virsh snapshot-create-as fails when --disk-only is specified
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
libvirt (Ubuntu) | New | Undecided | Unassigned | | |
Bug Description
Reporting per chat in #apparmor. Since that suggestion I've done enough to establish it's highly likely a dupe of one of the tickets I reference further down, but I'm reporting so someone more experienced can determine where it should be linked to.
I'm seeing denials like this (on Ubuntu 18.04) when trying to run virsh snapshot-create-as server-here --name "Auto snapshot $(date --rfc-3339=

type=AVC msg=audit(
For the record, trying without spaces we have the same error, but the name of the snapshot simply isn't encoded.
type=AVC msg=audit(
Further research showed that this succeeds:
virsh snapshot-create-as server-02 --name "Auto snapshot $(date --rfc-3339=
So it's when --disk-only becomes involved the failure occurs. That means https:/
As a final point: I needed to add rwk and re-run aa-enforce on the instance's profile (not libvirt-qemu).
vi /etc/apparmor.
aa-enforce /etc/apparmor.
virsh snapshot-create-as server-here --name "xxx661722F6C69
Domain snapshot xxx661722F6C696
It appears to me that whatever generates the .files listing should consider derived names; it would be better than the `/var/lib/
disk one original: server-name-1.img
disk two original: server-name-2.img
disk two snapshot: server-
disk one snapshot: server-
After running the script at the bottom snapshots work using the incantation below.
virsh snapshot-create-as server-name --name "postscript" --atomic --disk-only
Domain snapshot postscript created
#!/bin/bash
# Script to broaden the permissions libvirt's apparmor-helper script gives to instances.
# See also https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1892306
# Possibly not the ideal fix but better than the alternatives (I could see)
# <email address hidden>
# Bail if nothing passed
if [ -z "$1" ] ; then
    echo "Pass anything which identifies instance to libvirt - uuid, id, name."
    exit 1
else
    current_instance=$1
fi
# Root is required to change libvirt/apparmor settings
if ! [ "$(id -u)" -eq 0 ]; then
    echo "Root is required to run this script"
    exit 1
fi
# Determine running status
instance_running=$(virsh dominfo "$current_instance" | grep 'State' | awk '{ print $2 }')
# Extract instance security label; used to configure apparmor
instance_seclabel=$(virsh dominfo "$current_instance" | grep 'Security label' | awk '{ print $3 }')
# Shortcut to file
instance_aa_config=/etc/apparmor.d/libvirt/$instance_seclabel
if ! [ 'running' == "$instance_running" ]; then
    # Start the instance and keep virsh's exit status
    virsh start "$current_instance"
    virsh_start_retcode=$?
    if [ $virsh_start_retcode -gt 0 ]; then
        exit $virsh_start_retcode
    fi
fi
# List current block devices, try to extract actual device then make a permitting wildcard based on it
for blockdev in $(virsh domblklist "$current_instance" | grep 'libvirt/images' | awk '{ print $2}' | sed -e 's|\..*$||'); do
    echo " \"${blockdev}.*\" rwk," >> "${instance_aa_config}.files"
done
# Re-enforce using the updated block device/file config
apparmor_parser -r -v "$instance_aa_config"
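An added check, not part of the original report or of libvirt: the script's `sed -e 's|\..*$||'` cuts each disk path at its first dot, so a file name with an earlier dot yields a wider `rwk` rule than the disk needs. The paths, the helper names and the `stem_last_ext` variant are constructed assumptions for this example.

```bash
#!/bin/bash
# Added example: all paths are constructed, not taken from the bug report.

# Stem as the script above computes it: cut at the FIRST dot in the path.
stem_first_dot() { printf '%s\n' "$1" | sed -e 's|\..*$||'; }

# Narrower variant (an assumption of this example): drop only the last extension.
stem_last_ext() { printf '%s\n' "${1%.*}"; }

# Would the AppArmor rule "<stem>.*" cover path $2? AppArmor's '*' matches any
# run of characters except '/', so the rule stays inside one directory.
rule_covers() {
    local stem path rest
    stem=$1
    path=$2
    case $path in
        "$stem".*) rest=${path#"$stem".} ;;
        *) return 1 ;;
    esac
    case $rest in
        */*) return 1 ;;
    esac
    return 0
}

# Print every candidate path ($3...) covered by the rule derived from disk $2
# using stem function $1.
covered_by() {
    local stem_fn disk stem p
    stem_fn=$1
    disk=$2
    shift 2
    stem=$("$stem_fn" "$disk")
    for p in "$@"; do
        if rule_covers "$stem" "$p"; then printf '%s\n' "$p"; fi
    done
}

# Constructed sample: one guest disk, its snapshot overlay, another guest's disk.
disk=/var/lib/libvirt/images/web.example-1.img
set -- "$disk" \
    /var/lib/libvirt/images/web.example-1.postscript \
    /var/lib/libvirt/images/web.other-guest.img
echo "first-dot stem covers:"; covered_by stem_first_dot "$disk" "$@"
echo "last-ext stem covers:";  covered_by stem_last_ext  "$disk" "$@"
```

With the constructed disk name, the first-dot stem also covers the other guest's image, while the last-extension stem covers only this guest's disk and its snapshot overlay.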