** Description changed:
[Impact]
- * If one defines guest channels manually (xml) or via tools like virt-
- manager (there it defaults to add channels for some distros), then
- starting the guest fails.
- There are two reason:
- 1. by default the base dir for the channels doesn't exists so the
- open fails
- 2. further virt-aa-helper does not create a matchign rule to allow
- access, so apparmor blocks
+ * If one defines guest channels manually (xml) or via tools like virt-
+ manager (there it defaults to add channels for some distros), then
+ starting the guest fails.
+ There are two reason:
+ 1. by default the base dir for the channels doesn't exists so the
+ open fails
+ 2. further virt-aa-helper does not create a matchign rule to allow
+ access, so apparmor blocks
- * In latter versions the paths are slightly different (better namespaced
- by guest name), but still similar. So this still can be considered
- backporting the virt-aa-helper change, and making sure the base dir
- exists (only needed in this old release) is a postinst change.
+ * In latter versions the paths are slightly different (better namespaced
+ by guest name), but still similar. So this still can be considered
+ backporting the virt-aa-helper change, and making sure the base dir
+ exists (only needed in this old release) is a postinst change.
[Test Case]
- * Create a libvirt based KVM guest on Artful the way you prefer
- * Add a guest channel to it by adding a snippet like:
- <channel type='unix'>
- <source mode='bind' />
- <target type='virtio' name='org.qemu.guest_agent.0'/>
- </channel>
- * Start the guest via e.g. virsh
- * Without the fix this fails, you'll see in strace a failed call to open
- the channel, but even if e.g. dirs are created then apparmor will block
- the access.
- * With the fix installed the guest starts correctly
+ * Create a libvirt based KVM guest on Trusty the way you prefer
+ * Add a guest channel to it by adding a snippet like:
+ <channel type='unix'>
+ <source mode='bind' />
+ <target type='virtio' name='org.qemu.guest_agent.0'/>
+ </channel>
+ * Start the guest via e.g. virsh
+ * Without the fix this fails, you'll see in strace a failed call to open
+ the channel, but even if e.g. dirs are created then apparmor will block
+ the access.
+ * With the fix installed the guest starts correctly
[Regression Potential]
- * The patch is a backport and only a slight change to code that is used
- quite some time (paths were different in Trusty). In any case it is
- "adding" one more rule to open up apparmor. It should functionally not
- regress by that, if anything one could consider it security risk, but
- due to the guestname-namespacing in the rule now generated this shoudl
- be safe - see the tail of comment #58 for some considerations on that.
+ * The patch is a backport and only a slight change to code that is used
+ quite some time (paths were different in Trusty). In any case it is
+ "adding" one more rule to open up apparmor. It should functionally not
+ regress by that, if anything one could consider it security risk, but
+ due to the guestname-namespacing in the rule now generated this shoudl
+ be safe - see the tail of comment #58 for some considerations on that.
- * The postinst change only runs if the dir is not existing, which should
- ensure that no former unexpected setup makes the postinst fail
+ * The postinst change only runs if the dir is not existing, which should
+ ensure that no former unexpected setup makes the postinst fail
[Other Info]
-
- * Tests on the issue itself look good based on a ppa, see comment #59
+ * Tests on the issue itself look good based on a ppa, see comment #59
----
-
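Review bot: In [Regression Potential] the parenthetical "(paths were different in Trusty)" is carried over unchanged, while the [Test Case] now names Trusty instead of Artful, so the section reads as if it described a different release from the one being tested. Reword it to say how the Trusty paths differ from later releases, in line with the [Impact] remark that later versions are "better namespaced by guest name". The typos "matchign" and "shoudl" could be fixed in the same edit.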
=======================================
1. Impact: cannot create a default RHEL7 vm in virt-manager
2. fix: allow use of qemu-guest-agent channel
3. test case: see in description below. Create a VM in virt-manager
specifying
Linux os and RHEL7.
4. Regression potential: there should be none. We are only adding an
apparmor permission for unix sockets which libvirt creates when needed
for kvm vms.
=======================================
Create a new VM, choose Linux for OS type and Red Hat Enterprise Linux 7
(or later) for Version. Proceed through the wizard leaving all other
options unchanged. On clicking Finish, the following error is displayed:
Unable to complete install: 'internal error: process exited while connecting
to monitor: 2014-11-18T16:00:11.802430Z qemu-system-x86_64: -chardev
socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0,server,nowait:
Failed to bind socket: No such file or directory
2014-11-18T16:00:11.802483Z qemu-system-x86_64: -chardev
socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0,server,nowait:
chardev: opening backend "socket" failed
'
Traceback (most recent call last):
File "/usr/share/virt-manager/virtManager/asyncjob.py", line 91, in
cb_wrapper
callback(asyncjob, *args, **kwargs)
File "/usr/share/virt-manager/virtManager/create.py", line 1820, in
do_install
guest.start_install(meter=meter)
File "/usr/share/virt-manager/virtinst/guest.py", line 403, in start_install
noboot)
File "/usr/share/virt-manager/virtinst/guest.py", line 467, in _create_guest
dom = self.conn.createLinux(start_xml or final_xml, 0)
File "/usr/lib/python2.7/dist-packages/libvirt.py", line 3398, in
createLinux
if ret is None:raise libvirtError('virDomainCreateLinux() failed',
conn=self)
libvirtError: internal error: process exited while connecting to monitor:
2014-11-18T16:00:11.802430Z qemu-system-x86_64: -chardev
socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0,server,nowait:
Failed to bind socket: No such file or directory
2014-11-18T16:00:11.802483Z qemu-system-x86_64: -chardev
socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0,server,nowait:
chardev: opening backend "socket" failed
ProblemType: Bug
DistroRelease: Ubuntu 14.10
Package: virt-manager 1:1.0.1-0ubuntu2
ProcVersionSignature: Ubuntu 3.16.0-24.32-generic 3.16.4
Uname: Linux 3.16.0-24-generic x86_64
ApportVersion: 2.14.7-0ubuntu8
Architecture: amd64
CurrentDesktop: KDE
Date: Tue Nov 18 15:55:59 2014
EcryptfsInUse: Yes
InstallationDate: Installed on 2014-11-07 (11 days ago)
InstallationMedia: Kubuntu 14.10 "Utopic Unicorn" - Release amd64 (20141022.1)
PackageArchitecture: all
SourcePackage: virt-manager
UpgradeStatus: No upgrade log present (probably fresh install)
https://bugs.launchpad.net/bugs/1393842
Title:
libvirt does not grant qemu-guest-agent channel perms
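The two failure causes listed under [Impact] can be told apart with a check like the following. This is an added example, not part of the bug report or of the libvirt packaging. It assumes the per-guest rules are quoted path lines in a file such as /etc/apparmor.d/libvirt/libvirt-<uuid>.files and handles only "*" and "**" globs; the function names and the sample rule lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: classify why a guest-agent channel socket cannot be bound.
# Assumption: rules are quoted path globs using only "*" and "**".

# Pull the socket path out of a qemu "-chardev socket,...,path=...,server" error.
chardev_path() {
    sed -n 's/.*path=\([^,]*\),server.*/\1/p' | head -n 1
}

# Convert an AppArmor path glob to an ERE: "**" crosses "/", "*" does not.
glob_to_ere() {
    printf '%s\n' "$1" | sed -e 's/[+.?()|^$]/\\&/g' \
        -e 's/\*\*/@DS@/g' -e 's/\*/[^\/]*/g' -e 's/@DS@/.*/g'
}

# Return 0 if some rule in file $2 grants write access to socket path $1.
rule_allows() {
    sock=$1 rules=$2
    [ -r "$rules" ] || return 1
    while IFS= read -r line; do
        # Keep only lines of the form:  "<path-glob>" <perms containing w>,
        pat=$(printf '%s\n' "$line" | sed -n \
            's/^[[:space:]]*"\([^"]*\)"[[:space:]][[:space:]]*[a-z]*w[a-z]*,[[:space:]]*$/\1/p')
        [ -n "$pat" ] || continue
        ere=$(glob_to_ere "$pat")
        if printf '%s\n' "$sock" | grep -Eq "^${ere}\$"; then return 0; fi
    done < "$rules"
    return 1
}

# Print missing-dir, missing-rule or ok for socket path $1 and rules file $2.
diagnose_channel() {
    sock=$1 rules=$2
    if [ ! -d "$(dirname "$sock")" ]; then echo missing-dir; return; fi
    if ! rule_allows "$sock" "$rules"; then echo missing-rule; return; fi
    echo ok
}

# Demo input: the error from the report above, joined onto one line.
err='qemu-system-x86_64: -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0,server,nowait: Failed to bind socket: No such file or directory'
path=$(printf '%s\n' "$err" | chardev_path)
# $1: per-guest rules file to inspect (defaults to an empty rule set).
diagnose_channel "$path" "${1:-/dev/null}"
```

A rule scoped to one guest's name prefix does not match another guest's socket, which is the namespacing property the [Regression Potential] section relies on.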