Bug #1845506 “Libvirt snapshot doesn't update apparmor profile” : Bugs : libvirt package : Ubuntu

Revision history for this message

In Red Hat Bugzilla #1746684, lars.dunemark (lars.dunemark-redhat-bugs) wrote on 2019-08-29:

#15

Created attachment 1609257
Domain file

Description of problem:
Creating a domain with multiple disks and trying to take an disk-only snapshot with external disk overlay fails with the error "Could not create file: Permission denied"

Version-Release number of selected component (if applicable):
Tested on 4.0.0, 5.0.0 and master (648c11c04cf1d45f37f4662ffb7952611ddb458c)

How reproducible:
Create a new domain for qemu with 2 disk connected. (dumpxml of my domain as attachemnt)

Steps to Reproduce:
1. snapshot-create-as --domain ubuntu18.04 --disk-only --atomic --diskspec vda,file=/var/lib/libvirt/images/ubuntu18.04-overlay.qcow2,snapshot=external --diskspec vdb,file=/var/lib/libvirt/images/ubuntu18.04-1-overlay.qcow2,snapshot=external

Actual results:
error: internal error: unable to execute QEMU command 'transaction': Could not create file: Permission denied

Expected results:
Domain snapshot 1567058757 created

Additional info:
When manually adding the path to vda overlay file in /etc/apparmor.d/libvirt/libvirt-a955728a-ac8f-4fcb-8bea-3e12fca826a7 as:
"/var/lib/libvirt/images/ubuntu18.04-overlay.qcow2" rwk,

It works to take snapshot for both disk. So it looks like the apparmor is only updated with the last disk

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-09-26:

#1

Hi Dominique,
isn't that the same as I outlined on [1] ?

In case you think it is related could you for a check open /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper and remove the deny lines from /dev/sd to /dev/mapper; then reload via `sudo apparmor_parser -r /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper` and try again.

And if it is not the same, there I definitely did "snapshot of one disk with guests having multiple disks" there. So you might take a look what differs.
From a glimpse at your command I did none,none,none,snap,none while you try to snapshot two at once.

In case the above didn't help, could you attach a guest XML so that I can recreate a similar case?

[1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1525310/comments/2

Changed in libvirt (Ubuntu):
status:	New → Incomplete

Revision history for this message

Dominique Ramaekers (dominique-ramaekers) wrote on 2019-09-26:

#2

@paelzer,

I don't think my bug is a duplicate of 1525310...

With me, everything works fine from the start. Creating snapshots works fine also. Only with guest that has multiple disks, the snapshot fails.

Nonetheless, I tested the snapshot with the /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper lines removed (like you suggested) and the snapshot failed just the same.

I agree with Mr. Lars Dunemark who reported the bug on Bugzilla. Libvirt doesn't manage the /etc/apparmor.d/libvirt/libvirt-[UUID].files file correctly on snapshotting a guest with multiple disks.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-09-27:

#3

Then please attach a guest XML of your case as there are too many ways to configure/attach disks to try all of them. I'll give it a retry myself then when I'm back to chime in with a +1 on the case then (if confirmed).

Revision history for this message

Dominique Ramaekers (dominique-ramaekers) wrote on 2019-09-27:

#4

CmsrvLAP2.xml Edit (8.4 KiB, application/xml)

Please find xml attached.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-09-27:

#5

From the description of Dominque this seemed a common case, so I tried with just qcow files and got it confirmed.

# Create basic guest (already has two disks)
uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=eoan
uvt-kvm create --password ubuntu eoan arch=amd64 release=eoan label=daily

# Add further disks for the test:
sudo qemu-img create -f qcow2 /var/lib/uvtool/libvirt/images/eoan-disk1.qcow 1G
sudo qemu-img create -f qcow2 /var/lib/uvtool/libvirt/images/eoan-disk2.qcow 1G
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/uvtool/libvirt/images/eoan-disk1.qcow'/>
      <target dev='vdc' bus='virtio'/>
    </disk>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/uvtool/libvirt/images/eoan-disk2.qcow'/>
      <target dev='vdd' bus='virtio'/>
    </disk>

The guest now looks like:
$ virsh domblklist eoan --details
Type Device Target Source
--------------------------------------------------------------------------
file disk vda /var/lib/uvtool/libvirt/images/eoan.qcow
file disk vdb /var/lib/uvtool/libvirt/images/eoan-ds.qcow
file disk vdc /var/lib/uvtool/libvirt/images/eoan-disk1.qcow
file disk vdd /var/lib/uvtool/libvirt/images/eoan-disk2.qcow

Snapshot of single disk works:
$ virsh snapshot-create-as --domain eoan --disk-only --atomic --diskspec vda,snapshot=no --diskspec vdb,snapshot=no --diskspec vdc,file=/var/lib/libvirt/images/eoan-disk1.snapshot1.qcow,snapshot=external --diskspec vdd,snapshot=no

The apparmor profile got the snapshot added as expected:
cat /etc/apparmor.d/libvirt/libvirt-72b929d2-389d-4c60-9f3b-4c3a8a98b4b0.files
...
"/var/lib/libvirt/images/eoan-disk1.snapshot1.qcow" rwk,

Snapshot of multiple disks fails:
virsh snapshot-create-as --domain eoan --disk-only --atomic --diskspec vda,snapshot=no --diskspec vdb,snapshot=no --diskspec vdc,file=/var/lib/libvirt/images/eoan-disk1.snapshot1.qcow,snapshot=external --diskspec vdd,file=/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow,snapshot=external
error: internal error: unable to execute QEMU command 'transaction': Could not create file: Permission denied

None of the two paths got added to the apparmor profile.

Alongside that we see the expected apparmor denials.
apparmor="DENIED" operation="open" profile="libvirt-72b929d2-389d-4c60-9f3b-4c3a8a98b4b0" name="/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow" pid=23603 comm="qemu-system-x86" requested_mask="wrc" denied_mask="wrc" fsuid=64055 ouid=64055

This proves the report.
I'll be out for a while after today, but I agree that we need to sort out what is missing in this case.
In the single snapshot case I've seen virt-aa-helper called to add a line, needs debugging where this fails with more than one snapshot target.

Until then one might as workaround try to snapshot each of the disks one by one (therefore only medium).

From the description of Dominque this seemed a common case, so I tried with just qcow files and got it confirmed.

