Reviewed:  https://review.openstack.org/448203
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=a41d265a19b7bcb1af8fc179bf864e00023c6cc6
Submitter: Jenkins
Branch:    master
commit a41d265a19b7bcb1af8fc179bf864e00023c6cc6
Author: Matt Riedemann <[email protected]>
Date:   Tue Mar 21 13:18:08 2017 -0400

    libvirt: conditionally set script path for ethernet vif types

    Change I4f97c05e2dec610af22a5150dd27696e1d767896 worked around a
    change introduced in libvirt 1.3.3 where the script path on a
    LibvirtConfigGuestInterface could not be the empty string because
    libvirt would literally take that as the path and couldn't resolve
    it, when in fact it used to indicate to libvirt that the script
    path is a noop. This has been fixed in libvirt 3.1.

    On Ubuntu with libvirt<1.3.3, if the script path is None then it
    defaults to /etc/qemu-ifup which is blocked by AppArmor.

    So this change adds a conditional check when setting the script
    path value based on the libvirt version so we can straddle releases.

    Change-Id: I192c61b93bd3736fdfe16b6a6906d58997d3eef9
    Closes-Bug: #1665698
    Related-Bug: #1649527

** Changed in: nova
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1665698

Title:
  /etc/qemu-ifup not allowed by apparmor

Status in Ubuntu Cloud Archive:
  Invalid
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) newton series:
  In Progress
Status in OpenStack Compute (nova) ocata series:
  In Progress
Status in libvirt package in Ubuntu:
  Fix Released
Status in libvirt source package in Yakkety:
  Triaged

Bug description:
  [Impact]

   * Please do note that this SRU statement is about the libvirt portion of it; this is a fix of essentially an API break from Xenial to Yakkety.
     This is independent of any decision in the OpenStack context discussion about the change to drop specifying a path at all.
   * Before 9c17d665fdc5f (v1.3.2, which means 1.3.1 in Xenial for us) it was possible to have the following interface configuration:

       <interface type='ethernet'>
         <script path=''/>
       </interface>

     This resulted in -netdev tap,script=,..
     Fortunately, qemu helped us to get away with this as it just ignored the empty script path.
     However, after the commit mentioned above it's libvirtd who is executing the script, unfortunately without special-casing the empty script path.

   * The fix adds the special-casing that qemu had into libvirt's handling of the interface definition.

  [Test Case]

   * That is tricky, as the way openstack is using to shove that in seems to not care about xml validation as much as e.g. virsh does.
     Normally adding a device like

       <interface type='ethernet'>
         <script path=''/>
         <model type='virtio'/>
       </interface>

     is, at least in xenial AND yakkety, blocked by the XML validation.
     But if trying to work around it like:

       <script path='""'/>

     which gave "-netdev tap,script="",id=hostnet1" on yakkety, then the fix does not apply as this is '""' and not ''.
     So to add the above you have to edit it in via --skip-validate like

       $ virsh edit --skip-validate zesty-on-x-test

     This on older libvirt gave:

       -netdev tap,script=,id=hostnet1

     which qemu understood as a nop. But newer libvirt refuses.

   * Error:

       error: Failed to start domain <name>
       error: Cannot find '' in path: No such file or directory

   * Expected: Starting the domain as-is without calling a script, but also without complaining about being empty.

  [Regression Potential]

   * Regression should be low because of:
     * The fix is upstream for a while now without follow-on fix
     * We are essentially going back to how it was
     * There is no case like "I had '' set in my setup but now it is a no-op which makes me fail" because if one had '' it failed until now.
     * Fix is in zesty for a few days without new fallout being reported
     * also it passed several levels of testing (on the case and general regression testing)
     * Due to extra xml checks a device like path='' is not even definable. So only those who run --skip-validate or similar are affected in the first place.

  [Other Info]

   * n/a

  ----

  I have VMs failing to start with

    2017-02-17 15:38:44.458 264015 ERROR nova.compute.manager [instance: 0c97ab16-2d30-43fa-b0e4-a064a842b5ed] libvirtError: internal error: process exited while connecting to monitor: 2017-02-17T15:38:43.907222Z qemu-system-x86_64: -netdev tap,ifname=tapf34ef99e-18,id=hostnet0,vhost=on,vhostfd=28: network script /etc/qemu-ifup failed with status 256

  Log excerpt: http://cdn.pasteraw.com/b3tw4cjefomfi3e9k09hvodrfun85z

  Seems to be that /etc/qemu-ifup is being blocked by apparmor:

    type=AVC msg=audit(1487347189.015:28536): apparmor="DENIED" operation="exec" profile="libvirt-4a03fea7-e966-48e4-80ac-aa138db67243" name="/etc/qemu-ifup" pid=285438 comm="qemu-system-x86" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
    type=PATH msg=audit(1487347189.015:28536): item=0 name="/etc/qemu-ifup" inode=66403 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

  root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# cat /etc/apparmor.d/libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243
  #
  # This profile is for the domain whose UUID matches this file.
  #

  #include <tunables/global>

  profile libvirt-4a03fea7-e966-48e4-80ac-aa138db67243 {
    #include <abstractions/libvirt-qemu>
    #include <libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243.files>
  }

  root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# cat /etc/apparmor.d/libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243.files
  # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
    "/var/log/libvirt/**/instance-00000008.log" w,
    "/var/lib/libvirt/qemu/domain-instance-00000008/monitor.sock" rw,
    "/var/run/libvirt/**/instance-00000008.pid" rwk,
    "/run/libvirt/**/instance-00000008.pid" rwk,
    "/var/run/libvirt/**/*.tunnelmigrate.dest.instance-00000008" rw,
    "/run/libvirt/**/*.tunnelmigrate.dest.instance-00000008" rw,
    "/var/lib/nova/instances/4a03fea7-e966-48e4-80ac-aa138db67243/console.log" rw,
    "/var/lib/nova/instances/4a03fea7-e966-48e4-80ac-aa138db67243/console.log" rw,
    # for qemu guest agent channel
    owner "/var/lib/libvirt/qemu/channel/target/domain-instance-00000008/**" rw,
    /dev/vhost-net rw,

  root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# dpkg -S libvirt-qemu
  libvirt-bin: /etc/apparmor.d/abstractions/libvirt-qemu

  root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# dpkg -l libvirt-bin
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name           Version                    Architecture  Description
  +++-==============-==========================-=============-=================================
  ii  libvirt-bin    1.3.1-1ubuntu10.6~cloud0   amd64         programs for the libvirt library

  Seeing identical behavior on Xenial

  ubuntu@ubuntu-xenial-5165:~$ dpkg -l libvirt-bin
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name           Version                    Architecture  Description
  +++-==============-==========================-=============-=================================
  ii  libvirt-bin    1.3.1-1ubuntu10.8          amd64         programs for the libvirt library
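The commit message describes a version-conditional rule for the ethernet vif script path: on libvirt older than 1.3.3 an omitted script means qemu runs /etc/qemu-ifup (which AppArmor blocks), while from 1.3.3 up to 3.1 an empty string is taken as a literal path. The example below is an added illustration of that rule and is not nova's own code; the function names, the MIN_LIBVIRT_SCRIPT_PATH_NONE constant and the choice to omit the <script> element on the newer side of the boundary are assumptions drawn from the commit message, and the version strings are constructed from the dpkg output in the bug.

```python
"""Choose the <script path=...> value for a libvirt ethernet vif by libvirt version.

Added illustration of the rule in the commit message above; not nova's code.
Names and the threshold constant are assumptions taken from that message.
"""
import xml.etree.ElementTree as ET

# From the commit message: libvirt < 1.3.3 falls back to /etc/qemu-ifup when no
# script is given (AppArmor denies it), so an explicit '' is needed there.
# libvirt >= 1.3.3 treats '' as a literal path until 3.1 fixed it, so omitting
# the element is the safe choice on that side of the boundary.
MIN_LIBVIRT_SCRIPT_PATH_NONE = (1, 3, 3)


def parse_version(version):
    """'1.3.1' -> (1, 3, 1); tolerates Debian suffixes like '1.3.1-1ubuntu10.6~cloud0'."""
    core = version.split("-", 1)[0].split("~", 1)[0]
    return tuple(int(part) for part in core.split("."))


def ethernet_script_path(libvirt_version):
    """Return '' (explicit no-op script) or None (omit the <script> element)."""
    if parse_version(libvirt_version) >= MIN_LIBVIRT_SCRIPT_PATH_NONE:
        return None
    return ""


def build_interface_xml(libvirt_version, tap_name, model="virtio"):
    """Render the <interface> element that would go into the domain XML."""
    iface = ET.Element("interface", type="ethernet")
    ET.SubElement(iface, "target", dev=tap_name)
    script = ethernet_script_path(libvirt_version)
    if script is not None:
        ET.SubElement(iface, "script", path=script)
    ET.SubElement(iface, "model", type=model)
    return ET.tostring(iface, encoding="unicode")


if __name__ == "__main__":
    # Constructed versions: the Xenial/cloud-archive builds from the bug, plus the
    # two boundaries named in the commit message.
    for ver in ("1.3.1-1ubuntu10.8", "1.3.1-1ubuntu10.6~cloud0", "1.3.3", "3.1.0"):
        print(ver, "->", build_interface_xml(ver, "tapf34ef99e-18"))
```

Running it shows the two shapes side by side: the 1.3.1 builds from the bug get `<script path="" />`, everything from 1.3.3 on gets no script element at all, which is what lets one code path straddle the releases.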

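The AVC record in the bug is the evidence that actually explains the qemu "failed with status 256" error, and it is easy to miss among libvirt's own logging. The following is an added example, not code from nova or libvirt, that parses AppArmor audit records of that shape and pulls out exec denials attributed to libvirt domain profiles; the SAMPLE_AUDIT lines are constructed from the bug's record plus one non-matching record, and the function names are assumptions.

```python
"""Parse AppArmor audit records and report exec denials from libvirt domain profiles.

Added example, not nova or libvirt code. SAMPLE_AUDIT is constructed from the
AVC/PATH records in the bug plus one ALLOWED record that must not be reported.
"""
import re

# key=value pairs; values are either double-quoted or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_MSG = re.compile(r"audit\((\d+\.\d+):(\d+)\)")

SAMPLE_AUDIT = """\
type=AVC msg=audit(1487347189.015:28536): apparmor="DENIED" operation="exec" profile="libvirt-4a03fea7-e966-48e4-80ac-aa138db67243" name="/etc/qemu-ifup" pid=285438 comm="qemu-system-x86" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=PATH msg=audit(1487347189.015:28536): item=0 name="/etc/qemu-ifup" inode=66403 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=AVC msg=audit(1487347190.100:28540): apparmor="ALLOWED" operation="open" profile="libvirt-4a03fea7-e966-48e4-80ac-aa138db67243" name="/dev/vhost-net" pid=285438 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw"
"""


def parse_audit_line(line):
    """Turn one audit record into a dict; msg=audit(ts:serial) is split out too."""
    rec = {}
    for key, quoted, bare in _KV.findall(line):
        rec[key] = quoted or bare
    m = _MSG.match(rec.get("msg", ""))
    if m:
        rec["timestamp"] = float(m.group(1))
        rec["serial"] = int(m.group(2))
    return rec


def find_exec_denials(text, profile_prefix="libvirt-"):
    """Return (serial, profile, path) for DENIED exec events under matching profiles.

    The PATH record that shares a serial with the AVC is skipped; the AVC
    already names the denied path, and only the AVC carries the verdict.
    """
    hits = []
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec.get("type") != "AVC" or rec.get("apparmor") != "DENIED":
            continue
        if rec.get("operation") == "exec" and rec.get("profile", "").startswith(profile_prefix):
            hits.append((rec["serial"], rec["profile"], rec["name"]))
    return hits


if __name__ == "__main__":
    for serial, profile, path in find_exec_denials(SAMPLE_AUDIT):
        print("audit serial %d: profile %s denied exec of %s" % (serial, profile, path))
```

On a real host the same function can be fed the output of `ausearch -m AVC` or the kernel log; a denial of /etc/qemu-ifup under a libvirt-<uuid> profile is the signature of this bug, whereas the fix (an empty or omitted script path) leaves no exec attempt to deny.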
