2015-12-11 16:32:02 |
ALU |
description |
Reproducible: Yes, every time.
Background:
When you create a virtual machine (VM) under KVM/Qemu in Ubuntu, apparmor files are created as:
/etc/apparmor.d/libvirt/libvirt-<UUID>
and
/etc/apparmor.d/libvirt/libvirt-<UUID>.files
And in the file /etc/apparmor.d/libvirt/libvirt-<UUID>.files there is the line
"PATH_to_BLOCK_DEVICE" rw,
where PATH_to_BLOCK_DEVICE is the full path name of the image (e.g. something like /var/lib/libvirtd/images/asdf.qcow2)
and <UUID> is the UUID of the VM container.
The problem:
When creating a snapshot of a running VM under KVM/Qemu you run the command
$ sudo virsh snapshot-create-as DOMAIN_NAME DESCRIPTION --no-metadata --disk-only --atomic
which creates a new file and stops writing to the old VM block device.
However: the old PATH_to_BLOCK_DEVICE in /etc/apparmor.d/libvirt/libvirt-UUID.files is deleted and replaced with the new block device info BEFORE virsh is done creating the snapshot. So you get the error
error: internal error: unable to execute QEMU command 'transaction': Could not open 'PATH_to_BLOCK_DEVICE': Could not open 'PATH_to_BLOCK_DEVICE': Permission denied: Permission denied
and in /var/log/syslog you get the error:
type=1400 audit(1449752104.054:539): apparmor="DENIED" operation="open" profile="libvirt-<UUID>" name="PATH_to_BLOCK_DEVICE" pid=8710 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=106 ouid=106
When you look now at /etc/apparmor.d/libvirt/libvirt-<UUID>.files you find that the line that was there
"PATH_to_BLOCK_DEVICE" rw,
has been replaced with
"PATH_to_BLOCK_DEVICE.DESCRIPTION" rw,
but you need BOTH LINES in order for the command "virsh snapshot-create-as" to work (or at least have the old file have read permissions).
-----
Workarounds:
1. Disable apparmor for libvirtd
or
2. Change /etc/apparmor.d/libvirt/libvirt-<UUID> to look like this
----------
#
# This profile is for the domain whose UUID matches this file.
#
#include <tunables/global>
profile libvirt-UUID {
#include <abstractions/libvirt-qemu>
#include <libvirt/libvirt-UUID.files>
"PATH_to_BLOCK_DEVICE*" rw,
}
-----------
(So if the old line was
"/var/lib/libvirtd/images/asdf.qcow2" rw,
the line you can add would read something like this:
"/var/lib/libvirtd/images/asdf*" rw,
)
--------
Details on server:
# lsb_release -rd
Description: Ubuntu 14.04.3 LTS
Release: 14.04
# apt-cache policy apparmor
apparmor:
Installed: 2.8.95~2430-0ubuntu5.3
Candidate: 2.8.95~2430-0ubuntu5.3
Version table:
*** 2.8.95~2430-0ubuntu5.3 0
500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
100 /var/lib/dpkg/status
2.8.95~2430-0ubuntu5.1 0
500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
2.8.95~2430-0ubuntu5 0
500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
# apt-cache policy libvirt-bin
libvirt-bin:
Installed: 1.2.2-0ubuntu13.1.14
Candidate: 1.2.2-0ubuntu13.1.14
Version table:
*** 1.2.2-0ubuntu13.1.14 0
500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
100 /var/lib/dpkg/status
1.2.2-0ubuntu13.1.7 0
500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
1.2.2-0ubuntu13 0
500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
-----
Apologies if this is the wrong place to submit this bug. |
|
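As an added example (not from the bug report or from libvirt), this POSIX shell snippet pulls libvirt-profile DENIED events out of syslog lines like the one quoted above and checks whether a generated .files fragment still grants read access to the base image, with and without the glob line from workaround 2. The UUID, image paths and log lines are constructed placeholders.

```shell
# Constructed syslog excerpt: one denial shaped like the report's, plus noise.
SAMPLE_LOG='Dec 10 13:35:04 host kernel: type=1400 audit(1449752104.054:539): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" name="/var/lib/libvirt/images/asdf.qcow2" pid=8710 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=106 ouid=106
Dec 10 13:35:06 host sshd[1234]: Accepted publickey for admin from 192.0.2.10'

# Print "profile path denied_mask" for every DENIED event of a libvirt-<UUID>
# profile. Fields are whitespace-separated, so image paths containing spaces
# are not handled.
libvirt_denials() {
    awk '/apparmor="DENIED"/ && /profile="libvirt-/ {
        p = n = m = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            k = substr($i, 1, eq - 1); v = substr($i, eq + 1); gsub(/"/, "", v)
            if (k == "profile") p = v
            else if (k == "name") n = v
            else if (k == "denied_mask") m = v
        }
        print p, n, m
    }'
}

# Constructed libvirt-<UUID>.files contents: after the snapshot only the new
# overlay is listed (the bug), and the same plus the glob line of workaround 2.
FILES_AFTER_SNAPSHOT='"/var/lib/libvirt/images/asdf.qcow2.snap1" rw,'
FILES_WITH_WORKAROUND='"/var/lib/libvirt/images/asdf.qcow2.snap1" rw,
"/var/lib/libvirt/images/asdf*" rw,'

# Succeed if the rules in $1 grant mode $3 (e.g. r) on path $2. The shell glob
# used for "*" also crosses "/", which AppArmor's "*" does not; that is good
# enough for rules confined to one image directory.
profile_grants() {
    while IFS= read -r line; do
        case "$line" in \"*\"*,) ;; *) continue ;; esac   # only "path" mode, lines
        pat=${line#\"}; pat=${pat%%\"*}                    # quoted path pattern
        mode=${line##*\" }; mode=${mode%,}                 # access mode letters
        case "$2" in $pat) case "$mode" in *"$3"*) return 0 ;; esac ;; esac
    done <<EOF
$1
EOF
    return 1
}
```

Run `printf '%s\n' "$SAMPLE_LOG" | libvirt_denials` against real syslog input to confirm the denied path is the old base image, then test that path with `profile_grants` before re-running the snapshot.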