I am simply using virt-manager to create virtual machines. I've got
maybe half a dozen on a box, and then after a reboot they are set to start
automatically and dmesg will give me those messages. This is under Ubuntu
20.04; I cannot swear they were not happening earlier, but I did not notice
them.
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
Eskimo North Linux Friendly Internet Access, Shell Accounts, and Hosting.
Knowledgeable human assistance, not telephone trees or script readers.
See our web site: http://www.eskimo.com/ (206) 812-0051 or (800) 246-6874.
On Fri, 5 Jun 2020, Christian Ehrhardt wrote:
> Date: Fri, 05 Jun 2020 04:23:39 -0000
> From: Christian Ehrhardt <email address hidden>
> To: <email address hidden>
> Subject: [Bug 1881969] Re: apparmor profile for libvirtd/libvirt-daemon needs
> fixing
>
> I'd agree and work on adding the rule upstream and into Ubuntu, but what
> I need to do is help to understand "why this triggers for you".
>
> I run libvirt locally and in many tests, but so far have never seen this apparmor denial.
> Although if it is a non-fatal bug it is easier to miss ...
>
> The linked Debian bug (thanks paride) has a bit more detail on how to trigger.
> But the bug also is almost a year old and no one else has hit this, ... that is odd.
>
> I've set up an L1 guest with an extra disk as a SCSI disk:
>   <disk type='file' device='disk'>
>     <driver name='qemu' type='qcow2'/>
>     <source file='/var/lib/uvtool/libvirt/images/testguest-scsi-ephem-00.qcow'/>
>     <target dev='sda' bus='scsi'/>
>     <address type='drive' controller='0' bus='0' target='0' unit='0'/>
>   </disk>
>   ...
>   <controller type='scsi' index='0' model='virtio-scsi'>
>     <address type='pci' domain='0x0000' bus='0x0a' slot='0x01' function='0x0'/>
>   </controller>
>
>
> In the guest that appears as scsi disk, here from lshw:
> *-scsi
> description: SCSI storage controller
> product: Virtio SCSI
> vendor: Red Hat, Inc.
> physical id: 1
> bus info: pci@0000:07:01.0
> version: 00
> width: 64 bits
> clock: 33MHz
> capabilities: scsi msix bus_master cap_list
> configuration: driver=virtio-pci latency=0
> resources: irq:23 ioport:c000(size=64) memory:fc000000-fc000fff memory:fe000000-fe003fff
> *-disk
> description: SCSI Disk
> product: QEMU HARDDISK
> vendor: QEMU
> physical id: 0.0.0
> bus info: scsi@0:0.0.0
> logical name: /dev/sda
> version: 2.5+
> size: 4GiB (4294MB)
> capabilities: 5400rpm
> configuration: ansiversion=5 logicalsectorsize=512 sectorsize=512
> *-sata
> description: SATA controller
> product: 82801IR/IO/IH (ICH9R/DO/DH) 6 port SATA Controller [AHCI mode]
> vendor: Intel Corporation
> physical id: 1f.2
> bus info: pci@0000:00:1f.2
> version: 02
> width: 32 bits
> clock: 33MHz
> capabilities: sata msi ahci_1.0 bus_master cap_list
> configuration: driver=ahci latency=0
> resources: irq:41 ioport:d060(size=32) memory:fd41b000-fd41bfff
>
> Using that to define another guest:
> <disk type='block' device='disk'>
> <driver name='qemu' type='raw'/>
> <source dev='/dev/sda'/>
> <target dev='sda' bus='scsi'/>
> </disk>
> <controller type='scsi' index='0' model='virtio-scsi'/>
>
> But with that the guest starts fine and no apparmor denial shows up.
> Could you help by outlining how you configure your host and guest so that this issue triggers?
>
> Only then do we have a use case that we can tie to the new apparmor rule to
> allow this.
>
> ** Changed in: libvirt (Ubuntu)
> Status: Triaged => Incomplete
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1881969
>
> Title:
> apparmor profile for libvirtd/libvirt-daemon needs fixing
>
> Status in libvirt package in Ubuntu:
> Incomplete
> Status in libvirt package in Debian:
> Incomplete
>
> Bug description:
> Libvirtd is trying to use a capability being denied it by apparmor.
>
> [474656.842239] audit: type=1400 audit(1591211959.677:101):
> apparmor="DENIED" operation="capable" profile="libvirtd" pid=3393444
> comm="libvirtd" capability=17 capname="sys_rawio"
>
> ProblemType: Bug
> DistroRelease: Ubuntu 20.04
> Package: libvirt-daemon 6.0.0-0ubuntu8.1
> Uname: Linux 5.6.0 x86_64
> ApportVersion: 2.20.11-0ubuntu27.2
> Architecture: amd64
> CasperMD5CheckResult: skip
> CurrentDesktop: MATE
> Date: Wed Jun 3 14:01:30 2020
> InstallationDate: Installed on 2017-05-27 (1103 days ago)
> InstallationMedia: Ubuntu-MATE 17.04 "Zesty Zapus" - Release amd64 (20170412)
> SourcePackage: libvirt
> UpgradeStatus: Upgraded to focal on 2020-04-26 (38 days ago)
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1881969/+subscriptions
>
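Added example, not part of the original message and not libvirt or AppArmor tooling: a short Python triage script that parses kernel audit lines like the denial quoted in the bug description, counts capability denials per profile, and lists the `capability` rules a profile change would have to justify with a use case. The sample log is constructed around the quoted record, and all function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample of dmesg output. The first record is the denial quoted in
# the bug description (joined onto one line); the other lines are made up.
SAMPLE_DMESG = """\
[474656.842239] audit: type=1400 audit(1591211959.677:101): apparmor="DENIED" operation="capable" profile="libvirtd" pid=3393444 comm="libvirtd" capability=17 capname="sys_rawio"
[474660.100000] audit: type=1400 audit(1591211963.000:102): apparmor="DENIED" operation="capable" profile="libvirtd" pid=3393444 comm="libvirtd" capability=17 capname="sys_rawio"
[474661.200000] audit: type=1400 audit(1591211964.000:103): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirtd" pid=100 comm="apparmor_parser"
[474662.300000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Return the key=value fields of an AppArmor audit record, or None."""
    if "apparmor=" not in line:
        return None
    return {key: (quoted if quoted else bare) for key, quoted, bare in KV.findall(line)}

def capability_denials(dmesg_text):
    """Count DENIED 'capable' operations per (profile, comm, capname)."""
    counts = Counter()
    for line in dmesg_text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue  # not an AppArmor record, or only a STATUS/ALLOWED message
        if rec.get("operation") != "capable":
            continue  # file, network, etc. denials are out of scope here
        key = (rec.get("profile", "?"), rec.get("comm", "?"), rec.get("capname", "?"))
        counts[key] += 1
    return counts

def candidate_rules(counts):
    """Map each profile to the capability rules a reviewer would need to justify."""
    rules = {}
    for profile, _comm, capname in sorted(counts):
        rule = f"capability {capname},"
        if rule not in rules.setdefault(profile, []):
            rules[profile].append(rule)
    return rules

if __name__ == "__main__":
    found = capability_denials(SAMPLE_DMESG)
    for (profile, comm, capname), n in found.items():
        print(f"{n}x profile={profile} comm={comm} capname={capname}")
    print(candidate_rules(found))
```

On a live host the input would be the output of `dmesg` or the audit log rather than the embedded sample.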