Ubuntu Cloud Archive

Series yoga
Bug #1890858
Activity log

Activity log for bug #1890858

Date	Who	What changed	Old value	New value	Message
2020-08-07 23:43:41	Mike Salvatore	bug			added bug
2020-08-07 23:43:50	Mike Salvatore	nominated for series		Ubuntu Focal
2020-08-07 23:43:50	Mike Salvatore	bug task added		libvirt (Ubuntu Focal)
2020-08-11 01:48:08	Rafael David Tinoco	bug			added subscriber Christian Ehrhardt 
2020-08-11 01:48:13	Rafael David Tinoco	bug			added subscriber Ubuntu Server
2020-08-11 01:48:22	Rafael David Tinoco	libvirt (Ubuntu Focal): status	New	Triaged
2020-08-11 01:48:36	Rafael David Tinoco	libvirt (Ubuntu): status	New	Triaged
2020-08-12 08:55:31	Christian Ehrhardt 	libvirt (Ubuntu): status	Triaged	Incomplete
2020-08-12 08:55:32	Christian Ehrhardt 	libvirt (Ubuntu Focal): status	Triaged	Incomplete
2020-08-17 17:46:39	Tommy Nevtelen	attachment added		aa-logprof generated libvirt profile https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5402216/+files/usr.sbin.libvirtd
2020-08-18 08:04:35	Christian Ehrhardt 	libvirt (Ubuntu Focal): status	Incomplete	Confirmed
2020-09-30 12:29:52	Bertrand Rétif	bug			added subscriber Bertrand Rétif
2020-09-30 13:09:27	Bertrand Rétif	attachment added		Tar of my /etc/libvirt https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5415654/+files/etc-libvirt.tar
2020-11-16 21:39:58	Mark Foster (ExtraHop)	bug			added subscriber Mark Foster (ExtraHop)
2020-12-29 14:38:16	Kim Covil	attachment added		strace of libvirtd while running virsh list https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5447694/+files/libvirtd.strace
2020-12-29 14:40:21	Kim Covil	attachment added		output of running systemctl status $(basename -a $(dpkg -L libvirt-daemon-system \| grep -e .socket -e .service \| xargs) \| xargs) https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5447695/+files/systemctl-socket-status
2021-03-01 05:19:39	Eric Stone	bug			added subscriber Eric Stone
2021-06-08 13:28:08	Robert Euhus	attachment added		systemctl status $(basename -a $(dpkg -L libvirt-daemon-system \| grep -e .socket -e .service \| xargs) \| xargs) > systemctl_status_before https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5503149/+files/systemctl_status_before
2021-06-08 13:29:10	Robert Euhus	attachment added		systemctl status $(basename -a $(dpkg -L libvirt-daemon-system \| grep -e .socket -e .service \| xargs) \| xargs) > systemctl_status_before https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5503150/+files/systemctl_status_before
2021-06-08 13:29:57	Robert Euhus	attachment added		3) strace -p 1246 2>&1 \| tee -a strace_local_user_success https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5503151/+files/strace_local_user_success
2021-06-08 13:30:29	Robert Euhus	attachment added		5) systemctl status $(basename -a $(dpkg -L libvirt-daemon-system \| grep -e .socket -e .service \| xargs) \| xargs) > systemctl_status_after_success https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5503152/+files/systemctl_status_after_success
2021-06-08 13:31:39	Robert Euhus	attachment added		6) strace -p 1246 2>&1 \| tee -a strace_domain_user_fail https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5503153/+files/strace_domain_user_fail
2021-06-08 13:32:14	Robert Euhus	attachment added		8) systemctl status $(basename -a $(dpkg -L libvirt-daemon-system \| grep -e .socket -e .service \| xargs) \| xargs) > systemctl_status_after_failure https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5503154/+files/systemctl_status_after_failure
2021-06-08 13:33:29	Robert Euhus	attachment added		10) strace -p 11051 2>&1 \| tee -a strace_domain_user_network_unix_dgram_success https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5503155/+files/strace_domain_user_network_unix_dgram_success
