Activity log for bug #1525310

Date Who What changed Old value New value Message
2015-12-11 16:22:26 ALU bug added bug
2015-12-11 16:25:51 ALU summary virsh with apparmor misconfigures libvirtd-UUID files during snapshot virsh with apparmor misconfigures libvirt-UUID files during snapshot
2015-12-11 16:32:02 ALU description

Old value:

Reproducible: Yes, every time.

Background:
When you create a virtual machine (VM) under KVM/Qemu in Ubuntu, apparmor files are created as:
  /etc/apparmor.d/libvirt/libvirt-<UUID>
and
  /etc/apparmor.d/libvirt/libvirt-<UUID>.files
And in the file /etc/apparmor.d/libvirt/libvirt-<UUID>.files there is the line
  "PATH_to_BLOCK_DEVICE" rw,
where PATH_to_BLOCK_DEVICE is the full path name of the image (e.g. something like /var/lib/libvirtd/images/asdf.qcow2) and <UUID> is the UUID of the VM container.

The problem:
When creating a snapshot of a running VM under KVM/Qemu you run the command
  $ sudo virsh snapshot-create-as DOMAIN_NAME DESCRIPTION --no-metadata --disk-only --atomic
which creates a new file and stops writing to the old VM block device.

However: the old PATH_to_BLOCK_DEVICE in /etc/apparmor.d/libvirt/libvirt-UUID.files is deleted and replaced with the new block device info BEFORE virsh is done creating the snapshot. So you get the error
  error: internal error: unable to execute QEMU command 'transaction': Could not open 'PATH_to_BLOCK_DEVICE': Could not open 'PATH_to_BLOCK_DEVICE': Permission denied: Permission denied
and in /var/log/syslog you get the error:
  type=1400 audit(1449752104.054:539): apparmor="DENIED" operation="open" profile="libvirt-<UUID>" name="PATH_to_BLOCK_DEVICE" pid=8710 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=106 ouid=106
When you look now at /etc/apparmor.d/libvirt/libvirt-<UUID>.files you find that the line that was there
  "PATH_to_BLOCK_DEVICE" rw,
has been replaced with
  "PATH_to_BLOCK_DEVICE.DESCRIPTION" rw,
but you need BOTH LINES in order for the command "virsh snapshot-create-as" to work (or at least have the old file have read permissions).

-----
Workarounds:
1. Disable apparmor for libvirtd
or
2. Change /etc/apparmor.d/libvirt/libvirt-<UUID> to look like this
----------
#
# This profile is for the domain whose UUID matches this file.
#
#include <tunables/global>

profile libvirt-UUID {
  #include <abstractions/libvirt-qemu>
  #include <libvirt/libvirt-UUID.files>
  "PATH_to_BLOCK_DEVICE*" rw,
}
-----------
Details on server:
# lsb_release -rd
Description:    Ubuntu 14.04.3 LTS
Release:        14.04
# apt-cache policy apparmor
apparmor:
  Installed: 2.8.95~2430-0ubuntu5.3
  Candidate: 2.8.95~2430-0ubuntu5.3
  Version table:
 *** 2.8.95~2430-0ubuntu5.3 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.8.95~2430-0ubuntu5.1 0
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     2.8.95~2430-0ubuntu5 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
# apt-cache policy libvirt-bin
libvirt-bin:
  Installed: 1.2.2-0ubuntu13.1.14
  Candidate: 1.2.2-0ubuntu13.1.14
  Version table:
 *** 1.2.2-0ubuntu13.1.14 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.2.2-0ubuntu13.1.7 0
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     1.2.2-0ubuntu13 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
-----
Apologies if this is the wrong place to submit this bug.

New value:

Identical to the old value above, except that the following note was inserted directly after the "-----------" line that closes the workaround profile:

( So if the old line was "/var/lib/libvirtd/images/asdf.qcow2" rw, , the line you can add would read something like this "/var/lib/libvirtd/images/asdf*" rw, )
2016-04-21 20:36:29 Mathew Hodson tags trusty
2016-04-21 20:36:59 Mathew Hodson tags trusty trusty wily
2016-04-21 20:39:11 Mathew Hodson apparmor (Ubuntu): importance Undecided Medium
2019-09-10 14:17:14 Christian Ehrhardt  bug added subscriber Christian Ehrhardt 
2019-09-11 14:05:43 Christian Ehrhardt  apparmor (Ubuntu): status New Fix Released
2019-10-16 13:27:03 Pedro Principeza bug added subscriber Pedro Principeza
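As an added example (not from the bug report, libvirt or AppArmor), a small Python checker that models the situation the reporter describes: it parses the file rules in a libvirt-<UUID>.files fragment, applies AppArmor's path globbing, and reports which members of a base-plus-overlay snapshot chain the profile fails to cover (read on the backing file, read-write on the newest overlay). The file contents, image paths and the DESCRIPTION suffix are constructed placeholders matching the report.

```python
import re

# Constructed sample of /etc/apparmor.d/libvirt/libvirt-<UUID>.files as the
# report describes it after `virsh snapshot-create-as`: the base image line has
# been replaced by the overlay line. Paths are placeholders, not a real host.
FILES_AFTER_SNAPSHOT = '"/var/lib/libvirtd/images/asdf.qcow2.DESCRIPTION" rw,\n'
# The reporter's workaround: a glob that covers base image and every overlay.
FILES_WORKAROUND = '"/var/lib/libvirtd/images/asdf*" rw,\n'

RULE_RE = re.compile(r'^\s*"?([^"\s]+)"?\s+([rwklmxa]+),\s*$')

def parse_rules(text):
    """Return (path_pattern, permission_set) pairs from AppArmor file rules."""
    return [(m.group(1), set(m.group(2)))
            for m in map(RULE_RE.match, text.splitlines()) if m]

def glob_to_regex(pattern):
    """AppArmor path globbing: '**' may span '/', '*' and '?' may not."""
    out, i = '', 0
    while i < len(pattern):
        if pattern.startswith('**', i):
            out, i = out + '.*', i + 2
        elif pattern[i] in '*?':
            out, i = out + ('[^/]*' if pattern[i] == '*' else '[^/]'), i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile('^' + out + '$')

def allowed(rules, path, mask):
    """True if some rule matches path and grants every permission in mask."""
    return any(glob_to_regex(p).match(path) and set(mask) <= perms
               for p, perms in rules)

def chain_gaps(rules, chain):
    """chain lists the disk files oldest first. qemu must write the newest
    overlay and read each backing file; return the paths the profile denies."""
    return [path for i, path in enumerate(chain)
            if not allowed(rules, path, 'rw' if i == len(chain) - 1 else 'r')]

BASE = '/var/lib/libvirtd/images/asdf.qcow2'
OVERLAY = BASE + '.DESCRIPTION'

if __name__ == '__main__':
    for label, text in (('after snapshot', FILES_AFTER_SNAPSHOT),
                        ('workaround', FILES_WORKAROUND)):
        gaps = chain_gaps(parse_rules(text), [BASE, OVERLAY])
        print(f'{label}: {"ok" if not gaps else "denied: " + ", ".join(gaps)}')
```

The first case reproduces the report's audit line (requested_mask="r" on the old image path), the second shows the glob workaround covering both files.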