[Bug 1393923] Re: postfix (2.11.0-1) does not LDAP table lookup since libp11-kit0 (0.20.2-2ubuntu2)

[Andreas Ntaflos]

Over a year later this problem still exists. It is impossible to run a
Postfix server that does (SSL/TLS secured) LDAP lookups on Ubuntu
14.04.3.

I wonder how is this not affecting more people?

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to postfix in Ubuntu.
https://bugs.launchpad.net/bugs/1393923

Title:
  postfix (2.11.0-1) does not LDAP table lookup since libp11-kit0
  (0.20.2-2ubuntu2)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1393923/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1414684] Re: bsd-mailx no longer supports sendmail options, thus breaking existing scripts (like Bootmail)

[Andreas Ntaflos]

FWIW, I am content with the updated USN and agree with Won't Fix. Just
wanted to raise the issue here in case I am not the only one bitten by
this change.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to bsd-mailx in Ubuntu.
https://bugs.launchpad.net/bugs/1414684

Title:
  bsd-mailx no longer supports sendmail options, thus breaking existing
  scripts (like Bootmail)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bsd-mailx/+bug/1414684/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1414684] Re: bsd-mailx no longer supports sendmail options, thus breaking existing scripts (like Bootmail)

[Andreas Ntaflos]

Bug against Bootmail is here:
https://bugs.launchpad.net/ubuntu/+source/bootmail/+bug/1414696

 What do you suggest instead?

I don't really have a suggestion and I am not disputing that this change
was necessary.

But the USN description doesn't even mention that specifying sendmail
options after -- is no longer supported. After some back and forth
(and seriously doubting my own sanity) I inferred that fact from the
changelog which mentions a 83-nosendmail.patch. I just wish the USN
advertised and documented this change and its full impact better.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to bsd-mailx in Ubuntu.
https://bugs.launchpad.net/bugs/1414684

Title:
  bsd-mailx no longer supports sendmail options, thus breaking existing
  scripts (like Bootmail)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bsd-mailx/+bug/1414684/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1414684] [NEW] bsd-mailx no longer supports sendmail options, thus breaking existing scripts (like Bootmail)

[Andreas Ntaflos]

Public bug reported:

The security update of bsd-mailx (8.1.2-0.2006cvs-1ubuntu0.1 on
Ubuntu 12.04) removes bsd-mailx's support for specifying sendmail
options after -- on the commandline.

This breaks any script that supplies classic sendmail options like -F or
-f on the mail commandline. A prominent example is Bootmail, which calls
mailx in the following way:

print_mail_text | sed -e s/[^[:print:]]//g | rootsign | mail -s
$subject $recipients -- -F Bootmail -f $FROM_MAIL

Here the options -F and -f are used to set the From: header in the
resulting mail message. This is now broken and results in error messages
like these in /var/log/mail.log (on systems that run Postfix):

Jan 26 16:20:09 example01 postfix/error[31885]: 4351640CB7:
to=-f...@web01.example.com, orig_to=-F, relay=none, delay=0.16,
delays=0.12/0/0/0.05, dsn=5.1.3, status=bounced (bad address syntax)

Is this change going to stay for good? In that case we need to report a
bug against the Bootmail package (and probably quite a few others) to
change the mail commandline to use the -a commandline switch for
specifying additional mail headers.

I find it disconcerting that a security update completely removes
functionality that has been available and expected for many years
without providing a proper compatibility layer. Is this really the way
to do this?

** Affects: bsd-mailx (Ubuntu)
 Importance: Undecided
 Status: New

** Description changed:

- The security update of bsd-mailx (8.1.2-0.2006cvs-1ubuntu0.1)
- removes bsd-mailx's support for specifying sendmail options after --
- on the commandline.
+ The security update of bsd-mailx (8.1.2-0.2006cvs-1ubuntu0.1 on
+ Ubuntu 12.04) removes bsd-mailx's support for specifying sendmail
+ options after -- on the commandline.
  
