Added SRU Template in anticipation of the MP review
** Description changed:
+ [Impact]
+
+ * If one defines guest channels manually (xml) or via tools like virt-
+ manager (there it defaults to add channels for some distros), then
+ starting the guest fails.
+ There are two reasons:
+ 1. by default the base dir for the channels doesn't exist so the
+ open fails
+ 2. further virt-aa-helper does not create a matching rule to allow
+ access, so apparmor blocks
+
+ * In later versions the paths are slightly different (better namespaced
+ by guest name), but still similar. So this still can be considered
+ backporting the virt-aa-helper change, and making sure the base dir
+ exists (only needed in this old release) is a postinst change.
+
+ [Test Case]
+
+ * Create a libvirt based KVM guest on Artful the way you prefer
+ * Add a guest channel to it by adding a snippet like:
+ <channel type='unix'>
+ <source mode='bind' />
+ <target type='virtio' name='org.qemu.guest_agent.0'/>
+ </channel>
+ * Start the guest via e.g. virsh
+ * Without the fix this fails, you'll see in strace a failed call to open
+ the channel, but even if e.g. dirs are created then apparmor will block
+ the access.
+ * With the fix installed the guest starts correctly
+
+ [Regression Potential]
+
+ * The patch is a backport and only a slight change to code that is used
+ quite some time (paths were different in Trusty). In any case it is
+ "adding" one more rule to open up apparmor. It should functionally not
+ regress by that, if anything one could consider it a security risk, but
+ due to the guestname-namespacing in the rule now generated this should
+ be safe - see the tail of comment #58 for some considerations on that.
+
+ * The postinst change only runs if the dir is not existing, which should
+ ensure that no former unexpected setup makes the postinst fail
+
+ [Other Info]
+
+ * Tests on the issue itself look good based on a ppa, see comment #59
+
+
+ ----
+
+
=======================================
1. Impact: cannot create a default RHEL7 vm in virt-manager
2. fix: allow use of qemu-guest-agent channel
3. test case: see in description below. Create a VM in virt-manager
specifying
- Linux os and RHEL7.
+ Linux os and RHEL7.
4. Regression potential: there should be none. We are only adding an
apparmor permission for unix sockets which libvirt creates when needed
for kvm vms.
=======================================
Create a new VM, choose Linux for OS type and Red Hat Enterprise Linux 7
(or later) for Version. Proceed through the wizard leaving all other
options unchanged. On clicking Finish, the following error is displayed:
Unable to complete install: 'internal error: process exited while connecting
to monitor: 2014-11-18T16:00:11.802430Z qemu-system-x86_64: -chardev
socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0,server,nowait:
Failed to bind socket: No such file or directory
2014-11-18T16:00:11.802483Z qemu-system-x86_64: -chardev
socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0,server,nowait:
chardev: opening backend "socket" failed
'
Traceback (most recent call last):
File "/usr/share/virt-manager/virtManager/asyncjob.py", line 91, in
cb_wrapper
callback(asyncjob, *args, **kwargs)
File "/usr/share/virt-manager/virtManager/create.py", line 1820, in
do_install
guest.start_install(meter=meter)
File "/usr/share/virt-manager/virtinst/guest.py", line 403, in start_install
noboot)
File "/usr/share/virt-manager/virtinst/guest.py", line 467, in _create_guest
dom = self.conn.createLinux(start_xml or final_xml, 0)
File "/usr/lib/python2.7/dist-packages/libvirt.py", line 3398, in
createLinux
if ret is None:raise libvirtError('virDomainCreateLinux() failed',
conn=self)
libvirtError: internal error: process exited while connecting to monitor:
2014-11-18T16:00:11.802430Z qemu-system-x86_64: -chardev
socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0,server,nowait:
Failed to bind socket: No such file or directory
2014-11-18T16:00:11.802483Z qemu-system-x86_64: -chardev
socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0,server,nowait:
chardev: opening backend "socket" failed
ProblemType: Bug
DistroRelease: Ubuntu 14.10
Package: virt-manager 1:1.0.1-0ubuntu2
ProcVersionSignature: Ubuntu 3.16.0-24.32-generic 3.16.4
Uname: Linux 3.16.0-24-generic x86_64
ApportVersion: 2.14.7-0ubuntu8
Architecture: amd64
CurrentDesktop: KDE
Date: Tue Nov 18 15:55:59 2014
EcryptfsInUse: Yes
InstallationDate: Installed on 2014-11-07 (11 days ago)
InstallationMedia: Kubuntu 14.10 "Utopic Unicorn" - Release amd64 (20141022.1)
PackageArchitecture: all
SourcePackage: virt-manager
UpgradeStatus: No upgrade log present (probably fresh install)
https://bugs.launchpad.net/bugs/1393842
Title:
libvirt does not grant qemu-guest-agent channel perms
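An added example (not part of the bug report and not libvirt code) that sorts log lines into the two failure causes listed under [Impact]: a bind error because the channel base directory is missing, and an AppArmor denial under the guest's profile. The sample lines are constructed: the qemu error is the one from this report joined onto a single line, and the audit record, its profile UUID and its pid are placeholders.

```python
import re

# Constructed sample input. QEMU_ERR is the error from this report joined onto
# one line; AUDIT_DENIED is a made-up kernel audit line (profile UUID and pid
# are placeholders) in the format AppArmor uses when it blocks an access.
SOCK = "/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0"
QEMU_ERR = (
    "2014-11-18T16:00:11.802430Z qemu-system-x86_64: -chardev "
    "socket,id=charchannel0,path=" + SOCK + ",server,nowait: "
    "Failed to bind socket: No such file or directory"
)
AUDIT_DENIED = (
    'audit: type=1400 audit(1416326411.802:42): apparmor="DENIED" '
    'operation="mknod" profile="libvirt-00000000-0000-0000-0000-000000000000" '
    'name="' + SOCK + '" pid=4242 comm="qemu-system-x86" '
    'requested_mask="c" denied_mask="c"'
)

BIND_RE = re.compile(
    r"-chardev socket,.*?path=([^,\s]+).*?:\s*Failed to bind socket: (.+)$")
DENIED_RE = re.compile(
    r'apparmor="DENIED".*?profile="libvirt-[^"]+".*?name="([^"]+)"')

def classify(lines):
    """Map each channel socket path to the set of failure causes seen for it."""
    causes = {}
    for line in lines:
        line = line.strip()
        bind = BIND_RE.search(line)
        if bind:
            path, reason = bind.groups()
            # ENOENT on bind() means the parent directory is absent (cause 1).
            cause = ("missing-base-dir" if reason == "No such file or directory"
                     else "bind-failed: " + reason)
            causes.setdefault(path, set()).add(cause)
            continue
        denied = DENIED_RE.search(line)
        if denied:
            # A DENIED record under a libvirt-<uuid> profile is cause 2.
            causes.setdefault(denied.group(1), set()).add("apparmor-denied")
    return causes

if __name__ == "__main__":
    for path, found in classify([QEMU_ERR, AUDIT_DENIED]).items():
        print(path, sorted(found))
```

Feeding it the libvirt/qemu error text together with the kernel log shows whether a guest is hitting only the missing directory, only the profile, or both.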