Public bug reported:

AppArmor denies libvirtd version 4.0.0-1ubuntu5 the ability to set the
permissions of ZFS block storage devices:

--------------------------------------------------------------------------
Mar 18 23:11:23 adell kernel: [986012.140246] audit: type=1400 audit(1521432683.197:187): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-abe352fc-0470-4f6b-9791-6983b2807e41" pid=48874 comm="apparmor_parser"
Mar 18 23:11:23 adell kernel: [986012.183996] audit: type=1400 audit(1521432683.241:188): apparmor="DENIED" operation="open" profile="libvirt-abe352fc-0470-4f6b-9791-6983b2807e41" name="/dev/zd80" pid=48876 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=106 ouid=106
Mar 18 23:11:23 adell kernel: [986012.184048] audit: type=1400 audit(1521432683.241:189): apparmor="DENIED" operation="open" profile="libvirt-abe352fc-0470-4f6b-9791-6983b2807e41" name="/dev/zd80" pid=48876 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=106 ouid=106
--------------------------------------------------------------------------

For each virtual machine that one tries to start, the libvirt profiles
are deleted from `/etc/apparmor.d/libvirt`, but libvirt should actually
be generating profiles in this directory.

The error message observed by the client is as follows:

--------------------------------------------------------------------------
# virsh start demo-vm
error: Failed to start domain demo-vm
error: internal error: process exited while connecting to monitor: 2018-03-19T04:03:09.710374Z qemu-system-x86_64: -drive file=/dev/zvol/rpool/demo-vm,format=raw,if=none,id=drive-ide0-0-0,cache=none,aio=native: Could not open '/dev/zvol/rpool/demo-vm': Permission denied
--------------------------------------------------------------------------

(In the above output, `/dev/zvol/rpool/demo-vm` is a symbolic link to
`/dev/zd80`.)
Downgrading libvirt-daemon, libvirt0, libvirt-daemon-system, and
libvirt-clients to version 4.0.0-1ubuntu4 makes the issue disappear:

--------------------------------------------------------------------------
# virsh start demo-vm
Domain demo-vm started
--------------------------------------------------------------------------

** Affects: libvirt (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: bionic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1756786

Title:
  Regression in libvirt-daemon 4.0.0-1ubuntu5 breaks AppArmor
  compatibility

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1756786/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
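The audit lines in the report are the only evidence a practitioner has when triaging a denial like this, so the following is an added triage helper (not code from the bug report, from libvirt or from the AppArmor project): it parses type=1400 "DENIED" records into the file rule the confining profile lacks, and it checks whether a given profile fragment covers the path the kernel actually opened. SAMPLE_LOG copies the three kernel lines from the report above (with the extraction-damaged token repaired to requested_mask). The symlink map handed to rule_target(), the profile fragment checked in the usage section, and the helper names are all constructed for this example; profile_covers() understands literal file rules only, not globs or variables.

```python
"""Triage AppArmor "DENIED" audit records such as the ones in the report.

Added example, not libvirt or AppArmor project code.  SAMPLE_LOG is taken
from the report above; the symlink map used under __main__ is a constructed
stand-in for the /dev/zvol/<pool>/<vol> -> /dev/zdN links udev creates.
"""
import os
import re
from collections import defaultdict

# key="quoted value" or key=bare_value, as emitted in type=1400 audit records.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# A literal AppArmor file rule:   "/path" rwk,   or   /path rw,
_RULE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s+([rwamklix]+),\s*$')
# Deterministic letter order when merging masks (cosmetic only).
_PERM_ORDER = "rwamkl"

SAMPLE_LOG = """\
Mar 18 23:11:23 adell kernel: [986012.140246] audit: type=1400 audit(1521432683.197:187): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-abe352fc-0470-4f6b-9791-6983b2807e41" pid=48874 comm="apparmor_parser"
Mar 18 23:11:23 adell kernel: [986012.183996] audit: type=1400 audit(1521432683.241:188): apparmor="DENIED" operation="open" profile="libvirt-abe352fc-0470-4f6b-9791-6983b2807e41" name="/dev/zd80" pid=48876 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=106 ouid=106
Mar 18 23:11:23 adell kernel: [986012.184048] audit: type=1400 audit(1521432683.241:189): apparmor="DENIED" operation="open" profile="libvirt-abe352fc-0470-4f6b-9791-6983b2807e41" name="/dev/zd80" pid=48876 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=106 ouid=106
"""


def parse_audit_line(line):
    """Return the key/value fields of one audit record as a dict of strings."""
    fields = {}
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def denials(log_text):
    """Yield (profile, path, denied_mask) for every DENIED file-access record.
    STATUS records (profile loads/replaces) carry no denied_mask and are skipped."""
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f.get("apparmor") == "DENIED" and "name" in f and "denied_mask" in f:
            yield f["profile"], f["name"], f["denied_mask"]


def missing_rules(log_text):
    """Collapse denials into one rule per (profile, path), merging the denied
    letters ("r" then "wr" -> "rw").  Exec denials ("x") need an exec qualifier
    (ix/px/...) in a real rule and are deliberately not emitted here."""
    perms = defaultdict(set)
    for profile, path, mask in denials(log_text):
        perms[(profile, path)].update(c for c in mask if c in _PERM_ORDER)
    rules = defaultdict(list)
    for (profile, path), letters in sorted(perms.items()):
        if letters:
            ordered = "".join(c for c in _PERM_ORDER if c in letters)
            rules[profile].append(f'  "{path}" {ordered},')
    return dict(rules)


def rule_target(disk_path, resolve=os.path.realpath):
    """AppArmor mediates the path the kernel opens after symlink resolution, so
    a rule naming /dev/zvol/<pool>/<vol> does not cover /dev/zdN.  Return the
    path a rule must name.  `resolve` is injectable so the example runs without
    a real zvol; the default is os.path.realpath."""
    return resolve(disk_path)


def profile_covers(profile_text, path, mask):
    """True if a literal file rule in profile_text grants every letter of mask
    to path.  Simplification: no globbing, no variable expansion."""
    for line in profile_text.splitlines():
        m = _RULE_RE.match(line)
        if m and (m.group(1) or m.group(2)) == path and set(mask) <= set(m.group(3)):
            return True
    return False


if __name__ == "__main__":
    for profile, rules in missing_rules(SAMPLE_LOG).items():
        print(f"profile {profile} lacks:")
        print("\n".join(rules))
    # Constructed symlink map standing in for the udev-created zvol links.
    zvol_links = {"/dev/zvol/rpool/demo-vm": "/dev/zd80"}
    target = rule_target("/dev/zvol/rpool/demo-vm", lambda p: zvol_links.get(p, p))
    # Constructed fragment: a rule written against the symlink name only.
    symlink_only = '  "/dev/zvol/rpool/demo-vm" rwk,\n'
    print(f"rule on the symlink covers {target}: {profile_covers(symlink_only, target, 'rw')}")
```

On a live host the same functions can be fed the output of `dmesg` or `journalctl -k` instead of SAMPLE_LOG. Two caveats when acting on what it prints: the rule has to name the resolved `/dev/zdN` node, not the `/dev/zvol/...` link, and libvirt regenerates the per-domain `libvirt-<UUID>.files` include under `/etc/apparmor.d/libvirt/` every time the domain starts, so pasting the rule into that file does not survive the next `virsh start`; a local addition belongs in the shared abstraction (`/etc/apparmor.d/abstractions/libvirt-qemu`) or, as the report concludes, the regressed package is the thing to fix.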