  This breaks any script that supplies classic sendmail options like -F or
  -f on the mail commandline. A prominent example is Bootmail, which calls
  mailx in the following way:
  
  print_mail_text | sed -e s/[^[:print:]]//g | rootsign | mail -s
  $subject $recipients -- -F Bootmail -f $FROM_MAIL
  
  Here the options -F and -f are used to set the From: header in the
  resulting mail message. This is now broken and results in error messages
  like these in /var/log/mail.log (on systems that run Postfix):
  
  Jan 26 16:20:09 example01 postfix/error[31885]: 4351640CB7:
  to=-f...@web01.example.com, orig_to=-F, relay=none, delay=0.16,
  delays=0.12/0/0/0.05, dsn=5.1.3, status=bounced (bad address syntax)
  
  Is this change going to stay for good? In that case we need to report a
  bug against the Bootmail package (and probably quite a few others) to
  change the mail commandline to use the -a commandline switch for
  specifying additional mail headers.
  
  I find it disconcerting that a security update completely removes
  functionality that has been available and expected for many years
  without providing a proper compatibility layer. Is this really the way
  to do this?

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to bsd-mailx in Ubuntu.
https://bugs.launchpad.net/bugs/1414684

Title:
  bsd-mailx no longer supports sendmail options, thus breaking existing
  scripts (like Bootmail)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bsd-mailx/+bug/1414684/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1325560] Re: kvm virtio netdevs lose network connectivity under enough load

[Andreas Ntaflos]

Installing 3.14.1 as per comment #17 fixed these connectivity issues for
us as well, but it doesn't look like the 3.14.1 kernel made it anywhere
near the 14.04.1 release. There is also no mention of this or any
related bugs in
https://wiki.ubuntu.com/TrustyTahr/ReleaseNotes/ChangeSummary/14.04.1.

What else can we do except manually install 3.14.1, which is obviously
not a proper solution?

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to qemu-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/1325560

Title:
  kvm virtio netdevs lose network connectivity under enough load

To manage notifications about this bug go to:
https://bugs.launchpad.net/libvirt/+bug/1325560/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 989452] Re: oneiric's virt-viewer can't connect to console of precise's virtual machines

[Andreas Ntaflos]

Serge, at the moment it is a bit difficult but in a few weeks I could
have some spare machines available on which I could install Quantal.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to qemu-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/989452

Title:
  oneiric's virt-viewer can't connect to console of precise's virtual
  machines

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/989452/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 989452] Re: oneiric's virt-viewer can't connect to console of precise's virtual machines

[Andreas Ntaflos]

There are currently multiple bugs that deal with virt-manager/virt-
viewer not being able to connect to a VNC console of a Libvirt/KVM
domain, such as #837275, #995320 and this one.

The problem remains, however. On a Precise server (12.04.1) where
/etc/libvirt/qemu.conf has set

vnc_listen = 0.0.0.0
vnc_tls = 0

no VNC connection is possible with neither virt-manager, nor virt-viewer
from a remote client. Virt-manager just displays the dreaded Error:
viewer connection to hypervisor host got refused or disconnected! and
virt-viewer says Unable to connect to the graphic server 0:5916 when
called like this:

virt-viewer -c qemu+tcp://kvmhost04/system domain01.example.com

Libvirt is configured to allow unencrypted TCP connections (because of
bug #1001798) so regular virt-manager interaction works, just not the
VNC console.

This must be a virt-manager, Libvirt or QEMU issue, because using a VNC
viewer like xtightvncviewer to connect to the domain's VNC port works
fine:

xtightvncviewer kvmhost04:5916

So what can we do? I see no interesting log entries anywhere that would
begin to explain what is going on here.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to qemu-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/989452

Title:
  oneiric's virt-viewer can't connect to console of precise's virtual
  machines

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/989452/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 989452] Re: oneiric's virt-viewer can't connect to console of precise's virtual machines

[Andreas Ntaflos]

Addendum: All this with Precise machines (client and server), no Oneiric
or earlier involved.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to qemu-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/989452

Title:
  oneiric's virt-viewer can't connect to console of precise's virtual
  machines

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/989452/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd

[Andreas Ntaflos]

Just to add something that has nothing to do directly with this bug, but
is related: we have been using SSSD for quite a while now, using Timo
Aaltonen's PPA https://launchpad.net/~sssd/+archive/updates and could
not be happier. In my opinion SSSD is the superior solution for all
things authn/authz, tying together LDAP, Kerberos and PAM. There are
still some minor Ubuntu-related issues with the ordering of the involved
PAM modules but everything works very well, apart from that.

