2020-08-07 23:43:41 |
Mike Salvatore |
bug |
|
|
added bug |
2020-08-07 23:43:50 |
Mike Salvatore |
nominated for series |
|
Ubuntu Focal |
|
2020-08-07 23:43:50 |
Mike Salvatore |
bug task added |
|
libvirt (Ubuntu Focal) |
|
2020-08-11 01:48:08 |
Rafael David Tinoco |
bug |
|
|
added subscriber Christian Ehrhardt |
2020-08-11 01:48:13 |
Rafael David Tinoco |
bug |
|
|
added subscriber Ubuntu Server |
2020-08-11 01:48:22 |
Rafael David Tinoco |
libvirt (Ubuntu Focal): status |
New |
Triaged |
|
2020-08-11 01:48:36 |
Rafael David Tinoco |
libvirt (Ubuntu): status |
New |
Triaged |
|
2020-08-12 08:55:31 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
Triaged |
Incomplete |
|
2020-08-12 08:55:32 |
Christian Ehrhardt |
libvirt (Ubuntu Focal): status |
Triaged |
Incomplete |
|
2020-08-17 17:46:39 |
Tommy Nevtelen |
attachment added |
|
aa-logprof generated libvirt profile https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5402216/+files/usr.sbin.libvirtd |
|
2020-08-18 08:04:35 |
Christian Ehrhardt |
libvirt (Ubuntu Focal): status |
Incomplete |
Confirmed |
|
2020-09-30 12:29:52 |
Bertrand Rétif |
bug |
|
|
added subscriber Bertrand Rétif |
2020-09-30 13:09:27 |
Bertrand Rétif |
attachment added |
|
Tar of my /etc/libvirt https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5415654/+files/etc-libvirt.tar |
|
2020-11-16 21:39:58 |
Mark Foster (ExtraHop) |
bug |
|
|
added subscriber Mark Foster (ExtraHop) |
2020-12-29 14:38:16 |
Kim Covil |
attachment added |
|
strace of libvirtd while running virsh list https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5447694/+files/libvirtd.strace |
|
2020-12-29 14:40:21 |
Kim Covil |
attachment added |
|
output of running systemctl status $(basename -a $(dpkg -L libvirt-daemon-system | grep -e .socket -e .service | xargs) | xargs) https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5447695/+files/systemctl-socket-status |
|
2021-03-01 05:19:39 |
Eric Stone |
bug |
|
|
added subscriber Eric Stone |
2021-06-08 13:28:08 |
Robert Euhus |
attachment added |
|
systemctl status $(basename -a $(dpkg -L libvirt-daemon-system | grep -e .socket -e .service | xargs) | xargs) > systemctl_status_before https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5503149/+files/systemctl_status_before |
|
2021-06-08 13:29:10 |
Robert Euhus |
attachment added |
|
systemctl status $(basename -a $(dpkg -L libvirt-daemon-system | grep -e .socket -e .service | xargs) | xargs) > systemctl_status_before https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5503150/+files/systemctl_status_before |
|
2021-06-08 13:29:57 |
Robert Euhus |
attachment added |
|
3) strace -p 1246 2>&1 | tee -a strace_local_user_success https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5503151/+files/strace_local_user_success |
|
2021-06-08 13:30:29 |
Robert Euhus |
attachment added |
|
5) systemctl status $(basename -a $(dpkg -L libvirt-daemon-system | grep -e .socket -e .service | xargs) | xargs) > systemctl_status_after_success https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5503152/+files/systemctl_status_after_success |
|
2021-06-08 13:31:39 |
Robert Euhus |
attachment added |
|
6) strace -p 1246 2>&1 | tee -a strace_domain_user_fail https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5503153/+files/strace_domain_user_fail |
|
2021-06-08 13:32:14 |
Robert Euhus |
attachment added |
|
8) systemctl status $(basename -a $(dpkg -L libvirt-daemon-system | grep -e .socket -e .service | xargs) | xargs) > systemctl_status_after_failure https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5503154/+files/systemctl_status_after_failure |
|
2021-06-08 13:33:29 |
Robert Euhus |
attachment added |
|
10) strace -p 11051 2>&1 | tee -a strace_domain_user_network_unix_dgram_success https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5503155/+files/strace_domain_user_network_unix_dgram_success |
|
2021-06-08 13:34:18 |
Robert Euhus |
attachment added |
|
surrounding area from syslog https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5503156/+files/syslog-error |
