------- Comment From <email address hidden> 2018-02-19 03:35 EDT-------
> Get me right I use virsh save/restore on a regular base and it works in the paths that are open by default,
> which are the places the images usually are from like /var/lib/libvirt/images/.
> If that does not work that might be a modified apparmor rule, but for that I'd need to know way more
> about the case and see if it is actually a bug or really just using an uncommon dir.
Even with an uncommon dir, the denial should be consistent: if the path used by the user is not permitted, then AppArmor should block/deny when virsh save is performed and not during the virsh restore.
Observation in Ubuntu 16.04.3,
# virsh save virt-tests-vm1 /var/tmp/virt-tests-vm1.save
Domain virt-tests-vm1 saved to /var/tmp/virt-tests-vm1.save
By default virsh restore fails with same error,
# virsh restore /var/tmp/virt-tests-vm1.save
error: Failed to restore domain from /var/tmp/virt-tests-vm1.save
error: operation failed: job: unexpectedly failed
But as suggested by paelzer,
> If you want to look into potential config issues, remove the silent denies to /var and /var temp
> at the end of "/etc/apparmor.d/abstractions/libvirt-qemu".
> Then run your case again, report back with
# virsh restore /var/tmp/virt-tests-vm1.save
error: Failed to restore domain from /var/tmp/virt-tests-vm1.save
error: internal error: Process exited prior to exec: libvirt: error : unable to set AppArmor profile 'libvirt-81b387d9-1dfc-4f55-8b98-0318f1f94442' for '/usr/bin/kvm': No such file or directory
But file exists,
# file /var/tmp/virt-tests-vm1.save
/var/tmp/virt-tests-vm1.save: Libvirt QEMU Suspend Image, version 2, XML length 1970, running
dmesg:
[Mon Feb 19 03:19:16 2018] virbr0: port 2(vnet0) entered blocking state
[Mon Feb 19 03:19:16 2018] virbr0: port 2(vnet0) entered disabled state
[Mon Feb 19 03:19:16 2018] device vnet0 entered promiscuous mode
[Mon Feb 19 03:19:16 2018] virbr0: port 2(vnet0) entered blocking state
[Mon Feb 19 03:19:16 2018] virbr0: port 2(vnet0) entered listening state
[Mon Feb 19 03:19:16 2018] audit: type=1400 audit(1519028363.683:12417): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/sbin/libvirtd" name="libvirt-81b387d9-1dfc-4f55-8b98-0318f1f94442" pid=12949 comm="libvirtd"
[Mon Feb 19 03:19:16 2018] virbr0: port 2(vnet0) entered disabled state
[Mon Feb 19 03:19:16 2018] device vnet0 left promiscuous mode
[Mon Feb 19 03:19:16 2018] virbr0: port 2(vnet0) entered disabled state
Attaching full dmesg with this bugzilla
Environment:
Kernel
# uname -a
Linux ltc-test-ci1 4.13.0-35-generic #39~16.04.1-Ubuntu SMP Mon Feb 12 15:01:58 UTC 2018 ppc64le ppc64le ppc64le GNU/Linux
Libvirt
# dpkg -l | grep libvirt
ii libvirt-bin 1.3.1-1ubuntu10.18 ppc64el programs for the libvirt library
ii libvirt-dev:ppc64el 1.3.1-1ubuntu10.18 ppc64el development files for the libvirt library
ii libvirt0:ppc64el 1.3.1-1ubuntu10.18 ppc64el library for interfacing with different virtualization systems
ii python-libvirt 1.3.1-1ubuntu1.1 ppc64el libvirt Python bindings
Qemu
# dpkg -l | grep qemu
ii ipxe-qemu 1.0.0+git-20150424.a25a16d-1ubuntu1.2 all PXE boot firmware - ROM images for qemu
ii qemu-block-extra:ppc64el 1:2.5+dfsg-5ubuntu10.21 ppc64el extra block backend modules for qemu-system and qemu-utils
ii qemu-kvm 1:2.5+dfsg-5ubuntu10.21 ppc64el QEMU Full virtualization
ii qemu-slof 20151103+dfsg-1ubuntu1.1 all Slimline Open Firmware -- QEMU PowerPC version
ii qemu-system-common 1:2.5+dfsg-5ubuntu10.21 ppc64el QEMU full system emulation binaries (common files)
ii qemu-system-ppc 1:2.5+dfsg-5ubuntu10.21 ppc64el QEMU full system emulation binaries (ppc)
ii qemu-utils 1:2.5+dfsg-5ubuntu10.21 ppc64el QEMU utilities
But as suggested by paelzer,
> If you want to look into potential config issues, remove the silent denies to /var and /var temp
> at the end of "/etc/apparmor.d/abstractions/libvirt-qemu".
> Then run your case again, report back with
commenting denials,
# silence spurious denials (see lp#1403648)
deny /tmp/{,**} r,
# deny /var/tmp/{,**} r,
restart libvirtd
# virsh restore /var/tmp/virt-tests-vm1.save
error: Failed to restore domain from /var/tmp/virt-tests-vm1.save
error: internal error: Process exited prior to exec: libvirt: error : unable to set AppArmor profile 'libvirt-81b387d9-1dfc-4f55-8b98-0318f1f94442' for '/usr/bin/kvm': No such file or directory
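A triage sketch for the dmesg output above, added here as an example (not part of the original comment and not libvirt code): it parses AppArmor audit records and separates a failed profile switch (`change_profile` with "label not found") from a denied file access. The function names and the second sample record are constructed for illustration.

```python
import re

# key=value and key="quoted value" pairs in a kernel audit record
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_apparmor(line):
    """Return the fields of an AppArmor audit record, or None for other lines."""
    if "apparmor=" not in line:
        return None
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in _KV.findall(line)}

def classify(rec):
    """Label one parsed record so profile problems are not mistaken for path denials."""
    if rec.get("apparmor") != "DENIED":
        return "not-a-denial"
    if rec.get("operation") == "change_profile" and rec.get("info") == "label not found":
        # 'name' is the profile label the process tried to switch to, not a file path
        return "profile-label-missing"
    if "denied_mask" in rec:
        # file rule hit: 'name' is the path, 'denied_mask' the refused access
        return "path-denied"
    return "other-denial"

def triage(lines):
    """Return (kind, profile, name) for every AppArmor record in dmesg-style lines."""
    out = []
    for line in lines:
        rec = parse_apparmor(line)
        if rec is not None:
            out.append((classify(rec), rec.get("profile"), rec.get("name")))
    return out

SAMPLE = [
    # from the dmesg output in the comment above
    '[Mon Feb 19 03:19:16 2018] virbr0: port 2(vnet0) entered listening state',
    '[Mon Feb 19 03:19:16 2018] audit: type=1400 audit(1519028363.683:12417): '
    'apparmor="DENIED" operation="change_profile" info="label not found" error=-2 '
    'profile="/usr/sbin/libvirtd" name="libvirt-81b387d9-1dfc-4f55-8b98-0318f1f94442" '
    'pid=12949 comm="libvirtd"',
    # constructed for contrast: what a denied read of the save file would look like
    '[Mon Feb 19 03:20:00 2018] audit: type=1400 audit(1519028400.100:12420): '
    'apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" '
    'name="/var/tmp/virt-tests-vm1.save" pid=13001 comm="kvm" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```
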