I think Ubuntu would do well to properly integrate and incorporate SSSD,
especially in the Server edition.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/423252

Title:
  NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2
  suexec, and atd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/423252/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 350936] Re: Should shut down domains on system shutdown

[Andreas Ntaflos]

So is there any way the proper fix will make it into Lucid? Or has that
ship sailed?

In the meantime I have applied Sebastian Marsching's method which works
quite well. Thanks for that, Sebastian.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kvm in Ubuntu.
https://bugs.launchpad.net/bugs/350936

Title:
  Should shut down domains on system shutdown

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kvm/+bug/350936/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 350936] Re: Should shut down domains on system shutdown

[Andreas Ntaflos]

Clint, great to hear, thanks. We have many Lucid servers in production,
but no Maverick or Natty, so the fix getting into Lucid is most
important for us. But if time and resources allow it, backporting the
fix to Maverick and Natty would certainly be nice.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in Ubuntu.
https://bugs.launchpad.net/bugs/350936

Title:
  Should shut down domains on system shutdown

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kvm/+bug/350936/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 350936] Re: Should shut down domains on system shutdown

[Andreas Ntaflos]

Orticio, this is an English-speaking forum. Please stop asking people to
speak Spanish.

Translated by Google:

Este es un foro de habla Inglés. Por favor, deje de pedir a la gente a
hablar español.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kvm in ubuntu.
https://bugs.launchpad.net/bugs/350936

Title:
  Should shut down domains on system shutdown

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 81242] Re: postfix-ldap is linked against gnuTLS

[Andreas Ntaflos]

For what it's worth this is still a problem in 10.04.1 and Postfix
2.7.0-1. Manually copying /dev/random and /dev/urandom to
/var/spool/postfix/dev works around the problem.

I also find it quite strange that this doesn't affect more people. In
fact this bug seems to have been completely forgotten. Is nobody using
Postfix, LDAP and SSL/TLS on Ubuntu?

-- 
postfix-ldap is linked against gnuTLS
https://bugs.launchpad.net/bugs/81242
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to postfix in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 495394] Re: autostart almost always fails on boot time host

[Andreas Ntaflos]

Thanks for the new patch! I tested it just now and it seems to work, but
it's always hard to tell when dealing with race conditions. I'll keep
testing.

Out of interest, the only change (apart from the more verbose way of
testing the $interface variable) is the added break statement, right?
I am not familiar enough with the Upstart boot process but why does this
change make the job work correctly? I also have not found any info on
what exactly ifquery does. Does it just read /etc/network/interfaces and
extract the interface names?

Anyway, thanks again!

-- 
autostart almost always fails on boot time host
https://bugs.launchpad.net/bugs/495394
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 495394] Re: autostart almost always fails on boot time host

[Andreas Ntaflos]

Mika, thank you for the patch and new upstart job. We are trying it out
here and find that the bridged-network job seems to be waiting forever
for a net-device-up signal to be emitted, thus keeping libvirtd-bin
from starting.

I only now have begun reading up on upstart but so far I can't find any
obvious flaws in your job definition. Waiting on the net-device-up
signal which is emitted every time a network interface comes up
(/etc/network/if-up.d/upstart) and then checking the status of the
bridges seems the correct way but it doesn't work for us.

Did you take any additional steps in order to get this upstart job to
work correctly?

