Ubuntu Cloud Archive

Comment 18 for bug 1890858

Revision history for this message

Kim Covil (vendor-ubuntu) wrote on 2020-12-29:

#18

# Clarify how to fix it #

Adding the network unix dgram, line works here:

1. revert /etc/apparmor.d/usr.sbin.libvirtd to the content delivered by the package in 20.04
   $ dpkg-query -W -f '${Conffiles}\n' libvirt-daemon-system | awk -vOFS=" " '/apparmor/{print $2,$1}' | LANG=C sudo md5sum -c 2>/dev/null
   /etc/apparmor.d/abstractions/libvirt-lxc: OK
   /etc/apparmor.d/abstractions/libvirt-qemu: OK
   /etc/apparmor.d/libvirt/TEMPLATE.lxc: OK
   /etc/apparmor.d/libvirt/TEMPLATE.qemu: OK
   /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper: OK
   /etc/apparmor.d/usr.sbin.libvirtd: OK

2. retry and verify the issue triggers
   $ virsh list
   error: failed to connect to the hypervisor
   error: End of file while reading data: Input/output error

3. restart libvirtd (systemctl restart libvirtd)
$ sudo systemctl restart libvirtd

4. retry and verify the issue triggers still
   $ virsh list
   error: failed to connect to the hypervisor
   error: End of file while reading data: Input/output error

5. add this line above to /etc/apparmor.d/usr.sbin.libvirtd where the other network rules are
   $ cp /etc/apparmor.d/usr.sbin.libvirtd /tmp/usr.sbin.libvirtd.bak
   $ sudo sed -i -e '/^ network inet stream/i \ \ network unix dgram,' /etc/apparmor.d/usr.sbin.libvirtd
   $ diff -p /tmp/usr.sbin.libvirtd.bak /etc/apparmor.d/usr.sbin.libvirtd
   *** /tmp/usr.sbin.libvirtd.bak 2020-12-29 14:46:26.716346230 +0000
   --- /etc/apparmor.d/usr.sbin.libvirtd 2020-12-29 14:48:58.816884722 +0000
   *************** profile libvirtd /usr/sbin/libvirtd flag
   *** 39,44 ****
   --- 39,45 ----
       mount options=(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/,
       mount options=(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**,

   + network unix dgram,
       network inet stream,
       network inet dgram,
       network inet6 stream,

6. sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.libvirtd
$ sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.libvirtd

7. restart libvirtd (systemctl restart libvirtd)
$ sudo systemctl restart libvirtd

8. retry and verify the issue triggers still (or is it fixed now?)
   $ virsh list
    Id Name State
   --------------------

# Clarify how to fix it #

Adding the network unix dgram, line works here:

1. revert /etc/apparmor.d/usr.sbin.libvirtd to the content delivered by the package in 20.04
   $ dpkg-query -W -f '${Conffiles}\n' libvirt-daemon-system | awk -vOFS="  " '/apparmor/{print $2,$1}' | LANG=C sudo md5sum -c 2>/dev/null
   /etc/apparmor.d/abstractions/libvirt-lxc: OK
   /etc/apparmor.d/abstractions/libvirt-qemu: OK
   /etc/apparmor.d/libvirt/TEMPLATE.lxc: OK
   /etc/apparmor.d/libvirt/TEMPLATE.qemu: OK
   /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper: OK
   /etc/apparmor.d/usr.sbin.libvirtd: OK

2. retry and verify the issue triggers
   $ virsh list
   error: failed to connect to the hypervisor
   error: End of file while reading data: Input/output error

3. restart libvirtd (systemctl restart libvirtd)
   $ sudo systemctl restart libvirtd

4. retry and verify the issue triggers still
   $ virsh list
   error: failed to connect to the hypervisor
   error: End of file while reading data: Input/output error

5. add this line above to /etc/apparmor.d/usr.sbin.libvirtd where the other network rules are
   $ cp /etc/apparmor.d/usr.sbin.libvirtd /tmp/usr.sbin.libvirtd.bak
   $ sudo sed -i -e '/^  network inet stream/i \ \ network unix dgram,' /etc/apparmor.d/usr.sbin.libvirtd             
   $ diff -p /tmp/usr.sbin.libvirtd.bak /etc/apparmor.d/usr.sbin.libvirtd
   *** /tmp/usr.sbin.libvirtd.bak  2020-12-29 14:46:26.716346230 +0000
   --- /etc/apparmor.d/usr.sbin.libvirtd   2020-12-29 14:48:58.816884722 +0000
   *************** profile libvirtd /usr/sbin/libvirtd flag
   *** 39,44 ****
   --- 39,45 ----
       mount options=(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/,
       mount options=(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**,
     
   +   network unix dgram,
       network inet stream,
       network inet dgram,
       network inet6 stream,

6. sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.libvirtd
   $ sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.libvirtd

7. restart libvirtd (systemctl restart libvirtd)
   $ sudo systemctl restart libvirtd

8. retry and verify the issue triggers still (or is it fixed now?)
   $ virsh list
    Id   Name   State
   --------------------