tue, 22 Nov 2016 13:45:46 +0100

** Changed in: qemu (Ubuntu Yakkety)
       Status: Fix Committed => Fix Released
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
Commit 0d34fbabc13 has been released with QEMU v2.8

** Changed in: qemu
       Status: Fix Committed => Fix Released
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
Yakkety Verification (with 3.13 kernel from Trusty since a <= 3.17 kernel is needed).

This verifies that Ubuntu Cloud Archive repositories will be alright with these new packages (from Xenial / Yakkety).

## CURRENT

inaddy@(ykvm01):~$ apt-cache policy qemu-kvm
qemu-kvm:
  Installed: 1:2.6.1+dfsg-0ubuntu5.1
  Candidate: 1:2.6.1+dfsg-0ubuntu5.1

ykvm01 (sender):

Jan 11 11:34:35 ykvm01 kernel: type=1400 audit(1484141675.962:53): apparmor="DENIED" operation="mknod" profile="libvirt-7cdcb6c0-f85e-4639-912b-c785bd5992d9" name="/tmp/memfd-bF8new" pid=1934 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=111 ouid=111

inaddy@(ykvm01):~$ sudo virsh migrate --live guest qemu+ssh://ykvm02/system
error: internal error: unable to execute QEMU command 'migrate': Migration disabled: failed to allocate shared memory

ykvm02 (receiver):

Jan 11 11:39:31 ykvm02 kernel: type=1400 audit(1484141971.526:53): apparmor="DENIED" operation="mknod" profile="libvirt-7cdcb6c0-f85e-4639-912b-c785bd5992d9" name="/tmp/memfd-JZ6L9T" pid=2177 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=111 ouid=111

OBS: The check was being done in the wrong place AND situation, like I showed in this bug.

## PROPOSED

inaddy@(ykvm01):~$ apt-cache policy qemu-kvm
qemu-kvm:
  Installed: 1:2.6.1+dfsg-0ubuntu5.2
  Candidate: 1:2.6.1+dfsg-0ubuntu5.2

ykvm01 (sender):

ykvm02 (receiver):

inaddy@(ykvm02):~$ virsh list
 Id    Name                           State
----------------------------------------------------
 1     guest                          running

It's all good.

verification-yakkety-done

** Tags removed: verification-needed
** Tags added: verification-done
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
Xenial Verification (with 3.13 kernel from Trusty since a <= 3.17 kernel is needed).

This verifies that Ubuntu Cloud Archive repositories will be alright with these new packages (from Xenial / Yakkety).

## CURRENT

inaddy@(xkvm01):~$ apt-cache policy qemu-kvm
qemu-kvm:
  Installed: 1:2.5+dfsg-5ubuntu10.6
  Candidate: 1:2.5+dfsg-5ubuntu10.6

xkvm01 (sender):

Jan 11 01:07:54 xkvm01 kernel: type=1400 audit(1484104074.014:13): apparmor="DENIED" operation="mknod" profile="libvirt-7cdcb6c0-f85e-4639-912b-c785bd5992d9" name="/tmp/memfd-Jh5UhR" pid=2535 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=112 ouid=112

$ sudo virsh migrate --live guest qemu+ssh://xkvm02/system
error: internal error: unable to execute QEMU command 'migrate': Migration disabled: failed to allocate shared memory

xkvm02 (receiver):

Jan 11 01:08:23 xkvm02 kernel: type=1400 audit(1484104103.888:53): apparmor="DENIED" operation="mknod" profile="libvirt-7cdcb6c0-f85e-4639-912b-c785bd5992d9" name="/tmp/memfd-fc9rij" pid=2000 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=112 ouid=112

OBS: The check was being done in the wrong place AND situation, like I showed in this bug.

## PROPOSED

inaddy@(xkvm01):~$ apt-cache policy qemu-kvm
qemu-kvm:
  Installed: 1:2.5+dfsg-5ubuntu10.7
  Candidate: 1:2.5+dfsg-5ubuntu10.7

xkvm01 (sender):

xkvm02 (receiver):

inaddy@(xkvm02):~$ virsh list
 Id    Name                           State
----------------------------------------------------
 1     guest                          running

It's all good.

verification-xenial-done
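The two verification runs above (and the kernel log in the bug description) identify an affected host by the same audit line: an AppArmor DENIED mknod of /tmp/memfd-* from a libvirt-<uuid> profile. The detector below, written over those lines, is an added example and is not part of this thread, of QEMU or of libvirt; the sample log is constructed after the thread's output, and is_memfd_fallback_denial() and count_memfd_denials() are hypothetical names.

```c
/* Added example: flag the AppArmor audit lines that mark the memfd_create()
 * fallback being denied for a confined qemu. Not part of the bug thread. */
#include <stdio.h>
#include <string.h>

/* Constructed sample, modelled on the verification output in the thread. */
static const char *SAMPLE_LOG[] = {
    "Jan 11 11:34:35 ykvm01 kernel: type=1400 audit(1484141675.962:53): apparmor=\"DENIED\" operation=\"mknod\" profile=\"libvirt-7cdcb6c0-f85e-4639-912b-c785bd5992d9\" name=\"/tmp/memfd-bF8new\" pid=1934 comm=\"qemu-system-x86\" requested_mask=\"c\" denied_mask=\"c\" fsuid=111 ouid=111",
    "Jan 11 11:34:36 ykvm01 kernel: type=1400 audit(1484141676.100:54): apparmor=\"DENIED\" operation=\"open\" profile=\"libvirt-7cdcb6c0-f85e-4639-912b-c785bd5992d9\" name=\"/tmp/\" pid=1934 comm=\"qemu-system-x86\" requested_mask=\"r\" denied_mask=\"r\" fsuid=111 ouid=0",
    "Jan 11 11:34:40 ykvm01 kernel: type=1400 audit(1484141680.000:55): apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"libvirt-7cdcb6c0-f85e-4639-912b-c785bd5992d9\" pid=2000 comm=\"apparmor_parser\"",
    "Jan 11 11:39:31 ykvm02 kernel: type=1400 audit(1484141971.526:53): apparmor=\"DENIED\" operation=\"mknod\" profile=\"libvirt-7cdcb6c0-f85e-4639-912b-c785bd5992d9\" name=\"/tmp/memfd-JZ6L9T\" pid=2177 comm=\"qemu-system-x86\" requested_mask=\"c\" denied_mask=\"c\" fsuid=111 ouid=111",
    "Jan 11 11:40:00 ykvm02 sshd[300]: Accepted publickey for inaddy",
};
#define SAMPLE_LOG_N (sizeof SAMPLE_LOG / sizeof *SAMPLE_LOG)

/* Copy the value of ` key="..."` from an audit line into out; 1 if present. */
static int audit_field(const char *line, const char *key, char *out, size_t outsz)
{
    char pat[64];
    snprintf(pat, sizeof pat, " %s=\"", key);
    const char *p = strstr(line, pat);
    if (!p)
        return 0;
    p += strlen(pat);
    const char *end = strchr(p, '"');
    if (!end)
        return 0;
    size_t n = (size_t)(end - p);
    if (n >= outsz)
        n = outsz - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* 1 if the line is a DENIED mknod of /tmp/memfd-* under a libvirt-* profile,
 * i.e. the fallback path was blocked for a confined guest. The profile name
 * (one per guest) is copied out so the affected instance can be identified. */
int is_memfd_fallback_denial(const char *line, char *profile, size_t profsz)
{
    char v[256];
    if (!audit_field(line, "apparmor", v, sizeof v) || strcmp(v, "DENIED") != 0)
        return 0;
    if (!audit_field(line, "operation", v, sizeof v) || strcmp(v, "mknod") != 0)
        return 0;
    if (!audit_field(line, "name", v, sizeof v) || strncmp(v, "/tmp/memfd-", 11) != 0)
        return 0;
    if (!audit_field(line, "profile", v, sizeof v) || strncmp(v, "libvirt-", 8) != 0)
        return 0;
    if (profile && profsz) {
        strncpy(profile, v, profsz - 1);
        profile[profsz - 1] = '\0';
    }
    return 1;
}

/* Scan log lines; return the number of hits and the last profile that matched. */
int count_memfd_denials(const char **lines, size_t n, char *last_profile, size_t profsz)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (is_memfd_fallback_denial(lines[i], last_profile, profsz))
            hits++;
    return hits;
}

int main(void)
{
    char prof[128] = "";
    int hits = count_memfd_denials(SAMPLE_LOG, SAMPLE_LOG_N, prof, sizeof prof);
    printf("%d memfd fallback denial(s); last profile: %s\n", hits, prof);
    return 0;
}
```

Run it over /var/log/kern.log or the audit log of each compute host before an upgrade: on the affected qemu versions a hit means that guest registered its migration blocker at start-up and, as explained later in the thread, keeps it until it is restarted.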
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
Hello Antonio (@arcimboldo)

The fix only makes sense for newer QEMUs (>= Xenial, like the one from Mitaka Ubuntu Cloud Archive).

OBS: The "migration check" is done in VHOST initialization functions when the devices are virtually attached to the virtual machine. If you are using kernel 3.13 and have apparmor enabled, then all the running instances have the "migration blocker" ON - because of this buggy migration check - and won't be able to live migrate.

Unfortunately there is an "in-memory" linked list telling qemu that it has a blocker (with the reason). This blocker was added during instance startup and will be checked/used only when the instance is live-migrated.

Check this: http://pastebin.ubuntu.com/23517175/

If you started the instance in a host not running apparmor (or not having the libvirt profile loaded, for example) it won't block the creation of /tmp/memfd-XXX files during instance initialization. That won't trigger the "blocker flag" inside the running program and, if/when needed, the live migration will be able to occur.

This means that, after installing the new package, if you're using apparmor, yes, you would have to RESTART running instances that were affected by this bug in order to live migrate them. Sorry for the bad news!

Even if you remove the apparmor rules, the migration blocker is already set. Hacking your process virtual memory would jeopardize the contents of the virtual memory (could be catastrophic, especially for a virtual machine).
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
@jamespage, @cpaelzer,

I'll verify this fix in a couple of days so it can be released.

Thank you!

Rafael
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
** Also affects: cloud-archive/mitaka
   Importance: Undecided
       Status: New

** Changed in: cloud-archive/mitaka
       Status: New => Fix Committed

** Changed in: cloud-archive
       Status: Fix Released => Invalid
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
Hi all,

I am facing this issue too, and although I can confirm the patch can be easily backported to Trusty (we run Mitaka on Trusty), some of our customers have VMs started with the old qemu and I cannot live migrate anymore or update qemu without stopping and starting the VM.

Do you have any suggestion on how to allow the live migration of VMs currently running with qemu pre-patch and kernel 3.13?

Thank you in advance
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
Hello Rafael, or anyone else affected,

Accepted qemu into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/qemu/1:2.6.1+dfsg-0ubuntu5.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Changed in: qemu (Ubuntu Yakkety)
       Status: In Progress => Fix Committed
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
This bug was fixed in the package qemu - 1:2.6.1+dfsg-0ubuntu7~cloud0

---
qemu (1:2.6.1+dfsg-0ubuntu7~cloud0) xenial-ocata; urgency=medium
  .
  * New update for the Ubuntu Cloud Archive.
  .
  qemu (1:2.6.1+dfsg-0ubuntu7) zesty; urgency=medium
  .
  [ Rafael David Tinoco ]
  * Fixed wrong migration blocker when vhost is used (LP: #1626972)
    - d/p/vhost_migration-blocker-only-if-shared-log-is-used.patch

** Changed in: cloud-archive
       Status: Fix Committed => Fix Released
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
** Changed in: cloud-archive
       Status: In Progress => Fix Committed
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
Commit 0d34fbabc13 is upstream, so setting this to "Fix committed", too.

** Changed in: qemu
       Status: In Progress => Fix Committed
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
Hello Rafael, or anyone else affected,

Accepted qemu into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/qemu/1:2.5+dfsg-5ubuntu10.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Changed in: qemu (Ubuntu Xenial)
       Status: In Progress => Fix Committed

** Tags added: verification-needed
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
Ok, the update into Zesty has passed and you already supplied the SRU Template.
Uploaded to the Xenial and Yakkety queues for the SRU Team to consider your fix.
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
This bug was fixed in the package qemu - 1:2.6.1+dfsg-0ubuntu7

---
qemu (1:2.6.1+dfsg-0ubuntu7) zesty; urgency=medium

  [ Rafael David Tinoco ]
  * Fixed wrong migration blocker when vhost is used (LP: #1626972)
    - d/p/vhost_migration-blocker-only-if-shared-log-is-used.patch

 -- Christian Ehrhardt  Tue, 22 Nov 2016 13:45:52 +0100

** Changed in: qemu (Ubuntu Zesty)
       Status: In Progress => Fix Released
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
Some other stages of my extra tests are currently WIP, but those that work worked fine on the ppa I built of your debdiffs.

That covers:
- migration with various workloads
- different types of migrations (live, offline, postcopy)
- upgrading onto the new qemu version
- migration into the upgraded version

I'll attach the log and upload your changes, thanks for your work.
I see you already set the SRU Template for the SRU Team to review then - thanks.
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
Uploaded into Zesty - per SRU policy (and experience that always something happens at the last minute at LP build/tests) waiting with the SRU uploads until that has fully migrated.
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
** Attachment added: "Collection of extra test logs if we have to search for anything in them later on."
   https://bugs.launchpad.net/qemu/+bug/1626972/+attachment/4781992/+files/bug-1626972-migration-fix-tinoco-sts-extraverifications.tgz
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
Thanks Rafael - the upstream work on this is excellent!

I already built all those fine and I'm now looking into some regression checks before considering/doing an upload to Dev-Release & SRU-queue.
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
** Patch added: "zesty_qemu_2.6.1+dfsg-0ubuntu7.debdiff"
   https://bugs.launchpad.net/qemu/+bug/1626972/+attachment/4781485/+files/zesty_qemu_2.6.1+dfsg-0ubuntu7.debdiff
Re: [Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
On Tue, Nov 22, 2016 at 1:02 PM, Rafael David Tinoco < rafael.tin...@canonical.com> wrote:

> Right now Zesty is behind Yakkety because of a Security Update. Not sure
> you need me to attach a debdiff for Zesty as well. Let me know.
>

Arr - bad timing. It got an upload about 5 minutes ago.
So yes, a Zesty debdiff would be nice.

-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
** Description changed: - And, when libvirt starts using apparmor, and creating apparmor profiles - for every virtual machine created in the compute nodes, mitaka qemu (2.5 - - and upstream also) uses a fallback mechanism for creating shared - memory for live-migrations. This fall back mechanism, on kernels 3.13 - - that don't have memfd_create() system-call, try to create files on /tmp/ + [Impact] + + * Updated QEMU (from UCA) live migration doesn't work with 3.13 kernels. + * QEMU code checks if it can create /tmp/memfd-XXX files wrongly. + * Apparmor will block access to /tmp/ and QEMU will fail migrating. + + [Test Case] + + * Install 2 Ubuntu Trusty (3.13) + UCA Mitaka + apparmor rules. + * Try to live-migration from one to another. + * Apparmor will block creation of /tmp/memfd-XXX files. + + [Regression Potential] + + Pros: + * Exhaustively tested this. + * Worked with upstream on this fix. + * I'm implementing new vhost log mechanism for upstream. + * One line change to a blocker that is already broken. + + Cons: + * To break live migration in other circumstances. + + [Other Info] + + * Christian Ehrhardt has been following this. + + ORIGINAL DESCRIPTION: + + When libvirt starts using apparmor, and creating apparmor profiles for + every virtual machine created in the compute nodes, mitaka qemu (2.5 - + and upstream also) uses a fallback mechanism for creating shared memory + for live-migrations. This fall back mechanism, on kernels 3.13 - that + don't have memfd_create() system-call, try to create files on /tmp/ directory and fails.. causing live-migration not to work. Trusty with kernel 3.13 + Mitaka with qemu 2.5 + apparmor capability = can't live migrate. From qemu 2.5, logic is on : void *qemu_memfd_alloc(const char *name, size_t size, unsigned int seals, int *fd) { - if (memfd_create)... ### only works with HWE kernels + if (memfd_create)... ### only works with HWE kernels - else ### 3.13 kernels, gets blocked by apparmor -tmpdir = g_get_tmp_dir -... 
-mfd = mkstemp(fname) + else ### 3.13 kernels, gets blocked by apparmor + tmpdir = g_get_tmp_dir + ... + mfd = mkstemp(fname) } And you can see the errors: From the host trying to send the virtual machine: 2016-08-15 16:36:26.160 1974 ERROR nova.virt.libvirt.driver [req-0cac612b-8d53-4610-b773-d07ad6bacb91 691a581cfa7046278380ce82b1c38ddd 133ebc3585c041aebaead8c062cd6511 - - -] [instance: 2afa1131-bc8c-43d2-9c4a-962c1bf7723e] Migration operation has aborted 2016-08-15 16:36:26.248 1974 ERROR nova.virt.libvirt.driver [req-0cac612b-8d53-4610-b773-d07ad6bacb91 691a581cfa7046278380ce82b1c38ddd 133ebc3585c041aebaead8c062cd6511 - - -] [instance: 2afa1131-bc8c-43d2-9c4a-962c1bf7723e] Live Migration failure: internal error: unable to execute QEMU command 'migrate': Migration disabled: failed to allocate shared memory From the host trying to receive the virtual machine: Aug 15 16:36:19 tkcompute01 kernel: [ 1194.356794] type=1400 audit(1471289779.791:72): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-2afa1131-bc8c-43d2-9c4a-962c1bf7723e" pid=12565 comm="apparmor_parser" Aug 15 16:36:19 tkcompute01 kernel: [ 1194.357048] type=1400 audit(1471289779.791:73): apparmor="STATUS" operation="profile_load" profile="unconfined" name="qemu_bridge_helper" pid=12565 comm="apparmor_parser" Aug 15 16:36:20 tkcompute01 kernel: [ 1194.877027] type=1400 audit(1471289780.311:74): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-2afa1131-bc8c-43d2-9c4a-962c1bf7723e" pid=12613 comm="apparmor_parser" Aug 15 16:36:20 tkcompute01 kernel: [ 1194.904407] type=1400 audit(1471289780.343:75): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="qemu_bridge_helper" pid=12613 comm="apparmor_parser" Aug 15 16:36:20 tkcompute01 kernel: [ 1194.973064] type=1400 audit(1471289780.407:76): apparmor="DENIED" operation="mknod" profile="libvirt-2afa1131-bc8c-43d2-9c4a-962c1bf7723e" name="/tmp/memfd-tNpKSj" pid=12625 
comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=107 ouid=107 Aug 15 16:36:20 tkcompute01 kernel: [ 1194.979871] type=1400 audit(1471289780.411:77): apparmor="DENIED" operation="open" profile="libvirt-2afa1131-bc8c-43d2-9c4a-962c1bf7723e" name="/tmp/" pid=12625 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=107 ouid=0 Aug 15 16:36:20 tkcompute01 kernel: [ 1194.979881] type=1400 audit(1471289780.411:78): apparmor="DENIED" operation="open" profile="libvirt-2afa1131-bc8c-43d2-9c4a-962c1bf7723e" name="/var/tmp/" pid=12625 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=107 ouid=0 When leaving libvirt without apparmor capabilities (thus not confining virtual machines on compute nodes, the live migration works as expected, so, clearly, apparmor is stepping into the live
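The allocation logic the description sketches, written out as an added example so the two paths and their security difference can be run side by side. This is not QEMU's code: `shm_alloc_fd`, `shm_probe` and the `force_fallback` flag (which simulates a kernel without memfd_create, the 3.13 case, on a newer host) are this example's own names. An anonymous memfd has no path, so there is nothing for a confining profile to match; the `mkstemp()` fallback creates a real file under tmpdir, which is exactly the `mknod` in `/tmp/` that the audit lines above show being denied.

```c
/* Added example (not QEMU's code): memfd_create(2) with a tmpdir fallback,
 * in the shape of the qemu_memfd_alloc() pseudocode, plus a probe in the
 * spirit of qemu_memfd_check(). The force_fallback flag is an assumption of
 * this example, used to exercise the 3.13-kernel path on a modern host. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

enum shm_backend {
    SHM_NONE = 0,    /* allocation failed */
    SHM_MEMFD = 1,   /* anonymous memfd: no path, nothing for a MAC policy to deny */
    SHM_TMPFILE = 2  /* mkstemp() under tmpdir: subject to the profile's file rules */
};

/* Allocate `size` bytes of fd-backed shared memory.
 * Returns the fd, or -1 with errno set; *backend records which path was taken. */
int shm_alloc_fd(const char *name, size_t size, const char *tmpdir,
                 int force_fallback, enum shm_backend *backend)
{
    int fd = -1;
    *backend = SHM_NONE;

#ifdef SYS_memfd_create
    if (!force_fallback) {
        /* Preferred path: an anonymous file that lives only in memory. */
        fd = (int)syscall(SYS_memfd_create, name, 0);
        if (fd >= 0)
            *backend = SHM_MEMFD;
        /* A 3.13 kernel reports ENOSYS here; any failure falls through. */
    }
#endif

    if (fd < 0) {
        /* Fallback path: a temp file in tmpdir, as on kernels without
         * memfd_create. Creating it is the mknod that a confining
         * AppArmor profile denies (EACCES), which surfaces as the
         * "failed to allocate shared memory" migration blocker. */
        char path[4096];
        int n = snprintf(path, sizeof path, "%s/%s-XXXXXX", tmpdir, name);
        if (n < 0 || (size_t)n >= sizeof path) {
            errno = ENAMETOOLONG;
            return -1;
        }
        fd = mkstemp(path);
        if (fd < 0)
            return -1;
        unlink(path);  /* keep only the descriptor, not the directory entry */
        *backend = SHM_TMPFILE;
    }

    if (ftruncate(fd, (off_t)size) < 0) {
        int saved = errno;
        close(fd);
        *backend = SHM_NONE;
        errno = saved;
        return -1;
    }
    return fd;
}

/* Probe, like qemu_memfd_check(): can shared memory be allocated at all?
 * Returns the backend that worked, or -1 if neither did. */
int shm_probe(const char *tmpdir, int force_fallback)
{
    enum shm_backend backend;
    int fd = shm_alloc_fd("memfd", 4096, tmpdir, force_fallback, &backend);
    if (fd < 0)
        return -1;
    close(fd);
    return (int)backend;
}

int main(void)
{
    const char *tmpdir = getenv("TMPDIR");  /* roughly what g_get_tmp_dir() does */
    if (!tmpdir)
        tmpdir = "/tmp";
    int native = shm_probe(tmpdir, 0);
    int fallback = shm_probe(tmpdir, 1);
    printf("memfd_create path: %s\n", native == SHM_MEMFD ? "ok" : "unavailable");
    printf("tmpdir fallback (%s): %s\n", tmpdir,
           fallback == SHM_TMPFILE ? "ok" : strerror(errno));
    return 0;
}
```

Run it unconfined and `shm_probe(tmpdir, 1)` succeeds; run it under a profile that denies file creation in tmpdir (as the libvirt-generated profiles above do) and only the fallback probe fails, which is why the native memfd path masks the problem on HWE kernels and the 3.13 hosts hit it.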
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
Right now Zesty is behind Yakkety because of a Security Update. Not sure you need me to attach a debdiff for Zesty as well. Let me know.
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
Took some more time here because of LP: #1621269.

** Patch added: "yakkety_qemu_2.6.1+dfsg-0ubuntu5.2.debdiff"
   https://bugs.launchpad.net/qemu/+bug/1626972/+attachment/4781464/+files/yakkety_qemu_2.6.1+dfsg-0ubuntu5.2.debdiff
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
Thanks Christian,

Then I'll finish this SRU first. Will work on the vhost mmap log file right after.
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
** Patch added: "xenial_qemu_2.5+dfsg-5ubuntu10.7.debdiff"
   https://bugs.launchpad.net/qemu/+bug/1626972/+attachment/4781425/+files/xenial_qemu_2.5+dfsg-5ubuntu10.7.debdiff
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
** Changed in: cloud-archive
       Status: New => In Progress

** Changed in: cloud-archive
     Assignee: (unassigned) => Rafael David Tinoco (inaddy)
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
** Also affects: cloud-archive
   Importance: Undecided
       Status: New
Re: [Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
On Fri, Nov 18, 2016 at 11:21 AM, Rafael David Tinoco < rafael.tin...@canonical.com> wrote:

> With customers using vhost-user that might
> still cause migration problems, but, likely, those are the vast
> minority.
>

It is and has migration issues in general atm anyway - see:
https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg03026.html
https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg03223.html

So that needs more work and is not in your current scope IMHO.
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
For Ubuntu Xenial (Mitaka), Yakkety (Newton), Zesty:

Commit 0d34fbabc1 fixes the issue for vhost-net kernel. Vhost-net kernel doesn't use shared log so the verification is not used and apparmor profiles won't block the live migration. With customers using vhost-user that might still cause migration problems, but, likely, those are the vast minority.

commit 0d34fbabc13891da41582b0823867dc5733fffef
Author: Rafael David Tinoco
Date:   Mon Oct 24 15:35:03 2016 +

    vhost: migration blocker only if shared log is used

    Commit 31190ed7 added a migration blocker in vhost_dev_init() to check if memfd would succeed. It is better if this blocker first checks if vhost backend requires shared log. This will avoid a situation where a blocker is added inappropriately (e.g. shared log allocation fails when vhost backend doesn't support it).

    Signed-off-by: Rafael David Tinoco
    Reviewed-by: Marc-André Lureau
    Reviewed-by: Michael S. Tsirkin
    Signed-off-by: Michael S. Tsirkin

diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c index 131f164..25bf67f 100644 --- a/hw/virtio/vhost.c +++ b/hw/virtio/vhost.c
@@ -1122,7 +1122,7 @@ int vhost_dev_init(struct vhost_dev *hdev, void *opaque, if (!(hdev->features & (0x1ULL << VHOST_F_LOG_ALL))) { error_setg(>migration_blocker, "Migration disabled: vhost lacks VHOST_F_LOG_ALL feature."); - } else if (!qemu_memfd_check()) { + } else if (vhost_dev_log_is_shared(hdev) && !qemu_memfd_check()) { error_setg(>migration_blocker, "Migration disabled: failed to allocate shared memory"); }

The "final" upstream fix is being finished by me, but might not be suitable for SRU since it will add features in qemu (and likely to libvirt) in order for the vhost log file to be passed (by using an already opened file descriptor). This will require changes in libvirt and nova-compute, but this change will, finally, allow the security driver to apply rules to the vhost log file for shared logs (mostly for vhost-user drivers).
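Review bot: the `+` line calls vhost_dev_log_is_shared(hdev), which this hunk does not define; for the Xenial (2.5) and Yakkety (2.6.1) backports, confirm that helper already exists in hw/virtio/vhost.c in those trees or carry it in the debdiff, otherwise the package fails to build. The evaluation order is the right one: with vhost_dev_log_is_shared() checked first, qemu_memfd_check() and its tmpdir probe are skipped entirely for the vhost-net kernel backend, while backends that do use a shared log keep the existing "Migration disabled: failed to allocate shared memory" blocker, so an AppArmor denial is still surfaced for them rather than silently ignored. Note also that the first argument to error_setg() appears as `>migration_blocker` in the quoted hunk; that is an extraction artifact (the pointer into hdev was eaten), not something to reproduce when applying the change.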
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
** Also affects: qemu (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: qemu (Ubuntu Zesty)
   Importance: Undecided
     Assignee: Rafael David Tinoco (inaddy)
       Status: In Progress

** Also affects: qemu (Ubuntu Xenial)
   Importance: Undecided
       Status: New
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
** Changed in: qemu (Ubuntu Xenial)
       Status: New => In Progress

** Changed in: qemu (Ubuntu Yakkety)
       Status: New => In Progress

** Changed in: qemu (Ubuntu Xenial)
     Assignee: (unassigned) => Rafael David Tinoco (inaddy)

** Changed in: qemu (Ubuntu Yakkety)
     Assignee: (unassigned) => Rafael David Tinoco (inaddy)
[Bug 1626972] Re: QEMU memfd_create fallback mechanism change for security drivers
** Also affects: qemu (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: qemu (Ubuntu)
       Status: New => In Progress

** Changed in: qemu (Ubuntu)
     Assignee: (unassigned) => Rafael David Tinoco (inaddy)