[Bug 799997] Re: Error generating apparmor profile when hostname contains spaces
This bug was fixed in the package libvirt - 4.0.0-1ubuntu1
---
libvirt (4.0.0-1ubuntu1) bionic; urgency=medium
* Merged with Debian unstable (4.0)
This closes several bugs:
- Error generating apparmor profile when hostname contains spaces
(LP: #77)
- qemu 2.10 locks files, libvirt shared now sets share-rw=on (LP: #1716028)
- libvirt usb passthrough throws apparmor denials related to
/run/udev/data/+usb (LP: #1727311)
- AppArmor denies access to /sys/block/*/queue/max_segments (LP: #1729626)
- iohelper improvements to let bypass-cache work without opening up the
apparmor isolation (LP: #1719579)
- nodeinfo on s390x to contain more CPU info (LP: #1733688)
- Upgrade libvirt >= 4.0 (LP: #1745934)
* Remaining changes:
- Disable libssh2 support (universe dependency)
- Disable firewalld support (universe dependency)
- Disable selinux
- Set qemu-group to kvm (for compat with older ubuntu)
- Additional apport package-hook
- Modifications to adapt for our delayed switch away from libvirt-bin (can
be dropped >18.04).
+ d/p/ubuntu/libvirtd-service-add-bin-alias.patch: systemd: define alias
to old service name so that old references work
+ d/p/ubuntu/libvirtd-init-add-bin-alias.patch: sysv init: define alias
to old service name so that old references work
+ d/control: transitional package with the old name and maintainer
scripts to handle the transition
- Backwards compatible handling of group rename (can be dropped >18.04).
- config details and autostart of default bridged network. Creating that is
now the default in general, yet our solution provides the following on
top as of today:
+ autostart the default network by default
+ do not autostart if subnet is already taken (e.g. in guests).
- d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is
the group based access to libvirt functions as it was used in Ubuntu
for quite long.
+ d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
due to the group access change.
- ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
- d/p/ubuntu/enable-kvm-spice.patch: compat with older Ubuntu qemu/kvm
which provided a separate kvm-spice.
- d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The
section that adapts the path of the emulator to the Debian/Ubuntu
packaging is kept.
- d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch: auto
set VRAM to minimum requirements
- d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts
- Add libxl log directory
- libvirt-uri.sh: Automatically switch default libvirt URI for users on
Xen dom0 via user profile (was missing on changelogs before)
- d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from
included_files to avoid build failures due to duplicate definitions.
- Update README.Debian with Ubuntu changes
- Convert libvirt0, libnss_libvirt and libvirt-dev to multi-arch.
- Enable some additional features on ppc64el and s390x (for arch parity)
+ systemtap, zfs, numa and numad on s390x.
+ systemtap on ppc64el.
- fix conffile upgrade handling to avoid obsolete files
and inactive duplicates (LP 1694159)
- d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making
vmlinuz available and accessible (Debian bug 848314)
- d/test/smoke-lxc workaround for debbug 848317/867379
- d/t/control, d/t/smoke-lxc: fix up lxc smoke test (Debian bug 848317)
- Add dnsmasq configuration to work with system wide dnsmasq (drop >18.04,
no more UCA onto Xenial then which has global dnsmasq by default).
- d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
- conffile handling of files dropped in 3.5 (can be dropped >18.04)
+ /etc/init.d/virtlockd was sysv init only
+ /etc/apparmor.d/local/usr.sbin.libvirtd and
/etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper are now generated
by dh_apparmor as needed
- Reworked apparmor Delta, especially the more complex delta is dropped
now, also our former delta is now split into logical pieces, has
improved comments and is part of a continuous upstreaming effort.
