** Description changed: + [Impact] + + * Due to an upstream change in libvirt 2.0 users of libvirt >=2.0 + (that is >=Yakkety) can't use non apparmor security labels anymore. + + * That means old guest definitions that should still work fail to start + now + + * The issue was in virt-aa-helper, the proposed fix was tested and then + brought upstream. This is a backport of the upstream accepted fix. + + [Test Case] + + * Testcase with virt-aa-helper on a minimal xml: + $ cat << EOF > /tmp/test.xml + <domain type='kvm'> + <name>test-seclabel</name> + <uuid>12345678-9abc-def1-2345-6789abcdef00</uuid> + <memory unit='KiB'>1</memory> + <os><type arch='x86_64'>hvm</type></os> + <seclabel type='dynamic' model='apparmor' relabel='yes'/> + <seclabel type='dynamic' model='dac' relabel='yes'/> + </domain> + EOF + $ /usr/lib/libvirt/virt-aa-helper -d -r -p 0 \ + -u libvirt-12345678-9abc-def1-2345-6789abcdef00 < /tmp/test.xml + + Current Result: + virt-aa-helper: error: could not parse XML + virt-aa-helper: error: could not get VM definition + Expected Result is to emit a valid apparmor profile + + * The more complex test is to create a guest (whatever way you like) and + add an empty dac security label (as shown above) to then start the + guest. + + Current Result: + error: Failed to start domain yakkety-doubleseclabel + error: internal error: cannot load AppArmor profile 'libvirt-8746b00d-aad1-4346-8784-2d4331465153' + Expected Result: + properly staring the guest + + [Regression Potential] + + * The change is in the parsing of domain info in domain.conf. While no + local nor upstream tests broke anything one could think of very special + xml configuation that now might fail parsing. OTOH the new change now + skips some of the parsing, so even if we miss to consider something it + shouldn't fail, but instead "forget" to read some data correctly. The + part that we skip are seclabels which are created dynamically anyway. 
+ + * Also the changed flag is local to virt-aa-helper.c so and guarded by + that flag in domain_conf.c so it should be a no-op to anybody but virt- + aa-helper for sure. + + [Other Info] + + * Anything else you think is useful to include + * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board + * and address these questions in advance + + ---Problem Description--- VM fails to start with dac security driver added - + ---uname output--- Linux ltc-test-ci1 4.4.0-9136-generic #55-Ubuntu SMP Fri Aug 26 05:56:24 UTC 2016 ppc64le ppc64le ppc64le GNU/Linux - - Machine Type = power 8 ppc64le - + + Machine Type = power 8 ppc64le + ---Steps to Reproduce--- - + VM fails to start with dac security driver added - 1. Define a VM with both apparmor and dac security driver( Used XML as below) + 1. Define a VM with both apparmor and dac security driver( Used XML as below) #virsh dumpxml virt-tests-vm1 <domain type='kvm'> - <name>virt-tests-vm1</name> - <uuid>0491f0cd-eb14-4992-be4c-53a1adf1d314</uuid> - <memory unit='KiB'>33554432</memory> - <currentMemory unit='KiB'>33554432</currentMemory> - <vcpu placement='static'>32</vcpu> - <resource> - <partition>/machine</partition> - </resource> - <os> - <type arch='ppc64le' machine='pseries-2.6'>hvm</type> - <boot dev='hd'/> - </os> - <cpu> - <topology sockets='1' cores='32' threads='1'/> - </cpu> - <clock offset='utc'/> - <on_poweroff>destroy</on_poweroff> - <on_reboot>restart</on_reboot> - <on_crash>restart</on_crash> - <devices> - <emulator>/usr/bin/kvm</emulator> - <disk type='file' device='disk'> - <driver name='qemu' type='qcow2'/> - <source file='/var/lib/libvirt/images/sath/avocado-fvt-wrapper/data/avocado-vt/images/ubuntu-16.10-ppc64le.qcow2'/> - <target dev='sda' bus='scsi'/> - <address type='drive' controller='0' bus='0' target='0' unit='0'/> - </disk> - <controller type='usb' index='0'> - <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/> - </controller> - 
<controller type='pci' index='0' model='pci-root'/> - <controller type='scsi' index='0'> - <address type='spapr-vio' reg='0x2000'/> - </controller> - <interface type='bridge'> - <mac address='52:54:00:e2:e3:e4'/> - <source bridge='virbr0'/> - <model type='virtio'/> - <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/> - </interface> - <serial type='pty'> - <target port='0'/> - <address type='spapr-vio' reg='0x30000000'/> - </serial> - <console type='pty'> - <target type='serial' port='0'/> - <address type='spapr-vio' reg='0x30000000'/> - </console> - <memballoon model='virtio'> - <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> - </memballoon> - <panic model='pseries'/> - </devices> - <seclabel type='dynamic' model='apparmor' relabel='yes'/> - <seclabel type='dynamic' model='dac' relabel='yes'/> + <name>virt-tests-vm1</name> + <uuid>0491f0cd-eb14-4992-be4c-53a1adf1d314</uuid> + <memory unit='KiB'>33554432</memory> + <currentMemory unit='KiB'>33554432</currentMemory> + <vcpu placement='static'>32</vcpu> + <resource> + <partition>/machine</partition> + </resource> + <os> + <type arch='ppc64le' machine='pseries-2.6'>hvm</type> + <boot dev='hd'/> + </os> + <cpu> + <topology sockets='1' cores='32' threads='1'/> + </cpu> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>restart</on_crash> + <devices> + <emulator>/usr/bin/kvm</emulator> + <disk type='file' device='disk'> + <driver name='qemu' type='qcow2'/> + <source file='/var/lib/libvirt/images/sath/avocado-fvt-wrapper/data/avocado-vt/images/ubuntu-16.10-ppc64le.qcow2'/> + <target dev='sda' bus='scsi'/> + <address type='drive' controller='0' bus='0' target='0' unit='0'/> + </disk> + <controller type='usb' index='0'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/> + </controller> + <controller type='pci' index='0' model='pci-root'/> + <controller type='scsi' index='0'> + <address 
type='spapr-vio' reg='0x2000'/> + </controller> + <interface type='bridge'> + <mac address='52:54:00:e2:e3:e4'/> + <source bridge='virbr0'/> + <model type='virtio'/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/> + </interface> + <serial type='pty'> + <target port='0'/> + <address type='spapr-vio' reg='0x30000000'/> + </serial> + <console type='pty'> + <target type='serial' port='0'/> + <address type='spapr-vio' reg='0x30000000'/> + </console> + <memballoon model='virtio'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> + </memballoon> + <panic model='pseries'/> + </devices> + <seclabel type='dynamic' model='apparmor' relabel='yes'/> + <seclabel type='dynamic' model='dac' relabel='yes'/> </domain> 2. virsh start virt-tests-vm1 #virsh start virt-tests-vm1 error: Failed to start domain virt-tests-vm1 error: internal error: cannot load AppArmor profile 'libvirt-0491f0cd-eb14-4992-be4c-53a1adf1d314'------NOK - 3. After removing dac line from xml(<seclabel type='dynamic' model='dac' relabel='yes'/>) VM started fine #virsh start virt-tests-vm1 Domain virt-tests-vm1 started + Userspace tool common name: ii libvirt-bin + 2.1.0-1ubuntu5 ppc64el programs for the + libvirt library - - Userspace tool common name: ii libvirt-bin 2.1.0-1ubuntu5 ppc64el programs for the libvirt library - - The userspace tool has the following bit modes: both + The userspace tool has the following bit modes: both Userspace package: ii libvirt-bin 2.1.0-1ubuntu5 ppc64el programs for the libvirt library
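Review bot: the [Other Info] section of this revision still contains the unfilled SRU template prompts ("* Anything else you think is useful to include", "* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board", "* and address these questions in advance"); those should be replaced with real content or "N/A" before the SRU is reviewed. In [Regression Potential], "parsing of domain info in domain.conf" should read domain_conf.c, which is the file the next paragraph names, and "configuation" and "properly staring the guest" are typos in the same two paragraphs.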
** Description changed: [Impact] - * Due to an upstream change in libvirt 2.0 users of libvirt >=2.0 - (that is >=Yakkety) can't use non apparmor security labels anymore. + * Due to an upstream change in libvirt 2.0 users of libvirt >=2.0 + (that is >=Yakkety) can't use non apparmor security labels anymore. - * That means old guest definitions that should still work fail to start - now + * That means old guest definitions that should still work fail to start + now - * The issue was in virt-aa-helper, the proposed fix was tested and then - brought upstream. This is a backport of the upstream accepted fix. + * The issue was in virt-aa-helper, the proposed fix was tested and then + brought upstream. This is a backport of the upstream accepted fix. [Test Case] - * Testcase with virt-aa-helper on a minimal xml: - $ cat << EOF > /tmp/test.xml - <domain type='kvm'> - <name>test-seclabel</name> - <uuid>12345678-9abc-def1-2345-6789abcdef00</uuid> - <memory unit='KiB'>1</memory> - <os><type arch='x86_64'>hvm</type></os> - <seclabel type='dynamic' model='apparmor' relabel='yes'/> - <seclabel type='dynamic' model='dac' relabel='yes'/> - </domain> - EOF - $ /usr/lib/libvirt/virt-aa-helper -d -r -p 0 \ - -u libvirt-12345678-9abc-def1-2345-6789abcdef00 < /tmp/test.xml + * Testcase with virt-aa-helper on a minimal xml: + $ cat << EOF > /tmp/test.xml + <domain type='kvm'> + <name>test-seclabel</name> + <uuid>12345678-9abc-def1-2345-6789abcdef00</uuid> + <memory unit='KiB'>1</memory> + <os><type arch='x86_64'>hvm</type></os> + <seclabel type='dynamic' model='apparmor' relabel='yes'/> + <seclabel type='dynamic' model='dac' relabel='yes'/> + </domain> + EOF + $ /usr/lib/libvirt/virt-aa-helper -d -r -p 0 \ + -u libvirt-12345678-9abc-def1-2345-6789abcdef00 < /tmp/test.xml - Current Result: - virt-aa-helper: error: could not parse XML - virt-aa-helper: error: could not get VM definition - Expected Result is to emit a valid apparmor profile + Current Result: + virt-aa-helper: error: could 
not parse XML + virt-aa-helper: error: could not get VM definition + Expected Result is to emit a valid apparmor profile - * The more complex test is to create a guest (whatever way you like) and - add an empty dac security label (as shown above) to then start the - guest. - - Current Result: - error: Failed to start domain yakkety-doubleseclabel - error: internal error: cannot load AppArmor profile 'libvirt-8746b00d-aad1-4346-8784-2d4331465153' - Expected Result: - properly staring the guest + * The more complex test is to create a guest (whatever way you like) and + add an empty dac security label (as shown above) to then start the + guest. + + Current Result: + error: Failed to start domain yakkety-doubleseclabel + error: internal error: cannot load AppArmor profile 'libvirt-8746b00d-aad1-4346-8784-2d4331465153' + Expected Result: + properly staring the guest [Regression Potential] - * The change is in the parsing of domain info in domain.conf. While no - local nor upstream tests broke anything one could think of very special - xml configuation that now might fail parsing. OTOH the new change now - skips some of the parsing, so even if we miss to consider something it - shouldn't fail, but instead "forget" to read some data correctly. The - part that we skip are seclabels which are created dynamically anyway. + * The change is in the parsing of domain info in domain.conf. While no + local nor upstream tests broke anything one could think of very special + xml configuation that now might fail parsing. OTOH the new change now + skips some of the parsing, so even if we miss to consider something it + shouldn't fail, but instead "forget" to read some data correctly. The + part that we skip are seclabels which are created dynamically anyway. - * Also the changed flag is local to virt-aa-helper.c so and guarded by - that flag in domain_conf.c so it should be a no-op to anybody but virt- - aa-helper for sure. 
+ * Also the changed flag is local to virt-aa-helper.c so and guarded by + that flag in domain_conf.c so it should be a no-op to anybody but virt- + aa-helper for sure. [Other Info] - - * Anything else you think is useful to include - * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board - * and address these questions in advance + * N/A ---Problem Description--- VM fails to start with dac security driver added ---uname output--- Linux ltc-test-ci1 4.4.0-9136-generic #55-Ubuntu SMP Fri Aug 26 05:56:24 UTC 2016 ppc64le ppc64le ppc64le GNU/Linux Machine Type = power 8 ppc64le ---Steps to Reproduce--- VM fails to start with dac security driver added 1. Define a VM with both apparmor and dac security driver( Used XML as below) #virsh dumpxml virt-tests-vm1 <domain type='kvm'> <name>virt-tests-vm1</name> <uuid>0491f0cd-eb14-4992-be4c-53a1adf1d314</uuid> <memory unit='KiB'>33554432</memory> <currentMemory unit='KiB'>33554432</currentMemory> <vcpu placement='static'>32</vcpu> <resource> <partition>/machine</partition> </resource> <os> <type arch='ppc64le' machine='pseries-2.6'>hvm</type> <boot dev='hd'/> </os> <cpu> <topology sockets='1' cores='32' threads='1'/> </cpu> <clock offset='utc'/> <on_poweroff>destroy</on_poweroff> <on_reboot>restart</on_reboot> <on_crash>restart</on_crash> <devices> <emulator>/usr/bin/kvm</emulator> <disk type='file' device='disk'> <driver name='qemu' type='qcow2'/> <source file='/var/lib/libvirt/images/sath/avocado-fvt-wrapper/data/avocado-vt/images/ubuntu-16.10-ppc64le.qcow2'/> <target dev='sda' bus='scsi'/> <address type='drive' controller='0' bus='0' target='0' unit='0'/> </disk> <controller type='usb' index='0'> <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/> </controller> <controller type='pci' index='0' model='pci-root'/> <controller type='scsi' index='0'> <address type='spapr-vio' reg='0x2000'/> </controller> <interface type='bridge'> <mac address='52:54:00:e2:e3:e4'/> 
<source bridge='virbr0'/> <model type='virtio'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/> </interface> <serial type='pty'> <target port='0'/> <address type='spapr-vio' reg='0x30000000'/> </serial> <console type='pty'> <target type='serial' port='0'/> <address type='spapr-vio' reg='0x30000000'/> </console> <memballoon model='virtio'> <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> </memballoon> <panic model='pseries'/> </devices> <seclabel type='dynamic' model='apparmor' relabel='yes'/> <seclabel type='dynamic' model='dac' relabel='yes'/> </domain> 2. virsh start virt-tests-vm1 #virsh start virt-tests-vm1 error: Failed to start domain virt-tests-vm1 error: internal error: cannot load AppArmor profile 'libvirt-0491f0cd-eb14-4992-be4c-53a1adf1d314'------NOK 3. After removing dac line from xml(<seclabel type='dynamic' model='dac' relabel='yes'/>) VM started fine #virsh start virt-tests-vm1 Domain virt-tests-vm1 started Userspace tool common name: ii libvirt-bin 2.1.0-1ubuntu5 ppc64el programs for the libvirt library The userspace tool has the following bit modes: both Userspace package: ii libvirt-bin 2.1.0-1ubuntu5 ppc64el programs for the libvirt library -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1633207 Title: VM fails to start with dac security driver added To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1633207/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
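Review bot: this revision replaces the [Other Info] template prompts with "+ * N/A", which resolves that point, but the [Regression Potential] text is carried over with "domain.conf" where the following paragraph names domain_conf.c, and the typos "configuation" and "properly staring the guest" in [Regression Potential] and [Test Case] are unchanged. The [Test Case] expected result ("to emit a valid apparmor profile") would also be a firmer pass criterion for the SRU verifier if it stated the exit status expected from the virt-aa-helper invocation.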
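Added example, not part of the bug report, the SRU test case or libvirt itself: a small Python checker that scans domain definitions for the configuration the bug describes (a top-level apparmor seclabel combined with another model such as dac) and builds the virt-aa-helper dry-run command line from the test case for the affected UUID. The embedded XML is the minimal domain from the [Test Case] plus a constructed variant with the dac label removed (the reporter's step 3 workaround); the domain names passed to report() and the /etc/libvirt/qemu path in the usage comment are assumptions.

```python
"""Flag libvirt domain definitions that combine an apparmor seclabel with
another security model, the configuration that fails to start on the
libvirt >= 2.0 builds discussed in this bug.

Added example for this bug report; it is not libvirt code and not the SRU
test case. It inspects XML only and does not execute virt-aa-helper.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the minimal domain from the bug's [Test Case].
DOUBLE_SECLABEL_XML = """<domain type='kvm'>
  <name>test-seclabel</name>
  <uuid>12345678-9abc-def1-2345-6789abcdef00</uuid>
  <memory unit='KiB'>1</memory>
  <os><type arch='x86_64'>hvm</type></os>
  <seclabel type='dynamic' model='apparmor' relabel='yes'/>
  <seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>
"""

# Constructed sample: the same guest with the dac label removed, which is
# the workaround in step 3 of the reporter's steps.
APPARMOR_ONLY_XML = DOUBLE_SECLABEL_XML.replace(
    "  <seclabel type='dynamic' model='dac' relabel='yes'/>\n", "")


def seclabel_models(domain_xml):
    """Return the model attribute of each top-level <seclabel>, in order.

    Only direct children of <domain> are considered; per-device seclabels
    nested under <source> are not what the bug is about. A <seclabel>
    without a model attribute is reported as None.
    """
    root = ET.fromstring(domain_xml)
    if root.tag != "domain":
        raise ValueError("not a libvirt domain definition: <%s>" % root.tag)
    return [s.get("model") for s in root.findall("seclabel")]


def domain_uuid(domain_xml):
    """Return the <uuid> text of the domain, or None if absent."""
    return ET.fromstring(domain_xml).findtext("uuid")


def affected_by_bug(domain_xml):
    """True when the definition carries an apparmor label plus at least one
    label of another model, the combination virt-aa-helper rejected."""
    models = seclabel_models(domain_xml)
    return "apparmor" in models and any(m != "apparmor" for m in models)


def virt_aa_helper_argv(domain_xml):
    """Build the virt-aa-helper invocation from the bug's [Test Case] for
    this domain's UUID (the domain XML itself is fed on stdin)."""
    return ["/usr/lib/libvirt/virt-aa-helper", "-d", "-r", "-p", "0",
            "-u", "libvirt-" + domain_uuid(domain_xml)]


def report(named_domains):
    """named_domains maps a label to domain XML; returns the sorted labels
    of definitions that combine apparmor with another model."""
    return sorted(n for n, x in named_domains.items() if affected_by_bug(x))


if __name__ == "__main__":
    # On a real host you would read /etc/libvirt/qemu/*.xml (assumed path)
    # into the dict instead of the constructed samples.
    samples = {"double": DOUBLE_SECLABEL_XML, "aa-only": APPARMOR_ONLY_XML}
    for name in report(samples):
        print("affected:", name, " ".join(virt_aa_helper_argv(samples[name])))
```

Run it before upgrading a host to a libvirt >= 2.0 build to find guests that will hit the "cannot load AppArmor profile" failure, or to pick the definitions to feed to the virt-aa-helper test after the fix is installed.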