-- 
autostart almost always fails on boot time host
https://bugs.launchpad.net/bugs/495394
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 578332] [NEW] AppArmor blocks hot-attaching of USB devices

[Andreas Ntaflos]

Public bug reported:

On Ubuntu 10.04 server, after applying the fixes to Libvirt's AppArmor
profiles as discussed in bug 545795 the hot-attachment of USB devices is
blocked/denied by AppArmor. Hot-attachment means: a KVM-based VM is
running and a USB devices connected to the underlying host is to be
attached/passed-through to the VM while it is running. This can be
accomplished by using virt-manager:

1. Open the Details window of the virtual machine in question
2. Klick Add Hardware
3. Select Physical Host Device, Next
4. Select USB device and choose the device to be attached (in our case a USB 
card reader), Next
5. Finish

The logfile for the machine in question immediately shows:

usb_create: no bus specified, using usb.0 for usb-host
husb: open device 5.2
/dev/bus/usb/005/002: Permission denied
husb: open device 5.2
/dev/bus/usb/005/002: Permission denied
husb: open device 5.2
/dev/bus/usb/005/002: Permission denied
husb: open device 5.2

/var/log/kern.log accordingly shows

kernel: [79029.932635] type=1503 audit(1272985279.341:1009):
operation=open pid=23782 parent=1 profile=libvirt-959806d1-327a-cd14
-6b3f-ddeee8a19d0e requested_mask=rw:: denied_mask=rw:: fsuid=0
ouid=0 name=/dev/bus/usb/005/002

This happens because AppArmor doesn't allow Libvirt access to
/dev/bus/usb/**. Note that this works fine when the machine in question
is shut down prior to attaching the USB device but that is exactly not
the desired behaviour of hot-attaching devices.

This can be fixed quite simply by allowing read-write access to
/dev/bus/usb/**. I don't know if that needs to be added to the profile
abstractions/libvirt-qemu or usr.lib.libvirt.virt-aa-helper. I believe
it is the latter, but I am not sure.

apparmor: 2.5-0ubuntu3
libvirt-bin: 0.7.5-5ubuntu27
Description:Ubuntu 10.04 LTS
Release:10.04

** Affects: libvirt (Ubuntu)
 Importance: Undecided
 Status: New

-- 
AppArmor blocks hot-attaching of USB devices
https://bugs.launchpad.net/bugs/578332
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 578332] Re: AppArmor blocks hotplugging of USB devices

[Andreas Ntaflos]

** Summary changed:

- AppArmor blocks hot-attaching of USB devices
+ AppArmor blocks hotplugging of USB devices

** Description changed:

  On Ubuntu 10.04 server, after applying the fixes to Libvirt's AppArmor
- profiles as discussed in bug 545795 the hot-attachment of USB devices is
- blocked/denied by AppArmor. Hot-attachment means: a KVM-based VM is
- running and a USB devices connected to the underlying host is to be
- attached/passed-through to the VM while it is running. This can be
- accomplished by using virt-manager:
+ profiles as discussed in bug 545795 the hotplugging of USB devices is
+ blocked/denied by AppArmor. Hotplugging means: a KVM-based VM is running
+ and a USB devices connected to the underlying host is to be attached
+ /passed-through to the VM while it is running. This can be accomplished
+ by using virt-manager:
  
  1. Open the Details window of the virtual machine in question
  2. Klick Add Hardware
  3. Select Physical Host Device, Next
  4. Select USB device and choose the device to be attached (in our case a 
USB card reader), Next
  5. Finish
  
  The logfile for the machine in question immediately shows:
  
  usb_create: no bus specified, using usb.0 for usb-host
  husb: open device 5.2
  /dev/bus/usb/005/002: Permission denied
  husb: open device 5.2
  /dev/bus/usb/005/002: Permission denied
  husb: open device 5.2
  /dev/bus/usb/005/002: Permission denied
  husb: open device 5.2
  
  /var/log/kern.log accordingly shows
  
  kernel: [79029.932635] type=1503 audit(1272985279.341:1009):
  operation=open pid=23782 parent=1 profile=libvirt-959806d1-327a-cd14
  -6b3f-ddeee8a19d0e requested_mask=rw:: denied_mask=rw:: fsuid=0
  ouid=0 name=/dev/bus/usb/005/002
  
  This happens because AppArmor doesn't allow Libvirt access to
  /dev/bus/usb/**. Note that this works fine when the machine in question
  is shut down prior to attaching the USB device but that is exactly not
  the desired behaviour of hot-attaching devices.
  
