Comment 3 for bug 1248577

Yes, of course.
I developed a live-backup script (I attached it; the script is “bkvm” and you can run it with “-h” to get help) which does the follow:

1) Undefine VM to make it transient
2) Via blockcopy backup all block devices associated to VM
3) Suspend vm
4) Save VM memory state
5) Restore vm to running state (necessary because saving vm-state shutdown the vm)
6) Re-define VM from xml

This script works correctly on ubuntu 13.04 with backported qemu 1.5 - libvirt 1.0.9. I’m using it on 4 servers without problems.

Now I’ve upgraded a server to ubuntu 13.10 (reinstalled it from scratch and moved vm onto it) and the procedure doesn’t work anymore.

By manually executing:

virsh undefine TestVM
virsh blockcopy TestVM vda /mnt/nfs/TestVMBackup/vda-disk.qcow2 —wait —verbose

I got the error. After error (which seems related to a “profile_update” in app armor) I’ve found that in /etc/apparmor.d/libvirt/libvirt-xxxxxx.files the line related to base VM disk disappear, while it appears a new line related to blockcopy target. So apparmor starts to deny access to VM’s disk and vm starts claiming disk-errors.

If I disable security_driver in /etc/libvirt/qemu.conf, however, and restart libvirt-bin, everything works as expected.
I must also add that with apparmor enabled I’ve got host’ syslog flooded by messages denying access to many files.

Manually adding access permissions to target nfs directory in /etc/apparmor.d/local/usr.sbin.libvirtd doesn’t help.

Thank you for your help,

Il giorno 06/nov/2013, alle ore 19:23, Serge Hallyn <email address hidden> ha scritto:

> Thanks for reporting this bug. Could you please show exactly where and
> how you are initiating the blockcopy?
>
> status: incomplete
>
>
> ** Changed in: libvirt (Ubuntu)
> Status: New => Incomplete
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1248577
>
> Title:
> libvirt with securty_driver="apparmor" (default settings) cannot do
> live blockcopy of devices due to permission denied error
>
> Status in “libvirt” package in Ubuntu:
> Incomplete
>
> Bug description:
> Hi,
> if I create a VM using default libvirt settings and try to do a blockcopy of one of its block devices, procedure fails claiming "permission denied" and the original block device looses write permission. Only power-cycling the VM restores correct behaviour.
>
> If I manually edit /etc/libvirt/qemu.conf and set
>
> security_driver="none"
>
> then blockcopy works as expected.
>
> ProblemType: Bug
> DistroRelease: Ubuntu 13.10
> Package: libvirt-bin 1.1.1-0ubuntu8
> ProcVersionSignature: Ubuntu 3.11.0-12.19-generic 3.11.3
> Uname: Linux 3.11.0-12-generic x86_64
> ApportVersion: 2.12.5-0ubuntu2.1
> Architecture: amd64
> Date: Wed Nov 6 15:57:33 2013
> InstallationDate: Installed on 2013-11-04 (2 days ago)
> InstallationMedia: Ubuntu-Server 13.10 "Saucy Salamander" - Release amd64 (20131016)
> MarkForUpload: True
> SourcePackage: libvirt
> UpgradeStatus: No upgrade log present (probably fresh install)
> modified.conffile..etc.apparmor.d.abstractions.libvirt.qemu: [modified]
> modified.conffile..etc.apparmor.d.local.usr.sbin.libvirtd: [modified]
> modified.conffile..etc.libvirt.libvirtd.conf: [modified]
> modified.conffile..etc.libvirt.qemu.conf: [modified]
> modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted]
> mtime.conffile..etc.apparmor.d.abstractions.libvirt.qemu: 2013-11-06T12:40:14.384226
> mtime.conffile..etc.apparmor.d.local.usr.sbin.libvirtd: 2013-11-06T15:02:46.028029
> mtime.conffile..etc.libvirt.libvirtd.conf: 2013-11-06T11:17:34.844340
> mtime.conffile..etc.libvirt.qemu.conf: 2013-11-06T15:49:54.023964
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1248577/+subscriptions

Ing. Luca Lazzeroni - Trend Servizi Srl
Responsabile R&D
http://www.trendservizi.it