[Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled
Based on Thomas' assessment, should the title of this bug be adjusted and the apparmor tag removed?

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in Ubuntu.
https://bugs.launchpad.net/bugs/632696

Title:
  libvirt won't start a VM with serial or console when apparmor is enabled

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/632696/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled
Quoting Jamie Strandboge (ja...@ubuntu.com):
> Based on Thomas' assessment, should the title of this bug be adjusted and the apparmor tag removed?

Since disabling apparmor works around the problem, I don't think so.

I'm going to have to install a maverick partition on a physical laptop to test several bugs, and will try to reproduce and get to the bottom of this one then.
[Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled
Serge, but comment #25 by Thomas said he is having the problem even with AppArmor disabled...
[Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled
Jamie, sorry, I thought his latest comment mentioned that as a working workaround, but I must have seen it in the description. So yes, removing the tag seems good.

** Description changed:

  I get the error:

  Error starting domain: internal error Process exited while reading console log output: chardev: opening backend pty failed

- Traceback (most recent call last):
- File /usr/share/virt-manager/virtManager/engine.py, line 814, in run_domain
- vm.startup()
- File /usr/share/virt-manager/virtManager/domain.py, line 1296, in startup
- self._backend.create()
- File /usr/lib/python2.6/dist-packages/libvirt.py, line 333, in create
- if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
+ File /usr/share/virt-manager/virtManager/engine.py, line 814, in run_domain
+ vm.startup()
+ File /usr/share/virt-manager/virtManager/domain.py, line 1296, in startup
+ self._backend.create()
+ File /usr/lib/python2.6/dist-packages/libvirt.py, line 333, in create
+ if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
  libvirtError: internal error Process exited while reading console log output: chardev: opening backend pty failed
-
- Turning off apparmor fixes it. Re-enabling it stops libvirt from creating VMs again.
+ It was originally thought that turning off apparmor fixes it, and re-
+ enabling apparmor stops libvirt from creating VMs again. Later reports
+ claim this is not the case.

  ProblemType: Bug
  DistroRelease: Ubuntu 10.10
  Package: libvirt-bin 0.8.3-1ubuntu9
  ProcVersionSignature: Ubuntu 2.6.35-19.28-generic 2.6.35.3
  Uname: Linux 2.6.35-19-generic x86_64
  NonfreeKernelModules: nvidia
  Architecture: amd64
  Date: Tue Sep 7 16:05:19 2010
  InstallationMedia: Ubuntu 10.10 Maverick Meerkat - Alpha amd64 (20100820)
  ProcEnviron:
- PATH=(custom, user)
- LANG=en_US.utf8
- SHELL=/bin/bash
+ PATH=(custom, user)
+ LANG=en_US.utf8
+ SHELL=/bin/bash
  SourcePackage: libvirt

** Summary changed:

- libvirt won't start a VM with serial or console when apparmor is enabled
+ libvirt won't start a VM with serial or console
[Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled
The only real fix is not to use lxc/kvm on one hardware in parallel. As long as you use *only* kvm/lxc you'll not see this error any more. This is because most lxc-tools do not use libvirtd for operations.

At least with version 0.8.8-1ubuntu6.5 (available from the mainline repositories) some other errors are fixed - this one is not.
[Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled
@Thomas, could you tell us which testing ppa version of kvm fixes it? Do you know which upstream commit fixes it?

We should be able to push this fix back into maverick.
[Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled
** Changed in: libvirt (Ubuntu Maverick)
       Status: New => Confirmed
[Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled
Looks like it is fixed with libvirt 0.8.8. Unfortunately this package is only available from a testing ppa
[Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled
I see this error since today. Even stopping apparmor, then tearing down all profiles, trying to start a kvm host gives:

root@vh01:~# service apparmor stop
 * Clearing AppArmor profiles cache [ OK ]
All profile caches have been cleared, but no profiles have been unloaded.
Unloading profiles will leave already running processes permanently
unconfined, which can lead to unexpected situations.

To set a process to complain mode, use the command line tool
'aa-complain'. To really tear down all profiles, run the init script
with the 'teardown' option.
root@vh01:~# service apparmor teardown
 * Unloading AppArmor profiles [ OK ]
root@vh01:~# virsh start ns1
error: Failed to start domain ns1
error: internal error Process exited while reading console log output: chardev: opening backend pty failed

Looks like this is related to latest apparmor updates, but these do not fix the error.
[Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled
I've run into this issue twice now today. I can be creating VMs just fine and then go to create another one and it fails with this error. Rebooting fixed the issue the first time and I was able to create VMs again like normal but then for seemingly no reason I started getting the error again.
[Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled
I've not been able to reproduce this since the ninth, so I'd like to mark it invalid. Jamie, is that ok with you?
[Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled
I have never been able to reproduce. I've certainly known libvirt to right itself after a full reboot, so maybe something weird was going on. Feel free to re-open if you can reproduce.

** Changed in: libvirt (Ubuntu Maverick)
       Status: New => Invalid

** Changed in: libvirt (Ubuntu Maverick)
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)
[Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled
** Tags added: server-mrs
[Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled
Fascinating, today the problem is back.
[Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled
I chowned and chmoded /srv/libvirt-storage-pool-1 to be

se...@sergelap:~/ $ ls -ld /srv/libvirt-storage-pool-1/
drwxr-x--- 2 root kvm 4096 2010-09-03 09:45 /srv/libvirt-storage-pool-1/

and made sure to be in the kvm group, but this still did not suffice. The errors in the log are as usual:

[ 2844.242158] type=1400 audit(1284123328.335:34): apparmor=DENIED operation=open parent=1006 profile=libvirt-4b49b0f2-18e7-ef59-f9c6-d37703a6ca21 name=/proc/1011/fd/ pid=1011 comm=kvm requested_mask=r denied_mask=r fsuid=117 ouid=117
[ 2844.242322] type=1400 audit(1284123328.335:35): apparmor=DENIED operation=exec parent=1006 profile=libvirt-4b49b0f2-18e7-ef59-f9c6-d37703a6ca21 name=/usr/lib/pt_chown pid=1011 comm=kvm requested_mask=x denied_mask=x fsuid=117 ouid=0

I did an apt-get dist-upgrade yesterday, don't know if that's what re-caused the error.

I re-added the 3 lines to /etc/apparmor.d/abstractions/libvirt-qemu and did 'sudo /etc/init.d/apparmor restart; sudo restart libvirt-bin', after which it still failed but with the error:

[ 3056.875668] type=1400 audit(1284123541.145:53): apparmor=DENIED operation=capable parent=6063 profile=libvirt-4b49b0f2-18e7-ef59-f9c6-d37703a6ca21 pid=6065 comm=pt_chown capability=3 capname=fowner

It's not clear to me if there is an easy (and safe) way to hand cap_fowner to pt_chown there?

** Changed in: libvirt (Ubuntu Maverick)
       Status: Incomplete => New
[Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled
We can create a child profile for pt_chown so only it would get cap_fowner. Can you try the following in /etc/apparmor.d/abstractions/libvirt-qemu:

  owner @{PROC}/[0-9]*/fd/ r,
  owner @{PROC}/[0-9]*/fd/3 r,
  /usr/lib/pt_chown cix -> libvirt_pt_chown,
  profile libvirt_pt_chown {
    capability fowner,
  }
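
The three denials quoted in this thread, parsed and grouped by confined command, as an added example that is not part of the bug report, libvirt or AppArmor. Function names are hypothetical; the log lines are copied from the thread, and because the archive dropped the quotes around values the parser accepts both quoted and unquoted fields. Grouping by comm shows that only pt_chown asked for fowner, which is the case for scoping that capability to a child profile.

```python
import re

# AppArmor audit records copied from this thread (quotes already stripped
# by the list archive; real kernel logs quote most string values).
SAMPLE_LOG = """\
[ 2844.242158] type=1400 audit(1284123328.335:34): apparmor=DENIED operation=open parent=1006 profile=libvirt-4b49b0f2-18e7-ef59-f9c6-d37703a6ca21 name=/proc/1011/fd/ pid=1011 comm=kvm requested_mask=r denied_mask=r fsuid=117 ouid=117
[ 2844.242322] type=1400 audit(1284123328.335:35): apparmor=DENIED operation=exec parent=1006 profile=libvirt-4b49b0f2-18e7-ef59-f9c6-d37703a6ca21 name=/usr/lib/pt_chown pid=1011 comm=kvm requested_mask=x denied_mask=x fsuid=117 ouid=0
[ 3056.875668] type=1400 audit(1284123541.145:53): apparmor=DENIED operation=capable parent=6063 profile=libvirt-4b49b0f2-18e7-ef59-f9c6-d37703a6ca21 pid=6065 comm=pt_chown capability=3 capname=fowner
"""

# key=value where the value is either "quoted text" or a bare token.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denials(log_text):
    """Return one dict of key=value fields per AppArmor DENIED record."""
    records = []
    for line in log_text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":
            records.append(fields)
    return records


def candidate_rule(rec):
    """Sketch the narrowest profile rule covering one denial, for human review."""
    if rec["operation"] == "capable":
        return f"capability {rec['capname']},"
    # Generalise the pid so the rule still matches after the guest restarts.
    path = re.sub(r"^/proc/\d+/", "@{PROC}/[0-9]*/", rec["name"])
    if "x" in rec["denied_mask"]:
        # An exec rule needs a transition mode (ix, cx, px, ...); which one
        # to grant is a policy decision, so it is left as a placeholder.
        return f"{path} <exec mode>,"
    # 'owner' restricts the rule to files owned by the confined process's uid.
    owner = "owner " if rec.get("fsuid") == rec.get("ouid") else ""
    return f"{owner}{path} {rec['denied_mask']},"


def triage(log_text):
    """Group candidate rules by (profile, comm) so each can be scoped separately."""
    grouped = {}
    for rec in parse_denials(log_text):
        rules = grouped.setdefault((rec["profile"], rec["comm"]), [])
        rule = candidate_rule(rec)
        if rule not in rules:
            rules.append(rule)
    return grouped


if __name__ == "__main__":
    for (profile, comm), rules in triage(SAMPLE_LOG).items():
        print(f"profile {profile} (comm={comm})")
        for rule in rules:
            print(f"    {rule}")
```
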
Re: [Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled
Quoting Jamie Strandboge (ja...@ubuntu.com):
> We can create a child profile for pt_chown so only it would get cap_fowner. Can you try the following in /etc/apparmor.d/abstractions/libvirt-qemu:
>
>   owner @{PROC}/[0-9]*/fd/ r,
>   owner @{PROC}/[0-9]*/fd/3 r,
>   /usr/lib/pt_chown cix -> libvirt_pt_chown,
>   profile libvirt_pt_chown {
>     capability fowner,
>   }

I had rebooted (no choice, having to reboot frequently). This time, even before adding this ruleset, I could start the hosts. So either the recipe:

    /etc/init.d/apparmor restart
    restart libvirt-bin

does not suffice to clear out the rules, or this is a very funky random bug that only happens sometimes.

I'll try to get some time dedicated to testing this this afternoon.
[Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled
I cannot reproduce with the m2.xml file using qemu:///system on the local machine. I used virt-manager to create the /srv/libvirt-storage-pool-1/maverick2.img image (but I had to 'chmod 750 /srv/libvirt-storage-pool-1 ; chgrp kvm /srv/libvirt-storage-pool-1' to make this work).

Can you provide exact steps to reproduce, including any non-default configuration for libvirt (ie, /etc/libvirt/*)?
Re: [Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled
Quoting Jamie Strandboge (ja...@ubuntu.com):
> I cannot reproduce with the m2.xml file using qemu:///system on the local machine. I used virt-manager to create the /srv/libvirt-storage-pool-1/maverick2.img image (but I had to 'chmod 750 /srv/libvirt-storage-pool-1 ; chgrp kvm /srv/libvirt-storage-pool-1' to make this work).
>
> Can you provide exact steps to reproduce, including any non-default configuration for libvirt (ie, /etc/libvirt/*)?

Hm, today it's working fine... FWIW here is my /etc/libvirt/storage/libvirt-storage-pool-1.xml:

<pool type='dir'>
  <name>libvirt-storage-pool-1</name>
  <uuid>088fb527-21da-5cfe-899c-0c785342fffe</uuid>
  <capacity>0</capacity>
  <allocation>0</allocation>
  <available>0</available>
  <source>
  </source>
  <target>
    <path>/srv/libvirt-storage-pool-1</path>
    <permissions>
      <mode>0700</mode>
      <owner>-1</owner>
      <group>-1</group>
    </permissions>
  </target>
</pool>

but

# ls -dl /srv/libvirt-storage-pool-1/
drwxr-xr-x 2 root root 4096 2010-09-03 09:45 /srv/libvirt-storage-pool-1/

Since I can't reproduce at the moment, I've got no problem with marking this Invalid for the moment, and I'll re-open if (when) it happens again?

Weird. (Especially since I did not apt-get update today)
Re: [Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled
Quoting Jamie Strandboge (ja...@ubuntu.com):
> Serge, do you still have the following in your /etc/apparmor.d/abstractions/libvirt-qemu:
>
>   /usr/lib/pt_chown ix,
>   owner @{PROC}/[0-9]*/fd/ r,
>   owner @{PROC}/[0-9]*/fd/3 r,

Right, I pulled those out since they weren't working anyway.

> I didn't see it in your attached libvirt-qemu file either, so I am slightly confused. Updating that file will require a full shutdown of the guest with the profile unloaded on guest shutdown (use 'sudo aa-status' to see). If you do have the above, then that could be why you aren't seeing the issue today (though, like I said, I could not reproduce).

When I added those lines, I then shut down the VMs, and did

    /etc/init.d/apparmor restart
    restart libvirt-bin

and then restarted the VMs. So pretty sure I was testing the rules.
[Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled
Can you attach your /etc/apparmor.d/abstractions/libvirt-qemu file?

** Summary changed:

- libvirt won't start a VM when apparmor is enabled
+ libvirt won't start a VM with serial or console when apparmor is enabled
[Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled
** Attachment added: libvirt-qemu
   https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/632696/+attachment/1555814/+files/libvirt-qemu