# Create basic guest (already has two disks)
uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=eoan
uvt-kvm create --password ubuntu eoan arch=amd64 release=eoan label=daily

# Add further disks for the test:
sudo qemu-img create -f qcow2 /var/lib/uvtool/libvirt/images/eoan-disk1.qcow 1G
sudo qemu-img create -f qcow2 /var/lib/uvtool/libvirt/images/eoan-disk2.qcow 1G
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/uvtool/libvirt/images/eoan-disk1.qcow'/>
      <target dev='vdc' bus='virtio'/>
    </disk>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/uvtool/libvirt/images/eoan-disk2.qcow'/>
      <target dev='vdd' bus='virtio'/>
    </disk>

The guest now looks like:
$ virsh domblklist eoan --details
 Type   Device   Target   Source
--------------------------------------------------------------------------
 file   disk     vda      /var/lib/uvtool/libvirt/images/eoan.qcow
 file   disk     vdb      /var/lib/uvtool/libvirt/images/eoan-ds.qcow
 file   disk     vdc      /var/lib/uvtool/libvirt/images/eoan-disk1.qcow
 file   disk     vdd      /var/lib/uvtool/libvirt/images/eoan-disk2.qcow

Snapshot of single disk works:
$ virsh snapshot-create-as --domain eoan --disk-only --atomic --diskspec vda,snapshot=no  --diskspec vdb,snapshot=no --diskspec vdc,file=/var/lib/libvirt/images/eoan-disk1.snapshot1.qcow,snapshot=external --diskspec vdd,snapshot=no

The apparmor profile got the snapshot added as expected:
cat /etc/apparmor.d/libvirt/libvirt-72b929d2-389d-4c60-9f3b-4c3a8a98b4b0.files
...
  "/var/lib/libvirt/images/eoan-disk1.snapshot1.qcow" rwk,

Snapshot of multiple disks fails:
virsh snapshot-create-as --domain eoan --disk-only --atomic --diskspec vda,snapshot=no  --diskspec vdb,snapshot=no --diskspec vdc,file=/var/lib/libvirt/images/eoan-disk1.snapshot1.qcow,snapshot=external --diskspec vdd,file=/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow,snapshot=external
error: internal error: unable to execute QEMU command 'transaction': Could not create file: Permission denied

None of the two paths got added to the apparmor profile.

Alongside that we see the expected apparmor denials.
 apparmor="DENIED" operation="open" profile="libvirt-72b929d2-389d-4c60-9f3b-4c3a8a98b4b0" name="/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow" pid=23603 comm="qemu-system-x86" requested_mask="wrc" denied_mask="wrc" fsuid=64055 ouid=64055

This proves the report.
I'll be out for a while after today, but I agree that we need to sort out what is missing in this case.
In the single snapshot case I've seen virt-aa-helper called to add a line, needs debugging where this fails with more than one snapshot target.

Until then one might as workaround try to snapshot each of the disks one by one (therefore only medium).

Changed in libvirt (Ubuntu):
status:	Incomplete → Triaged
importance:	Undecided → Medium

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-09-27:

#6

FYI: Also the dumpxml of the other reported case was at: https://bugzilla.redhat.com/attachment.cgi?id=1609257

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-10-15:

#7

Download full text (7.5 KiB)

logs:

2 disks:
Oct 15 13:14:07 e libvirtd[612]: internal error: unable to execute QEMU command 'transaction': Could not create file: Permission denied
Oct 15 13:14:08 e libvirtd[612]: Path '/var/lib/libvirt/images/eoan-disk1.snapshot1.qcow' is not accessible: No such file or directory
Oct 15 13:14:08 e libvirtd[612]: Unable to tear down cgroup access on /var/lib/libvirt/images/eoan-disk1.snapshot1.qcow
Oct 15 13:14:08 e libvirtd[612]: internal error: child reported (status=125): unable to set user and group to '0:0' on '/var/lib/libvirt/images/eoan-disk1.snapshot1.qcow': No such file or directory
Oct 15 13:14:08 e libvirtd[612]: Unable to restore security label on /var/lib/libvirt/images/eoan-disk1.snapshot1.qcow
Oct 15 13:14:08 e libvirtd[612]: Path '/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow' is not accessible: No such file or directory
Oct 15 13:14:08 e libvirtd[612]: Unable to tear down cgroup access on /var/lib/libvirt/images/eoan-disk2.snapshot1.qcow
Oct 15 13:14:08 e libvirtd[612]: internal error: child reported (status=125): unable to set user and group to '0:0' on '/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow': No such file or directory
Oct 15 13:14:08 e libvirtd[612]: Unable to restore security label on /var/lib/libvirt/images/eoan-disk2.snapshot1.qcow

One disk:
- no message
- new rule
"/var/lib/libvirt/images/eoan-disk1.snapshot1.qcow" rwk,

This looks like a late call from labelling (comes with rwk by default).

Check what we get with one disk and two disks in GDB:
Num Type Disp Enb Address What
3 breakpoint keep y 0x00007f92474dacd0 in load_profile at ../../../src/security/security_apparmor.c:166
        silent
        if fn == 0
          cont
        p fn
        end

(gdb) bt
#0 load_profile (profile=0x7f9224049f10 "libvirt-2370eae2-cc9a-493c-b502-d2d64e2ee1d1", def=def@entry=0x7f92380e9190,
    fn=0x7f92180be390 "/var/lib/libvirt/images/eoan-disk1.snapshot2.qcow", append=append@entry=false, mgr=<optimized out>) at ../../../src/security/security_apparmor.c:166
#1 0x00007f92474db08b in AppArmorSetSecurityImageLabel (mgr=<optimized out>, def=0x7f92380e9190, src=0x7f92181f9930, flags=<optimized out>) at ../../../src/security/security_apparmor.c:830
#2 0x00007f92474d1ebe in virSecurityManagerSetImageLabel (mgr=0x7f91f401d0b0, vm=vm@entry=0x7f92380e9190, src=src@entry=0x7f92181f9930, flags=flags@entry=(unknown: 0))
    at ../../../src/security/security_manager.c:506
#3 0x00007f92474cd9a9 in virSecurityStackSetImageLabel (mgr=<optimized out>, vm=0x7f92380e9190, src=0x7f92181f9930, flags=(unknown: 0)) at ../../../src/security/security_stack.c:575
#4 0x00007f92474d1ebe in virSecurityManagerSetImageLabel (mgr=0x7f91f401b920, vm=0x7f92380e9190, src=src@entry=0x7f92181f9930, flags=flags@entry=(unknown: 0))
    at ../../../src/security/security_manager.c:506
#5 0x00007f923c27a014 in qemuSecuritySetImageLabel (driver=driver@entry=0x7f91f400f880, vm=vm@entry=0x7f92240444b0, src=src@entry=0x7f92181f9930, backingChain=backingChain@entry=false)
    at ../../../src/qemu/qemu_security.c:115
#6 0x00007f923c1dccad in qemuDomainStorageSourceAccessModify (driver=0x7f91f400f880, vm=0x7f9...

