Need to check the init of the bunch in qemuSecurityInit and qemuSecurityNew.
But that happens at daemon start and not later when probing caps.
virQEMUDriverConfigLoadSecurityEntry loads this from the config, and it includes
apparmor in both:
/etc/libvirt/qemu.conf:# security_driver = [ "selinux", "apparmor" ]
So the initialization must go wrong in the bad case.
virSecurityManagerNew looks up the driver via virSecurityDriverLookup(name, virtDriver);
then it calls virSecurityManagerNewDriver.
Already differs here:
bad:
Thread 17 "daemon-init" hit Breakpoint 1, virSecurityManagerNew
(name=name@entry=0x0, virtDriver=virtDriver@entry=0x7fffea6ae1b2 "QEMU",
flags=flags@entry=10)
at ../../../src/security/security_manager.c:180
180 ../../../src/security/security_manager.c: No such file or directory.
(gdb) c
Continuing.
Thread 17 "daemon-init" hit Breakpoint 2, virSecurityDriverLookup
(name=name@entry=0x0, virtDriver=virtDriver@entry=0x7fffea6ae1b2 "QEMU") at
../../../src/security/security_driver.c:50
50 ../../../src/security/security_driver.c: No such file or directory.
(gdb) c
Continuing.
Thread 17 "daemon-init" hit Breakpoint 3, virSecurityManagerNewDriver
(drv=0x7ffff7fad4c0 <virSecurityDriverNop>,
virtDriver=virtDriver@entry=0x7fffea6ae1b2 "QEMU", flags=8)
at ../../../src/security/security_manager.c:78
78 ../../../src/security/security_manager.c: No such file or directory.
(gdb) c
Continuing.
Thread 17 "daemon-init" hit Breakpoint 3, virSecurityManagerNewDriver
(drv=0x7ffff7fad640 <virSecurityDriverStack>, virtDriver=0x7fffea6ae1b2 "QEMU",
flags=flags@entry=8)
at ../../../src/security/security_manager.c:78
78 in ../../../src/security/security_manager.c
Good:
Thread 17 "daemon-init" hit Breakpoint 1, virSecurityManagerNew
(name=name@entry=0x0, virtDriver=virtDriver@entry=0x7f694365e1b2 "QEMU",
flags=flags@entry=10)
at ../../../src/security/security_manager.c:180
180 ../../../src/security/security_manager.c: No such file or directory.
(gdb) c
Continuing.
Thread 17 "daemon-init" hit Breakpoint 2, virSecurityDriverLookup
(name=name@entry=0x0, virtDriver=virtDriver@entry=0x7f694365e1b2 "QEMU") at
../../../src/security/security_driver.c:50
50 ../../../src/security/security_driver.c: No such file or directory.
(gdb) c
Continuing.
Thread 17 "daemon-init" hit Breakpoint 3, virSecurityManagerNewDriver
(drv=0x7f694ff5cae0 <virAppArmorSecurityDriver>,
virtDriver=virtDriver@entry=0x7f694365e1b2 "QEMU", flags=10)
at ../../../src/security/security_manager.c:78
78 ../../../src/security/security_manager.c: No such file or directory.
(gdb) c
Continuing.
Thread 17 "daemon-init" hit Breakpoint 3, virSecurityManagerNewDriver
(drv=0x7f694ff5c640 <virSecurityDriverStack>, virtDriver=0x7f694365e1b2 "QEMU",
flags=flags@entry=10)
at ../../../src/security/security_manager.c:78
78 in ../../../src/security/security_manager.c
P.S. I might need a debug build going further yet I'm unsure if installing that
might change the bug conditions.
https://bugs.launchpad.net/bugs/1895967
Title:
3.0.0~beta1-0ubuntu1 in Groovy breaks Libvirt/Qemu/KVM
Status in apparmor package in Ubuntu:
Incomplete
Bug description:
Hi,
I stumbled over this due to automatic tests checking proposed.
I found that Focal could no longer migrate to Groovy with:
$ virsh migrate --unsafe --live fguest qemu+ssh://10.162.30.163/system
error: unsupported configuration: Security driver model 'apparmor' is not available
I looked after it and found that while all former releases detected
apparmor correctly:
$ virsh capabilities | grep -C 3 secmodel
    <cache>
      <bank id='0' level='3' type='both' size='15' unit='MiB' cpus='0-11'/>
    </cache>
    <secmodel>
      <model>apparmor</model>
      <doi>0</doi>
    </secmodel>
    <secmodel>
      <model>dac</model>
      <doi>0</doi>
      <baselabel type='kvm'>+64055:+108</baselabel>
      <baselabel type='qemu'>+64055:+108</baselabel>
    </secmodel>
Now on groovy that didn't work anymore:
    <secmodel>
      <model>none</model>
      <doi>0</doi>
    </secmodel>
    <secmodel>
      <model>dac</model>
      <doi>0</doi>
      <baselabel type='kvm'>+64055:+108</baselabel>
      <baselabel type='qemu'>+64055:+108</baselabel>
    </secmodel>
Since 3.0 is only in proposed:
# apt-cache policy apparmor
apparmor:
  Installed: 2.13.3-7ubuntu6
  Candidate: 3.0.0~beta1-0ubuntu1
  Version table:
     3.0.0~beta1-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu groovy-proposed/main amd64 Packages
 *** 2.13.3-7ubuntu6 500
        500 http://archive.ubuntu.com/ubuntu groovy/main amd64 Packages
        100 /var/lib/dpkg/status
I installed the former version.
$ apt install apparmor=2.13.3-7ubuntu6
$ rm /var/cache/libvirt/qemu/capabilities/*
$ systemctl restart libvirtd
And it works again.
Interestingly going back to 3.0 then works and keeps working.
Therefore maybe it is a red herring and I'll consider it incomplete & low
prio for now until I know more (allowing others that might see the same to find
this bug and chime in).
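A small diagnostic for the symptom above, added here as an example and not part of the bug report or of libvirt: it parses the secmodel section of `virsh capabilities` output to tell whether guests will actually get a MAC label, and decodes the `flags` values seen in the gdb traces (10 in the good run, 8 in the bad one). The flag bit values are assumed from libvirt's src/security/security_manager.h as I recall them; the sample XML is constructed to mirror the good and bad outputs in the report.

```python
import subprocess
import xml.etree.ElementTree as ET

# virSecurityManagerNewFlags bit values (assumed, see lead-in).
SEC_FLAGS = {
    1 << 1: "DEFAULT_CONFINED",
    1 << 2: "REQUIRE_CONFINED",
    1 << 3: "PRIVILEGED",
    1 << 4: "DYNAMIC_OWNERSHIP",
    1 << 5: "MOUNT_NAMESPACE",
}

def decode_flags(flags):
    """Names of the bits set in a virSecurityManagerNew flags argument."""
    return [name for bit, name in sorted(SEC_FLAGS.items()) if flags & bit]

def secmodels(capabilities_xml):
    """<model> names under <host><secmodel> in `virsh capabilities` XML."""
    root = ET.fromstring(capabilities_xml)
    return [m.text for m in root.findall("./host/secmodel/model")]

def check_confinement(capabilities_xml, expected=("apparmor", "selinux")):
    """(ok, message): ok is False when only 'none'/'dac' are present,
    i.e. every guest would start without a MAC label, as in the report."""
    models = secmodels(capabilities_xml)
    active = [m for m in models if m in expected]
    if active:
        return True, "MAC model active: " + ", ".join(active)
    return False, "no MAC model; guests unconfined (models: %s)" % ", ".join(models)

# Constructed sample mirroring the report's good output; the bad one only
# differs in 'apparmor' being replaced by 'none'.
GOOD_CAPS = """<capabilities><host>
  <secmodel><model>apparmor</model><doi>0</doi></secmodel>
  <secmodel><model>dac</model><doi>0</doi>
    <baselabel type='kvm'>+64055:+108</baselabel></secmodel>
</host></capabilities>"""
BAD_CAPS = GOOD_CAPS.replace("apparmor", "none")

def main():
    try:  # query the live host when virsh exists, else use the sample
        xml = subprocess.run(["virsh", "capabilities"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        xml = BAD_CAPS
    ok, msg = check_confinement(xml)
    print(("OK: " if ok else "WARN: ") + msg)
    # The "none" driver clears DEFAULT_CONFINED, which is why 10 became 8.
    for f in (10, 8):
        print("flags=%d -> %s" % (f, "|".join(decode_flags(f))))

if __name__ == "__main__":
    main()
```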
Mailing list: https://launchpad.net/~touch-packages