Ubuntu
libvirt package

Apparmor blocks creating external snaphshot

Bug #1320221 reported by Jan Müller
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libvirt (Ubuntu)
Won't Fix
Medium
Jamie Strandboge

Bug Description

Description: Ubuntu 14.04 LTS
Release: 14.04

libvirt0 1.2.2-0ubuntu13.1

Trying to create an external snapshot of a kvm-vm:

virsh snapshot-create-as <vmname> <snapname> "snap1 description" --diskspec vda,file=<path> --disk-only --atomic

this fails caused by apparmor, which does not allow access to the image (in my case a .cqow2 image)

shutting down apparmor, everything works fine :)

Revision history for this message
Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1320221] [NEW] Apparmor blocks creating external snaphshot

Could you please attach the .xml file for the vm you are trying to
snapshot?

 status: incomplete

Changed in libvirt (Ubuntu):
status: New → Incomplete
Revision history for this message
Jan Müller (jm-3) wrote :

sure:

<domain type='kvm'>
  <name>example</name>
  <uuid>789a4284-bf70-d461-35f0-685fb44b1906</uuid>
  <memory unit='KiB'>24687616</memory>
  <currentMemory unit='KiB'>24687616</currentMemory>
  <vcpu placement='static'>4</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-trusty'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/kvm-spice</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='<path-to-image>'/>
      <target dev='vda' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </disk>
    <disk type='block' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <address type='drive' controller='0' bus='1' target='0' unit='0'/>
    </disk>
    <controller type='usb' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <interface type='bridge'>
      <mac address='52:54:00:83:3c:94'/>
      <source bridge='br0'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes'/>
    <video>
      <model type='cirrus' vram='9216' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </memballoon>
  </devices>
</domain>

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Can you show the relevant DENIED message in /var/log/audit/auditd.log or /var/log/syslog?

The .xml obfuscated the pathname which i was looking for :) can you generally describe the filename and the path?

Revision history for this message
Jan Müller (jm-3) wrote :

This was written in /var/log/syslog:

May 16 14:37:00 mars kernel: [275453.973328] type=1400 audit(1400243820.154:55): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/var/vm/neptun-test4/neptun-test4.1400243812" pid=8890 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Revision history for this message
Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1320221] Re: Apparmor blocks creating external snaphshot

Thanks. So looking at the current profile for virt-aa-helper, it is
allowed to read anything under /mnt, /opt, /srv, /media, most anything
under /home, but and anything under /var/lib/libvirt, /var/lib/nova,
and a few others.

Your vms are under /var/vm. You can of course work around this trivially
by adding the line

  /var/vms/** r,

to /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper. The preferred
workaround would be to move the vms under /var/lib/libvirt/images
or another of the currently whitelisted paths.

I'm assigning this temporarily to Jamie to get his input on whether
the finer granularity under /var was on purpose (I assume it was),
or whether we can just whitelist all of /var/**.

 status: confirmed
 assignee: jdstrand
 priority: medium

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Thanks. So looking at the current profile for virt-aa-helper, it is
allowed to read anything under /mnt, /opt, /srv, /media, most anything
under /home, but and anything under /var/lib/libvirt, /var/lib/nova,
and a few others.

Your vms are under /var/vm. You can of course work around this trivially
by adding the line

  /var/vms/** r,

to /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper. The preferred
workaround would be to move the vms under /var/lib/libvirt/images
or another of the currently whitelisted paths.

I'm assigning this temporarily to Jamie to get his input on whether
the finer granularity under /var was on purpose (I assume it was),
or whether we can just whitelist all of /var/**.

 status: confirmed
 assignee: jdstrand
 importance: medium

Changed in libvirt (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

We don't want to add all of /var. Either the images can be stored in the standard location or the profile can be adjusted by the administrator.

Changed in libvirt (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
assignee: nobody → Jamie Strandboge (jdstrand)
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.