[Bug 1004606] Re: virsh create-snapshot fails to create external snapshot (blockdev-snapshot-sync fails in json monitor)
Thanks. So in your case, because there is a separate directory for images for your domain, it would be safe to add

  /var/lib/libvirt/images/jam1/*.qcow2 rw,

to your /etc/apparmor.d/libvirt/libvirt-dafd2c09-a81d-4ee3-a95c-beb50aecf4e8.files

However, in cases where the domain's disk image is a file under /var/lib/libvirt/images/ itself, this is not safe.

Can you confirm that adding the above line to that file works around the issue for you?

** Changed in: libvirt (Ubuntu)
       Status: Fix Released => Triaged

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in Ubuntu.
https://bugs.launchpad.net/bugs/1004606

Title:
  virsh create-snapshot fails to create external snapshot (blockdev-snapshot-sync fails in json monitor)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1004606/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1004606] Re: virsh create-snapshot fails to create external snapshot (blockdev-snapshot-sync fails in json monitor)
I believe this is fixed at least in trusty (have not tried elsewhere). At least I can create external snapshots of a stopped domain, then start the domain. (The snapshot image is listed in /etc/apparmor.d/libvirt/libvirt-$uuid.files).

I will mark this fix committed; if it is still broken for you (in trusty) then please reply. I will mark it as affecting precise. If there are other releases where it is still valid please let me know.

** No longer affects: qemu-kvm (Ubuntu)

** Also affects: libvirt (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Changed in: libvirt (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: libvirt (Ubuntu)
   Importance: Undecided => Medium

** Changed in: libvirt (Ubuntu Precise)
   Importance: Undecided => Medium

** Changed in: libvirt (Ubuntu Precise)
       Status: New => Triaged
[Bug 1004606] Re: virsh create-snapshot fails to create external snapshot (blockdev-snapshot-sync fails in json monitor)
** Tags added: precise
[Bug 1004606] Re: virsh create-snapshot fails to create external snapshot (blockdev-snapshot-sync fails in json monitor)
In the /etc/apparmor.d/local/usr.sbin.libvirtd file I just created one rule to give libvirtd read'n'write access to the images in my storage pool with the following line:

  /var/lib/libvirt/images/*.img rw,

As preliminary: I have created my own naming convention for my overlays; these are used for incremental backups to another server. This convention can be found in my abstraction and has to be adjusted to your own needs.

First of all I've created my own abstraction as /etc/apparmor.d/local/abstraction-libvirt-storage. This file gives the clients access to the important images like that:

  /var/lib/libvirt/images/*.base.img rw,
  /var/lib/libvirt/images/*.base.img rw,
  /var/lib/libvirt/images/*.stable_overlay.img rw,
  /var/lib/libvirt/images/*.running.img rw,

The /etc/apparmor.d/libvirt/TEMPLATE file is a source for all rule files in /etc/apparmor.d/libvirt/. There you need to source the abstraction-libvirt-storage so the TEMPLATE looks similar to this one (adjust to your own needs):

  profile LIBVIRT_TEMPLATE {
    #include <abstractions/libvirt-qemu>
    #include <local/abstraction-libvirt-storage>
  }

It is also possible to put the information of the abstraction-libvirt-storage file directly into the TEMPLATE, but a change to some of the rules would require editing multiple files (/etc/apparmor.d/libvirt/*).

I hope this will help. These adjustments should be fine for safety requirements, because the host should still be secured against guests and that's the only thing you can do with libvirt+apparmor.
[Bug 1004606] Re: virsh create-snapshot fails to create external snapshot (blockdev-snapshot-sync fails in json monitor)
** Tags added: 13.04
[Bug 1004606] Re: virsh create-snapshot fails to create external snapshot (blockdev-snapshot-sync fails in json monitor)
Yes Theodor, please share your apparmor-rules :)

For the moment I am following this guide to disable just the libvirt-apparmor-profile:
http://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.0.2/html/Installation_Guide/hypervisor-kvm-install-flow.html#hypervisor-host-install-security-policies

Configure Apparmor (Ubuntu)

  $ sudo ln -s /etc/apparmor.d/usr.sbin.libvirtd /etc/apparmor.d/disable/
  $ sudo ln -s /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper /etc/apparmor.d/disable/
  $ sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.libvirtd
  $ sudo apparmor_parser -R /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper

Stop running virtual machines.

  $ sudo service apparmor restart
  $ sudo apparmor_status

Start machines again.
[Bug 1004606] Re: virsh create-snapshot fails to create external snapshot (blockdev-snapshot-sync fails in json monitor)
Theodor, can you please tell the rules that you added under TEMPLATE and /etc/apparmor.d/local/usr.sbin.libvirt?

Thanks!
[Bug 1004606] Re: virsh create-snapshot fails to create external snapshot (blockdev-snapshot-sync fails in json monitor)
I found a workaround that looks better than deactivating apparmor. I found here ( http://libvirt.org/drvqemu.html#securitysvirtaa ) the information that Apparmor is „just“ used for protecting the vm host and that there is a TEMPLATE under /etc/apparmor.d/libvirt/ that can be modified. In that TEMPLATE I included one of my own rules and under /etc/apparmor.d/local/usr.sbin.libvirtd I added a similar rule.
[Bug 1004606] Re: virsh create-snapshot fails to create external snapshot (blockdev-snapshot-sync fails in json monitor)
Is there any bugfix in sight or work around known except for disabling apparmor?
Re: [Bug 1004606] Re: virsh create-snapshot fails to create external snapshot (blockdev-snapshot-sync fails in json monitor)
I don't know other workarounds.

2013/5/17 Theodor van Nahl 1004...@bugs.launchpad.net:
> Is there any bugfix in sight or work around known except for disabling apparmor?
>
> --
> You received this bug notification because you are subscribed to a duplicate bug report (1096125).

--
Riccardo Casatta
Re: [Bug 1004606] Re: virsh create-snapshot fails to create external snapshot (blockdev-snapshot-sync fails in json monitor)
 affects ubuntu/libvirt
 status confirmed
 priority medium
[Bug 1004606] Re: virsh create-snapshot fails to create external snapshot (blockdev-snapshot-sync fails in json monitor)
also present in Ubuntu 13.04 Raring
[Bug 1004606] Re: virsh create-snapshot fails to create external snapshot (blockdev-snapshot-sync fails in json monitor)
also present in Ubuntu 12.10 Quantal
[Bug 1004606] Re: virsh create-snapshot fails to create external snapshot (blockdev-snapshot-sync fails in json monitor)
Thanks, Davide, can you tell us the paths of the snapshot files which need to be whitelisted?
[Bug 1004606] Re: virsh create-snapshot fails to create external snapshot (blockdev-snapshot-sync fails in json monitor)
The path, excluding extension, is the same as the original image. Unfortunately the extension can be chosen by the user:

  Name
    The name for this snapshot. If the name is specified when initially creating the snapshot, then the snapshot will have that particular name. If the name is omitted when initially creating the snapshot, then libvirt will make up a name for the snapshot, based on the time when it was created.

(from http://libvirt.org/formatsnapshot.html, with the name parameter)

Assuming my_dom disk image is stored under /nfs/diskimages/my_dom.img, a command like the following:

  # snapshot-create-as my_dom my_snap --disk-only

will create /nfs/diskimages/my_dom.my_snap, changing the domain definition XML to use this file instead of /nfs/diskimages/my_dom.img (/nfs/diskimages/my_dom.img will be a backing file for /nfs/diskimages/my_dom.my_snap).

However I fear it's not that simple, because even if I try to use a snapshot name like mysnap.img, the snapshot still fails because the original image name is removed from the apparmor profile dynamically created/maintained by libvirt under /etc/apparmor.d/libvirt. The original filename is replaced with the new image name.

So, to sum up, I think the following might be needed in order to make disk-only snapshots work:

1) virt-aa-helper (/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper) should be able to read virtual machine image files even if the extension isn't img/qcow2/...
2) dynamically created profiles for libvirt (/etc/apparmor.d/libvirt/libvirt-.files) should retain the old image filename

Please be aware that after the snapshot-create command fails, the corresponding profile under /etc/apparmor.d/libvirt/ isn't coherent anymore with the real filename for virtual images.
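Added example, not part of the original thread and not libvirt or AppArmor code: a small Python check for two points raised in this thread, that a --disk-only snapshot of my_dom.img named my_snap lands at my_dom.my_snap, which the per-domain profile does not cover, and that a wildcard rule is only safe when the domain has its own image directory. It handles only the *, **, ? and {a,b} glob forms; jam2, disk0 and the sample rule sets are constructed for illustration.

```python
import os
import re

# Matches AppArmor file rules such as:  "/path/with/glob" rw,
RULE = re.compile(r'^\s*"?(/[^"\s]*)"?\s+([a-z]+),')

def aa_glob_to_regex(glob):
    """AppArmor glob -> regex. '*' and '?' stop at '/', '**' crosses it.
    Character classes ([...]) are not handled (treated as literals)."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*"); i += 2; continue
        if c == "*": out.append("[^/]*")
        elif c == "?": out.append("[^/]")
        elif c == "{": out.append("(?:"); depth += 1
        elif c == "}" and depth: out.append(")"); depth -= 1
        elif c == "," and depth: out.append("|")
        else: out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

def parse_rules(text):
    """Return [(compiled_path_regex, perms)] for every file rule in text."""
    return [(aa_glob_to_regex(m.group(1)), m.group(2))
            for m in map(RULE.match, text.splitlines()) if m]

def external_snapshot_path(disk, snap_name):
    """Path as described in the thread: same stem, snapshot name as extension."""
    stem, _ext = os.path.splitext(disk)
    return f"{stem}.{snap_name}"

def audit(rules_text, disk, snap_name, other_images):
    """Can qemu write the new overlay, and what else does the rule set expose?"""
    rules = parse_rules(rules_text)
    snap = external_snapshot_path(disk, snap_name)
    def writable(path):
        return any("w" in perms and rx.fullmatch(path) for rx, perms in rules)
    return {
        "snapshot": snap,
        "snapshot_writable": writable(snap),
        "backing_still_listed": any(rx.fullmatch(disk) for rx, _ in rules),
        "exposed": [p for p in other_images if writable(p)],
    }

# Constructed rule sets: exact path (generated-profile style), per-domain
# directory wildcard, and a wildcard over the shared images directory.
EXACT = '  "/var/lib/libvirt/images/jam1/disk0.qcow2" rw,\n'
PER_DIR = EXACT + "  /var/lib/libvirt/images/jam1/*.qcow2 rw,\n"
FLAT = "  /var/lib/libvirt/images/*.qcow2 rw,\n"
OTHERS = ["/var/lib/libvirt/images/jam2/disk0.qcow2",
          "/var/lib/libvirt/images/jam2.qcow2"]

if __name__ == "__main__":
    d = "/var/lib/libvirt/images/jam1/disk0.qcow2"
    for name, rules, disk, snap in [("exact", EXACT, d, "snap1"),
                                    ("per-dir", PER_DIR, d, "snap1.qcow2"),
                                    ("flat", FLAT, "/var/lib/libvirt/images/jam1.qcow2", "snap1.qcow2")]:
        print(name, audit(rules, disk, snap, OTHERS))
```

A non-empty "exposed" list means the candidate rule also grants write access to another domain's image.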
[Bug 1004606] Re: virsh create-snapshot fails to create external snapshot (blockdev-snapshot-sync fails in json monitor)
** Tags added: apparmor
[Bug 1004606] Re: virsh create-snapshot fails to create external snapshot (blockdev-snapshot-sync fails in json monitor)
Thanks Murrayy, actually it's apparmor that is the problem: the --disk-only option of snapshot-create[-as] only supports external snapshots, so it tries to create a new file whose name matches no apparmor regexps in the corresponding profile.
[Bug 1004606] Re: virsh create-snapshot fails to create external snapshot (blockdev-snapshot-sync fails in json monitor)
I think it's apparmor; I had a similar error and it went away by deactivating the corresponding apparmor profile. Check your syslog for apparmor messages please.