VM fails to start with dac security driver added
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Fix Released | Medium | Taco Screen team |
Yakkety | Fix Released | Low | Unassigned |
Bug Description
[Impact]
* Due to an upstream change in libvirt 2.0, users of libvirt >=2.0
(that is, >=Yakkety) can't use non-apparmor security labels anymore.
* That means old guest definitions that should still work now fail to
start.
* The issue was in virt-aa-helper, the proposed fix was tested and then
brought upstream. This is a backport of the upstream accepted fix.
[Test Case]
* Test case with virt-aa-helper on a minimal XML:
```
$ cat << EOF > /tmp/test.xml
<domain type='kvm'>
  <name>
  <uuid>
  <memory unit='KiB'
  <os><type arch='x86_
  <seclabel type='dynamic' model='apparmor' relabel='yes'/>
  <seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>
EOF
$ /usr/lib/
-u libvirt-
```
Current Result:
```
virt-aa-helper: error: could not parse XML
virt-aa-helper: error: could not get VM definition
```
Expected Result is to emit a valid apparmor profile.
* The more complex test is to create a guest (whatever way you like),
add an empty dac security label (as shown above) and then start the
guest.
Current Result:
```
error: Failed to start domain yakkety-
error: internal error: cannot load AppArmor profile 'libvirt-
```
Expected Result:
properly starting the guest
[Regression Potential]
* The change is in the parsing of domain info in domain_conf.c. While
neither local nor upstream tests broke anything, one could think of a very
special XML configuration that might now fail parsing. OTOH the new change
now skips some of the parsing, so even if we miss considering something it
shouldn't fail, but instead "forget" to read some data correctly. The
part that we skip are seclabels, which are created dynamically anyway.
* Also, the changed flag is local to virt-aa-helper.c and guarded by
that flag in domain_conf.c, so it should be a no-op to anybody but
virt-aa-helper for sure.
[Other Info]
* N/A
---Problem Description---
VM fails to start with dac security driver added
---uname output---
Linux ltc-test-ci1 4.4.0-9136-generic #55-Ubuntu SMP Fri Aug 26 05:56:24 UTC 2016 ppc64le ppc64le ppc64le GNU/Linux
Machine Type = power 8 ppc64le
---Steps to Reproduce---
VM fails to start with dac security driver added
1. Define a VM with both apparmor and dac security driver (used XML as below)
```
#virsh dumpxml virt-tests-vm1
<domain type='kvm'>
  <name>
  <uuid>
  <memory unit='KiB'
  <currentMemory unit='KiB'
  <vcpu placement=
  <resource>
    <partition>
  </resource>
  <os>
    <type arch='ppc64le' machine=
    <boot dev='hd'/>
  </os>
  <cpu>
    <topology sockets='1' cores='32' threads='1'/>
  </cpu>
  <clock offset='utc'/>
  <on_poweroff>
  <on_reboot>
  <on_crash>
  <devices>
    <emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/
      <target dev='sda' bus='scsi'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <controller type='usb' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='scsi' index='0'>
      <address type='spapr-vio' reg='0x2000'/>
    </controller>
    <interface type='bridge'>
      <mac address=
      <source bridge='virbr0'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
      <address type='spapr-vio' reg='0x30000000'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
      <address type='spapr-vio' reg='0x30000000'/>
    </console>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </memballoon>
    <panic model='pseries'/>
  </devices>
  <seclabel type='dynamic' model='apparmor' relabel='yes'/>
  <seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>
```
2. virsh start virt-tests-vm1
```
#virsh start virt-tests-vm1
error: Failed to start domain virt-tests-vm1
error: internal error: cannot load AppArmor profile 'libvirt-
```
3. After removing the dac line from the XML (`<seclabel type='dynamic' model='dac' relabel='yes'/>`) the VM started fine
```
#virsh start virt-tests-vm1
Domain virt-tests-vm1 started
```
Userspace tool common name: ii libvirt-bin 2.1.0-1ubuntu5 ppc64el programs for the libvirt library
The userspace tool has the following bit modes: both
Userspace package: ii libvirt-bin 2.1.0-1ubuntu5 ppc64el programs for the libvirt library
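The failing combination is easy to spot in a domain definition before `virsh start` ever runs: a top-level `<seclabel model='apparmor'>` next to an explicit `<seclabel model='dac'>`. The script below, an added example that is not part of this bug report or of libvirt, scans `virsh dumpxml`-style output for that combination and produces the workaround the reporter used in step 3 (dropping the explicit dac element). The sample domain XML is constructed for this example; the guest name, UUID and memory size are placeholders, not values from the report.

```python
"""Detect libvirt domain definitions that trip the virt-aa-helper parse
failure on libvirt >=2.0: an apparmor <seclabel> plus an explicit dac one.

Added example, not code from libvirt or from this bug report.
"""
import xml.etree.ElementTree as ET

# Constructed sample domain (values are placeholders, not from the report).
SAMPLE_BOTH = """<domain type='kvm'>
  <name>example-guest</name>
  <uuid>00000000-0000-4000-8000-000000000001</uuid>
  <memory unit='KiB'>1048576</memory>
  <os><type arch='x86_64' machine='pc'>hvm</type></os>
  <seclabel type='dynamic' model='apparmor' relabel='yes'/>
  <seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>"""

# Same constructed guest with only the apparmor label (the working shape).
SAMPLE_APPARMOR_ONLY = """<domain type='kvm'>
  <name>example-guest</name>
  <uuid>00000000-0000-4000-8000-000000000001</uuid>
  <memory unit='KiB'>1048576</memory>
  <os><type arch='x86_64' machine='pc'>hvm</type></os>
  <seclabel type='dynamic' model='apparmor' relabel='yes'/>
</domain>"""


def seclabels(domain_xml):
    """Return (model, type, relabel) for each top-level <seclabel>.

    Only direct children of <domain> are considered; per-device
    <seclabel> elements under <disk>/<source> are a different feature
    and are not what the bug is about.
    """
    root = ET.fromstring(domain_xml)
    return [(s.get("model"), s.get("type"), s.get("relabel"))
            for s in root.findall("seclabel")]


def triggers_bug(domain_xml):
    """True when both an apparmor and an explicit dac label are present."""
    models = {model for model, _, _ in seclabels(domain_xml)}
    return "apparmor" in models and "dac" in models


def strip_dac_seclabel(domain_xml):
    """Workaround from step 3 of the report: remove the explicit dac label.

    Returns the rewritten domain XML as a string.
    """
    root = ET.fromstring(domain_xml)
    for label in list(root.findall("seclabel")):
        if label.get("model") == "dac":
            root.remove(label)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, xml in (("both", SAMPLE_BOTH),
                      ("apparmor-only", SAMPLE_APPARMOR_ONLY)):
        print(name, seclabels(xml), "affected" if triggers_bug(xml) else "ok")
    fixed = strip_dac_seclabel(SAMPLE_BOTH)
    print("after workaround:", seclabels(fixed))
```

To use it against a real host, feed `virsh dumpxml <guest>` output into `triggers_bug()`; on an unfixed libvirt 2.x that guest will fail at the `virt-aa-helper` step exactly as in the report. Dropping the explicit dac element only removes the declaration, not the labelling: libvirt's qemu driver stacks the DAC driver with the primary security driver by default, so file ownership is still adjusted for the guest after the workaround.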
Changed in libvirt (Ubuntu):
- status: Confirmed → In Progress
- description: updated
- description: updated