libvirt does not grant qemu-guest-agent channel perms
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | | High | Unassigned |
Trusty | | High | Christian Ehrhardt |
Bug Description
[Impact]
* If one defines guest channels manually (xml) or via tools like virt-manager (there it defaults to adding channels for some distros), then starting the guest fails.
There are two reasons:
1. by default the base dir for the channels doesn't exist so the open fails
2. further, virt-aa-helper does not create a matching rule to allow access, so apparmor blocks
* In later versions the paths are slightly different (better namespaced by guest name), but still similar. So this still can be considered backporting the virt-aa-helper change, and making sure the base dir exists (only needed in this old release) is a postinst change.
[Test Case]
* Create a libvirt based KVM guest on Trusty the way you prefer
* Add a guest channel to it by adding a snippet like:
<channel type='unix'>
<source mode='bind' />
<target type='virtio' name='org.
</channel>
* Start the guest via e.g. virsh
* Without the fix this fails, you'll see in strace a failed call to open
the channel, but even if e.g. dirs are created then apparmor will block
the access.
* With the fix installed the guest starts correctly
[Regression Potential]
* The patch is a backport and only a slight change to code that has been used for quite some time (paths were different in Trusty). In any case it is "adding" one more rule to open up apparmor. It should functionally not regress by that; if anything one could consider it a security risk, but
due to the guestname-
be safe - see the tail of comment #58 for some considerations on that.
* The postinst change only runs if the dir does not exist, which should ensure that no former unexpected setup makes the postinst fail
[Other Info]
* Tests on the issue itself look good based on a ppa, see comment #59
----
=======
1. Impact: cannot create a default RHEL7 vm in virt-manager
2. fix: allow use of qemu-guest-agent channel
3. test case: see in description below. Create a VM in virt-manager specifying
Linux os and RHEL7.
4. Regression potential: there should be none. We are only adding an
apparmor permission for unix sockets which libvirt creates when needed
for kvm vms.
=======
Create a new VM, choose Linux for OS type and Red Hat Enterprise Linux 7 (or later) for Version. Proceed through the wizard leaving all other options unchanged. On clicking Finish, the following error is displayed:
Unable to complete install: 'internal error: process exited while connecting to monitor: 2014-11-
2014-11-
'
Traceback (most recent call last):
File "/usr/share/
callback(
File "/usr/share/
guest.
File "/usr/share/
noboot)
File "/usr/share/
dom = self.conn.
File "/usr/lib/
if ret is None:raise libvirtError(
libvirtError: internal error: process exited while connecting to monitor: 2014-11-
2014-11-
ProblemType: Bug
DistroRelease: Ubuntu 14.10
Package: virt-manager 1:1.0.1-0ubuntu2
ProcVersionSign
Uname: Linux 3.16.0-24-generic x86_64
ApportVersion: 2.14.7-0ubuntu8
Architecture: amd64
CurrentDesktop: KDE
Date: Tue Nov 18 15:55:59 2014
EcryptfsInUse: Yes
InstallationDate: Installed on 2014-11-07 (11 days ago)
InstallationMedia: Kubuntu 14.10 "Utopic Unicorn" - Release amd64 (20141022.1)
PackageArchitec
SourcePackage: virt-manager
UpgradeStatus: No upgrade log present (probably fresh install)
Mark Grocock (mgrocock) wrote : | #1 |
Mark Grocock (mgrocock) wrote : | #2 |
tags: | added: apparmor |
Changed in virt-manager (Ubuntu): | |
importance: | Undecided → Medium |
status: | New → Triaged |
summary: |
- Creating Red Hat Enterprise Linux 7 VM fails + libvirt does not grant qemu-guest-agent channel perms |
Changed in libvirt (Ubuntu): | |
importance: | Undecided → Medium |
status: | New → Triaged |
no longer affects: | virt-manager (Ubuntu) |
Jeffrey Bouter (jbouter) wrote : | #3 |
Taking the steps Mark Grocock posted did not resolve this issue for me. I have no idea where else it may go wrong. The issue remains the same:
Unable to complete install: 'internal error: process exited while connecting to monitor: 2014-12-
2014-12-
'
Traceback (most recent call last):
File "/usr/share/
callback(
File "/usr/share/
guest.
File "/usr/share/
noboot)
File "/usr/share/
dom = self.conn.
File "/usr/lib/
if ret is None:raise libvirtError(
libvirtError: internal error: process exited while connecting to monitor: 2014-12-
2014-12-
Serge Hallyn (serge-hallyn) wrote : | #4 |
Thanks - so it looks like virt-aa-helper should be updated to recognize the channels and add a whitelist entry for them.
Do you have xml for a VM with such a channel handy?
Serge Hallyn (serge-hallyn) wrote : | #5 |
Actually this bug doesn't appear to be related to apparmor permissions. The channel is simply not created - /var/lib/
Sebastien Cote (sebas642) wrote : | #6 |
Same issue here. syslog shows that app-armor is refusing the creation of the socket:
Dec 29 10:07:09: kernel: [ 1957.839479] audit: type=1400 audit(141987642
le="libvirt-
="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=116 ouid=116
Following the steps described above by Mark Grocock fixed the issue.
You need to be careful when editing the app-armor config since the last line of the file closes the 'profile qemu_bridge_helper' group. The added line must be after the curly braces. I have also restarted app-armor, I don't know if it was required.
Jamie Strandboge (jdstrand) wrote : | #7 |
While adding this to /etc/apparmor.
/var/
it is not the proper fix because it breaks guest isolation (guests can access other guests target files). Seems like virt-aa-helper should be adjusted to ascertain the name of the 'target' and update /etc/apparmor.
Serge Hallyn (serge-hallyn) wrote : | #8 |
Raising priority bc it prevents stock fedora vms from being created using virt-manager
Changed in libvirt (Ubuntu): | |
importance: | Medium → High |
status: | Triaged → In Progress |
Launchpad Janitor (janitor) wrote : | #9 |
This bug was fixed in the package libvirt - 1.2.12-0ubuntu9
---------------
libvirt (1.2.12-0ubuntu9) vivid; urgency=medium
* 9037-virt-
libvirt domains to start when using qemu guest agent. (LP: #1393842)
-- Serge Hallyn <email address hidden> Mon, 06 Apr 2015 11:14:03 -0500
Changed in libvirt (Ubuntu): | |
status: | In Progress → Fix Released |
Benjamin Geese (ben-8409) wrote : | #10 |
Sadly, it seems this is not fixed yet. I have libvirt-1.2.12 and checked my system (vivid) is up to date. I still get the error reported above.
Unable to complete install: 'internal error: process exited while connecting to monitor: 2015-04-
'
Traceback (most recent call last):
File "/usr/share/
callback(
File "/usr/share/
guest.
File "/usr/share/
noboot)
File "/usr/share/
dom = self.conn.
File "/usr/lib/
if ret is None:raise libvirtError(
libvirtError: internal error: process exited while connecting to monitor: 2015-04-
Petter Adsen (ducasse) wrote : | #11 |
Do a "mkdir -p /var/lib/
Serge Hallyn (serge-hallyn) wrote : | #12 |
Yes, I forgot to have postinst create that.
Changed in libvirt (Ubuntu): | |
status: | Fix Released → Confirmed |
Launchpad Janitor (janitor) wrote : | #13 |
This bug was fixed in the package libvirt - 1.2.12-0ubuntu11
---------------
libvirt (1.2.12-0ubuntu11) vivid; urgency=medium
* create /var/lib/
- libvirt-bin.dirs: add /var/lib/
- libvirt-
qemu can create the unix sockets.
-- Serge Hallyn <email address hidden> Thu, 09 Apr 2015 10:40:05 -0500
Changed in libvirt (Ubuntu): | |
status: | Confirmed → Fix Released |
AlexWBaule (alexwbaule) wrote : | #14 |
The Ubuntu 14.04.3 LTS has this issue too.
Fresh install, today. All updates applied (upgrade and dist-upgrade).
When the update package will be released ?
The lastest version is:
root@ubuntu-kvm:~# dpkg -l | grep libvirt;
ii libvirt-bin 1.2.2-0ubuntu13
iU libvirt0 1.2.2-0ubuntu13
First the Directory is not created: (/var/lib/
Aug 26 23:34:59 ubuntu-kvm kernel: [ 1198.433256] audit: type=1400 audit(144064289
Serge Hallyn (serge-hallyn) wrote : | #15 |
Fix is simple enough, I've added it to my list of things to SRU to trusty. I'm hoping to get to it this week.
Changed in libvirt (Ubuntu Trusty): | |
importance: | Undecided → High |
AlexWBaule (alexwbaule) wrote : | #16 |
Hi Serge,
Can you post here the fix ?
So I do the fix on my server until it comes out the package.
Tks.
AlexWBaule (alexwbaule) wrote : | #17 |
Hi again Serge, I see the source. Sorry, I thought it was some configuration file, but it is in a C source file and needs to be compiled. Ignore my request.
Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1393842] Re: libvirt does not grant qemu-guest-agent channel perms | #18 |
I'll push the package for sru today, and post the debdiff here so you
can build your own.
Serge Hallyn (serge-hallyn) wrote : | #19 |
description: | updated |
description: | updated |
AlexWBaule (alexwbaule) wrote : | #20 |
Tks Serge! I got the diff, rebuilt the package and OK, it works.
Hello Mark, or anyone else affected,
Accepted libvirt into trusty-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
Changed in libvirt (Ubuntu Trusty): | |
status: | New → Fix Committed |
tags: | added: verification-needed |
Matteo Panella (mpanella) wrote : | #22 |
Hi Serge,
at first glance the libvirt version in -proposed works when the profile is generated, but virt-aa-helper chokes on profile updates (e.g. media change via virt-manager):
virt-aa-helper: error: /var/lib/
virt-aa-helper: error: skipped restricted file
virt-aa-helper: error: invalid VM definition
A simple action like changing cdrom media requires taking down the guest and starting it back up again as soon as a guest agent channel is added, so marking as verification failed.
tags: |
added: verification-done removed: verification-needed |
tags: |
added: verification-failed removed: verification-done |
The Loeki (the-loeki) wrote : | #23 |
Confirmed. Update in proposed works as mpanella says
The Loeki (the-loeki) wrote : | #24 |
bummer workaround:
for xml in /etc/libvirt/
Serge Hallyn (serge-hallyn) wrote : | #25 |
Just to be sure - does the same thing happen in wily? That is, is the upstream fix insufficient, or was the SRU missing a piece?
Changed in libvirt (Ubuntu Trusty): | |
status: | Fix Committed → Confirmed |
Matteo Panella (mpanella) wrote : | #26 |
I don't have a KVM-capable machine with Wily ready at hand, sorry. I'll try to get one ASAP.
rahul (rhlnair87) wrote : | #27 |
I am facing the same issue, tried upgrading to 1.2.2-0ubuntu13
Serge Hallyn (serge-hallyn) wrote : | #28 |
Hi,
Using a centos 7 dvd iso and the 'rhel 7 or above' choice when creating a VM in virt-manager,
using the stock trusty image i was able to reproduce this.
Using 1.2.2-0ubuntu13
So this *does* solve the issue for me.
Serge Hallyn (serge-hallyn) wrote : | #29 |
@rahul,
can you show the error message you got when you tried with the upgraded libvirt?
Serge Hallyn (serge-hallyn) wrote : | #30 |
@rahul
ping?
This issue starting to happen for me after upgrade from Wily to Xenial. Bunch of VMs have org.qemu.
Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1393842] Re: libvirt does not grant qemu-guest-agent channel perms | #32 |
Thanks - the two most likely explanations are that there was a regression in the apparmor policy, or the filename has changed. Could you check syslog for a related DENIED message and post it here?
> Could you check syslog for a related DENIED message in syslog and post it here?
[ 3398.651077] audit: type=1400 audit(145585842
[ 3398.664393] audit: type=1400 audit(145585842
[ 3399.035892] audit: type=1400 audit(145585842
> or the filename has changed
I didn't rename anything in the upgrade process. But just to be sure - what do I need to check here?
Serge Hallyn (serge-hallyn) wrote : | #34 |
Looking at the source, virt-aa-helper should still be doing the right
thing to add an exception for that channel.
For a VM which has that channel, could you post the
/etc/apparmor.
replacing <uuid> with the vm's uuid, of course.
~$ cat /etc/apparmor.
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/
"/var/
"/var/
"/run/
"/var/
"/run/
"/var/
"/dev/net/tun" rw,
Serge Hallyn (serge-hallyn) wrote : | #36 |
Confirmed this has regressed in xenial
Changed in libvirt (Ubuntu): | |
status: | Fix Released → Triaged |
Serge Hallyn (serge-hallyn) wrote : | #37 |
Adding 'capability mknod' to /etc/apparmor.
I'm not sure we want to add that to all VMs. Do we need to add it to the policy during virt-aa-helper?
Jamie Strandboge (jdstrand) wrote : | #38 |
I'm not keen on allowing mknod in the general case. It makes a lot of sense to me add it (with comment ideally) via virt-aa-helper.
Serge Hallyn (serge-hallyn) wrote : | #39 |
I'm trying:
Index: libvirt/
=======
--- libvirt.
+++ libvirt/
@@ -939,6 +939,14 @@ add_file_
}
static int
+is_qemu_
+{
+
+ return channels-
+ STREQ_NULLABLE(
+}
+
+static int
get_files(
{
virBuffer buf = VIR_BUFFER_
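Review bot: the new helper introduced at `+static int` / `+is_qemu_` carries no comment saying what it recognises; since comment #38 asks that this grant be added "with comment ideally", document here that the function returns true only when a channel target name matches the guest-agent name (the `STREQ_NULLABLE(` comparison on `channels-`), so later readers of virt-aa-helper can see why the extra policy is tied to that one device type.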
@@ -1034,6 +1042,8 @@ get_files(
+ if (is_qemu_
+ virBufferAsprin
if (vah_add_
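Review bot: the rule appended by `+ if (is_qemu_` / `+ virBufferAsprin` widens the whole guest profile, and comment #41 points out that a `capability mknod` grant leaves only DAC between a compromised guest process and the host's device nodes; suggest emitting a comment line into the generated policy next to this rule stating why it is required, and noting in the patch header that the grant should be dropped once the guest agent no longer needs mknod (the socket change discussed in #41/#42).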
Launchpad Janitor (janitor) wrote : | #40 |
This bug was fixed in the package libvirt - 1.3.1-1ubuntu6
---------------
libvirt (1.3.1-1ubuntu6) xenial; urgency=medium
* d/apparmor/
(LP: #1554761)
* d/p/ubuntu/
capability if there is a qemu guest agent. (LP: #1393842)
-- Serge Hallyn <email address hidden> Wed, 09 Mar 2016 18:45:08 -0800
Changed in libvirt (Ubuntu): | |
status: | Triaged → Fix Released |
Jamie Strandboge (jdstrand) wrote : | #41 |
I understand why you are doing this, but this means that a malicious guest is now able to create, for example, a block device with only DAC protecting the host. Since qemu on Ubuntu runs as non-root, this isn't completely horrible, but since apparmor doesn't have fine-grained mediation of mknod, it would be better if the guest agent were modified to use a socket (perhaps abstract?) so the mknod was not required.
Serge Hallyn (serge-hallyn) wrote : | #42 |
Quoting Jamie Strandboge (<email address hidden>):
> I understand why you are doing this, but this means that a malicious
> guest is now able to create, for example, a block device with only DAC
> protecting the host. Since qemu on Ubuntu runs as non-root, this isn't
> completely horrible, but since apparmor doesn't have fine-grained
> mediation of mknod, it would be better if the guest agent were modified
> to use a socket (perhaps abstract?) so the mknod was not required.
Agreed that would be better. Do you want to open a bug against the QEMU
project and qemu package to that effect?
Changed in libvirt (Ubuntu): | |
status: | Fix Released → Triaged |
Anthony Kamau (ak-launchpad) wrote : | #43 |
I've been struggling with this for nearly 2 hours before I realized that I was running a virtualbox vm in headless mode. Was trying to create a qemu-kvm vm and it kept failing with symptoms similar to those reported here.
What would be good is getting qemu-kvm to at least check if another hypervisor is currently running, then allude that fact to the moronic end-user and save the sucker from wasting 2 hours on a Saturday afternoon chasing his tail!
This is the error I was getting:
=======
[Sat, 26 Mar 2016 15:47:21 virt-manager 490] DEBUG (error:84) error dialog message:
summary=Unable to complete install: 'internal error: process exited while connecting to monitor: ioctl(KVM_
failed to initialize KVM: Device or resource busy
'
details=Unable to complete install: 'internal error: process exited while connecting to monitor: ioctl(KVM_
failed to initialize KVM: Device or resource busy
'
Traceback (most recent call last):
File "/usr/share/
callback(
File "/usr/share/
guest.
File "/usr/share/
noboot)
File "/usr/share/
dom = self.conn.
File "/usr/lib/
if ret is None:raise libvirtError(
libvirtError: internal error: process exited while connecting to monitor: ioctl(KVM_
failed to initialize KVM: Device or resource busy
Anthony Kamau (ak-launchpad) wrote : | #44 |
In comparison, when attempting to launch a VirtualBox VM, it fails with a slightly better error message at least directing one to investigate what else would be using a hypervisor. But it also suggests some rather drastic steps to do with recompiling the kernel to remove the KVM kernel extension - wow:
=======
Failed to open a session for the virtual machine core-plus-vm.
VT-x is being used by another hypervisor (VERR_VMX_
VirtualBox can't operate in VMX root mode. Please disable the KVM kernel extension, recompile your kernel and reboot (VERR_VMX_
Result Code: NS_ERROR_FAILURE (0x80004005)
Component: ConsoleWrap
Interface: IConsole {872da645-
Serge Hallyn (serge-hallyn) wrote : | #45 |
Hi,
this should be fixed in libvirt 1.3.1-1ubuntu8. I'm not sure why it didn't get auto-closed.
Please report if this is still broken for you.
Changed in libvirt (Ubuntu): | |
status: | Triaged → Fix Released |
Hello Mark, or anyone else affected,
Accepted libvirt into trusty-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
Changed in libvirt (Ubuntu Trusty): | |
status: | Confirmed → Fix Committed |
tags: | removed: verification-failed |
tags: | added: verification-needed |
Serge Hallyn (serge-hallyn) wrote : verified | #47 |
With current trusty package I got the error popup as predicted.
After upgrading to -proposed and rebooting, it succeeded.
tag verification-done
untag verification-needed
done
tags: | removed: verification-needed |
Ankur (ankur22388) wrote : | #48 |
Hi All, I am using ubuntu 14.04.4 LTS
VERSION="14.04.4 LTS, Trusty Tahr"
root1@root1-
ii libvirt-bin 1.2.2-0ubuntu13
ii libvirt-dev 1.2.2-0ubuntu13
ii libvirt0 1.2.2-0ubuntu13
libvirt: QEMU Driver error : internal error: process exited while connecting to monitor: qemu-system-x86_64: -chardev socket,
Still I am getting this error, how to fix this?
I tried upgrading the package but its already at newest version
Kafui Odzangba Dake (odzangba) wrote : | #49 |
This bug still affects 14.04. Upgrading libvirt to 1.2.2-0ubuntu13
$ dpkg -l | grep libvirt
ii libvirt-bin 1.2.2-0ubuntu13
ii libvirt0 1.2.2-0ubuntu13
$ lsb_release -rd
Description: Ubuntu 14.04.4 LTS
Release: 14.04
$ apt-cache policy libvirt-bin
libvirt-bin:
Installed: 1.2.2-0ubuntu13
Candidate: 1.2.2-0ubuntu13
Version table:
*** 1.2.2-0ubuntu13
500 http://
100 /var/lib/
1.
500 http://
1.
500 http://
1.
500 http://
Full error message:
Unable to complete install: 'internal error: process exited while connecting to monitor: qemu-system-x86_64: -chardev socket,
qemu-system-x86_64: -chardev socket,
'
Traceback (most recent call last):
File "/usr/share/
callback(
File "/usr/share/
guest.
File "/usr/share/
noboot)
File "/usr/share/
dom = self.conn.
File "/usr/lib/
if ret is None:raise libvirtError(
libvirtError: internal error: process exited while connecting to monitor: qemu-system-x86_64: -chardev socket,
qemu-system-x86_64: -chardev socket,
tags: |
added: verification-failed removed: verification-done |
Serge Hallyn (serge-hallyn) wrote : | #50 |
Did you reboot the system after the upgrade?
(restarting apparmor should suffice, but since this package fixed it for me I'd like to make sure about whether the core fix failed for you, or just the upgrade experience)
Kafui Odzangba Dake (odzangba) wrote : | #51 |
Hi Serge, I rebooted the kvm host after the upgrade and still got the error. I can provide additional info from my kvm host if you need.
Serge Hallyn (serge-hallyn) wrote : | #52 |
Hi,
no, thanks, actually since this fix patches virt-aa-helper itself, just creating a new vm after the upgrade should have sufficed. No reboot should have been needed. However trying to start a pre-existing vm that previously failed would not work, as the policy needs to be re-generated.
Looking at your error message, the filename doesn't seem to match what we expect in the patch. The patch uses "domain-
Still perplexing that it did work for me. Perhaps adding "/var/lib/
The version of libvirt in the proposed pocket of Trusty that was purported to fix this bug report has been removed because the bugs that were to be fixed by the upload were not verified in a timely (105 days) fashion.
Changed in libvirt (Ubuntu Trusty): | |
status: | Fix Committed → Won't Fix |
Jernej Jakob (jjakob) wrote : | #55 |
Still getting this bug in Trusty.
Thomas Mayer (thomas303) wrote : | #56 |
I can confirm this bug for up-to-date xenial (16.04). Note that this is a regression for me, which happened within xenial's updates (it was working a few weeks ago with xenial).
ehler beim Starten der Domain: Kann keine Daten empfangen: Die Verbindung wurde vom Kommunikationsp
Traceback (most recent call last):
File "/usr/share/
callback(
File "/usr/share/
callback(*args, **kwargs)
File "/usr/share/
ret = fn(self, *args, **kwargs)
File "/usr/share/
self.
File "/usr/lib/
if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: Kann keine Daten empfangen: Die Verbindung wurde vom Kommunikationsp
Lior Goikhburg (goikhburg) wrote : | #57 |
1.2.2-0ubuntu13
Christian Ehrhardt (paelzer) wrote : | #58 |
Hi,
thanks for the ping, this brought it to my attention, taking a look now ...
First of all to get Fedora/
Using uvtool to create a very basic guest based on daily cloud images
$ uvt-simplestrea
$ uvt-kvm create --password=ubuntu kvmguest-
In later versions of libvirt/qemu in Xenial for example the apparmor rules automatically get a rule for channels of the guest agent:
# for qemu guest agent channel
owner "/var/lib/
The individual guests are namespaced by the domain name (?now?) which makes it easier as there is no rule-per-channel needed as in the past.
But let's try to add a manual channel to see its path and behavior.
The raw basics of a guest channel would be:
<channel type='unix'>
<source mode='bind' />
<target type='virtio' name='org.
</channel>
Adding that (and not more) lets libvirt fill in the extra defaults.
The path that gets auto-assigned does not match the expected guest agent paths above.
That gets expanded on Xenial to:
<channel type='unix'>
<source mode='bind'/>
<target type='virtio' name='org.
<address type='virtio-
</channel>
But on Trusty it becomes:
<channel type='unix'>
<source mode='bind' path='/
<target type='virtio' name='org.
<address type='virtio-
</channel>
See the path there that is still explicit and also not following the namespacing of later versions.
The Xenial version generates the path on guest instantiation on the expected path and works as-is.
"-chardev socket,
On Trusty this fails as reported:
$ virsh start kvmguest-
error: Failed to start domain kvmguest-
error: internal error: process exited while connecting to monitor: qemu-system-x86_64: -chardev socket,
qemu-system-x86_64: -chardev socket,
Yet there is no apparmor deny associated; it seems it just fails due to some of the underlying paths being non-existent (maybe it apparmor-fails later once they exist).
Yes that is step 1, after:
$ mkdir /var/lib/
$ mkdir /var/lib/
$ chown libvirt-qemu:kvm /var/lib/
$ chown libvirt-qemu:kvm /var/lib/
Changed in libvirt (Ubuntu Trusty): | |
status: | Won't Fix → Triaged |
assignee: | nobody → ChristianEhrhardt (paelzer) |
Christian Ehrhardt (paelzer) wrote : | #59 |
There actually is the common virt-aa-helper on channels even back then in Trusty.
This was changed a few times and the special tweak that generates the rule was dropped later as along the new namespacing there are now valid rules per entry.
Anyway, for trusty backporting all those complex changes would not be in the SRU mindset, so stick to the proposal I made above.
Please - at least one of the affected users, test the ppa in [1].
If that is successful for you as well and you are willing to also help me verify the eventual SRU we could go forward with that.
My Testing from ppa seems good - log below:
#1 clean env (dir not pre-existing)
#1.1 dir exists after install - ok
#1.2 right ownership - ok
#1.3 socket created - ok
/var/
#1.4 apparmor rule - ok
owner "/var/lib/
#1.5 Guest working - ok
#2 dir pre-existing but under right ownership/perm
#2.1 - #2.5 as in #1 - ok
#2.6 - no error/conflict due to existing dir
#3 dir pre-existing but under other ownership/perm
#3.1 dir exists after install - ok
#3.2 ownership preserved from before install - ok
#3.3 - apparmor rule creates correctly - ok
#3 fails due to ownership not allowing qemu to create our example guest, but we want to preserve what a user has set up - so ok
[1]: https:/
Christian Ehrhardt (paelzer) wrote : | #60 |
Waiting for info by users, setting status incomplete for now.
And as a side note #56 is something else or at least worth a new bug to analyze separately. @Thomas Mayer - If you are still affected please open a new bug so we can check out the details of your case.
Changed in libvirt (Ubuntu Trusty): | |
status: | Triaged → Incomplete |
Christian Ehrhardt (paelzer) wrote : | #61 |
Since it is reproducible and worth fixing I have prepared a MP for an SRU to be reviewed.
Changed in libvirt (Ubuntu Trusty): | |
status: | Incomplete → Triaged |
Christian Ehrhardt (paelzer) wrote : | #62 |
Added SRU Template in anticipation of the MP review
description: | updated |
Christian Ehrhardt (paelzer) wrote : | #63 |
MP Review and tests were good, the package is waiting for SRU Team in trusty-unapproved now.
Changed in libvirt (Ubuntu Trusty): | |
status: | Triaged → In Progress |
Hello Mark, or anyone else affected,
Accepted libvirt into trusty-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
Changed in libvirt (Ubuntu Trusty): | |
status: | In Progress → Fix Committed |
tags: |
added: verification-needed verification-needed-trusty removed: verification-failed |
description: | updated |
Christian Ehrhardt (paelzer) wrote : | #65 |
# left my old dirs as-is (bad setup intentionally) after upgrade
$ dpkg -l libvirt-bin | tee
ii libvirt-bin 1.2.2-0ubuntu13
$ virsh start kvmguest-
testgachannel.
$ ll /var/lib/
drwxr-xr-x 3 ubuntu ubuntu 4096 Aug 28 11:12 channel/
drwxr-xr-x 2 ubuntu kvm 4096 Aug 28 11:19 target/
# Installs the dirs correctly if not avail (Default case)
$ rm -rf /var/lib/
$ apt install --reinstall libvirt-bin
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
libfreetype6 os-prober
Use 'apt-get autoremove' to remove them.
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 0 B/2070 kB of archives.
After this operation, 0 B of additional disk space will be used.
(Reading database ... 28258 files and directories currently installed.)
Preparing to unpack .../libvirt-
libvirt-bin stop/waiting
Unpacking libvirt-bin (1.2.2-
Processing triggers for libc-bin (2.19-0ubuntu6.13) ...
Processing triggers for man-db (2.6.7.1-1ubuntu1) ...
Processing triggers for ureadahead (0.100.0-16) ...
Setting up libvirt-bin (1.2.2-
libvirt-bin start/running, process 28874
Setting up libvirt-bin dnsmasq configuration.
$ ll /var/lib/
total 8
drwxr-xr-x 2 libvirt-qemu kvm 4096 Sep 8 07:23 ./
drwxr-xr-x 3 libvirt-qemu kvm 4096 Sep 8 07:23 ../
# Now starting fine
$ virsh start kvmguest-
Domain kvmguest-
# Rule created with namespace
$ grep target /etc/apparmor.
owner "/var/lib/
tags: |
added: verification-done verification-done-trusty removed: utopic verification-needed verification-needed-trusty |
Launchpad Janitor (janitor) wrote : | #66 |
This bug was fixed in the package libvirt - 1.2.2-0ubuntu13
---------------
libvirt (1.2.2-
* fix guest channel support (LP: #1393842).
- d/p/virt-
for channels within guest namespace.
- d/libvirt-
-- Christian Ehrhardt <email address hidden> Mon, 28 Aug 2017 12:14:08 +0200
Changed in libvirt (Ubuntu Trusty): | |
status: | Fix Committed → Fix Released |
The verification of the Stable Release Update for libvirt has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
I've done some more research into this. It appears that the qemu_ga=True argument to _add_var() on line 241 of /usr/share/virt-manager/virtinst/osdict.py (also line 258 affecting Fedora 18 and later) causes qemu-system-x86_64 to be called with an extra argument:
-chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/rhel7.org.qemu.guest_agent.0,server,nowait
I've managed to get this working by creating /var/lib/libvirt/qemu/channel/target with appropriate ownership:
# mkdir -p /var/lib/libvirt/qemu/channel/target libvirt/qemu/channel
# chown -R libvirt-qemu:kvm /var/lib/
and adding the following to the bottom of /etc/apparmor.d/abstractions/libvirt-qemu:
/var/lib/libvirt/qemu/channel/target/* rw,
(I'm not an apparmor expert, so there may well be a better way of doing this.)
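An added check (my own example, not code from this bug, from libvirt or from virt-aa-helper) for the two things this thread turns on: a per-VM profile that lacks the `owner` rule for a guest's channel socket (comments #58/#59), and the blanket `/var/lib/libvirt/qemu/channel/target/* rw,` workaround above, which comment #7 rejects because it lets guests reach each other's sockets. It assumes the Trusty path layout `<dir>/<domain>.<target name>` shown in comment #58 and takes the domain XML and profile text as strings; the sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Socket directory used by the Trusty libvirt in this bug; sockets are named
# "<domain name>.<channel target name>" (path seen in comments #1 and #58).
CHANNEL_TARGET_DIR = "/var/lib/libvirt/qemu/channel/target"

# One AppArmor file rule: optional "owner", quoted path, permission letters.
RULE_RE = re.compile(r'^\s*(?:owner\s+)?"([^"]+)"\s+([a-z]+),\s*$')

# The blanket workaround from comment #7 (quoted or not), which grants every
# guest access to every other guest's channel socket.
BROAD_RULE_RE = re.compile(
    r'^\s*(?:owner\s+)?"?' + re.escape(CHANNEL_TARGET_DIR) + r'/\*+"?\s+[a-z]+,\s*$')


def channel_socket_paths(domain_xml):
    """Socket path for every <channel type='unix'> in a libvirt domain XML.

    An explicit <source path=.../> is used as-is; otherwise the Trusty
    default "<CHANNEL_TARGET_DIR>/<domain>.<target name>" is assumed
    (assumption taken from the expanded XML in comment #58).
    """
    root = ET.fromstring(domain_xml)
    domain = root.findtext("name")
    if not domain:
        raise ValueError("domain XML has no <name>")
    paths = []
    for ch in root.iter("channel"):
        if ch.get("type") != "unix":
            continue
        src = ch.find("source")
        tgt = ch.find("target")
        if src is not None and src.get("path"):
            paths.append(src.get("path"))
        elif tgt is not None and tgt.get("name"):
            paths.append("%s/%s.%s" % (CHANNEL_TARGET_DIR, domain, tgt.get("name")))
    return paths


def expected_rule(path):
    """Rule virt-aa-helper should emit for one channel socket."""
    return 'owner "%s" rw,' % path


def profile_grants_rw(profile_text, path):
    """True if some rule in the per-VM profile gives r and w on exactly path."""
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(1) == path and {"r", "w"} <= set(m.group(2)):
            return True
    return False


def audit(domain_xml, profile_text, abstraction_text=""):
    """Return {'missing': [paths without a rule], 'broad': [blanket rules]}."""
    findings = {"missing": [], "broad": []}
    for path in channel_socket_paths(domain_xml):
        if not profile_grants_rw(profile_text, path):
            findings["missing"].append(path)
    for text in (profile_text, abstraction_text):
        for line in text.splitlines():
            if BROAD_RULE_RE.match(line):
                findings["broad"].append(line.strip())
    return findings


# Constructed sample inputs (not taken from any real host).
DOMAIN_XML = """<domain type='kvm'>
  <name>kvmguest-trusty</name>
  <devices>
    <channel type='unix'>
      <source mode='bind'/>
      <target type='virtio' name='org.qemu.guest_agent.0'/>
    </channel>
  </devices>
</domain>"""

GOOD_PROFILE = """# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/lib/libvirt/images/kvmguest-trusty.img" rwk,
  # for qemu guest agent channel
  owner "/var/lib/libvirt/qemu/channel/target/kvmguest-trusty.org.qemu.guest_agent.0" rw,
  "/dev/net/tun" rw,
"""

BAD_PROFILE = """# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/dev/net/tun" rw,
"""

BROAD_ABSTRACTION = "  /var/lib/libvirt/qemu/channel/target/* rw,\n"

if __name__ == "__main__":
    print("good profile:", audit(DOMAIN_XML, GOOD_PROFILE))
    print("bad profile :", audit(DOMAIN_XML, BAD_PROFILE, BROAD_ABSTRACTION))
```

On a real host, feed it `virsh dumpxml <domain>`, the matching `/etc/apparmor.d/libvirt/libvirt-<uuid>.files` and the `abstractions/libvirt-qemu` text; a non-empty `broad` list means guest isolation has been weakened by hand.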