setgid, setuid needed by /etc/apparmor.d/abstractions/libvirt-qemu
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Fix Released | Medium | Jamie Strandboge |
Lucid | Invalid | Undecided | Unassigned |
Bug Description
IMPACT: libvirt cannot setuid to run VMs as non-root
REGRESSION POTENTIAL: there should be none; we are only allowing libvirt to setuid and setgid, not changing any code
TEST CASE:
I couldn't boot any guest VMs with virsh until I modified /etc/apparmor.
jad@kvmhost:~$ sudo bzr diff /etc/apparmor.d/
=== modified file 'apparmor.
--- apparmor.
+++ apparmor.
@@ -8,6 +8,8 @@
capability dac_override,
capability dac_read_search,
capability chown,
+ capability setgid,
+ capability setuid,
# this is needed with libcap-ng support, however it breaks a lot of things
# atm, so just silence the denial until libcap-ng works right. LP: #522845
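Review bot: the two new `capability setgid,` and `capability setuid,` rules carry no comment explaining why they are needed, unlike the libcap-ng rule that follows them with its "LP: #522845" reference; a one-line comment noting that qemu cannot switch to the configured user and group without them (the "cannot change to '109' group" / "cannot change to '104' user" errors in the description) would keep the reason next to the rule. Since setuid and setgid allow a change to any uid/gid rather than just the libvirt-qemu ones, it is also worth stating in that comment that this is the intended scope so a later reader does not tighten or drop the rules without understanding the boot failure they fix.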
... and restarted apparmor and libvirtd.
Without `capability setgid`, the qemu guest log file contained:
LC_ALL=C PATH=/usr/
AUDIO_DRV=none /usr/bin/kvm -S -M pc-0.11 -enable-kvm -m 512 -smp 1 -name dm1 -u
uid 79d03a71-
b/libvirt/
file=/
libvir: QEMU error : cannot change to '109' group: Operation not permitted
Without `capability setuid`, the qemu guest log file contained:
LC_ALL=C PATH=/usr/
libvir: QEMU error : cannot change to '104' user: Operation not permitted
I don't really know if these changes were the right thing to do, but it did allow me to boot the VMs with virsh.
jad@kvmhost:~$ lsb_release -rd
Description: Ubuntu 10.04 LTS
Release: 10.04
jad@kvmhost:~$ apt-cache policy libvirt-bin kvm qemu-kvm
libvirt-bin:
Installed: 0.7.5-5ubuntu27
Candidate: 0.7.5-5ubuntu27
Version table:
*** 0.7.5-5ubuntu27 0
500 http://
100 /var/lib/
kvm:
Installed: 1:84+dfsg-
Candidate: 1:84+dfsg-
Version table:
*** 1:84+dfsg-
500 http://
100 /var/lib/
qemu-kvm:
Installed: 0.12.3+
Candidate: 0.12.3+
Version table:
*** 0.12.3+
500 http://
100 /var/lib/
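An added diagnostic script, not taken from this bug report or from the libvirt package, that checks an AppArmor abstraction file for the two capability rules this bug adds and maps the qemu guest log errors quoted above back to the missing capability. The file names and sample contents in `demo` are constructed to mirror the abstraction and log lines in the description.

```shell
#!/bin/sh
# Added example (not from the bug report): find which of the capability
# rules libvirt needs to drop privileges are missing from an AppArmor
# abstraction, and read a qemu guest log for the matching denials.

# Capabilities this bug shows abstractions/libvirt-qemu must grant so that
# qemu can switch from root to the libvirt-qemu user and group.
REQUIRED_CAPS="setuid setgid"

# Print each capability from REQUIRED_CAPS that has no active
# "capability <name>," rule in the given profile/abstraction file.
missing_caps() {
    file="$1"
    for cap in $REQUIRED_CAPS; do
        # Leading whitespace is allowed; commented-out rules do not count.
        grep -Eq "^[[:space:]]*capability[[:space:]]+${cap}[[:space:]]*," "$file" \
            || echo "$cap"
    done
}

# Read a qemu guest log (the bug quotes /var/log/libvirt/qemu/<name>.log)
# and print the capability implied by each "cannot change to ..." error.
diagnose_log() {
    sed -n \
        -e "s/.*cannot change to '\([0-9a-z_-]*\)' group: Operation not permitted.*/setgid (gid \1)/p" \
        -e "s/.*cannot change to '\([0-9a-z_-]*\)' user: Operation not permitted.*/setuid (uid \1)/p" \
        "$1"
}

# Constructed sample input modelled on the abstraction and log in this bug.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/libvirt-qemu" <<'EOF'
  capability dac_override,
  capability dac_read_search,
  capability chown,
  # capability setuid,   (commented out on purpose: still missing)
EOF
    cat > "$tmp/dm1.log" <<'EOF'
LC_ALL=C PATH=/usr/bin /usr/bin/kvm -S -M pc-0.11 -enable-kvm -m 512 -smp 1 -name dm1
libvir: QEMU error : cannot change to '109' group: Operation not permitted
EOF
    echo "missing from abstraction: $(missing_caps "$tmp/libvirt-qemu" | tr '\n' ' ')"
    echo "log points at: $(diagnose_log "$tmp/dm1.log")"
    rm -rf "$tmp"
}

demo
```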
Changed in libvirt (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Incomplete → Triaged
description: updated
Could you attach the guest description (virsh dump-xml) to the bug? Could you also specify the complete command line used to connect to libvirtd with virsh?