2021-06-08 13:34:18	Robert Euhus	attachment added		surrounding area from syslog https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5503156/+files/syslog-error
2021-06-08 13:36:07	Robert Euhus	attachment removed	systemctl status $(basename -a $(dpkg -L libvirt-daemon-system \| grep -e .socket -e .service \| xargs) \| xargs) > systemctl_status_before https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5503149/+files/systemctl_status_before
2021-06-08 13:37:20	Robert Euhus	bug			added subscriber Robert Euhus
2021-06-09 21:47:16	Alexander Kabakaev	bug			added subscriber Alexander Kabakaev
2021-06-14 11:30:55	Christian Ehrhardt 	libvirt (Ubuntu): status	Incomplete	Fix Released
2021-06-14 11:30:58	Christian Ehrhardt 	libvirt (Ubuntu Focal): status	Confirmed	Triaged
2021-06-14 11:31:00	Christian Ehrhardt 	libvirt (Ubuntu Focal): assignee		Christian Ehrhardt  (paelzer)
2021-06-14 11:31:09	Christian Ehrhardt 	libvirt (Ubuntu Focal): assignee	Christian Ehrhardt  (paelzer)	Ubuntu Security Team (ubuntu-security)
2021-06-14 12:28:14	Christian Ehrhardt 	description	On some focal 20.04 systems, users are seeing "QEMU/KVM - Not Connected" when they attempt to use virt-manager to manage virtual machines. AppArmor denials like the following are seen in the logs: sudo grep libvirt /var/log/syslog \| grep -i apparmor \| grep -i denied Jun 28 14:53:27 koromicha kernel: [ 334.660844] audit: type=1400 audit(1593345207.778:951): apparmor="DENIED" operation="bind" profile="libvirtd" pid=12254 comm="libvirtd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-6228daaaf66b14dfd14d93ef46d962c3" Jun 28 14:54:19 koromicha kernel: [ 386.034970] audit: type=1400 audit(1593345259.145:952): apparmor="DENIED" operation="bind" profile="libvirtd" pid=14311 comm="libvirtd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-c861507740da1fa0c3356ad3b78bffe9" Jun 28 15:02:30 koromicha kernel: [ 877.339057] audit: type=1400 audit(1593345750.437:968): apparmor="DENIED" operation="bind" profile="libvirtd" pid=16175 comm="libvirtd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-7d70643a9f8da0342f6359907817b664" Users have reported that the "solution" is to disable the AppArmor profile. More details, screenshots, etc. can be found here: https://kifarunix.com/how-to-fix-qemu-kvm-not-connected-error-on-ubuntu-20-04/	[Impact] * libvirt in Focal in some cases e.g. with non local users needs to resolve those users. When trying to do so it fails due to apparmor isolation and breaks badly. * In later and former releases this issue isn't triggered, but it is unknown which (potentially complex) set of changes did that. A simple apparmor rule would help to allow libvirt to better function in environments with non known user IDs. [Test Plan] * Following these steps in an unfixed release triggers the issue sudo apt update; sudo apt dist-upgrade -y sudo apt install -y sssd sssd-ldap slapd ldap-utils openssl expect lsb-release libvirt-clients libvirt-daemon-system ubuntu-dev-tools pull-lp-source sssd cd sssd-2.4.1 echo ";;;Al0000-2400;libvirt" \| sudo tee -a /etc/security/group.conf head -n -5 debian/tests/ldap-user-group-ldap-auth > debian/tests/lp1890858-test chmod +x debian/tests/lp1890858-test sudo ./debian/tests/lp1890858-test sudo systemctl restart libvirtd # ensure it works in a normal login virsh list journalctl -u libvirtd # try the sssd login sudo login # use testuser1 / testuser1secret to log in virsh list If affected this will not work reporting an error like: $ virsh list error: failed to connect to the hypervisor error: End of file while reading data: Input/output error And in dmesg/journal an apparmor denial like: Jun 14 11:25:26 ldap.example.com audit[48330]: AVC apparmor="DENIED" operation="bind" profile="libvirtd" pid=48330 comm="rpc-worker" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-f283d575d74df972f9e10bd14d0befe3" [Where