Public bug reported:

AppArmor denies libvirtd version 4.0.0-1ubuntu5 the ability to set the
permissions of ZFS block storage devices:

--------------------------------------------------------------------------
Mar 18 23:11:23 adell kernel: [986012.140246] audit: type=1400 audit(1521432683.197:187): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-abe352fc-0470-4f6b-9791-6983b2807e41" pid=48874 comm="apparmor_parser"
Mar 18 23:11:23 adell kernel: [986012.183996] audit: type=1400 audit(1521432683.241:188): apparmor="DENIED" operation="open" profile="libvirt-abe352fc-0470-4f6b-9791-6983b2807e41" name="/dev/zd80" pid=48876 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=106 ouid=106
Mar 18 23:11:23 adell kernel: [986012.184048] audit: type=1400 audit(1521432683.241:189): apparmor="DENIED" operation="open" profile="libvirt-abe352fc-0470-4f6b-9791-6983b2807e41" name="/dev/zd80" pid=48876 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=106 ouid=106
--------------------------------------------------------------------------

For each virtual machine that one tries to start, the libvirt profiles
are deleted from `/etc/apparmor.d/libvirt`, but libvirt should actually
be generating profiles in this directory.

The error message observed by the client is as follows:

--------------------------------------------------------------------------
# virsh start demo-vm
error: Failed to start domain demo-vm
error: internal error: process exited while connecting to monitor: 2018-03-19T04:03:09.710374Z qemu-system-x86_64: -drive file=/dev/zvol/rpool/demo-vm,format=raw,if=none,id=drive-ide0-0-0,cache=none,aio=native: Could not open '/dev/zvol/rpool/demo-vm': Permission denied
--------------------------------------------------------------------------

(In the above output, `/dev/zvol/rpool/demo-vm` is a symbolic link to
`/dev/zd80`.)
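As an added example (not part of the bug report and not libvirt's own tooling), the following Python parses AppArmor audit records like the ones quoted above, aggregates the denied permission masks per profile and device node, and resolves a domain's disk path through a small symlink table so that the `/dev/zvol/rpool/demo-vm` path from the domain configuration can be matched against the `/dev/zd80` node the kernel reports. The sample log lines, profile name and symlink mapping are taken from the report; the `SYMLINKS` table is a constructed stand-in for `os.path.realpath()` so the script runs offline, and all function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the three audit records from the report, each joined
# onto one line as `journalctl -k` / `dmesg` would print them.
SAMPLE_AUDIT_LOG = """\
Mar 18 23:11:23 adell kernel: [986012.140246] audit: type=1400 audit(1521432683.197:187): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-abe352fc-0470-4f6b-9791-6983b2807e41" pid=48874 comm="apparmor_parser"
Mar 18 23:11:23 adell kernel: [986012.183996] audit: type=1400 audit(1521432683.241:188): apparmor="DENIED" operation="open" profile="libvirt-abe352fc-0470-4f6b-9791-6983b2807e41" name="/dev/zd80" pid=48876 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=106 ouid=106
Mar 18 23:11:23 adell kernel: [986012.184048] audit: type=1400 audit(1521432683.241:189): apparmor="DENIED" operation="open" profile="libvirt-abe352fc-0470-4f6b-9791-6983b2807e41" name="/dev/zd80" pid=48876 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=106 ouid=106
"""

# Constructed stand-in for os.path.realpath(): the symlink the domain
# references mapped to the device node AppArmor actually evaluated.
SYMLINKS = {"/dev/zvol/rpool/demo-vm": "/dev/zd80"}

# key=value or key="quoted value" fields of an audit record
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit record, or None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def denied_masks(log_text):
    """Aggregate DENIED records into {(profile, path): set of denied perm chars}."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if not f or f.get('apparmor') != 'DENIED':
            continue
        denials[(f['profile'], f['name'])].update(f['denied_mask'])
    return dict(denials)


def resolve(path, symlinks=SYMLINKS):
    """Follow the constructed symlink table (os.path.realpath in real use)."""
    seen = set()
    while path in symlinks and path not in seen:
        seen.add(path)
        path = symlinks[path]
    return path


def perms_string(mask):
    """Order permission letters the way AppArmor rules usually list them."""
    return ''.join(c for c in 'rwkmx' if c in mask)


def disk_denials(disk_paths, log_text, symlinks=SYMLINKS):
    """Map each disk path a domain references to (real device, denied perms).

    The audit log names the resolved node (/dev/zd80), not the symlink the
    domain uses, so the path must be resolved first or nothing matches.
    """
    by_path = defaultdict(set)
    for (_profile, path), mask in denied_masks(log_text).items():
        by_path[path] |= mask
    result = {}
    for disk in disk_paths:
        dev = resolve(disk, symlinks)
        if dev in by_path:
            result[disk] = (dev, perms_string(by_path[dev]))
    return result


def suggested_rules(disk_paths, log_text, symlinks=SYMLINKS):
    """AppArmor file-rule lines that would cover the observed denials."""
    return [f'"{dev}" {perms},'
            for dev, perms in disk_denials(disk_paths, log_text, symlinks).values()]


if __name__ == "__main__":
    for disk, (dev, perms) in disk_denials(["/dev/zvol/rpool/demo-vm"], SAMPLE_AUDIT_LOG).items():
        print(f"{disk} -> {dev}: denied {perms}")
    for rule in suggested_rules(["/dev/zvol/rpool/demo-vm"], SAMPLE_AUDIT_LOG):
        print("missing rule:", rule)
```

Run against a real host, replace `SAMPLE_AUDIT_LOG` with the output of `journalctl -k` and `resolve()` with `os.path.realpath`; the rule lines it prints are the ones a working libvirt would have written into the per-domain profile under `/etc/apparmor.d/libvirt` (the report notes these profiles are missing on the affected version), which makes the diff between expected and actual profile contents easy to check.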

Downgrading libvirt-daemon, libvirt0, libvirt-daemon-system, and
libvirt-clients to version 4.0.0-1ubuntu4 makes the issue disappear:

--------------------------------------------------------------------------
# virsh start demo-vm
Domain demo-vm started
--------------------------------------------------------------------------

** Affects: libvirt (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: bionic


-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1756786

Title:
  Regression in libvirt-daemon 4.0.0-1ubuntu5 breaks AppArmor
  compatibility

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1756786/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
