Re: [Bug 579584] Re: setgid, setuid needed by /etc/apparmor.d/abstractions/libvirt-qemu
Jamie,

Attached, but it appears to be all comments.

Thanks,
Jeff

On Thu, May 27, 2010 at 9:41 AM, Jamie Strandboge ja...@ubuntu.com wrote:
s450r1, can you attach your /etc/libvirt/qemu.conf file?

--
setgid, setuid needed by /etc/apparmor.d/abstractions/libvirt-qemu
https://bugs.launchpad.net/bugs/579584
You received this bug notification because you are a direct subscriber of the bug.

Status in “libvirt” package in Ubuntu: Incomplete

Bug description:
I couldn't boot any guest VMs with virsh until I modified /etc/apparmor.d/abstractions/libvirt-qemu:

j...@kvmhost:~$ sudo bzr diff /etc/apparmor.d/
=== modified file 'apparmor.d/abstractions/libvirt-qemu' --- apparmor.d/abstractions/libvirt-qemu 2010-04-30 15:33:20 + +++ apparmor.d/abstractions/libvirt-qemu 2010-05-12 17:26:56 + 
@@ -8,6 +8,8 @@ capability dac_override, capability dac_read_search, capability chown, + capability setgid, + capability setuid, # this is needed with libcap-ng support, however it breaks a lot of things # atm, so just silence the denial until libcap-ng works right. LP: #522845

... and restarted apparmor and libvirtd.

Without `capability setgid`, the qemu guest log file contained:

LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=none /usr/bin/kvm -S -M pc-0.11 -enable-kvm -m 512 -smp 1 -name dm1 -uuid 79d03a71-3be6-19df-1070-791239480888 -chardev socket,id=monitor,path=/var/lib/libvirt/qemu/dm1.monitor,server,nowait -monitor chardev:monitor -boot c -drive file=/var/vm/dm1/disk0.qcow2,if=ide,index=0,boot=on -drive file=/var/vm/dm1/disk1.qcow2,if=ide,index=1 -net nic,macaddr=52:54:00:bf:75:90,vlan=0,model=virtio,name=virtio.0 -net tap,fd=50,vlan=0,name=tap.0 -serial none -parallel none -usb -vnc 127.0.0.1:0 -vga cirrus
libvir: QEMU error : cannot change to '109' group: Operation not permitted

Without `capability setuid`, the qemu guest log file contained:

LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=none /usr/bin/kvm -S -M pc-0.11 -enable-kvm -m 512 -smp 1 -name dm1 -uuid 79d03a71-3be6-19df-1070-791239480888 -chardev socket,id=monitor,path=/var/lib/libvirt/qemu/dm1.monitor,server,nowait -monitor chardev:monitor -boot c -drive file=/var/vm/dm1/disk0.qcow2,if=ide,index=0,boot=on -drive file=/var/vm/dm1/disk1.qcow2,if=ide,index=1 -net nic,macaddr=52:54:00:bf:75:90,vlan=0,model=virtio,name=virtio.0 -net tap,fd=50,vlan=0,name=tap.0 -serial none -parallel none -usb -vnc 127.0.0.1:0 -vga cirrus
libvir: QEMU error : cannot change to '104' user: Operation not permitted

I don't really know if these changes were the right thing to do, but it did allow me to boot the VMs with virsh.
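Review bot: The two added rules after `capability chown,` (`capability setgid,` and `capability setuid,`) sit in an abstraction, so every profile that includes abstractions/libvirt-qemu gains them, not only the guest that failed to start. The guest logs show the denials come from a switch to group '109' and user '104', while the reply says the attached qemu.conf appears to be all comments, so it is worth establishing where that uid/gid change is requested before granting both capabilities this broadly.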
j...@kvmhost:~$ lsb_release -rd
Description:    Ubuntu 10.04 LTS
Release:        10.04
j...@kvmhost:~$ apt-cache policy libvirt-bin kvm qemu-kvm
libvirt-bin:
  Installed: 0.7.5-5ubuntu27
  Candidate: 0.7.5-5ubuntu27
  Version table:
 *** 0.7.5-5ubuntu27 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
kvm:
  Installed: 1:84+dfsg-0ubuntu16+0.12.3+noroms+0ubuntu9
  Candidate: 1:84+dfsg-0ubuntu16+0.12.3+noroms+0ubuntu9
  Version table:
 *** 1:84+dfsg-0ubuntu16+0.12.3+noroms+0ubuntu9 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
qemu-kvm:
  Installed: 0.12.3+noroms-0ubuntu9
  Candidate: 0.12.3+noroms-0ubuntu9
  Version table:
 *** 0.12.3+noroms-0ubuntu9 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status

To unsubscribe from this bug, go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/579584/+subscribe

** Attachment added: qemu.conf
   http://launchpadlibrarian.net/49276652/qemu.conf

--
setgid, setuid needed by /etc/apparmor.d/abstractions/libvirt-qemu
https://bugs.launchpad.net/bugs/579584
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu.

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 579584] Re: setgid, setuid needed by /etc/apparmor.d/abstractions/libvirt-qemu
Mathias,

The complete command line to start virsh was `sudo virsh`. Here's the guest description for one of the guests:

j...@kvmhost:~$ sudo virsh dumpxml couchdb1
<domain type='kvm' id='1'>
  <name>couchdb1</name>
  <uuid>57861152-9d28-c67d-87c6-a0295a418121</uuid>
  <memory>2097152</memory>
  <currentMemory>2097152</currentMemory>
  <vcpu>3</vcpu>
  <os>
    <type arch='x86_64' machine='pc-0.11'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/bin/kvm</emulator>
    <disk type='file' device='disk'>
      <source file='/var/vm/couchdb1/disk0.qcow2'/>
      <target dev='hda' bus='ide'/>
    </disk>
    <disk type='file' device='disk'>
      <source file='/var/vm/couchdb1/disk1.qcow2'/>
      <target dev='hdb' bus='ide'/>
    </disk>
    <interface type='bridge'>
      <mac address='52:54:00:c8:8c:c5'/>
      <source bridge='br0'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
    </interface>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='5900' autoport='yes' listen='127.0.0.1'/>
    <video>
      <model type='cirrus' vram='9216' heads='1'/>
    </video>
  </devices>
  <seclabel type='dynamic' model='apparmor'>
    <label>libvirt-57861152-9d28-c67d-87c6-a0295a418121</label>
    <imagelabel>libvirt-57861152-9d28-c67d-87c6-a0295a418121</imagelabel>
  </seclabel>
</domain>
[Bug 579584] [NEW] setgid, setuid needed by /etc/apparmor.d/abstractions/libvirt-qemu
Public bug reported:

I couldn't boot any guest VMs with virsh until I modified /etc/apparmor.d/abstractions/libvirt-qemu:

j...@kvmhost:~$ sudo bzr diff /etc/apparmor.d/
=== modified file 'apparmor.d/abstractions/libvirt-qemu' --- apparmor.d/abstractions/libvirt-qemu2010-04-30 15:33:20 + +++ apparmor.d/abstractions/libvirt-qemu2010-05-12 17:26:56 + 
@@ -8,6 +8,8 @@ capability dac_override, capability dac_read_search, capability chown, + capability setgid, + capability setuid, # this is needed with libcap-ng support, however it breaks a lot of things # atm, so just silence the denial until libcap-ng works right. LP: #522845

... and restarted apparmor and libvirtd.

Without `capability setgid`, the qemu guest log file contained:

LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=none /usr/bin/kvm -S -M pc-0.11 -enable-kvm -m 512 -smp 1 -name dm1 -uuid 79d03a71-3be6-19df-1070-791239480888 -chardev socket,id=monitor,path=/var/lib/libvirt/qemu/dm1.monitor,server,nowait -monitor chardev:monitor -boot c -drive file=/var/vm/dm1/disk0.qcow2,if=ide,index=0,boot=on -drive file=/var/vm/dm1/disk1.qcow2,if=ide,index=1 -net nic,macaddr=52:54:00:bf:75:90,vlan=0,model=virtio,name=virtio.0 -net tap,fd=50,vlan=0,name=tap.0 -serial none -parallel none -usb -vnc 127.0.0.1:0 -vga cirrus
libvir: QEMU error : cannot change to '109' group: Operation not permitted

Without `capability setuid`, the qemu guest log file contained:

LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=none /usr/bin/kvm -S -M pc-0.11 -enable-kvm -m 512 -smp 1 -name dm1 -uuid 79d03a71-3be6-19df-1070-791239480888 -chardev socket,id=monitor,path=/var/lib/libvirt/qemu/dm1.monitor,server,nowait -monitor chardev:monitor -boot c -drive file=/var/vm/dm1/disk0.qcow2,if=ide,index=0,boot=on -drive file=/var/vm/dm1/disk1.qcow2,if=ide,index=1 -net nic,macaddr=52:54:00:bf:75:90,vlan=0,model=virtio,name=virtio.0 -net tap,fd=50,vlan=0,name=tap.0 -serial none -parallel none -usb -vnc 127.0.0.1:0 -vga cirrus
libvir: QEMU error : cannot change to '104' user: Operation not permitted

I don't really know if these changes were the right thing to do, but it did allow me to boot the VMs with virsh.
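Review bot: The added `capability setgid,` and `capability setuid,` lines carry no comment, whereas the rule right after them explains itself and cites LP: #522845. Suggest a comment above the two rules saying they permit the user and group change reported in the guest log ('104' user, '109' group), with a reference to LP: #579584, so a later reader can tell why they were granted.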
j...@kvmhost:~$ lsb_release -rd
Description:    Ubuntu 10.04 LTS
Release:        10.04
j...@kvmhost:~$ apt-cache policy libvirt-bin kvm qemu-kvm
libvirt-bin:
  Installed: 0.7.5-5ubuntu27
  Candidate: 0.7.5-5ubuntu27
  Version table:
 *** 0.7.5-5ubuntu27 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
kvm:
  Installed: 1:84+dfsg-0ubuntu16+0.12.3+noroms+0ubuntu9
  Candidate: 1:84+dfsg-0ubuntu16+0.12.3+noroms+0ubuntu9
  Version table:
 *** 1:84+dfsg-0ubuntu16+0.12.3+noroms+0ubuntu9 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
qemu-kvm:
  Installed: 0.12.3+noroms-0ubuntu9
  Candidate: 0.12.3+noroms-0ubuntu9
  Version table:
 *** 0.12.3+noroms-0ubuntu9 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status

** Affects: libvirt (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: apparmor