problems could occur] Allowing a little bit more to a daemon that already is rather powerful and open in regard to it's profile usually isn't changing behavior. If anything it would be considered a potential risk, but this rule should be ok to be added and ubuntu-security confirmed this. [Other Info] * Comment 38 confirms that this should be ok - from the security Teams POV. https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/comments/38 --- On some focal 20.04 systems, users are seeing "QEMU/KVM - Not Connected" when they attempt to use virt-manager to manage virtual machines. AppArmor denials like the following are seen in the logs: sudo grep libvirt /var/log/syslog \| grep -i apparmor \| grep -i denied Jun 28 14:53:27 koromicha kernel: [ 334.660844] audit: type=1400 audit(1593345207.778:951): apparmor="DENIED" operation="bind" profile="libvirtd" pid=12254 comm="libvirtd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-6228daaaf66b14dfd14d93ef46d962c3" Jun 28 14:54:19 koromicha kernel: [ 386.034970] audit: type=1400 audit(1593345259.145:952): apparmor="DENIED" operation="bind" profile="libvirtd" pid=14311 comm="libvirtd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-c861507740da1fa0c3356ad3b78bffe9" Jun 28 15:02:30 koromicha kernel: [ 877.339057] audit: type=1400 audit(1593345750.437:968): apparmor="DENIED" operation="bind" profile="libvirtd" pid=16175 comm="libvirtd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-7d70643a9f8da0342f6359907817b664" Users have reported that the "solution" is to disable the AppArmor profile. More details, screenshots, etc. can be found here: https://kifarunix.com/how-to-fix-qemu-kvm-not-connected-error-on-ubuntu-20-04/
2021-06-14 12:40:22	Launchpad Janitor	merge proposal linked		https://code.launchpad.net/~paelzer/ubuntu/+source/libvirt/+git/libvirt/+merge/404124
2021-06-16 10:05:36	Christian Ehrhardt 	bug task added		apparmor (Ubuntu)
2021-06-16 10:05:45	Christian Ehrhardt 	apparmor (Ubuntu): status	New	Invalid
2021-06-16 10:05:48	Christian Ehrhardt 	libvirt (Ubuntu): status	Fix Released	Invalid
2021-06-16 10:05:52	Christian Ehrhardt 	libvirt (Ubuntu Focal): assignee	Ubuntu Security Team (ubuntu-security)
2021-06-17 14:44:40	Robie Basak	libvirt (Ubuntu Focal): status	Triaged	Fix Committed
2021-06-17 14:44:42	Robie Basak	bug			added subscriber Ubuntu Stable Release Updates Team
2021-06-17 14:44:44	Robie Basak	bug			added subscriber SRU Verification
2021-06-17 14:44:50	Robie Basak	tags		verification-needed verification-needed-focal
2021-06-18 13:12:33	Robert Euhus	tags	verification-needed verification-needed-focal	verification-done-focal verification-needed
2021-06-19 22:37:27	Mathew Hodson	tags	verification-done-focal verification-needed	verification-done-focal
2021-06-19 22:39:12	Mathew Hodson	bug			added subscriber Mathew Hodson
2021-06-21 05:22:13	Christian Ehrhardt 	tags	verification-done-focal	verification-done verification-done-focal
2021-06-21 05:32:02	Christian Ehrhardt 	bug task deleted	apparmor (Ubuntu)
2021-06-21 05:32:07	Christian Ehrhardt 	bug task deleted	apparmor (Ubuntu Focal)
2021-06-24 17:55:22	Brian Murray	removed subscriber Ubuntu Stable Release Updates Team
2021-06-24 18:01:44	Launchpad Janitor	libvirt (Ubuntu Focal): status	Fix Committed	Fix Released
2023-08-25 09:22:36	Christian Ehrhardt 	bug task added		cloud-archive
2024-04-10 12:26:35	David Negreira	attachment added		libvirt_8.0.0-1ubuntu7.7~cloud1_source.changes https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5763330/+files/libvirt_8.0.0-1ubuntu7.7~cloud1_source.changes
2024-04-10 12:37:07	David Negreira	bug			added subscriber David Negreira
2024-04-10 12:41:49	David Negreira	nominated for series		cloud-archive/yoga
2024-04-10 12:41:49	David Negreira	bug task added		cloud-archive/yoga