logs:

2 disks:
Oct 15 13:14:07 e libvirtd[612]: internal error: unable to execute QEMU command 'transaction': Could not create file: Permission denied
Oct 15 13:14:08 e libvirtd[612]: Path '/var/lib/libvirt/images/eoan-disk1.snapshot1.qcow' is not accessible: No such file or directory
Oct 15 13:14:08 e libvirtd[612]: Unable to tear down cgroup access on /var/lib/libvirt/images/eoan-disk1.snapshot1.qcow
Oct 15 13:14:08 e libvirtd[612]: internal error: child reported (status=125): unable to set user and group to '0:0' on '/var/lib/libvirt/images/eoan-disk1.snapshot1.qcow': No such file or directory
Oct 15 13:14:08 e libvirtd[612]: Unable to restore security label on /var/lib/libvirt/images/eoan-disk1.snapshot1.qcow
Oct 15 13:14:08 e libvirtd[612]: Path '/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow' is not accessible: No such file or directory
Oct 15 13:14:08 e libvirtd[612]: Unable to tear down cgroup access on /var/lib/libvirt/images/eoan-disk2.snapshot1.qcow
Oct 15 13:14:08 e libvirtd[612]: internal error: child reported (status=125): unable to set user and group to '0:0' on '/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow': No such file or directory
Oct 15 13:14:08 e libvirtd[612]: Unable to restore security label on /var/lib/libvirt/images/eoan-disk2.snapshot1.qcow

One disk:
- no message
- new rule
  "/var/lib/libvirt/images/eoan-disk1.snapshot1.qcow" rwk,

This looks like a late call from labelling (comes with rwk by default).

Check what we get with one disk and two disks in GDB:
Num     Type           Disp Enb Address            What
3       breakpoint     keep y   0x00007f92474dacd0 in load_profile at ../../../src/security/security_apparmor.c:166
        silent
        if fn == 0
          cont
        p fn
        end

(gdb) bt
#0  load_profile (profile=0x7f9224049f10 "libvirt-2370eae2-cc9a-493c-b502-d2d64e2ee1d1", def=def@entry=0x7f92380e9190, 
    fn=0x7f92180be390 "/var/lib/libvirt/images/eoan-disk1.snapshot2.qcow", append=append@entry=false, mgr=<optimized out>) at ../../../src/security/security_apparmor.c:166
#1  0x00007f92474db08b in AppArmorSetSecurityImageLabel (mgr=<optimized out>, def=0x7f92380e9190, src=0x7f92181f9930, flags=<optimized out>) at ../../../src/security/security_apparmor.c:830
#2  0x00007f92474d1ebe in virSecurityManagerSetImageLabel (mgr=0x7f91f401d0b0, vm=vm@entry=0x7f92380e9190, src=src@entry=0x7f92181f9930, flags=flags@entry=(unknown: 0))
    at ../../../src/security/security_manager.c:506
#3  0x00007f92474cd9a9 in virSecurityStackSetImageLabel (mgr=<optimized out>, vm=0x7f92380e9190, src=0x7f92181f9930, flags=(unknown: 0)) at ../../../src/security/security_stack.c:575
#4  0x00007f92474d1ebe in virSecurityManagerSetImageLabel (mgr=0x7f91f401b920, vm=0x7f92380e9190, src=src@entry=0x7f92181f9930, flags=flags@entry=(unknown: 0))
    at ../../../src/security/security_manager.c:506
#5  0x00007f923c27a014 in qemuSecuritySetImageLabel (driver=driver@entry=0x7f91f400f880, vm=vm@entry=0x7f92240444b0, src=src@entry=0x7f92181f9930, backingChain=backingChain@entry=false)
    at ../../../src/qemu/qemu_security.c:115
#6  0x00007f923c1dccad in qemuDomainStorageSourceAccessModify (driver=0x7f91f400f880, vm=0x7f92240444b0, src=0x7f92181f9930, flags=QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_SKIP_REVOKE)
    at ../../../src/qemu/qemu_domain.c:9350
#7  0x00007f923c275473 in qemuDomainSnapshotCreateSingleDiskActive (reuse=false, actions=<optimized out>, dd=0x7f92181f98c0, vm=<optimized out>, driver=0x7f91f400f880)
    at ../../../src/qemu/qemu_driver.c:15216
#8  qemuDomainSnapshotCreateDiskActive (asyncJob=QEMU_ASYNC_JOB_SNAPSHOT, flags=144, snap=<optimized out>, vm=<optimized out>, driver=0x7f91f400f880)
    at ../../../src/qemu/qemu_driver.c:15269
#9  qemuDomainSnapshotCreateActiveExternal (flags=144, snap=<optimized out>, vm=<optimized out>, driver=0x7f91f400f880) at ../../../src/qemu/qemu_driver.c:15476
#10 qemuDomainSnapshotCreateXML (domain=<optimized out>, xmlDesc=<optimized out>, flags=144) at ../../../src/qemu/qemu_driver.c:15773
#11 0x00007f92475ed698 in virDomainSnapshotCreateXML (domain=domain@entry=0x7f92180f3100, 
    xmlDesc=0x7f92183119a0 "<domainsnapshot>\n  <disks>\n    <disk name='vda' snapshot='no'/>\n    <disk name='vdb' snapshot='no'/>\n    <disk name='vdc' snapshot='external'>\n      <source file='/var/lib/libvirt/images/eoan-disk1.sn"..., flags=144) at ../../../src/libvirt-domain-snapshot.c:241
#12 0x0000561722d17ddc in remoteDispatchDomainSnapshotCreateXML (server=0x56172369bed0, msg=0x56172371b300, ret=0x7f921830c9e0, args=0x7f921803a160, rerr=0x7f9241fce9a0, 
    client=<optimized out>) at ../../../src/remote/remote_daemon_dispatch_stubs.h:11744
#13 remoteDispatchDomainSnapshotCreateXMLHelper (server=0x56172369bed0, client=<optimized out>, msg=0x56172371b300, rerr=0x7f9241fce9a0, args=0x7f921803a160, ret=0x7f921830c9e0)
    at ../../../src/remote/remote_daemon_dispatch_stubs.h:11718
#14 0x00007f92474fbcb1 in virNetServerProgramDispatchCall (msg=0x56172371b300, client=0x5617236f00e0, server=0x56172369bed0, prog=0x5617236e5550)
    at ../../../src/rpc/virnetserverprogram.c:435
#15 virNetServerProgramDispatch (prog=0x5617236e5550, server=server@entry=0x56172369bed0, client=0x5617236f00e0, msg=0x56172371b300) at ../../../src/rpc/virnetserverprogram.c:302
#16 0x00007f92475022bc in virNetServerProcessMsg (msg=<optimized out>, prog=<optimized out>, client=<optimized out>, srv=0x56172369bed0) at ../../../src/rpc/virnetserver.c:142
#17 virNetServerHandleJob (jobOpaque=<optimized out>, opaque=0x56172369bed0) at ../../../src/rpc/virnetserver.c:163
#18 0x00007f924742860f in virThreadPoolWorker (opaque=opaque@entry=0x56172368a580) at ../../../src/util/virthreadpool.c:163
#19 0x00007f92474278fc in virThreadHelper (data=<optimized out>) at ../../../src/util/virthread.c:206
#20 0x00007f9247299669 in start_thread (arg=<optimized out>) at pthread_create.c:479
#21 0x00007f92471c1323 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