  This can be fixed quite simply by allowing read-write access to
  /dev/bus/usb/**. I don't know if that needs to be added to the profile
  abstractions/libvirt-qemu or usr.lib.libvirt.virt-aa-helper. I believe
  it is the latter, but I am not sure.
  
  apparmor: 2.5-0ubuntu3
  libvirt-bin: 0.7.5-5ubuntu27
  Description:Ubuntu 10.04 LTS
  Release:10.04

-- 
AppArmor blocks hotplugging of USB devices
https://bugs.launchpad.net/bugs/578332
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 545795] Re: apparmor driver blocks access to hostdev and pcidev devices

[Andreas Ntaflos]

Looks like I found it. The VM in my case is trying to access

/sys/devices/pci:00/:00:1e.0/:01:04.4/usb6/devnum

but the abstractions/libvirt-qemu profile only allows

  /sys/bus/usb/devices/ r,
  /sys/devices/*/*/usb[0-9]*/** r,

when it should (also) allow

  /sys/devices/*/*/*/usb[0-9]*/** r,

With this line added the guest boots fine and immediately gets access to
the USB device.

I have attached a patch for this one-line fix, hope it helps.

** Patch added: One-line fix for hostdev access to USB devices
   http://launchpadlibrarian.net/47796844/libvirt-qemu.patch

-- 
apparmor driver blocks access to hostdev and pcidev devices
https://bugs.launchpad.net/bugs/545795
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 545795] Re: apparmor driver blocks access to hostdev and pcidev devices

[Andreas Ntaflos]

Jamie, yes this fixes it. thank you!

I notice however some redundancies between abstractions/libvirt-qemu and
usr.lib.libvirt.virt-aa-helper? At least the line /sys/bus/usb/devices/
r, appears in both, don't know if that matters any, though. So that's
good :)

But now I have discovered something else. When booting a VM that has a
USB device included in its XML definition (like here:
https://daff.pseudoterminal.org/files/vm-usb.txt) now thanks to this fix
works fine. *However* trying to attach a USB device while the VM is
running (using virt-manager in my case) results in these messages in
/var/log/libvirt/qemu/vm.log:

usb_create: no bus specified, using usb.0 for usb-host
husb: open device 5.2
/dev/bus/usb/005/002: Permission denied
husb: open device 5.2
/dev/bus/usb/005/002: Permission denied
husb: open device 5.2

And in /var/log/kern.log:

May  4 17:01:19 TESTHOST kernel: [79029.932635] type=1503
audit(1272985279.341:1009):  operation=open pid=23782 parent=1 profile
=libvirt-959806d1-327a-cd14-6b3f-ddeee8a19d0e requested_mask=rw::
denied_mask=rw:: fsuid=0 ouid=0 name=/dev/bus/usb/005/002

So it seems that access to /dev/bus/usb/** is needed as well?

-- 
apparmor driver blocks access to hostdev and pcidev devices
https://bugs.launchpad.net/bugs/545795
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 545795] Re: apparmor driver blocks access to hostdev and pcidev devices

[Andreas Ntaflos]

Oh and it seems that disconnecting/detaching an USB device from the
running VM doesn't work at all? virt-manager complains:

Device could not be removed from the running machine.
This change will take effect after the next VM reboot

But this has probably nothing to do with AppArmor and may just be a
shortcoming of Libvirt? Just pointing it out here since it seems to fit.

-- 
apparmor driver blocks access to hostdev and pcidev devices
https://bugs.launchpad.net/bugs/545795
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 545795] Re: apparmor driver blocks access to hostdev and pcidev devices

[Andreas Ntaflos]

I'm sorry to post to this bug that has a status of Fix released but I
am not sure it is really fixed. I have a situation similar too the
original poster's concerning a USB card reader that won't make it past
AppArmor it seems. Using libvirt-bin 0.7.5-5ubuntu27.

Situation: one of our servers was upgraded from Ubuntu 9.10 to 10.04
today. The server runs a few Ubuntu 9.10 VMs, nothing fancy or out of
the ordinary. These VMs were defined and installed a few weeks ago,
prior to the release of and update to Ubuntu 10.04 (if that matters at
all).

