Public bug reported:

Reproducible: Yes, every time.

Background:

When you create a virtual machine (VM) under KVM/Qemu in Ubuntu,
apparmor files are created as:

/etc/apparmor.d/libvirt/libvirt-<UUID>
  and
/etc/apparmor.d/libvirt/libvirt-<UUID>.files

And in the file /etc/apparmor.d/libvirt/libvirt-<UUID>.files there is
the line

  "PATH_to_BLOCK_DEVICE" rw,

where PATH_to_BLOCK_DEVICE is the full path name of the image (e.g. something
like /var/lib/libvirtd/images/asdf.qcow2) and <UUID> is the UUID of the VM
container.

The problem:

When creating a snapshot of a running VM under KVM/Qemu you run the
command

$ sudo virsh snapshot-create-as DOMAIN_NAME DESCRIPTION --no-metadata --disk-only --atomic

which creates a new file and stops writing to the old VM block device.

However: the old PATH_to_BLOCK_DEVICE in /etc/apparmor.d/libvirt/libvirt-UUID.files
is deleted and replaced with the new block device info BEFORE virsh is done
creating the snapshot. So you get the error

error: internal error: unable to execute QEMU command 'transaction':
Could not open 'PATH_to_BLOCK_DEVICE': Could not open
'PATH_to_BLOCK_DEVICE': Permission denied: Permission denied

and in /var/log/syslog you get the error:

type=1400 audit(1449752104.054:539): apparmor="DENIED" operation="open" profile="libvirt-<UUID>" name="PATH_to_BLOCK_DEVICE" pid=8710 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=106 ouid=106

When you look now at /etc/apparmor.d/libvirt/libvirt-<UUID>.files you
find that the line that was there

  "PATH_to_BLOCK_DEVICE" rw,

has been replaced with

  "PATH_to_BLOCK_DEVICE.DESCRIPTION" rw,

but you need BOTH LINES in order for the command "virsh snapshot-create-as"
to work (or at least have the old file have read permissions).

-----

Workarounds:

1. Disable apparmor for libvirtd

or
2. Change  /etc/apparmor.d/libvirt/libvirt-<UUID> to look like this

----------
#
# This profile is for the domain whose UUID matches this file.
#

#include <tunables/global>

profile libvirt-UUID {
  #include <abstractions/libvirt-qemu>
  #include <libvirt/libvirt-UUID.files>

  "PATH_to_BLOCK_DEVICE*" rw,
}
-----------

(So if the old line was

     "/var/lib/libvirtd/images/asdf.qcow2" rw,

the line you can add would read something like this:

     "/var/lib/libvirtd/images/asdf*" rw,
)
--------

Details on server:

# lsb_release -rd
Description:    Ubuntu 14.04.3 LTS
Release:        14.04

# apt-cache policy apparmor
apparmor:
  Installed: 2.8.95~2430-0ubuntu5.3
  Candidate: 2.8.95~2430-0ubuntu5.3
  Version table:
 *** 2.8.95~2430-0ubuntu5.3 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.8.95~2430-0ubuntu5.1 0
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     2.8.95~2430-0ubuntu5 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

# apt-cache policy libvirt-bin
libvirt-bin:
  Installed: 1.2.2-0ubuntu13.1.14
  Candidate: 1.2.2-0ubuntu13.1.14
  Version table:
 *** 1.2.2-0ubuntu13.1.14 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.2.2-0ubuntu13.1.7 0
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     1.2.2-0ubuntu13 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

-----

Apologies if this is the wrong place to submit this bug.

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

** Summary changed:

- virsh with apparmor misconfigures libvirtd-UUID files during snapshot
+ virsh with apparmor misconfigures libvirt-UUID files during snapshot

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1525310

Title:
  virsh with apparmor misconfigures libvirt-UUID files during snapshot

Status in apparmor package in Ubuntu:
  New


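Added example (not part of the bug report above, and not libvirt's or virt-aa-helper's own code): a small checker that reads the per-domain AppArmor rules and compares them against the qcow2 backing chain of the disk. That is exactly what goes wrong in the report: a disk-only snapshot makes the new file an overlay whose backing file is the old image, so QEMU reopens the old path read-only during the 'transaction' command (hence requested_mask="r" in the audit line) even though it will never write to it again. The script parses the quoted-path rule form libvirt writes into libvirt-<UUID>.files, understands the "*" and "**" globs used in the workaround, and reports every image in the chain that lacks the access it needs. The script name, the sample rule text, the image names and the backing-chain JSON (shaped like `qemu-img info --backing-chain --output=json` output) are constructed for the example so it runs offline; given real arguments it queries the host instead.

```python
"""Check that a libvirt per-domain AppArmor rule set lets QEMU reach every
image in a qcow2 backing chain.  Added example, not libvirt's own tooling.
Assumes rules use the quoted-path form virt-aa-helper writes ("/path" rw,)
and that the chain comes from `qemu-img info --backing-chain --output=json`
(a JSON array of per-layer objects, active layer first); a constructed
sample of that output is embedded so the script runs without a hypervisor.
"""
import json
import re
import subprocess
import sys

# One libvirt-style rule: optional indent, quoted path, perm letters, comma.
RULE_RE = re.compile(r'^\s*"([^"]+)"\s+([a-z]+)\s*,\s*$')


def apparmor_glob_to_regex(pattern):
    """AppArmor path globbing: '**' matches anything including '/',
    '*' any run without '/', '?' one non-'/' char; the rest is literal."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
            continue
        ch = pattern[i]
        parts.append("[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def parse_rules(profile_text):
    """Return [(compiled_glob, {perm letters})] for each path rule found."""
    rules = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((apparmor_glob_to_regex(m.group(1)), set(m.group(2))))
    return rules


def granted(rules, path):
    """Union of permissions from every rule whose glob matches the path."""
    perms = set()
    for glob_rx, perm in rules:
        if glob_rx.match(path):
            perms |= perm
    return perms


def backing_chain(qemu_img_json):
    """Flatten qemu-img's JSON array into filenames, active layer first."""
    return [layer["filename"] for layer in json.loads(qemu_img_json)]


def missing_access(profile_text, chain):
    """Active layer needs rw; each backing file needs at least r, because
    QEMU reopens it read-only behind the new overlay.  Returns
    [(path, missing perm letters)]; empty means the whole chain is covered."""
    rules = parse_rules(profile_text)
    problems = []
    for depth, path in enumerate(chain):
        need = {"r", "w"} if depth == 0 else {"r"}
        lacking = need - granted(rules, path)
        if lacking:
            problems.append((path, "".join(sorted(lacking))))
    return problems


# Constructed sample: the .files list as the report describes it after the
# snapshot (only the new overlay is listed), and the same list plus the
# glob workaround from the report.  File names are invented for the example.
BROKEN_FILES = '''
  "/var/lib/libvirtd/images/asdf.snap1" rw,
  "/dev/net/tun" rw,
'''
WORKAROUND_FILES = BROKEN_FILES + '  "/var/lib/libvirtd/images/asdf*" rw,\n'

# Constructed stand-in for `qemu-img info --backing-chain --output=json`
# run on the new overlay: the overlay first, its backing file second.
SAMPLE_CHAIN_JSON = json.dumps([
    {"filename": "/var/lib/libvirtd/images/asdf.snap1", "format": "qcow2",
     "backing-filename": "/var/lib/libvirtd/images/asdf.qcow2"},
    {"filename": "/var/lib/libvirtd/images/asdf.qcow2", "format": "qcow2"},
])


def main(argv):
    """usage: check_chain.py PROFILE_FILE... IMAGE     (no args: offline sample)
    Pass both libvirt-<UUID> and libvirt-<UUID>.files so glob rules added to
    the wrapper profile are seen too."""
    if len(argv) >= 3:
        text = "".join(open(p).read() for p in argv[1:-1])
        out = subprocess.check_output(
            ["qemu-img", "info", "--backing-chain", "--output=json", argv[-1]])
        chain = backing_chain(out)
    else:
        text, chain = WORKAROUND_FILES, backing_chain(SAMPLE_CHAIN_JSON)
    problems = missing_access(text, chain)
    for path, lacking in problems:
        print("MISSING %s on %s" % (lacking, path))
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Against the sample, the post-snapshot list alone reports the old image as missing "r", and adding the "asdf*" glob clears it. Two caveats for anyone using the glob workaround: it grants rw, not just r, to the whole backing chain, and it covers any other file in that directory whose name starts with "asdf", so a tighter rule listing the old image with plain r is preferable where you can keep the list current.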