This effectively calls 
$9 = 0x7f92180f6520 "LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -r -u libvirt-2370eae2-cc9a-493c-b502-d2d64e2ee1d1 -f /var/lib/libvirt/images/eoan-disk1.snapshot2.qcow"

Which seems right to me ...

And after this I see in the profile it is added:

"/var/lib/libvirt/images/eoan-disk1.snapshot2.qcow" rwk,

I see those calls for both paths:
Thread 4 "libvirtd" hit Breakpoint 5, load_profile (profile=0x7f9224049f10 "libvirt-2370eae2-cc9a-493c-b502-d2d64e2ee1d1", def=def@entry=0x7f92380e9190, 
    fn=0x7f9210007be0 "/var/lib/libvirt/images/eoan-disk1.snapshot2.qcow", append=append@entry=false, mgr=<optimized out>) at ../../../src/security/security_apparmor.c:166
166     load_profile(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
$17 = 0x7f9210007be0 "/var/lib/libvirt/images/eoan-disk1.snapshot2.qcow"
(gdb) c
Continuing.
[Detaching after fork from child process 21613]
[Detaching after fork from child process 21616]

Thread 4 "libvirtd" hit Breakpoint 5, load_profile (profile=0x7f9224049f10 "libvirt-2370eae2-cc9a-493c-b502-d2d64e2ee1d1", def=def@entry=0x7f92380e9190, 
    fn=0x7f9210009f10 "/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow", append=append@entry=false, mgr=<optimized out>) at ../../../src/security/security_apparmor.c:166
166     load_profile(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
$18 = 0x7f9210009f10 "/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow"

$29 = 0x7f92300055a0 "LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -r -u libvirt-2370eae2-cc9a-493c-b502-d2d64e2ee1d1 -f /var/lib/libvirt/images/eoan-disk2.snapshot1.qcow"

So surely both file labelling calls happen.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-10-15:

#8

Interesting is that for:

$ virsh snapshot-create-as --domain eoan --disk-only --atomic --diskspec vda,snapshot=no --diskspec vdb,snapshot=no --diskspec vdc,file=/var/lib/libvirt/images/eoan-disk1.snapshot2.qcow,snapshot=external --diskspec vdd,file=/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow,snapshot=external

I first see:
"/var/lib/libvirt/images/eoan-disk1.snapshot2.qcow" rwk,
and then it is gone but I see
"/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow" rwk,

And then eventually neither of those

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-10-15:

#9

I think I see what happens.
virt-aa-helper works on some intermediate content, and the labelling calls only "append" something.
This works if you e.g. hot attach one and later another device.
But on this interaction with snapshots of multiple devices they seem to work on "the same" intermediate content.
It is like:

start "A"
1. result A+B
2. result A+C (totally ignoring B being added)

And eventually we only have the last disk added as apparmor rule.
Since the overall action then fails by an apparmor denial the profile is reloaded as it was before.

I need to check how/where that interim content is stored.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-10-15:

#10

XML is taken via virDomainDefFormat from the contexts `virDomainDefPtr def`
That is passed to virt-aa-helper as stdin.

These calls are from the same stack.
In my example having the same object for the VM.

vm=0x7f92240444b0 which carries def=0x7f92380e9190 nto both calls and therby the same XML context it starts with (our issue).

qemuDomainSnapshotCreateDiskActive
-> 2*qemuDomainSnapshotCreateSingleDiskActive

Since virt-aa-helper is external it doesn't know state, libvirt needs to pass that state from the labeling calls somehow.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-10-15:

#11

In comparison in a hotplug case the extra disk becomes part of the ephemeral active XML.
And on the next action would be added by parsing that.
But here it renders the XML to append one, and then does the same to append the second.
But then one can hotplug multiple disks in one XML, that does work - but maybe that is serialized differently with state changes in between.

I'll recheck that later to be sure ...

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-10-15:

#12

virt-aa-helper has (TBH misunderstandable) call modes for appending:
-f | --add-file <file> add file to profile
-F | --append-file <file> append file to profile

-f does render the XML into apparmor rules and then adds the passed file (this is used atm by the labelling call).
-F keeps the apparmor rules as-is and will add a new rule at the end.

By using -F this would work for the use case in discussion (tried it manually), but I will need to consider a bunch of other interactions if we change this.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-10-15:

#13

All false are reloads to restore former content (that is ok):
src/security/security_apparmor.c:706: return reload_profile(mgr, def, NULL, false);
src/security/security_apparmor.c:750: return reload_profile(mgr, def, NULL, false);
src/security/security_apparmor.c:795: return reload_profile(mgr, def, NULL, false);
src/security/security_apparmor.c:1017: return reload_profile(mgr, def, NULL, false);
src/security/security_apparmor.c:1088: return reload_profile(mgr, def, NULL, false);
src/security/security_apparmor.c:1125: return reload_profile(mgr, def, NULL, false);

All additions of paths are append=true which will cause it to use -F:
src/security/security_apparmor.c:320: return reload_profile(ptr->mgr, def, file, true);
src/security/security_apparmor.c:501: return reload_profile(mgr, def, stdin_path, true);
src/security/security_apparmor.c:733: return reload_profile(mgr, def, mem->nvdimmPath, true);
src/security/security_apparmor.c:776: return reload_profile(mgr, def, input->source.evdev, true);
src/security/security_apparmor.c:1039: ret = reload_profile(mgr, def, dev_source->data.file.path, true);
src/security/security_apparmor.c:1047: if (reload_profile(mgr, def, in, true) < 0)
src/security/security_apparmor.c:1051: if (reload_profile(mgr, def, out, true) < 0)
src/security/security_apparmor.c:1054: ret = reload_profile(mgr, def, dev_source->data.file.path, true);
src/security/security_apparmor.c:1096: return reload_profile(mgr, def, savefile, true);
src/security/security_apparmor.c:1111: rc = reload_profile(mgr, def, full_path, true);
src/security/security_apparmor.c:1114: rc = reload_profile(mgr, def, path, true);
src/security/security_apparmor.c:1152: return reload_profile(mgr, def, fd_path, true);

The only outlier to this rule is:
src/security/security_apparmor.c:466: if (load_profile(mgr, secdef->label, def, NULL, false) < 0) {

Which is what we hit in the call chain of this use-case that fails here.

