please split libvirt-driver apparmor abstraction for qemu and containers

Bug #1331081 reported by Jamie Strandboge
This bug affects 7 people
Affects: libvirt (Ubuntu)
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned
Milestone: none

Bug Description

1.2.5 introduces apparmor support for libvirt-lxc, which is great, however the method used renames the old /etc/apparmor.d/abstractions/libvirt-qemu to libvirt-driver. This is problematic for a couple of reasons:
 1. abstractions/libvirt-qemu contains policy specific to qemu VMs (i.e., why would a container need '/usr/bin/qemu-system-x86_64 rmix,'?)
 2. presumably, likewise, container policy will be needed that shouldn't be given to qemu VMs

Instead of using 'abstractions/libvirt-driver', we can instead either:
 * ship both 'abstractions/libvirt-qemu' and 'abstractions/libvirt-lxc', adjust the TEMPLATE to include neither, and adjust the apparmor driver to inject the proper abstraction based on the driver in use
 * ship both 'abstractions/libvirt-qemu' and 'abstractions/libvirt-lxc', ship two different templates (eg, TEMPLATE.qemu and TEMPLATE.libvirt-lxc), and adjust the apparmor driver to choose the proper template based on the driver in use
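
The following is an added illustration of the first option above (the template names neither abstraction; the driver-specific one is injected at profile-generation time, and the result can be audited for rules that belong to the other driver). It is example code written for this page, not libvirt's virt-aa-helper or the reporter's code; the `###ABSTRACTION###` placeholder, the driver-to-abstraction mapping, the abstraction excerpts and the sample domain XML are all constructed assumptions.

```python
"""Constructed example: pick the AppArmor abstraction a libvirt domain should
get from its driver type, render a per-domain profile from a template, and
audit a profile for rules that belong to the other driver.  This is not
libvirt's virt-aa-helper; the template placeholder, the file names and the
rule excerpts are assumptions modelled on the bug report."""
import re
import xml.etree.ElementTree as ET

# Assumed mapping from <domain type='...'> to the abstraction it should include.
ABSTRACTION_FOR_DRIVER = {
    "kvm": "abstractions/libvirt-qemu",
    "qemu": "abstractions/libvirt-qemu",
    "lxc": "abstractions/libvirt-lxc",
}

# Constructed template with a hypothetical placeholder for the abstraction
# (option 1 in the report: the template names neither abstraction itself).
TEMPLATE = """#include <tunables/global>

profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
  #include <###ABSTRACTION###>
}
"""

# Constructed excerpts of abstraction files, keyed by their #include path.
ABSTRACTIONS = {
    # pre-split: one abstraction for every driver, qemu rules included
    "abstractions/libvirt-driver": "  /usr/bin/qemu-system-x86_64 rmix,\n  /dev/net/tun rw,\n",
    "abstractions/libvirt-qemu": "  /usr/bin/qemu-system-x86_64 rmix,\n  /dev/net/tun rw,\n",
    "abstractions/libvirt-lxc": "  /dev/pts/** rw,\n  capability sys_admin,\n",
}

# Rules that should never reach a container profile (constructed list).
QEMU_ONLY_RULES = ("/usr/bin/qemu-system-x86_64 rmix,",)

INCLUDE_RE = re.compile(r"^\s*#include\s+<([^>]+)>")


def domain_type(domain_xml):
    """Return the 'type' attribute of the <domain> root element."""
    root = ET.fromstring(domain_xml)
    if root.tag != "domain" or "type" not in root.attrib:
        raise ValueError("not a libvirt domain definition")
    return root.attrib["type"]


def abstraction_for(domain_xml):
    """Map the domain's driver to its abstraction; refuse unknown drivers
    rather than falling back to a shared (over-broad) one."""
    drv = domain_type(domain_xml)
    if drv not in ABSTRACTION_FOR_DRIVER:
        raise ValueError("no AppArmor abstraction known for driver %r" % drv)
    return ABSTRACTION_FOR_DRIVER[drv]


def render_profile(domain_xml):
    """Inject the driver-specific abstraction into the template."""
    return TEMPLATE.replace("###ABSTRACTION###", abstraction_for(domain_xml))


def flatten(profile_text, abstractions):
    """Inline one level of #include so rules from abstractions are visible.
    The #include line itself is kept so the audit can still see it."""
    out = []
    for line in profile_text.splitlines():
        out.append(line)
        m = INCLUDE_RE.match(line)
        if m and m.group(1) in abstractions:
            out.extend(abstractions[m.group(1)].splitlines())
    return "\n".join(out)


def audit_profile(profile_text, domain_xml):
    """Return findings (empty list = profile matches its driver)."""
    expected = abstraction_for(domain_xml)
    includes = [m.group(1) for m in map(INCLUDE_RE.match, profile_text.splitlines()) if m]
    findings = []
    if expected not in includes:
        findings.append("missing #include <%s>" % expected)
    for other in sorted(set(ABSTRACTION_FOR_DRIVER.values()) - {expected}):
        if other in includes:
            findings.append("includes foreign abstraction <%s>" % other)
    if domain_type(domain_xml) == "lxc":
        for rule in QEMU_ONLY_RULES:
            if rule in profile_text:
                findings.append("qemu-only rule in container profile: " + rule)
    return findings


# Constructed sample domains.
LXC_DOMAIN = "<domain type='lxc'><name>c1</name></domain>"
KVM_DOMAIN = "<domain type='kvm'><name>vm1</name></domain>"

# Constructed pre-split container profile using the shared abstraction.
OLD_LXC_PROFILE = """#include <tunables/global>
profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
  #include <abstractions/libvirt-driver>
}
"""

if __name__ == "__main__":
    print(render_profile(LXC_DOMAIN))
    print("new lxc profile:", audit_profile(flatten(render_profile(LXC_DOMAIN), ABSTRACTIONS), LXC_DOMAIN))
    print("old lxc profile:", audit_profile(flatten(OLD_LXC_PROFILE, ABSTRACTIONS), LXC_DOMAIN))
```

Run stand-alone it prints the rendered container profile, an empty finding list for it, and two findings for the pre-split profile (the container is missing its own abstraction and inherits the qemu emulator execute rule). Refusing unknown driver types instead of defaulting to a shared abstraction is the point: a shared fallback is exactly how the over-broad `libvirt-driver` grant in the report comes about.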

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

I've assigned it to myself to keep track, but if someone else has time to work on it please feel free to steal it. I'll update here when I start actually working on it.

Changed in libvirt (Ubuntu):
milestone: none → ubuntu-14.10
status: New → Triaged
importance: Undecided → Wishlist
assignee: nobody → Serge Hallyn (serge-hallyn)
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

This is being handled upstream (thanks to Cédric Bosdonnat)

Changed in libvirt (Ubuntu):
assignee: Serge Hallyn (serge-hallyn) → nobody
status: Triaged → In Progress
Changed in libvirt (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Brian Candler (b-candler) wrote :

I don't see any new libvirt-bin in the normal repos for 14.04. Should I be looking in trusty-proposed, trusty-updates, trusty-backports? Or has this been released only for 14.10?

Revision history for this message
Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1331081] Re: please split libvirt-driver apparmor abstraction for qemu and containers

Quoting Brian Candler (<email address hidden>):
> I don't see any new libvirt-bin in the normal repos for 14.04. Should I
> be looking in trusty-proposed, trusty-updates, trusty-backports? Or has
> this been released only for 14.10?

This was only released for 14.10. Since 14.04 has been released, only
bugfixes may be introduced there per SRU policy, not new features.

Revision history for this message
Nick Holloway (nwholloway) wrote :

Quoting Serge Hallyn:
> This was only released for 14.10. Since 14.04 has been released, only
> bugfixes may be introduced there per SRU policy, not new features.

Bug 1331081 was reported against 14.04, but was closed as being a duplicate of this.

Not fixing the defect reported in 1331081 in 14.04 is not satisfactory for LTS users. It prevents destroying LXC instances which was previously possible.

Revision history for this message
Brian Candler (b-candler) wrote :

Must be some confusion: this *is* bug 1331081 :-)

Do you mean bug 1348698 ?

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Quoting Nick Holloway (<email address hidden>):
> Quoting Serge Hallyn:
> > This was only released for 14.10. Since 14.04 has been released, only
> > bugfixes may be introduced there per SRU policy, not new features.
>
> Bug 1331081 was reported against 14.04, but was closed as being a
> duplicate of this.
>
> Not fixing the defect reported in 1331081 in 14.04 is not satisfactory
> for LTS users. It prevents destroying LXC instances which was
> previously possible.

Using libvirt to run containers was not recommended in the first place
until this bug was fixed. If using lxc containers then neither this
bug nor bug 1348698 is relevant.
