libvirt does not grant qemu-guest-agent channel perms
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Fix Released | High | Unassigned |
Trusty | Fix Released | High | Christian Ehrhardt |
Bug Description
[Impact]
* If one defines guest channels manually (xml) or via tools like virt-manager (there it defaults to adding channels for some distros), then starting the guest fails.
There are two reasons:
1. by default the base dir for the channels doesn't exist, so the open fails
2. further, virt-aa-helper does not create a matching rule to allow access, so apparmor blocks it
* In later versions the paths are slightly different (better namespaced by guest name), but still similar. So this can still be considered backporting the virt-aa-helper change, and making sure the base dir exists (only needed in this old release) is a postinst change.
[Test Case]
* Create a libvirt based KVM guest on Trusty the way you prefer
* Add a guest channel to it by adding a snippet like:
<channel type='unix'>
<source mode='bind' />
<target type='virtio' name='org.
</channel>
* Start the guest via e.g. virsh
* Without the fix this fails, you'll see in strace a failed call to open
the channel, but even if e.g. dirs are created then apparmor will block
the access.
* With the fix installed the guest starts correctly
[Regression Potential]
* The patch is a backport and only a slight change to code that has been in use for quite some time (paths were different in Trusty). In any case it is "adding" one more rule to open up apparmor. It should functionally not regress by that; if anything one could consider it a security risk, but due to the guestname-
be safe - see the tail of comment #58 for some considerations on that.
* The postinst change only runs if the dir does not exist, which should ensure that no former unexpected setup makes the postinst fail.
[Other Info]
* Tests on the issue itself look good based on a ppa, see comment #59
----
=======
1. Impact: cannot create a default RHEL7 vm in virt-manager
2. fix: allow use of qemu-guest-agent channel
3. test case: see in description below. Create a VM in virt-manager specifying
Linux os and RHEL7.
4. Regression potential: there should be none. We are only adding an
apparmor permission for unix sockets which libvirt creates when needed
for kvm vms.
=======
Create a new VM, choose Linux for OS type and Red Hat Enterprise Linux 7 (or later) for Version. Proceed through the wizard leaving all other options unchanged. On clicking Finish, the following error is displayed:
Unable to complete install: 'internal error: process exited while connecting to monitor: 2014-11-
2014-11-
'
Traceback (most recent call last):
File "/usr/share/
callback(
File "/usr/share/
guest.
File "/usr/share/
noboot)
File "/usr/share/
dom = self.conn.
File "/usr/lib/
if ret is None:raise libvirtError(
libvirtError: internal error: process exited while connecting to monitor: 2014-11-
2014-11-
ProblemType: Bug
DistroRelease: Ubuntu 14.10
Package: virt-manager 1:1.0.1-0ubuntu2
ProcVersionSign
Uname: Linux 3.16.0-24-generic x86_64
ApportVersion: 2.14.7-0ubuntu8
Architecture: amd64
CurrentDesktop: KDE
Date: Tue Nov 18 15:55:59 2014
EcryptfsInUse: Yes
InstallationDate: Installed on 2014-11-07 (11 days ago)
InstallationMedia: Kubuntu 14.10 "Utopic Unicorn" - Release amd64 (20141022.1)
PackageArchitec
SourcePackage: virt-manager
UpgradeStatus: No upgrade log present (probably fresh install)
tags: added: apparmor
Changed in virt-manager (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
summary:
- Creating Red Hat Enterprise Linux 7 VM fails
+ libvirt does not grant qemu-guest-agent channel perms
Changed in libvirt (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
no longer affects: virt-manager (Ubuntu)
description: updated
description: updated
Changed in libvirt (Ubuntu):
status: Fix Released → Triaged
tags: removed: verification-needed
tags: added: verification-failed removed: verification-done
description: updated
I've done some more research into this. It appears that the qemu_ga=True argument to _add_var() on line 241 of /usr/share/virt-manager/virtinst/osdict.py (also line 258 affecting Fedora 18 and later) causes qemu-system-x86_64 to be called with an extra argument:
-chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0,server,nowait
I've managed to get this working by creating /var/lib/libvirt/qemu/channel/target with appropriate ownership:
# mkdir -p /var/lib/libvirt/qemu/channel/target
# chown -R libvirt-qemu:kvm /var/lib/libvirt/qemu/channel
and adding the following to the bottom of /etc/apparmor.d/abstractions/libvirt-qemu:
/var/lib/libvirt/qemu/channel/target/* rw,
(I'm not an apparmor expert, so there may well be a better way of doing this.)
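The two conditions named in the description ([Impact] points 1 and 2) and in the workaround above can be checked on a host before starting a guest. The script below is an added example, not part of the bug report and not the libvirt package's postinst or virt-aa-helper code. It assumes the Trusty-era paths quoted in this report (/var/lib/libvirt/qemu/channel/target, the libvirt-qemu abstraction, libvirt-qemu:kvm ownership) as defaults; all function names are this script's own. The directory creation mirrors the "only if the dir does not exist" behaviour the [Regression Potential] section describes for the postinst, and the rule check looks for an uncommented abstraction line whose path starts with the channel dir and whose permissions contain both r and w.

```shell
#!/bin/sh
# Added example (not from the bug report or the libvirt package): check the
# preconditions for a qemu-guest-agent channel on a libvirt/apparmor host.
set -u

# Trusty-era defaults quoted in the bug report
CHANNEL_DIR=/var/lib/libvirt/qemu/channel/target
ABSTRACTION=/etc/apparmor.d/abstractions/libvirt-qemu
EXPECTED_OWNER=libvirt-qemu:kvm

# ensure_channel_dir DIR OWNER: create DIR only when it is missing, so an
# existing (possibly customised) setup is left untouched. chown needs root
# and the libvirt-qemu user, so it is attempted but not required.
ensure_channel_dir() {
    dir=$1; owner=$2
    if [ ! -d "$dir" ]; then
        mkdir -p "$dir" || return 1
        chown "$owner" "$dir" 2>/dev/null || true
    fi
    return 0
}

# dir_owner DIR: print "user:group" of DIR (GNU stat)
dir_owner() {
    stat -c '%U:%G' "$1"
}

# has_channel_rule FILE PREFIX: succeed if FILE contains an uncommented
# apparmor rule "<path> <perms>," whose path starts with PREFIX and whose
# perms include both r and w (e.g. "/var/lib/libvirt/qemu/channel/target/* rw,")
has_channel_rule() {
    file=$1; prefix=$2
    awk -v p="$prefix" '
        $0 !~ /^[[:space:]]*#/ && NF >= 2 && index($1, p) == 1 \
            && $2 ~ /r/ && $2 ~ /w/ && $2 ~ /,$/ { found = 1 }
        END { exit found ? 0 : 1 }' "$file"
}

# check_setup DIR OWNER FILE: report on both causes from the bug description.
# Returns the number of problems found (0 = guest channel should open).
check_setup() {
    dir=$1; owner=$2; file=$3; problems=0
    if [ -d "$dir" ]; then
        actual=$(dir_owner "$dir")
        echo "ok: $dir exists (owner $actual)"
        if [ "$actual" != "$owner" ]; then
            echo "warn: owner is $actual, expected $owner"
            problems=$((problems + 1))
        fi
    else
        echo "missing: $dir (qemu's open() of the channel socket will fail)"
        problems=$((problems + 1))
    fi
    if has_channel_rule "$file" "$dir/"; then
        echo "ok: $file grants rw under $dir/"
    else
        echo "missing: no rw rule for $dir/ in $file (apparmor will deny the socket)"
        problems=$((problems + 1))
    fi
    return $problems
}

# Usage: sh check_ga_channel.sh --run [DIR OWNER ABSTRACTION]
if [ "${1:-}" = "--run" ]; then
    check_setup "${2:-$CHANNEL_DIR}" "${3:-$EXPECTED_OWNER}" "${4:-$ABSTRACTION}"
fi
```

Run it with `--run` on the host before and after installing the fixed package: both lines should read "ok" afterwards, and a remaining "missing" line tells you which of the two causes (directory or apparmor rule) still applies.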