We've had problems with AppArmor and Libvirt/KVM before so we disabled
AppArmor and pass-through of the USB card readers worked fine this way.
This situation was not ideal from a security point-of-view but since the
host and guests are strictly for internal test and development purposes
we went with it. Now I see that a lot has happened with regards to
AppArmor, USB and PCI pass-through and Libvirt, so tried again enabling
AppArmor. Alas, when starting a VM dmesg and /var/log/kern.log show
these entries, repeating every second it seems:

May  3 19:44:18 TESTHOST kernel: [ 2407.509182] type=1503
audit(1272908658.618:785):  operation=open pid=1532 parent=1 profile
=libvirt-959806d1-327a-cd14-6b3f-ddeee8a19d0e requested_mask=r::
denied_mask=r:: fsuid=0 ouid=0
name=/sys/devices/pci:00/:00:1e.0/:01:04.4/usb6/devnum

The guest of course does not get to see anything of the USB device in
question. Please find the XML definition of the guest in question here:
https://daff.pseudoterminal.org/files/vm-usb.txt

After disabling AppArmor (/etc/init.d/apparmor stop) the USB device is
again visible in the guest.

Why would this happen? The file /etc/apparmor.d/usr.lib.libvirt.virt-aa-
helper explicitly states that access to /sys/devices/** should be
allowed. Am I missing anything? I can experiment and run tests on this
server for the next week or so, so please tell me if I can help
debugging anything.

-- 
apparmor driver blocks access to hostdev and pcidev devices
https://bugs.launchpad.net/bugs/545795
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 303882] Re: python-vm-builder --raw doesn't set size correctly

[Andreas Ntaflos]

Would also like to see this fixed for karmic. Using python-vmbuilder
0.11.3-0ubuntu1 and the same error occurs when trying to use a 10G LVM
volume as a --raw device. I assume this is the same bug.

sudo vmbuilder kvm ubuntu --debug --verbose -m 2048 --raw=/dev/mapper/vg
--storage-lv--chat_root --rootsize=8G --swapsize=2G --suite=karmic ...

Traceback (most recent call last):
  File /usr/bin/vmbuilder, line 29, in module
VMBuilder.run()
  File /usr/lib/python2.6/dist-packages/VMBuilder/__init__.py, line 65, in run
frontend.run()
  File /usr/lib/python2.6/dist-packages/VMBuilder/plugins/cli/__init__.py, 
line 66, in run
self.set_disk_layout(vm)
  File /usr/lib/python2.6/dist-packages/VMBuilder/plugins/cli/__init__.py, 
line 105, in set_disk_layout
disk.add_part(offset, vm.swapsize, 'swap', 'swap')
  File /usr/lib/python2.6/dist-packages/VMBuilder/disk.py, line 189, in 
add_part
raise Exception('Partition is out of bounds. start=%d, end=%d, disksize=%d' 
% (begin,end,self.size))
Exception: Partition is out of bounds. start=8192, end=10239, disksize=5120

-- 
python-vm-builder --raw doesn't set size correctly
https://bugs.launchpad.net/bugs/303882
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to vm-builder in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 517067] Re: Using virtio for block devices makes disks and partitions disappear in KVM/QEMU (using vmbuilder and libvirt)

[Andreas Ntaflos]

You are right of course, /etc/fstab on the guest contains /dev/sdXY
entries. These get generated by
/usr/share/pyshared/VMBuilder/plugins/ubuntu/feisty.py as you mentioned.
After changing all /dev/sdXY to /dev/vdXY I can indeed boot happily
:)

What threw me off was that QEMU did not (and does not) see these virtio-
based drives when booting (see screenshots) and that changing the target
device name in the domain definition (target dev='vda' bus='virtio'/
to target dev='sda' bus='virtio'/ and vice versa) does nothing. I
suppose this has to do with the snippet of documentation I quoted
previously and probably with the fact that the virtio driver is
paravirtualized so QEMU doesn't do any of the emulation it would do with
IDE- or SCSI-based buses. Should have thought of that earlier.

So creating guests in the manner I described in my original post using
vmbuilder works after applying your one-line fix to
/usr/share/pyshared/VMBuilder/plugins/ubuntu/feisty.py.

