virsh with apparmor misconfigures libvirt-UUID files during snapshot
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
apparmor (Ubuntu) | Fix Released | Medium | Unassigned | |
Bug Description
Reproducible: Yes, every time.
Background:
When you create a virtual machine (VM) under KVM/Qemu in Ubuntu, apparmor files are created as:
/etc/apparmor.
and
/etc/apparmor.
And in the file /etc/apparmor.
"PATH_
where PATH_to_
and <UUID> is the UUID of the VM container.
The problem:
When creating a snapshot of a running VM under KVM/Qemu you run the command
$ sudo virsh snapshot-create-as DOMAIN_NAME DESCRIPTION --no-metadata --disk-only --atomic
which creates a new file and stops writing to the old VM block device.
However: the old PATH_to_
error: internal error: unable to execute QEMU command 'transaction': Could not open 'PATH_to_
and in /var/log/syslog you get the error:
type=1400 audit(144975210
When you look now at /etc/apparmor.
"PATH_
has been replaced with
"PATH_
but you need BOTH LINES in order for the command "virsh snapshot-create-as" to work (or at least have the old file have read permissions).
-----
Workarounds:
1. Disable apparmor for libvirtd
or
2. Change /etc/apparmor.
----------
#
# This profile is for the domain whose UUID matches this file.
#
#include <tunables/global>
profile libvirt-UUID {
#include <abstractions/
#include <libvirt/
"PATH_
}
-----------
(
So if the old line was
"/
, the line you can add would read something like this
"/var/
)
--------
Details on server:
# lsb_release -rd
Description: Ubuntu 14.04.3 LTS
Release: 14.04
# apt-cache policy apparmor
apparmor:
Installed: 2.8.95~
Candidate: 2.8.95~
Version table:
*** 2.8.95~
500 http://
100 /var/lib/
2.
500 http://
2.
500 http://
# apt-cache policy libvirt-bin
libvirt-bin:
Installed: 1.2.2-0ubuntu13
Candidate: 1.2.2-0ubuntu13
Version table:
*** 1.2.2-0ubuntu13
500 http://
100 /var/lib/
1.
500 http://
1.
500 http://
-----
Apologies if this is the wrong place to submit this bug.
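
The check below is an added example, not part of the original report and not libvirt or AppArmor code. It parses a per-domain rule file, lists the images in a snapshot chain that lack a needed permission, and pulls the matching `DENIED` events out of syslog. The image paths, UUID, log line and the `"path" perms,` rule layout are constructed assumptions, and only literally quoted paths are matched (no glob handling).

```python
import re

RULE_RE = re.compile(r'^\s*"([^"]+)"\s+([rwkl]+),\s*$')   # "path" perms,
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')                   # key="value" audit fields

# Constructed sample data (not taken from the report).
BASE = "/var/lib/libvirt/images/vm1.qcow2"
OVERLAY = "/var/lib/libvirt/images/vm1.snap1.qcow2"
PROFILE_AFTER_SNAPSHOT = f'''
  "/var/log/libvirt/qemu/vm1.log" w,
  "{OVERLAY}" rw,
'''
SYSLOG = [
    'type=1400 audit(0000000000.000:1): apparmor="DENIED" operation="open" '
    'profile="libvirt-00000000-0000-0000-0000-000000000000" '
    f'name="{BASE}" pid=1234 comm="qemu-system-x86" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

def parse_rules(profile_text):
    """Map each literally quoted path to its set of permission letters."""
    rules = {}
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.setdefault(m.group(1), set()).update(m.group(2))
    return rules

def missing_access(rules, chain):
    """chain: (path, needed_perms) for every image QEMU must open."""
    gaps = []
    for path, needed in chain:
        lacking = set(needed) - rules.get(path, set())
        if lacking:
            gaps.append((path, "".join(sorted(lacking))))
    return gaps

def libvirt_denials(log_lines):
    """Return (profile, path, denied_mask) for DENIED events on libvirt-* profiles."""
    hits = []
    for line in log_lines:
        f = dict(FIELD_RE.findall(line))
        if f.get("apparmor") == "DENIED" and f.get("profile", "").startswith("libvirt-"):
            hits.append((f["profile"], f.get("name"), f.get("denied_mask")))
    return hits

if __name__ == "__main__":
    rules = parse_rules(PROFILE_AFTER_SNAPSHOT)
    # After a disk-only snapshot the overlay is written and the old image is still read.
    print(missing_access(rules, [(BASE, "r"), (OVERLAY, "rw")]))
    print(libvirt_denials(SYSLOG))
```
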
summary: |
- virsh with apparmor misconfigures libvirtd-UUID files during snapshot + virsh with apparmor misconfigures libvirt-UUID files during snapshot |
description: | updated |
tags: | added: trusty |
tags: | added: wily |
Changed in apparmor (Ubuntu): | |
importance: | Undecided → Medium |
This bug also appears in Ubuntu 15.10
$ apt-cache policy apparmor
apparmor:
Installed: 2.10-0ubuntu6
Candidate: 2.10-0ubuntu6
Version table:
*** 2.10-0ubuntu6 0
500 http://us.archive.ubuntu.com/ubuntu/ wily/main amd64 Packages
100 /var/lib/dpkg/status
$ apt-cache policy libvirt-bin
libvirt-bin:
Installed: 1.2.16-2ubuntu11.15.10.1
Candidate: 1.2.16-2ubuntu11.15.10.1
Version table:
*** 1.2.16-2ubuntu11.15.10.1 0
500 http://us.archive.ubuntu.com/ubuntu/ wily-updates/main amd64 Packages
100 /var/lib/dpkg/status
1.2.16-2ubuntu11 0
500 http://us.archive.ubuntu.com/ubuntu/ wily/main amd64 Packages