All false are reloads to restore former content (that is ok):
src/security/security_apparmor.c:706:    return reload_profile(mgr, def, NULL, false);
src/security/security_apparmor.c:750:    return reload_profile(mgr, def, NULL, false);
src/security/security_apparmor.c:795:    return reload_profile(mgr, def, NULL, false);
src/security/security_apparmor.c:1017:    return reload_profile(mgr, def, NULL, false);
src/security/security_apparmor.c:1088:    return reload_profile(mgr, def, NULL, false);
src/security/security_apparmor.c:1125:    return reload_profile(mgr, def, NULL, false);

All additions of paths are append=true which will cause it to use -F:
src/security/security_apparmor.c:320:    return reload_profile(ptr->mgr, def, file, true);
src/security/security_apparmor.c:501:        return reload_profile(mgr, def, stdin_path, true);
src/security/security_apparmor.c:733:        return reload_profile(mgr, def, mem->nvdimmPath, true);
src/security/security_apparmor.c:776:        return reload_profile(mgr, def, input->source.evdev, true);
src/security/security_apparmor.c:1039:        ret = reload_profile(mgr, def, dev_source->data.file.path, true);
src/security/security_apparmor.c:1047:            if (reload_profile(mgr, def, in, true) < 0)
src/security/security_apparmor.c:1051:            if (reload_profile(mgr, def, out, true) < 0)
src/security/security_apparmor.c:1054:        ret = reload_profile(mgr, def, dev_source->data.file.path, true);
src/security/security_apparmor.c:1096:    return reload_profile(mgr, def, savefile, true);
src/security/security_apparmor.c:1111:        rc = reload_profile(mgr, def, full_path, true);
src/security/security_apparmor.c:1114:        rc = reload_profile(mgr, def, path, true);
src/security/security_apparmor.c:1152:    return reload_profile(mgr, def, fd_path, true);

The only outlier to this rule is:
src/security/security_apparmor.c:466:    if (load_profile(mgr, secdef->label, def, NULL, false) < 0) {

Which is what we hit in the call chain of this use-case that fails here.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-10-15:

#14

TODO from here:
- Test attaching multiple disks in one XML (hot add) just to be sure
- reword the bad help text in virt-aa-helper
  - split operation modes / general options / file passing
  - add some more words to differ between -f and -F
- In AppArmorSetSecurityImageLabel for the load_profile call switch append to true
   - this is the actual fix for this issue
- AppArmorSetSecurityImageLabel can be simplified by refactoring it to use
  - reload_profile instead of load_profile
  - logic is mostly the same
- Create test builds in PPA
- Test case on test builds
- Upstream the change
- backport Fixes to affected Ubuntu release

Changed in libvirt (Ubuntu):
assignee:	nobody → Christian Ehrhardt  (paelzer)
tags:	added: server-next

Revision history for this message

In Red Hat Bugzilla #1746684, paelzer (paelzer-redhat-bugs) wrote on 2019-10-15:

#16

FYI - I was debugging this in the context of Ubuntu bug https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1845506
I think I found the root cause (see recent updates there)

The summary for now is:
- one of the labeling calls does not use append=true
- thereby the apparmor rules get re-rendered from XML throwing away former appended paths
- the snapshot case here represents two calls and the second throws away the content of the former one

If from here all goes well will submit patches some-when this week.

Bug Watch Updater (bug-watch-updater) on 2019-10-15

Changed in libvirt:
importance:	Unknown → Undecided
status:	Unknown → Confirmed

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-10-16:

#17

ok, attach-device and attach-disk only support one device on each invocation and thereby are safe even if they would call the critical code.

But these (more common) paths still pass AppArmorSetSecurityImageLabel which means if there were rules added that are not yet reflected in the XML representation they would be lost at this point.
So while not really affected it seems wise for this use-case as well to make the changes.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-10-16:

#18

Example if you run snapshot and hot-add concurrently it might loose one rule and break.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-10-16:

#19

I have created the patches that I had in mind and a test PPA [1] (only a subset of the patches created are in there) to verify them.
I have run test builds on Eoan and on upstream/master code levels, upstream code also ran the sysntax/style check scripts of the project.

For me the test PPA [1] works for what was identified but has further issues.
I now see (interim state) both rules there:

root@e:~# cat /etc/apparmor.d/libvirt/libvirt-2370eae2-cc9a-493c-b502-d2d64e2ee1d1.files
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/eoan.log" w,
...
  "/dev/vhost-net" rw,
  "/var/lib/libvirt/images/eoan-disk1.snapshot2.qcow" rwk,
  "/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow" rwk,

But still the snapshot fails and access still is denied by apparmor:
apparmor="DENIED" operation="open" name="/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow" requested_mask="r" ...
... name="/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow"
... name="/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow"

Hmm, those are the same paths ...
So I need to find another issue that affects this before I can go for upstreaming as I want to show the case now working ...

[1]: https://launchpad.net/~paelzer/+archive/ubuntu/bug-1845506-multi-snapshot-apparmor

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-10-16:

#20

By single stepping the code I see that the Denies clearly come in after the second reload_profile added the rule - so it just should not happen?

Maybe the rules aren't reloaded yet?
But I see the reload activities in dmesg:
... apparmor="STATUS" operation="profile_replace" ...

A manual reload while in this state shows:
info="same as current profile, skipping"

So it clearly is loaded correctly.

Analyzing the stack on that shows that it gets back up to "qemuDomainSnapshotCreateDiskActive" without triggering the issue.
At this point it looped over the involved disks and called qemuDomainSnapshotCreateSingleDiskActive which led to the adding of the profile rules.