I am not sure where this bug lies since I am just getting to know the
more advanced aspects of libvirt but I suppose vmbuider is to blame.
That's understandable given that it is still somewhat young and cannot
consider all possible combinations and varieties of libvirt options. Too
bad virt-install is mostly useless for quickly creating and deploying
guests for testing purposes.

I like your solution b.) but doesn't that add yet another level of
indirection and complicates guest setup even more?

-- 
Using virtio for block devices makes disks and partitions disappear in KVM/QEMU 
(using vmbuilder and libvirt)
https://bugs.launchpad.net/bugs/517067
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to vm-builder in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 517067] Re: Using virtio for block devices makes disks and partitions disappear in KVM/QEMU (using vmbuilder and libvirt)

[Andreas Ntaflos]

Thanks for the comment, but how do you figure? I did not change anything
after the fact, I modified the template used for installation and setup
of the guest domain.

First, it seems to depend on the bus type whether the virtual disks are
at all visible to QEMU, as can be seen from the screenshots. At that
point logical device names are of no consequence, yet, because the
kernel isn't even booted.

Second, it does not matter whether the disks are called vda or hda
(the default) in the libvirt domain definition. From the documentation:
The dev attribute indicates the logical device name. The actual
device name specified is not guaranteed to map to the device name in the
guest OS. Treat it as a device ordering hint. This is further supported
by the fact that upon switching the bus type to ide the disks are
visible both to QEMU and to the booted guest Linux kernel but the
logical device name in the domain definition is still vda-based.

Third, the logical device name is defined and set early during
installation/setup of the guest since it looks at the modified template
in /etc/vmbuilder/libvirt. So the installation procedure is aware that
disks are named vda in the definition and takes that into account (or
should take that into account). It does not matter whether it is hda
oder vda there (I tried both, multiple times), /etc/fstab will always
have /dev/sdX* set.

So I don't think that is the problem here, but I will try again. Thanks
for the comment, again!

-- 
Using virtio for block devices makes disks and partitions disappear in KVM/QEMU 
(using vmbuilder and libvirt)
https://bugs.launchpad.net/bugs/517067
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 517067] [NEW] Using virtio for block devices makes disks and partitions disappear in KVM/QEMU (using vmbuilder and libvirt)

[Andreas Ntaflos]

Public bug reported:

Binary package hint: libvirt-bin

I can reproduce that trying to use bus='virtio' for virtual disks in the
definition of a libvirt domain makes virtual disks thus defined
disappear in the eyes of KVM/QEMU. This leads to error messages like the
following when booting, as well as disappearance of all partitions on
that virtual disk, except for the root partition (that means especially
that no swap space will be enabled):

One or more of the mounts listed in /etc/fstab cannot yet be mounted:
(ESC for recovery shell)
swap: waiting for /dev/sda2
/opt: waiting for /dev/sda3

A screenshot is available here:
https://daff.pseudoterminal.org/misc/mountfailed.png

It also appears, just after starting the guest, that QEMU doesn't even
recognize that there are hard disk drives present, it only sees the DVD
drive. See the following screenshots for comparison.

bus='ide' in virtual disk domain definition: 
https://daff.pseudoterminal.org/misc/bus_ide.png
bus='virtio' in virtual disk domain definition: 
https://daff.pseudoterminal.org/misc/bus_virtio.png

The result is that only the root partition, probably because of
initramfs/initrd and GRUB magic, will be available to the guest when
using virtio, and only when no partitions other than a swap partition
have been defined during setup or installation of the guest. When only a
swap partition is present the boot process succeeds but still complains
that it is waiting for the swap partition to become available. When
there are any other partitions the boot process just hangs with the
error message described above.