|
2021-06-08 13:36:07 |
Robert Euhus |
attachment removed |
systemctl status $(basename -a $(dpkg -L libvirt-daemon-system | grep -e .socket -e .service | xargs) | xargs) > systemctl_status_before https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5503149/+files/systemctl_status_before |
|
|
2021-06-08 13:37:20 |
Robert Euhus |
bug |
|
|
added subscriber Robert Euhus |
2021-06-09 21:47:16 |
Alexander Kabakaev |
bug |
|
|
added subscriber Alexander Kabakaev |
2021-06-14 11:30:55 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
Incomplete |
Fix Released |
|
2021-06-14 11:30:58 |
Christian Ehrhardt |
libvirt (Ubuntu Focal): status |
Confirmed |
Triaged |
|
2021-06-14 11:31:00 |
Christian Ehrhardt |
libvirt (Ubuntu Focal): assignee |
|
Christian Ehrhardt (paelzer) |
|
2021-06-14 11:31:09 |
Christian Ehrhardt |
libvirt (Ubuntu Focal): assignee |
Christian Ehrhardt (paelzer) |
Ubuntu Security Team (ubuntu-security) |
|
2021-06-14 12:28:14 |
Christian Ehrhardt |
description |
On some focal 20.04 systems, users are seeing "QEMU/KVM - Not Connected" when they attempt to use virt-manager to manage virtual machines. AppArmor denials like the following are seen in the logs:
sudo grep libvirt /var/log/syslog | grep -i apparmor | grep -i denied
Jun 28 14:53:27 koromicha kernel: [ 334.660844] audit: type=1400 audit(1593345207.778:951): apparmor="DENIED" operation="bind" profile="libvirtd" pid=12254 comm="libvirtd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-6228daaaf66b14dfd14d93ef46d962c3"
Jun 28 14:54:19 koromicha kernel: [ 386.034970] audit: type=1400 audit(1593345259.145:952): apparmor="DENIED" operation="bind" profile="libvirtd" pid=14311 comm="libvirtd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-c861507740da1fa0c3356ad3b78bffe9"
Jun 28 15:02:30 koromicha kernel: [ 877.339057] audit: type=1400 audit(1593345750.437:968): apparmor="DENIED" operation="bind" profile="libvirtd" pid=16175 comm="libvirtd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-7d70643a9f8da0342f6359907817b664"
Users have reported that the "solution" is to disable the AppArmor profile. More details, screenshots, etc. can be found here: https://kifarunix.com/how-to-fix-qemu-kvm-not-connected-error-on-ubuntu-20-04/ |
[Impact]
* libvirt in Focal in some cases, e.g. with non-local users,
needs to resolve those users. When trying to do so it fails
due to AppArmor isolation and breaks badly.
* In later and former releases this issue isn't triggered,
but it is unknown which (potentially complex) set of changes
did that. A simple apparmor rule would help to allow libvirt
to better function in environments with non-known user IDs.
[Test Plan]
* Following these steps in an unfixed release triggers the issue
sudo apt update; sudo apt dist-upgrade -y
sudo apt install -y sssd sssd-ldap slapd ldap-utils openssl expect lsb-release libvirt-clients libvirt-daemon-system ubuntu-dev-tools
pull-lp-source sssd
cd sssd-2.4.1
echo "*;*;*;Al0000-2400;libvirt" | sudo tee -a /etc/security/group.conf
head -n -5 debian/tests/ldap-user-group-ldap-auth > debian/tests/lp1890858-test
chmod +x debian/tests/lp1890858-test
sudo ./debian/tests/lp1890858-test
sudo systemctl restart libvirtd
# ensure it works in a normal login
virsh list
journalctl -u libvirtd
# try the sssd login
sudo login
# use testuser1 / testuser1secret to log in
virsh list
If affected, this will not work, reporting an error like:
$ virsh list
error: failed to connect to the hypervisor
error: End of file while reading data: Input/output error
And in dmesg/journal an apparmor denial like:
Jun 14 11:25:26 ldap.example.com audit[48330]: AVC apparmor="DENIED" operation="bind" profile="libvirtd" pid=48330 comm="rpc-worker" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-f283d575d74df972f9e10bd14d0befe3"
[Where problems could occur]
* Allowing a little bit more to a daemon that already is rather powerful
and open in regard to its profile usually isn't changing behavior.
