** Description changed: + ======================================= + SRU Justification: + 1. Impact: tunnelled migration fails + 2. Development fix: adjust the apparmor security driver in libvirt to allow guests the access to the tunneled migration info + 3. Stable fix: same as development fix + 4. Test case: + 1. install libvirt-bin on two machines (sourcehost and targethost) sharing (nfs) storage + 2. set up a kvm guest on the shared storage, start it on sourcehost + 3. create rsa key on sourcehost, and put it into root's authorized_keys on targethost. + 4. virsh migrate --live --p2p --tunnelled guestvm qemu+ssh://targethost/system + 5. regression potential: if the policy change was bad, it could cause libvirt guests to receive too much privilege. + ======================================= + While attempting a live migration the destination host (node1) logs this : Oct 5 17:13:56 node1 kernel: [ 1418.872987] type=1503 audit(1317849236.311:29): operation="mknod" pid=1975 parent=1 profile="libvirt-4aa60863-6b03-2f19-897f-4de6d12c96e1" requested_mask="c::" denied_mask="c::" fsuid=0 ouid=0 name="/var/ run/libvirt/qemu/qemu.tunnelmigrate.dest.guest1" The source system was running this command : root@node2:~# virsh migrate --live --p2p --tunnelled guest1 qemu+ssh://192.168.88.51/system Both systems are running the same distro and package versions : # lsb_release -rd Description: Ubuntu 10.04.3 LTS Release: 10.04 # apt-cache policy libvirt-bin libvirt-bin: - Installed: 0.7.5-5ubuntu27.16 - Candidate: 0.7.5-5ubuntu27.16 - Version table: - *** 0.7.5-5ubuntu27.16 0 - 500 http://archive.ubuntu.com/ubuntu/ lucid-updates/main Packages - 500 http://archive.ubuntu.com/ubuntu/ lucid-security/main Packages - 100 /var/lib/dpkg/status - 0.7.5-5ubuntu27 0 - 500 http://archive.ubuntu.com/ubuntu/ lucid/main Packages + Installed: 0.7.5-5ubuntu27.16 + Candidate: 0.7.5-5ubuntu27.16 + Version table: + *** 0.7.5-5ubuntu27.16 0 + 500 http://archive.ubuntu.com/ubuntu/ lucid-updates/main 
Packages + 500 http://archive.ubuntu.com/ubuntu/ lucid-security/main Packages + 100 /var/lib/dpkg/status + 0.7.5-5ubuntu27 0 + 500 http://archive.ubuntu.com/ubuntu/ lucid/main Packages
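Review bot: item 4 of the SRU test case ends at the "virsh migrate --live --p2p --tunnelled guestvm qemu+ssh://targethost/system" step and never states what a pass looks like. Suggest adding a final step saying that the migration completes and that the kernel log on targethost shows no operation="mknod" denial like the one quoted in the description. Item 5 names excess guest privilege as the regression risk, so the test case could also say how the changed policy is checked to be no broader than the tunnelled migration path.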
--
https://bugs.launchpad.net/bugs/869553

Title:
  Apparmor prevents KVM tunnelled migration
