** Description changed: (whitespace-only edits; the current description is quoted in full below)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1525310

Title:
  virsh with apparmor misconfigures libvirt-UUID files during snapshot

Status in apparmor package in Ubuntu:
  New

Bug description:
  Reproducible: Yes, every time.

  Background:
  When you create a virtual machine (VM) under KVM/Qemu in Ubuntu, apparmor files are created as:

      /etc/apparmor.d/libvirt/libvirt-<UUID>

  and

      /etc/apparmor.d/libvirt/libvirt-<UUID>.files

  And in the file /etc/apparmor.d/libvirt/libvirt-<UUID>.files there is the line

      "PATH_to_BLOCK_DEVICE" rw,

  where PATH_to_BLOCK_DEVICE is the full path name of the image (e.g. something like /var/lib/libvirtd/images/asdf.qcow2) and <UUID> is the UUID of the VM container.

  The problem:
  When creating a snapshot of a running VM under KVM/Qemu you run the command

      $ sudo virsh snapshot-create-as DOMAIN_NAME DESCRIPTION --no-metadata --disk-only --atomic

  which creates a new file and stops writing to the old VM block device.
  However: the old PATH_to_BLOCK_DEVICE in /etc/apparmor.d/libvirt/libvirt-UUID.files is deleted and replaced with the new block device info BEFORE virsh is done creating the snapshot.

  So you get the error

      error: internal error: unable to execute QEMU command 'transaction': Could not open 'PATH_to_BLOCK_DEVICE': Could not open 'PATH_to_BLOCK_DEVICE': Permission denied: Permission denied

  and in /var/log/syslog you get the error:

      type=1400 audit(1449752104.054:539): apparmor="DENIED" operation="open" profile="libvirt-<UUID>" name="PATH_to_BLOCK_DEVICE" pid=8710 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=106 ouid=106

  When you look now at /etc/apparmor.d/libvirt/libvirt-<UUID>.files you find that the line that was there

      "PATH_to_BLOCK_DEVICE" rw,

  has been replaced with

      "PATH_to_BLOCK_DEVICE.DESCRIPTION" rw,

  but you need BOTH LINES in order for the command "virsh snapshot-create-as" to work (or at least have the old file have read permissions).

  -----
  Workarounds:

  1. Disable apparmor for libvirtd

  or

  2. Change /etc/apparmor.d/libvirt/libvirt-<UUID> to look like this

      ----------
      #
      # This profile is for the domain whose UUID matches this file.
      #

      #include <tunables/global>

      profile libvirt-UUID {
        #include <abstractions/libvirt-qemu>
        #include <libvirt/libvirt-UUID.files>

        "PATH_to_BLOCK_DEVICE*" rw,
      }
      -----------

  (So if the old line was

      "/var/lib/libvirtd/images/asdf.qcow2" rw,

  the line you can add would read something like this

      "/var/lib/libvirtd/images/asdf*" rw,

  )

  --------
  Details on server:

      # lsb_release -rd
      Description:    Ubuntu 14.04.3 LTS
      Release:        14.04

      # apt-cache policy apparmor
      apparmor:
        Installed: 2.8.95~2430-0ubuntu5.3
        Candidate: 2.8.95~2430-0ubuntu5.3
        Version table:
       *** 2.8.95~2430-0ubuntu5.3 0
              500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
              100 /var/lib/dpkg/status
           2.8.95~2430-0ubuntu5.1 0
              500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
           2.8.95~2430-0ubuntu5 0
              500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

      # apt-cache policy libvirt-bin
      libvirt-bin:
        Installed: 1.2.2-0ubuntu13.1.14
        Candidate: 1.2.2-0ubuntu13.1.14
        Version table:
       *** 1.2.2-0ubuntu13.1.14 0
              500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
              100 /var/lib/dpkg/status
           1.2.2-0ubuntu13.1.7 0
              500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
           1.2.2-0ubuntu13 0
              500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

  -----
  Apologies if this is the wrong place to submit this bug.
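As an added diagnostic (not code from the bug report, libvirt or AppArmor), the following Python checks an AppArmor DENIED line of the kind quoted above against the quoted-path rules in a libvirt-<UUID>.files profile, honouring the `*` glob used in workaround 2; it shows that the post-snapshot rule set leaves the original image uncovered while the glob rule covers it. The domain UUID, audit line and rule texts are constructed from the report's placeholders and example path.

```python
import re

# Constructed sample data, filled in from the placeholders in the report.
UUID = "00000000-0000-0000-0000-000000000000"  # placeholder domain UUID
AUDIT_LINE = (
    'type=1400 audit(1449752104.054:539): apparmor="DENIED" operation="open" '
    f'profile="libvirt-{UUID}" name="/var/lib/libvirtd/images/asdf.qcow2" '
    'pid=8710 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=106 ouid=106'
)
# libvirt-<UUID>.files as the report says it looks after the snapshot: only the new file
FILES_AFTER_SNAPSHOT = '"/var/lib/libvirtd/images/asdf.qcow2.DESCRIPTION" rw,\n'
# The glob rule from workaround 2
WORKAROUND_RULE = '"/var/lib/libvirtd/images/asdf*" rw,\n'

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Plain quoted-path rules as written into the .files list; 'owner'/'deny' forms are not handled
RULE_RE = re.compile(r'^\s*"([^"]+)"\s+([a-zA-Z]+)\s*,\s*$')


def parse_denial(line):
    """Return the key="value" fields of an AppArmor audit line as a dict."""
    return dict(FIELD_RE.findall(line))


def parse_rules(profile_text):
    """Return [(path_pattern, mask), ...] for each quoted path rule in the profile."""
    return [m.groups() for m in map(RULE_RE.match, profile_text.splitlines()) if m]


def path_matches(pattern, path):
    """AppArmor globbing: '*' matches anything except '/', '**' also crosses '/'."""
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, path) is not None


def explain_denial(audit_line, profile_text):
    """Say whether the denied path and mask are covered by any rule in profile_text."""
    d = parse_denial(audit_line)
    if d.get("apparmor") != "DENIED":
        return None
    needed = set(d["denied_mask"])
    covering = [(p, m) for p, m in parse_rules(profile_text)
                if path_matches(p, d["name"]) and needed <= set(m)]
    return {"profile": d["profile"], "path": d["name"], "mask": d["denied_mask"],
            "covered": bool(covering), "rules": covering}


if __name__ == "__main__":
    print(explain_denial(AUDIT_LINE, FILES_AFTER_SNAPSHOT))                   # covered: False
    print(explain_denial(AUDIT_LINE, FILES_AFTER_SNAPSHOT + WORKAROUND_RULE))  # covered: True
```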