Then there it starts a async monitor job.
And the sync on that then triggers the denies.
ret = qemuMonitorTransaction(priv->mon, &actions);

We know this is the qemu driver and the domain pointer is my domain, the async flag is: QEMU_ASYNC_JOB_SNAPSHOT

This command is
a) what triggers the denials
b) failing and due to that later invoking the restore of the original profile

What is submitted is the actual snapshot command to qemu:
in qemuMonitorJSONCommandWithFd:
(gdb) printf "%s\n", cmdbuf.content
{
  "execute": "transaction",
  "arguments": {
    "actions": [
      {
        "type": "blockdev-snapshot-sync",
        "data": {
          "device": "drive-virtio-disk2",
          "snapshot-file": "/var/lib/libvirt/images/eoan-disk1.snapshot2.qcow",
          "format": "qcow2"
        }
      },
      {
        "type": "blockdev-snapshot-sync",
        "data": {
          "device": "drive-virtio-disk3",
          "snapshot-file": "/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow",
          "format": "qcow2"
        }
      }
    ]
  },
  "id": "libvirt-32"
}

Hmm, I'm struggling here:
1. the profile with proper rules is loaded
2. the rule is 'rwk'
3. the denial is for read which 'r' should cover
4. the paths of rule and denial are identical
5. the reported profile that blocks is the profile that we extended

I'm missing something ...

By single stepping the code I see that the Denies clearly come in after the second reload_profile added the rule - so it just should not happen?

Maybe the rules aren't reloaded yet?
But I see the reload activities in dmesg:
 ... apparmor="STATUS" operation="profile_replace" ...

A manual reload while in this state shows:
  info="same as current profile, skipping"

So it clearly is loaded correctly.

Analyzing the stack on that shows that it gets back up to "qemuDomainSnapshotCreateDiskActive" without triggering the issue.
At this point it looped over the involved disks and called qemuDomainSnapshotCreateSingleDiskActive which led to the adding of the profile rules.

Then there it starts a async monitor job.
And the sync on that then triggers the denies.
  ret = qemuMonitorTransaction(priv->mon, &actions);

We know this is the qemu driver and the domain pointer is my domain, the async flag is: QEMU_ASYNC_JOB_SNAPSHOT

This command is
a) what triggers the denials
b) failing and due to that later invoking the restore of the original profile

What is submitted is the actual snapshot command to qemu:
in qemuMonitorJSONCommandWithFd:
(gdb) printf "%s\n", cmdbuf.content
{
  "execute": "transaction",
  "arguments": {
    "actions": [
      {
        "type": "blockdev-snapshot-sync",
        "data": {
          "device": "drive-virtio-disk2",
          "snapshot-file": "/var/lib/libvirt/images/eoan-disk1.snapshot2.qcow",
          "format": "qcow2"
        }
      },
      {
        "type": "blockdev-snapshot-sync",
        "data": {
          "device": "drive-virtio-disk3",
          "snapshot-file": "/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow",
          "format": "qcow2"
        }
      }
    ]
  },
  "id": "libvirt-32"
}

Hmm, I'm struggling here:
1. the profile with proper rules is loaded
2. the rule is 'rwk'
3. the denial is for read which 'r' should cover
4. the paths of rule and denial are identical
5. the reported profile that blocks is the profile that we extended

I'm missing something ...

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-10-16:

#21

Ok the extra issue I had was only due to my stacked container setup, something broke on the apparmor nesting.
On a bare metal system with the patches applied snapshotting multiple disks at once worked fine now.

The good part of that is that I can now submit my patch series.
Done here:
https://www.redhat.com/archives/libvir-list/2019-October/msg01002.html

Now lets wait what the upstream feedback on those will be before considering backports.
Also Eoan being released soon will most likely block uploads for a few days until 20.04 is really open.

Revision history for this message

In Red Hat Bugzilla #1746684, paelzer (paelzer-redhat-bugs) wrote on 2019-10-24:

#22

FYI a fix to this is on the mailing list since a few days with no response yet:
https://www.redhat.com/archives/libvir-list/2019-October/msg01002.html

Worth a FYI ping here anyway, and maybe it is seen by that.

P.S. With the massive glib changes ongoing we might need slight adaptions depending on the order they and, but that seems to be search/replace and should be ok.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-11-21:

#23

FYI - pushed in upstream git now and will be in the next release.

tags:

added: libvirt-20.04

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2020-01-21:

#24

Just adding a comment to refresh our "60 days timeout" timer, as this bug was not dropped and is being worked on.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-02-02:

#25

Download full text (13.2 KiB)

This bug was fixed in the package libvirt - 6.0.0-0ubuntu1

---------------
libvirt (6.0.0-0ubuntu1) focal; urgency=medium

  * Merged with Debian 5.6.0-4 from experimental and v6.0.0 from upstream
    Among many other new features and fixes this includes fixes for:
    - LP: #1859253 - rbd driver fails to create a new volume
    - LP: #1858341 - rbd driver does not list all volumes in pool
    - LP: #1845506 - Libvirt snapshot doesn't update apparmor profile
    - LP: #1854653 - slow libvirt-guests.sh during shutdown if service is off
    - LP: #1848229 - enable ppc64el to use ccf-assist feature
    - LP: #1853315 - Enable CPU Model Comparison and Baselining on s390x
    - LP: #1853317 - CCW IPL support to boot from ECKD DASDs
    - LP: #1859506 - security: AppArmor profile fixes for swtpm
    Remaining changes:
    - Disable libssh2 support (universe dependency)
    - Disable firewalld support (universe dependency)
    - Set qemu-group to kvm (for compat with older ubuntu)
    - Additional apport package-hook
    - Autostart default bridged network (As upstream does, but not Debian).
      In addition to just enabling it our solution provides:
      + do not autostart if subnet is already taken (e.g. in guests).
      + iterate some alternative subnets before giving up
    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is
      the group based access to libvirt functions as it was used in Ubuntu
      for quite long.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
        due to the group access change.
      + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt
        group.
    - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
    - Update Vcs-Git and Vcs-Browser fields to point to launchpad
    - Update README.Debian with Ubuntu changes
    - Enable some additional features on ppc64el and s390x (for arch parity)
      + systemtap, zfs, numa and numad on s390x.
      + systemtap on ppc64el.
    - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
    - Further upstreamed apparmor Delta, especially any new one
      Our former delta is split into logical pieces and is either Ubuntu only
      or is part of a continuous upstreaming effort.
      Listing related remaining changes in debian/patches/ubuntu-aa/:
    - fix autopkgtests
      + d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making
        vmlinuz available and accessible (Debian bug 848314)
      + d/t/control: fix smoke-qemu-session by ensuring the service will run
        installing libvirt-daemon-system
      + d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy as
        long as the following undefine succeeds
      + d/t/smoke-lxc: use systemd instead of sysV to restart the service
    - dnsmasq related enhancements
      + run dnsmasq as libvirt-dnsmasq (LP: 1743718)
      + d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group
      + d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group
        on purge
      + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user
        libvirt-dnsmasq and adapt t...

