** Description changed: ======================================= SRU Justification: 1. Impact: tunnelled migration fails 2. Development fix: adjust the apparmor security driver in libvirt to allow guests the access to the tunneled migration info 3. Stable fix: same as development fix 4. Test case: - 1. install libvirt-bin on two machines (sourcehost and targethost) sharing (nfs) storage - 2. set up a kvm guest on the shared storage, start it on sourcehost - 3. create rsa key on sourcehost, and put it into root's authorized_keys on targethost. - 4. virsh migrate --live --p2p --tunnelled guestvm qemu+ssh://targethost/system - 5. regression potential: if the policy change was bad, it could cause libvirt guests to receive too much privilege. + 1. install libvirt-bin on two machines (sourcehost and targethost) sharing (nfs) storage + 2. set up a kvm guest on the shared storage, start it on sourcehost + 3. create rsa key on sourcehost, and put it into root's authorized_keys on targethost. + 4. stop and start libvirt-bin on both hosts + 5. as root, ssh from sourcehost to targethost, then log out (to answer the known-host question which otherwise makes libvirt fail to connect) + 6. virsh migrate --live --p2p --tunnelled guestvm qemu+ssh://targethost/system + 7. regression potential: if the policy change was bad, it could cause libvirt guests to receive too much privilege. 
=======================================

While attempting a live migration the destination host (node1) logs this :

Oct 5 17:13:56 node1 kernel: [ 1418.872987] type=1503 audit(1317849236.311:29): operation="mknod" pid=1975 parent=1 profile="libvirt-4aa60863-6b03-2f19-897f-4de6d12c96e1" requested_mask="c::" denied_mask="c::" fsuid=0 ouid=0 name="/var/run/libvirt/qemu/qemu.tunnelmigrate.dest.guest1"

The source system was running this command :

root@node2:~# virsh migrate --live --p2p --tunnelled guest1 qemu+ssh://192.168.88.51/system

Both systems are running the same distro and package versions :

# lsb_release -rd
Description: Ubuntu 10.04.3 LTS
Release: 10.04

# apt-cache policy libvirt-bin
libvirt-bin:
  Installed: 0.7.5-5ubuntu27.16
  Candidate: 0.7.5-5ubuntu27.16
  Version table:
 *** 0.7.5-5ubuntu27.16 0
        500 http://archive.ubuntu.com/ubuntu/ lucid-updates/main Packages
        500 http://archive.ubuntu.com/ubuntu/ lucid-security/main Packages
        100 /var/lib/dpkg/status
     0.7.5-5ubuntu27 0
        500 http://archive.ubuntu.com/ubuntu/ lucid/main Packages
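
Review bot: in the added test-case list, "7. regression potential" is not a test step. The outer SRU list runs 1 to 4 (Impact, Development fix, Stable fix, Test case), so this entry reads as SRU item 5, and renumbering it from 5 to 7 folds it into the test procedure. Suggest keeping it as "5. regression potential:" at the outer level, after the six test steps. Added step 5 also has the tester answer the ssh known-host question only so that libvirt can connect; it should say to check the targethost key fingerprint before accepting it, because the qemu+ssh connection in step 6 runs as root over that trust.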
--
https://bugs.launchpad.net/bugs/869553

Title:
  Apparmor prevents KVM tunnelled migration