If anything it would be considered a potential risk, but this rule
should be ok to be added and ubuntu-security confirmed this.
[Other Info]
* Comment 38 confirms that this should be ok - from the security team's
POV. https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/comments/38
---
On some focal 20.04 systems, users are seeing "QEMU/KVM - Not Connected" when they attempt to use virt-manager to manage virtual machines. AppArmor denials like the following are seen in the logs:
sudo grep libvirt /var/log/syslog | grep -i apparmor | grep -i denied
Jun 28 14:53:27 koromicha kernel: [ 334.660844] audit: type=1400 audit(1593345207.778:951): apparmor="DENIED" operation="bind" profile="libvirtd" pid=12254 comm="libvirtd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-6228daaaf66b14dfd14d93ef46d962c3"
Jun 28 14:54:19 koromicha kernel: [ 386.034970] audit: type=1400 audit(1593345259.145:952): apparmor="DENIED" operation="bind" profile="libvirtd" pid=14311 comm="libvirtd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-c861507740da1fa0c3356ad3b78bffe9"
Jun 28 15:02:30 koromicha kernel: [ 877.339057] audit: type=1400 audit(1593345750.437:968): apparmor="DENIED" operation="bind" profile="libvirtd" pid=16175 comm="libvirtd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-7d70643a9f8da0342f6359907817b664"
Users have reported that the "solution" is to disable the AppArmor profile. More details, screenshots, etc. can be found here: https://kifarunix.com/how-to-fix-qemu-kvm-not-connected-error-on-ubuntu-20-04/ |
|
2021-06-14 12:40:22 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paelzer/ubuntu/+source/libvirt/+git/libvirt/+merge/404124 |
|
2021-06-16 10:05:36 |
Christian Ehrhardt |
bug task added |
|
apparmor (Ubuntu) |
|
2021-06-16 10:05:45 |
Christian Ehrhardt |
apparmor (Ubuntu): status |
New |
Invalid |
|
2021-06-16 10:05:48 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
Fix Released |
Invalid |
|
2021-06-16 10:05:52 |
Christian Ehrhardt |
libvirt (Ubuntu Focal): assignee |
Ubuntu Security Team (ubuntu-security) |
|
|
2021-06-17 14:44:40 |
Robie Basak |
libvirt (Ubuntu Focal): status |
Triaged |
Fix Committed |
|
2021-06-17 14:44:42 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2021-06-17 14:44:44 |
Robie Basak |
bug |
|
|
added subscriber SRU Verification |
2021-06-17 14:44:50 |
Robie Basak |
tags |
|
verification-needed verification-needed-focal |
|
2021-06-18 13:12:33 |
Robert Euhus |
tags |
verification-needed verification-needed-focal |
verification-done-focal verification-needed |
|
2021-06-19 22:37:27 |
Mathew Hodson |
tags |
verification-done-focal verification-needed |
verification-done-focal |
|
2021-06-19 22:39:12 |
Mathew Hodson |
bug |
|
|
added subscriber Mathew Hodson |
2021-06-21 05:22:13 |
Christian Ehrhardt |
tags |
verification-done-focal |
verification-done verification-done-focal |
|
2021-06-21 05:32:02 |
Christian Ehrhardt |
bug task deleted |
apparmor (Ubuntu) |
|
|
2021-06-21 05:32:07 |
Christian Ehrhardt |
bug task deleted |
apparmor (Ubuntu Focal) |
|
|
2021-06-24 17:55:22 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2021-06-24 18:01:44 |
Launchpad Janitor |
libvirt (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2023-08-25 09:22:36 |
Christian Ehrhardt |
bug task added |
|
cloud-archive |
|
2024-04-10 12:26:35 |
David Negreira |
attachment added |
|
libvirt_8.0.0-1ubuntu7.7~cloud1_source.changes https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/+attachment/5763330/+files/libvirt_8.0.0-1ubuntu7.7~cloud1_source.changes |
|
2024-04-10 12:37:07 |
David Negreira |
bug |
|
|
added subscriber David Negreira |
2024-04-10 12:41:49 |
David Negreira |
nominated for series |
|
cloud-archive/yoga |
|
2024-04-10 12:41:49 |
David Negreira |
bug task added |
|
cloud-archive/yoga |
|