This bug was fixed in the package libvirt - 6.0.0-0ubuntu1

---------------
libvirt (6.0.0-0ubuntu1) focal; urgency=medium

* Merged with Debian 5.6.0-4 from experimental and v6.0.0 from upstream
    Among many other new features and fixes this includes fixes for:
    - LP: #1859253 - rbd driver fails to create a new volume
    - LP: #1858341 - rbd driver does not list all volumes in pool
    - LP: #1845506 - Libvirt snapshot doesn't update apparmor profile
    - LP: #1854653 - slow libvirt-guests.sh during shutdown if service is off
    - LP: #1848229 - enable ppc64el to use ccf-assist feature
    - LP: #1853315 - Enable CPU Model Comparison and Baselining on s390x
    - LP: #1853317 - CCW IPL support to boot from ECKD DASDs
    - LP: #1859506 - security: AppArmor profile fixes for swtpm
    Remaining changes:
    - Disable libssh2 support (universe dependency)
    - Disable firewalld support (universe dependency)
    - Set qemu-group to kvm (for compat with older ubuntu)
    - Additional apport package-hook
    - Autostart default bridged network (As upstream does, but not Debian).
      In addition to just enabling it our solution provides:
      + do not autostart if subnet is already taken (e.g. in guests).
      + iterate some alternative subnets before giving up
    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is
      the group based access to libvirt functions as it was used in Ubuntu
      for quite long.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
        due to the group access change.
      + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt
        group.
    - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
    - Update Vcs-Git and Vcs-Browser fields to point to launchpad
    - Update README.Debian with Ubuntu changes
    - Enable some additional features on ppc64el and s390x (for arch parity)
      + systemtap, zfs, numa and numad on s390x.
      + systemtap on ppc64el.
    - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
    - Further upstreamed apparmor Delta, especially any new one
      Our former delta is split into logical pieces and is either Ubuntu only
      or is part of a continuous upstreaming effort.
      Listing related remaining changes in debian/patches/ubuntu-aa/:
    - fix autopkgtests
      + d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making
        vmlinuz available and accessible (Debian bug 848314)
      + d/t/control: fix smoke-qemu-session by ensuring the service will run
        installing libvirt-daemon-system
      + d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy as
        long as the following undefine succeeds
      + d/t/smoke-lxc: use systemd instead of sysV to restart the service
    - dnsmasq related enhancements
      + run dnsmasq as libvirt-dnsmasq (LP: 1743718)
      + d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group
      + d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group
        on purge
      + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user
        libvirt-dnsmasq and adapt the self tests to expect that config
      + d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users group
      + Add dnsmasq configuration to work with system wide dnsmasq-base
    - debian/rules: disable the netcf backend. (LP: 1764314)
    - debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd UEFI
      Secure Boot enabled variants of the OVMF firmware and variable store for
      the paths where we ship these files in Ubuntu.
    - d/rules: install virtlockd correctly with defaults file (LP: 1729516)
    - d/rules: also check build time self test results on all architectures
    - d/p/ubuntu/set-default-machine-to-ubuntu.patch: to select default
      machine type correctly with newer qemu/libvirt
    - d/rules: add --no-restart-after-upgrade to services that are supposed to
      stay up through upgrades - this also applies to related sockets.
    - Apparmor Delta that is Ubuntu specific or yet to be upstreamed
      split into logical pieces. File names in debian/patches/ubuntu-aa/:
      + 0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch:
        apparmor, libvirt-qemu: Allow read access to overcommit_memory
      + 0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch:
        apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv
      + 0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch:
        apparmor, virt-aa-helper: Allow access to tmp directories
      + 0020-virt-aa-helper-ubuntu-storage-paths.patch:
        apparmor, virt-aa-helper: Allow various storage pools and image
        locations
      + 0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch:
        apparmor, virt-aa-helper: Add openvswitch support
      + 0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor,
        libvirt-qemu: Add 9p support
      + 0030-virt-aa-helper-Complete-9p-support.patch: virt-aa-helper:
        add l to 9p file options.
      + 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch:
        virt-aa-helper: Ask for no deny rule for readonly disk (renamed and
        reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch)
      + 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch:
        apparmor, libvirt-qemu: Allow reading charm-specific ceph config
      + 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow
        commands executed by ubuntu only kvm wrapper on ppc64el
        (LP 1686621 LP 1680384 LP 1784023)
      + 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch:
        apparmor, virt-aa-helper: access for snapped nova
      + 0050-local-include-for-libvirt-qemu.patch,
        d/libvirt-daemon-system.postinst: provide a local apparmor include
        for abstraction/libvirt-qemu (LP: 1786019)
      + lp-1815910-allow-vhost-net.patch: avoid apparmor issues
        with vhost-net/vhost-vsock/vhost-scsi hotplug (LP: 1815910)
  * Dropped changes (in Debian)
    - d/libvirt0.symbols: bump symbol versions for 5.4.0
    - avoid service dependency issues on upgrade (LP: 1786179)
      This will in the long term be resolved in dh_* tools, but to let an
      upgrade work for now we need to drop the sysV scripts (which we don't
      use anyway) and slightly modify the systemd service to work with todays
      dh_systemd_start properly. Can be dropped once Debian bug 905772 is
      resolved in dh_* tools and libvirt uses those new code.
      + d/libvirt-daemon-system.virtlogd.init: removed sysV init file
      + d/libvirt-daemon-system.libvirtd.init: removed sysV init file
      + debian/libvirt-daemon-system.maintscript: rm_conffile for virtlogd
        and lbivirtd sysV init file
      + d/p/ubuntu/avoid-restarting-virtlog-socket.patch: drop Also references
        to virtlogd/virtlockd sockets as they would imply a restart of
        virtlogd breaking it.
      [ we now have split packages for sysv and systemd support ]
    - d/t/control, d/t/smoke-lxc: fix up lxc smoke test isolation
    - Refreshed to match new upstream
      + d/p/Reduce-udevadm-settle-timeout-to-10-seconds.patch
  * Dropped changes (now upstream)
    - d/p/ubuntu/lp-1828495-*: make libvirt able to handle arch_capabilities
      cpu features for the Host. (LP: 1828495 - not closing yet as guest caps
      are still need fixups to work well LP: 1841066)
    - SECURITY UPDATEs: CVE-2019-10161, CVE-2019-10166,
      CVE-2019-10167 and CVE-2019-10168
    - d/p/ubuntu-aa/lp-1833040-Add-openGraphicsFD-rule-for-named-profile.patch:
      avoid issues with remote screen connections like virt-manager due to
      apparmor changes in libvirt 5.1 (LP 1833040)
    - 0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch: apparmor:
      Allow pygrub to run on Debian/Ubuntu
    - update to v5.4.0
  * Dropped changes (Xen demoted to universe)
    - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The
      section that adapts the path of the emulator to the Debian/Ubuntu
      packaging is kept.
    - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch: auto
      set VRAM to minimum requirements
    - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts
    - Add libxl log directory
    - libvirt-uri.sh: Automatically switch default libvirt URI for users on
      Xen dom0 via user profile (was missing on changelogs before)
  * Dropped changes (no more needed)
    - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from
      included_files to avoid build failures due to duplicate definitions.
      [ finally works in v6.0.0 ]
    - d/control: Revert iptables/ebtables dependency as Eoan still is on 1.6.x
      [ focal has iptables 1.8.3 ]
    - d/rules: adapt iptables binary paths present in Eoan (LP 1832297)
      [ focal has iptables 1.8.3 ]
  * Added Changes:
    - refreshed patches for libvirt v6.0.0
    - d/control: bump build dep to python3
    - d/control: VCS links to use generic Ubuntu launchpad git URLs
    - d/control: add python3-docutils as build dependency
    - d/control: add libzfslinux-dev to build-deps
    - d/rules: set enable-dependency-tracking to avoid FTBFS
    - d/rules: drop the no more existing phyp option
    - d/rules: drop the no more existing xen configure option
    - d/libvirt-clients.maintscript: rm_conffile libvirt-uri.sh that was
      optional for use on xen hosts
    - d/control: drop libvirt-lxc, vbox and xen drivers to suggest
    - minimize patches generated by autoreconf
    - fix build on Debian/Ubuntu in qemuhotplugtest
    - d/libvirt-doc.doc: install rendered docs
    - d/libvirt-daemon-system.examples: drop old examples that are now active
    - d/libvirt-doc.doc-base.libvirt-doc: adapt doc base to new file placement
    - d/libvirt-daemon-system-sysv.lintian-overrides: not shipiing systemd files
    - d/libnss-libvirt.lintian-overrides: accept having two nss so files
    - d/rules: don't ship split daemons just yet
    - d/rules: install /etc/default/* files that are shared between sysv and
      systemd packages
    - d/rules: add libvirt-guests.default to libvirt-daemon-system instead of
      libvirt-daemon-system-sysv
    - d/p/ubuntu/lp-1655111*: fix qemu_bridge_helper to work with  named
      profiles (LP: #1655111)

