for (i = 0; sec_managers[i]; i++) {
...
   VIR_DEBUG("Initialized caps for security driver \"%s\" with "

Good:
- apparmor
- dac

Bad:
- none
- dac

In function virQEMUDriverCreateCapabilities.
So it isn't probing apparmor because it isn't even in the list.

That list is from "qemuSecurityGetNested"
qemuSecurityGetNested == virSecurityManagerGetNested
-> virSecurityStackGetNested(mgr)

The latter iterates on the list priv->itemsHead which is from the
security manager.

That in turn is from driver->securityManager of
virQEMUDriverGetCapabilities(driver)
 virCapsPtr virQEMUDriverCreateCapabilities(virQEMUDriverPtr driver)

(gdb) bt
#0  virSecurityStackGetNested (mgr=mgr@entry=0x7f8b0c00dde0) at ../../../src/security/security_stack.c:613
#1  0x00007f8b5704f2b8 in virSecurityManagerGetNested (mgr=0x7f8b0c00dde0) at ../../../src/security/security_manager.c:1035
#2  0x00007f8b50133970 in virQEMUDriverCreateCapabilities (driver=0x7f8b0c051550) at ../../../src/qemu/qemu_conf.c:1344
#3  0x00007f8b50133c18 in virQEMUDriverGetCapabilities (driver=0x7f8b0c051550, refresh=<optimized out>) at ../../../src/qemu/qemu_conf.c:1397
#4  0x00007f8b5019e0b8 in qemuConnectGetCapabilities (conn=<optimized out>) at ../../../src/qemu/qemu_driver.c:1328
#5  0x00007f8b57171953 in virConnectGetCapabilities (conn=0x7f8b28004050) at ../../../src/libvirt-host.c:467
#6  0x00005555a51f16ec in remoteDispatchConnectGetCapabilities (server=0x5555a5c1d080, msg=0x5555a5c2bc80, ret=0x7f8b48000e60, rerr=0x7f8b51be6920, client=0x5555a5c2c070)
    at ./remote/remote_daemon_dispatch_stubs.h:766
#7  remoteDispatchConnectGetCapabilitiesHelper (server=0x5555a5c1d080, client=0x5555a5c2c070, msg=0x5555a5c2bc80, rerr=0x7f8b51be6920, args=0x0, ret=0x7f8b48000e60)
    at ./remote/remote_daemon_dispatch_stubs.h:748
#8  0x00007f8b5707d470 in virNetServerProgramDispatchCall (msg=0x5555a5c2bc80, client=0x5555a5c2c070, server=0x5555a5c1d080, prog=0x5555a5c25810)
    at ../../../src/rpc/virnetserverprogram.c:430
#9  virNetServerProgramDispatch (prog=0x5555a5c25810, server=server@entry=0x5555a5c1d080, client=0x5555a5c2c070, msg=0x5555a5c2bc80) at ../../../src/rpc/virnetserverprogram.c:302
#10 0x00007f8b570825a8 in virNetServerProcessMsg (msg=<optimized out>, prog=<optimized out>, client=<optimized out>, srv=0x5555a5c1d080) at ../../../src/rpc/virnetserver.c:137
#11 virNetServerHandleJob (jobOpaque=0x5555a5bf97f0, opaque=0x5555a5c1d080) at ../../../src/rpc/virnetserver.c:154
#12 0x00007f8b56f901e2 in virThreadPoolWorker (opaque=<optimized out>) at ../../../src/util/virthreadpool.c:163
#13 0x00007f8b56f8f769 in virThreadHelper (data=<optimized out>) at ../../../src/util/virthread.c:233
#14 0x00007f8b56c61590 in start_thread (arg=0x7f8b51be7640) at pthread_create.c:463
#15 0x00007f8b56b6c223 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

-- 
https://bugs.launchpad.net/bugs/1895967

Title:
  3.0.0~beta1-0ubuntu1 in Groovy breaks Libvirt/Qemu/KVM

Status in apparmor package in Ubuntu:
  Incomplete

Bug description:
  Hi,
  I stumbled over this due to automatic tests checking proposed.
  I found that Focal could no longer migrate to Groovy with:

  $ virsh migrate --unsafe --live fguest qemu+ssh://10.162.30.163/system
  error: unsupported configuration: Security driver model 'apparmor' is not available

  I looked into it and found that while all former releases detected
  apparmor correctly:

  $ virsh capabilities | grep -C 3 secmodel
      <cache>
        <bank id='0' level='3' type='both' size='15' unit='MiB' cpus='0-11'/>
      </cache>
      <secmodel>
        <model>apparmor</model>
        <doi>0</doi>
      </secmodel>
      <secmodel>
        <model>dac</model>
        <doi>0</doi>
        <baselabel type='kvm'>+64055:+108</baselabel>
        <baselabel type='qemu'>+64055:+108</baselabel>
      </secmodel>

  Now on groovy that didn't work anymore:

      <secmodel>
        <model>none</model>
        <doi>0</doi>
      </secmodel>
      <secmodel>
        <model>dac</model>
        <doi>0</doi>
        <baselabel type='kvm'>+64055:+108</baselabel>
        <baselabel type='qemu'>+64055:+108</baselabel>
      </secmodel>

  Since 3.0 is only in proposed:
  # apt-cache policy apparmor
  apparmor:
    Installed: 2.13.3-7ubuntu6
    Candidate: 3.0.0~beta1-0ubuntu1
    Version table:
       3.0.0~beta1-0ubuntu1 500
          500 http://archive.ubuntu.com/ubuntu groovy-proposed/main amd64 Packages
   *** 2.13.3-7ubuntu6 500
          500 http://archive.ubuntu.com/ubuntu groovy/main amd64 Packages
          100 /var/lib/dpkg/status
  I installed the former version.

  
  $ apt install apparmor=2.13.3-7ubuntu6
  $ rm /var/cache/libvirt/qemu/capabilities/*
  $ systemctl restart libvirtd

  And it works again.

  Interestingly going back to 3.0 then works and keeps working.
  Therefore maybe it is a red herring and I'll consider it incomplete & low prio for now until I know more (allowing others that might see the same to find this bug and chime in).

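A check for the condition this report describes, as an added example that is not part of the bug report or of libvirt: it parses `virsh capabilities` output and flags a host where the expected security driver is missing or `none` is loaded. The sample XML is constructed from the two excerpts in the bug description, and the function names are hypothetical.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample input, trimmed from the "good" excerpt in the report.
GOOD_CAPS = """<capabilities><host>
  <secmodel><model>apparmor</model><doi>0</doi></secmodel>
  <secmodel><model>dac</model><doi>0</doi>
    <baselabel type='kvm'>+64055:+108</baselabel>
    <baselabel type='qemu'>+64055:+108</baselabel>
  </secmodel>
</host></capabilities>"""

# Constructed "bad" case: same document with apparmor replaced by none.
BAD_CAPS = GOOD_CAPS.replace("<model>apparmor</model>", "<model>none</model>")


def secmodels(caps_xml):
    """Return the security driver models in the order libvirt reports them."""
    root = ET.fromstring(caps_xml)
    return [(sm.findtext("model") or "").strip() for sm in root.iter("secmodel")]


def check_confinement(caps_xml, expected="apparmor"):
    """Return a list of findings; an empty list means the expected driver is listed."""
    models = secmodels(caps_xml)
    findings = []
    if not models:
        findings.append("no <secmodel> element: no security driver reported")
    if expected not in models:
        findings.append(f"expected driver '{expected}' missing; reported: {models}")
    if "none" in models:
        findings.append("driver 'none' is loaded: guests run without MAC confinement")
    return findings


if __name__ == "__main__":
    # Pipe real output in (virsh capabilities | python3 thisfile.py);
    # with no pipe, fall back to the constructed "bad" sample.
    xml_text = BAD_CAPS if sys.stdin.isatty() else sys.stdin.read()
    problems = check_confinement(xml_text)
    for p in problems:
        print("WARNING:", p)
    sys.exit(1 if problems else 0)
```

The non-zero exit status makes the check usable as a gate in a migration or upgrade test before guests are started on the host.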