Listing related remaining changes:
+ d/p/0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch: apparmor:
Allow pygrub to run on Debian/Ubuntu
+ d/p/0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch:
apparmor, libvirt-qemu: Allow read access to overcommit_memory
+ d/p/0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch:
apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv
+ d/p/0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch:
apparmor, virt-aa-helper:
[Bug 799997] Re: Error generating apparmor profile when hostname contains spaces
Actually this one has to wait for BB, not SRU worthy (especially after all the time hard to argument), but hey it will be resolved on the next merge for sure being upstream now. ** Tags added: libvirt-18.04 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/77 Title: Error generating apparmor profile when hostname contains spaces To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/77/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 799997] Re: Error generating apparmor profile when hostname contains spaces
Related changes upstream now, will be picked no next merge. Likely consider picking in advance as soon as BB opens up. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/77 Title: Error generating apparmor profile when hostname contains spaces To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/77/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 799997] Re: Error generating apparmor profile when hostname contains spaces
Did some experiments and dropping the space from the bad chars makes it work for me as well. Added a change for that and also enqueued the addition of quotes to the static rules. I still expect issues with spaces down the road in some parts of libvirt, but if spaces are going to be forbidden it is not virt-aa-helper to do so - instead it would be a per HVM type check and/or the xml schema. I will submit all that upstream together with some other virt-aa-helper changes I work on in a few days. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/77 Title: Error generating apparmor profile when hostname contains spaces To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/77/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 799997] Re: Error generating apparmor profile when hostname contains spaces
** Tags removed: server-next -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/77 Title: Error generating apparmor profile when hostname contains spaces To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/77/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 799997] Re: Error generating apparmor profile when hostname contains spaces
** Tags added: server-next ** Tags added: virt-aa-helper -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/77 Title: Error generating apparmor profile when hostname contains spaces To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/77/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 799997] Re: Error generating apparmor profile when hostname contains spaces
@jdstrand indeed dropping space from the list in valid_name seems to fix it and work. i can virsh define/start/console/destroy with no problems. Do you have any suggestions for additional testing? This will have to wait until 16.10 opens so there's no real hurry... -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/77 Title: Error generating apparmor profile when hostname contains spaces To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/77/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 799997] Re: Error generating apparmor profile when hostname contains spaces
Still occurs on Ubuntu 14.04 using libvirt 1.2.2 . Here are my reproduction steps. Try with " " in : $ tar -xvf my-vm.tar.gz my-vm/ my-vm/my-vm-data.qcow2.md5 my-vm/my-vm.xml $ cd my-vm/ # has space $ grep -Fe '' -- my-vm.xml My VM $ sudo virsh define my-vm.xml Domain My VM defined from my-vm.xml # BUG: fails to start $ sudo virsh start "My VM" error: Failed to start domain My VM error: internal error: cannot load AppArmor profile 'libvirt-1a2ef3c1-a758-40f6-a238-c84ef3e8c9d6' Remove bad KVM: $ sudo virsh undefine "My VM" Domain My VM has been undefined Try again without " ", use "-": $ vim my-vm.xml # without spaces $ grep -Fe '' -- my-vm.xml My-VM $ sudo virsh define my-vm.xml Domain My-VM defined from my-vm.xml # starts $ sudo virsh start "My-VM" Using software versions $ sudo dpkg -l | grep libvirt ii libvirt-bin 1.2.2-0ubuntu13.1.16amd64programs for the libvirt library ii libvirt0 1.2.2-0ubuntu13.1.16amd64library for interfacing with different virtualization systems ii python-libvirt1.2.2-0ubuntu2 amd64libvirt Python bindings $ sudo uname -a Linux localhost 3.13.0-77-generic #121-Ubuntu SMP Wed Jan 20 10:50:42 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux $ lsb_release -a Description:Ubuntu 14.04.3 LTS -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/77 Title: Error generating apparmor profile when hostname contains spaces To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/77/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 799997] Re: Error generating apparmor profile when hostname contains spaces
Well, while that may long-term be a good thing to look into, since effectively noone could have been using vms with spaces in the names successfully until now anyway, perhaps patching our libvirt to bail out earlier on spaces in vm names would be the better+safer approach. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/77 Title: Error generating apparmor profile when hostname contains spaces To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/77/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 799997] Re: Error generating apparmor profile when hostname contains spaces
The reason why it didn't allow it is because libvirt didn't handle spaces in the names well at the time. If libvirt handles it ok, then it would be ok to allow it in virt-aa-helper.c since libvirt quotes all its file rule paths in the .files (except I just noticed /dev/vhost-net-- it should probably be fixed to do that). You would definitely want to thoroughly test this because, as mentioned, libvirt itself had issues with this in the past. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/77 Title: Error generating apparmor profile when hostname contains spaces To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/77/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 799997] Re: Error generating apparmor profile when hostname contains spaces
@jdstrand virt-aa-helper.c explicitly refuses to allow a space in the vm name (in valid_name()). Is there any way that would be relaxed, or is that deemed to dangerous/exploitable? If it can't be relaxed, then we should bail earlier / with a clearer message in libvirt. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/77 Title: Error generating apparmor profile when hostname contains spaces To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/77/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 799997] Re: Error generating apparmor profile when hostname contains spaces
I've seen other problems with spaces in vm names. We could convert spaces to '-' in apparmor profiles, but I'm tempted to say let's just refuse to allow spaces in vm names. What do people think? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/77 Title: Error generating apparmor profile when hostname contains spaces To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/77/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 799997] Re: Error generating apparmor profile when hostname contains spaces
Note that for lxd we've specifically disallowed anything that can cause problems with some dns servers (no '.', no ' '. no leading '-') -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/77 Title: Error generating apparmor profile when hostname contains spaces To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/77/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 799997] Re: Error generating apparmor profile when hostname contains spaces
** Summary changed: - error happen when using virsh to start a vm internal error cannot generate AppArmor profile + Error generating apparmor profile when hostname contains spaces ** Changed in: libvirt (Ubuntu) Importance: High = Medium -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/77 Title: Error generating apparmor profile when hostname contains spaces To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/77/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