libvirt (5.6.0-4) experimental; urgency=medium

* [d88536d] Introduce libvirt-daemon-system-{systemd,sysv} Move init scripts
    to separate package that allows people to experiment with alternative init
    systems while avoiding the problems that mixed init scripts and systemd
    units have in the current packaging.
    Thanks to Christian Ehrhardt for all the input regarding upgrade
    problems seen in Ubuntu and possible solutions.
    (Closes: #887911, #905772)
  * [c19d230] autopkg tests: Use isolation-machine.
    This avoids running under debian ci since libvirt-lxc in lxc
    doesn't work there. (Closes: #947006)

libvirt (5.6.0-3) unstable; urgency=medium

* Team upload.

[ Christian Ehrhardt ]
  * Move qemu, lxc, uml, vbox and xen connection drivers into separate
    packages. This reduces the dependencies pulled into default installations.
    (Closes: #901940)
  * d/copyright: Update

[ Guido Günther ]
  * [362bec6] autopkgtest: Adjust to new path

libvirt (5.6.0-2) unstable; urgency=medium

* Team upload.

* [4dcbe93] Revert "Disable libvirtd socket activation" (Closes: #935883)
  * [b464de1] Add libvirtd sockets handling

libvirt (5.6.0-1) unstable; urgency=medium

* Team upload.

[ Guido Günther ]
  * [fb43676] d/control: Drop dh-autoreconf build-dep
  * [81d21d5] d/not-installed: Use multi-arch dirs
  * [07d5669] New upstream version 5.6.0
    Fixes CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091,
    CVE-2019-10132
    (Closes: #915107, #931243, #929334)
  * [9f38a9e] apparmor: Allow run pygrub
    (Closes: #931768)
  * Acknowledge NMU. Thanks Jonathan Wiltshire

[ Christian Ehrhardt ]
  * [c28c3b3] d/libvirt0.install: install translations
  * [c3c4cd4] d/libvirt-daemon-system.install: drop in helper for firewalld
  * [3e8b43c] d/not-installed: ignore default files /etc/sysconfig
  * [c223d7f] d/libvirt-daemon-system.examples: ship sysctl config as example
  * [f19acf6] d/libvirt-daemon-system.install: ship libxl-sanlock.conf
    (Closes: #919484)
  * [483e44a] d/libvirt-doc.docs: fix whitespace issue
  * [4f4751f] d/libvirt-doc.docs: install new doc elements
  * [781e22e] d/not-installed: ignore documentation already being installed
  * [eda89b2] d/no-installed, d/libvirt-doc.docs: do not install fonts
  * [ab67a28] d/copyright: add license for docs/fonts/
  * [2e222a2] d/rules: strip symbolic-functions linker option
  * [39b658c] Revert "d/libvirt-daemon-system.install: ship
    libxl-sanlock.conf"
  * [ce46360] d/rules: install libxl-sanlock.conf dependent on xen being
    enabled

[ Andrea Bolognani ]
  * [6a2eae3] Simplify and improve watch file
  * [82a1edc] Bump symbol versions
  * [73fccd9] Specify --doc-main-package for dh_installdocs
  * [d48fdf6] Rediff patches
  * [3b16c86] Bump symbol versions
  * [48c9b75] Drop Avahi support
  * [a49de91] Fix AppArmor profile for virt-aa-helper
  * [b8e92da] Disable libvirtd socket activation
  * [73d1e8c] Install kbase articles

-- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 13 Jan 2020 13:14:14 +0100

Changed in libvirt (Ubuntu):
status:	Triaged → Fix Released

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-09-17:

#26

We had a discussion about further backports in [1], but I think the answer is no unless we have a stronger reasoning. Let us mark the tags accordingly.

[1]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1892306/comments/7

Changed in libvirt (Ubuntu):
assignee:	Christian Ehrhardt  (paelzer) → nobody
Changed in libvirt (Ubuntu Bionic):
status:	New → Won't Fix

Ubuntu
libvirt package

Libvirt snapshot doesn't update apparmor profile

Bug Description

CVE References

Duplicates of this bug

Other bug subscribers

Bug attachments

Remote bug watches

	Status	Importance	Assigned to
libvirt	Confirmed	Undecided	redhat-bugs #1746684
libvirt (Ubuntu)	Fix Released	Medium	Unassigned
Bionic	Won't Fix	Undecided	Unassigned

Ubuntulibvirt package

Libvirt snapshot doesn't update apparmor profile

Bug Description

CVE References

Duplicates of this bug

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
libvirt package