Background: I like to take advantage of the paravirtualized IO drivers
offered for KVM-based guests. Using virtio as bus for block devices or
model type for network interfaces in the right places in a libvirt
domain definition enables those drivers. To facilitate and automate this
when creating guests I edited the libvirt template for vmbuilder to
automatically use virtio. Notice the target line:

#for $disk in $disks
disk type='file' device='disk'
  source file='$disk.filename' /
  target dev='vd$disk.devletters()' bus='virtio' /
/disk
#end for

Now for creating a guest using vmbuilder, as per the Ubuntu Server
Guide:

# vmbuilder kvm ubuntu --dest=/storage/vms/foo -m 2048 --rootsize=4000
--optsize=4000 --hostname=foo --suite=karmic --bridge=br0 --overwrite
--libvirt=qemu:///system --flavour=virtual --arch=amd64
--mirror=http://host:/ubuntu

Here a root and an /opt partition are defined, both 4GB in size. Swap is
defined automatically and defaults to 1GB. This works fine and results
in the attached foo.xml libvirt domain definition. In particular the
disk definition looks like this (again, notice the target line):

disk type='file' device='disk'
  source file='/storage/vms/foo/disk0.qcow2'/
  target dev='vda' bus='virtio'/
/disk

This is what the libvirt and KVM documentation pages suggest. After
starting this domain the results are as described above, i.e. either a
hanging boot process or a missing swap partition.

When changing the target bus definition to bus='ide' everything works
correctly. The domain boots as expected and contains all partitions
defined during setup. This has been completely reproducible for me and I
can switch between a working guest domain and a non-working by changing
bus='virtio' to bus='ide' in the domain definition.

This is on a Ubuntu Server Edition installation. I have no idea if this
is a libvirt problem or a problem with KVM or QEMU or something else
entirely. More information follows and please also see the attached
files. If there is anything else I can provide please tell me.

lsb_release -rd:
Description:Ubuntu 9.10
Release:9.10

apt-cache policy libvirt-bin
libvirt-bin:
  Installed: 0.7.0-1ubuntu13.1
  Candidate: 0.7.0-1ubuntu13.1
  Version table:
 *** 0.7.0-1ubuntu13.1 0
500 http://at.archive.ubuntu.com karmic-updates/main Packages
100 /var/lib/dpkg/status
 0.7.0-1ubuntu13 0
500 http://at.archive.ubuntu.com karmic/main Packages

uname -a:
Linux dhcp155 2.6.31-17-server #54-Ubuntu SMP Thu Dec 10 18:06:56 UTC 2009 
x86_64 GNU/Linux

** Affects: libvirt (Ubuntu)
 Importance: Undecided
 Status: New

-- 
Using virtio for block devices makes disks and partitions disappear in KVM/QEMU 
(using vmbuilder and libvirt)
https://bugs.launchpad.net/bugs/517067
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 517067] Re: Using virtio for block devices makes disks and partitions disappear in KVM/QEMU (using vmbuilder and libvirt)

[Andreas Ntaflos]

** Attachment added: Domain definition for guest foo, using virtio for block 
devices
   http://launchpadlibrarian.net/38748978/foo.xml

-- 
Using virtio for block devices makes disks and partitions disappear in KVM/QEMU 
(using vmbuilder and libvirt)
https://bugs.launchpad.net/bugs/517067
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 368962] Re: [Jaunty] Can't reboot kvm virtual machines using virsh

[Andreas Ntaflos]

This bug doesn't seem to have gotten much attention since July last year
but I can report that the issue still exists on Karmic using libvirt-bin
0.7.0-1ubuntu13.1:

$ virsh reboot foo1
Connecting to uri: qemu:///system
error: Failed to reboot domain foo1
error: this function is not supported by the hypervisor: virDomainReboot

The stack trace printed by virt-manager says the same:

Traceback (most recent call last):
  File /usr/share/virt-manager/virtManager/engine.py, line 523, in 
reboot_domain
vm.reboot()
  File /usr/share/virt-manager/virtManager/domain.py, line 554, in reboot
self.vm.reboot(0)
  File /usr/lib/python2.6/dist-packages/libvirt.py, line 398, in reboot
if ret == -1: raise libvirtError ('virDomainReboot() failed', dom=self)
libvirtError: this function is not supported by the hypervisor: virDomainReboot

Anything we users can or should do here?

-- 
[Jaunty] Can't reboot kvm virtual machines using virsh
https://bugs.launchpad.net/bugs/368962
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs