Activity log for bug #1403648

Date Who What changed Old value New value Message
2014-12-17 21:23:18 Dave Chiluk bug added bug
2014-12-17 21:25:50 Dave Chiluk bug task added ceph (Juju Charms Collection)
2014-12-17 21:28:27 Jamie Strandboge libvirt (Ubuntu): status New Incomplete
2014-12-17 21:31:34 Dave Chiluk summary Apparmor denies libvirt access to a number of important directories. Apparmor denies qemu access to a number of important directories.
2014-12-17 21:38:01 Dave Chiluk attachment added xml https://bugs.launchpad.net/charms/+source/ceph/+bug/1403648/+attachment/4283134/+files/xml
2014-12-17 21:45:33 Dave Chiluk tags amd64 apport-bug trusty uec-images amd64 apport-bug cts trusty uec-images
2014-12-17 21:49:39 Dave Chiluk attachment added xml https://bugs.launchpad.net/charms/+source/ceph/+bug/1403648/+attachment/4283152/+files/xml
2014-12-17 21:50:52 Dave Chiluk attachment removed xml https://bugs.launchpad.net/charms/+source/ceph/+bug/1403648/+attachment/4283134/+files/xml
2014-12-17 21:51:42 Dave Chiluk attachment added xml.txt https://bugs.launchpad.net/charms/+source/ceph/+bug/1403648/+attachment/4283154/+files/xml.txt
2014-12-17 21:51:46 Dave Chiluk attachment added xml.txt https://bugs.launchpad.net/charms/+source/ceph/+bug/1403648/+attachment/4283155/+files/xml.txt
2014-12-17 22:01:16 Jamie Strandboge libvirt (Ubuntu): status Incomplete New
2014-12-19 19:20:28 Serge Hallyn libvirt (Ubuntu): importance Undecided High
2014-12-19 19:20:47 Serge Hallyn libvirt (Ubuntu): status New Confirmed
2015-01-06 16:04:10 Serge Hallyn nominated for series Ubuntu Utopic
2015-01-06 16:04:10 Serge Hallyn bug task added libvirt (Ubuntu Utopic)
2015-01-06 16:04:10 Serge Hallyn nominated for series Ubuntu Trusty
2015-01-06 16:04:10 Serge Hallyn bug task added libvirt (Ubuntu Trusty)
2015-01-06 16:29:02 Serge Hallyn libvirt (Ubuntu Trusty): importance Undecided High
2015-01-06 16:29:05 Serge Hallyn libvirt (Ubuntu Utopic): importance Undecided High
2015-01-06 17:34:21 Launchpad Janitor libvirt (Ubuntu): status Confirmed Fix Released
2015-01-07 16:39:21 Dave Chiluk description

Old value:

Apparmor denies libvirt access to a number of important directories.

syslog.4:Dec 12 17:18:08 nuc2 kernel: [54334.001494] type=1400 audit(1418404688.659:48): apparmor="DENIED" operation="open" profile="libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660" name="/var/lib/charm/ceph/ceph.conf" pid=23594 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.537222] type=1400 audit(1418404689.195:49): apparmor="DENIED" operation="open" profile="libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660" name="/var/lib/charm/ceph/ceph.conf" pid=23594 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.745412] type=1400 audit(1418404689.403:50): apparmor="DENIED" operation="open" profile="libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660" name="/var/lib/charm/ceph/ceph.conf" pid=23594 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.808978] type=1400 audit(1418404689.467:51): apparmor="DENIED" operation="open" profile="libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660" name="/var/lib/charm/ceph/ceph.conf" pid=23594 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.858862] type=1400 audit(1418404689.515:52): apparmor="DENIED" operation="open" profile="libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660" name="/var/lib/charm/ceph/ceph.conf" pid=23594 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.909608] type=1400 audit(1418404689.567:53): apparmor="DENIED" operation="open" profile="libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660" name="/var/lib/charm/ceph/ceph.conf" pid=23594 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.976979] type=1400 audit(1418404689.635:54): apparmor="DENIED" operation="open" profile="libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660" name="/var/lib/charm/ceph/ceph.conf" pid=23594 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 18:25:25 nuc2 kernel: [58368.978163] type=1400 audit(1418408725.790:56): apparmor="DENIED" operation="open" profile="libvirt-c2f29087-8453-4441-a27d-716666fcd7a5" name="/var/lib/charm/ceph/ceph.conf" pid=19293 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 18:25:25 nuc2 kernel: [58368.979670] type=1400 audit(1418408725.790:57): apparmor="DENIED" operation="open" profile="libvirt-c2f29087-8453-4441-a27d-716666fcd7a5" name="/tmp/" pid=19293 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 18:25:25 nuc2 kernel: [58368.979680] type=1400 audit(1418408725.790:58): apparmor="DENIED" operation="open" profile="libvirt-c2f29087-8453-4441-a27d-716666fcd7a5" name="/var/tmp/" pid=19293 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0

In this case the machine was installed using juju and maas. Specific charms in play on this machine are ceph, and nova-compute.

I'm not sure if the juju charms need to be updated or if the libvirt template needs to be updated or something else altogether.

It's important to note that without ceph apparmor still denies access to /tmp and /var/tmp

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: libvirt-bin 1.2.2-0ubuntu13.1.7
ProcVersionSignature: User Name 3.13.0-35.62-generic 3.13.11.6
Uname: Linux 3.13.0-35-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.6
Architecture: amd64
Date: Wed Dec 17 21:15:20 2014
KernLog:
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.default.libvirt.bin: [modified]
modified.conffile..etc.libvirt.libvirtd.conf: [modified]
modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf']
mtime.conffile..etc.default.libvirt.bin: 2014-12-12T02:21:56.792085
mtime.conffile..etc.libvirt.libvirtd.conf: 2014-12-12T02:21:49.403764

New value:

[Impact]
 * Log files become overloaded with apparmor denials when

[Test Case]
 * Launch a qemu instance using libvirt.
 * See logged apparmor error in /var/log/syslog

[Regression Potential]
 * Current defaults are to deny access to these files, but users may have modified apparmor to permit access to silence these warnings. Since we don't want to break these users, and permitting access to /tmp and /var/tmp is not considered to be a great increase in security risk we will proceed with permissive for the SRU, and restrictive policies going forward for development.

__________________________________________________________________________

[Original report text follows, as in the old value above.]
2015-01-07 16:39:40 Dave Chiluk description

Old value:

[Impact]
 * Log files become overloaded with apparmor denials when

[Test Case]
 * Launch a qemu instance using libvirt.
 * See logged apparmor error in /var/log/syslog

[Regression Potential]
 * Current defaults are to deny access to these files, but users may have modified apparmor to permit access to silence these warnings. Since we don't want to break these users, and permitting access to /tmp and /var/tmp is not considered to be a great increase in security risk we will proceed with permissive for the SRU, and restrictive policies going forward for development.

__________________________________________________________________________

[Original report text follows, as in the 2015-01-07 16:39:21 entry.]

New value:

[Impact]
 * Log files become overloaded with apparmor denials when

[Test Case]
 * Launch a qemu instance using libvirt.
 * See logged apparmor error in /var/log/syslog

[Regression Potential]
 * Current defaults are to deny access to these files, but users may have modified apparmor to permit access to silence these warnings. Since we don't want to break these users and permitting access to /tmp and /var/tmp is not considered to be a great increase in security risk we will proceed with permissive for the SRU, and restrictive policies going forward for development.

__________________________________________________________________________

[Original report text follows, as in the 2015-01-07 16:39:21 entry.]
2015-01-07 16:40:24 Dave Chiluk description

Old value:

[Impact]
 * Log files become overloaded with apparmor denials when

[Test Case]
 * Launch a qemu instance using libvirt.
 * See logged apparmor error in /var/log/syslog

[Regression Potential]
 * Current defaults are to deny access to these files, but users may have modified apparmor to permit access to silence these warnings. Since we don't want to break these users and permitting access to /tmp and /var/tmp is not considered to be a great increase in security risk we will proceed with permissive for the SRU, and restrictive policies going forward for development.

__________________________________________________________________________

[Original report text follows, as in the 2015-01-07 16:39:21 entry.]

New value:

[Impact]
 * Log files become overloaded with apparmor denials when launching large numbers of qemu virtual machines such as the case in an openstack cloud.

[Test Case]
 * Launch a qemu instance using libvirt.
 * See logged apparmor error in /var/log/syslog

[Regression Potential]
 * Current defaults are to deny access to these files, but users may have modified apparmor to permit access to silence these warnings. Since we don't want to break these users and permitting access to /tmp and /var/tmp is not considered to be a great increase in security risk we will proceed with permissive for the SRU, and restrictive policies going forward for development.

__________________________________________________________________________

[Original report text follows, as in the 2015-01-07 16:39:21 entry.]
2015-01-07 17:00:41 Serge Hallyn bug added subscriber Ubuntu Stable Release Updates Team
2015-01-07 17:51:36 Chris J Arges libvirt (Ubuntu Trusty): status New Fix Committed
2015-01-07 17:51:40 Chris J Arges bug added subscriber SRU Verification
2015-01-07 17:51:42 Chris J Arges tags amd64 apport-bug cts trusty uec-images amd64 apport-bug cts trusty uec-images verification-needed
2015-01-07 17:54:04 Chris J Arges libvirt (Ubuntu Utopic): status New Fix Committed
2015-01-14 16:21:08 Dave Chiluk tags amd64 apport-bug cts trusty uec-images verification-needed amd64 apport-bug cts trusty uec-images verification-done-trusty verification-needed-utopic
2015-01-14 16:21:26 Dave Chiluk tags amd64 apport-bug cts trusty uec-images verification-done-trusty verification-needed-utopic amd64 apport-bug cts trusty uec-images verification-done-trusty verification-needed
2015-01-14 17:00:42 Dave Chiluk tags amd64 apport-bug cts trusty uec-images verification-done-trusty verification-needed amd64 apport-bug cts trusty uec-images verification-done-trusty verification-done-utopic verification-needed
2015-01-14 17:00:51 Dave Chiluk tags amd64 apport-bug cts trusty uec-images verification-done-trusty verification-done-utopic verification-needed amd64 apport-bug cts trusty uec-images verification-done verification-done-trusty verification-done-utopic
2015-01-14 17:22:03 Dave Chiluk libvirt (Ubuntu Trusty): assignee Dave Chiluk (chiluk)
2015-01-14 17:22:05 Dave Chiluk libvirt (Ubuntu Utopic): assignee Dave Chiluk (chiluk)
2015-01-14 17:22:11 Dave Chiluk libvirt (Ubuntu): assignee Dave Chiluk (chiluk)
2015-01-14 17:22:15 Dave Chiluk ceph (Juju Charms Collection): status New Incomplete
2015-01-14 17:22:22 Dave Chiluk ceph (Juju Charms Collection): status Incomplete Invalid
2015-01-14 17:22:32 Dave Chiluk bug task deleted ceph (Juju Charms Collection)
2015-01-29 18:46:32 Launchpad Janitor libvirt (Ubuntu Trusty): status Fix Committed Fix Released
2015-01-29 18:46:48 Brian Murray removed subscriber Ubuntu Stable Release Updates Team
2015-01-30 08:21:44 Ante Karamatić libvirt (Ubuntu Trusty): status Fix Released Confirmed
2015-01-30 08:21:49 Ante Karamatić libvirt (Ubuntu): status Fix Released Confirmed
2015-01-30 08:21:55 Ante Karamatić libvirt (Ubuntu Utopic): status Fix Committed Confirmed
2015-01-30 09:01:37 Yoshi Kadokawa bug added subscriber Yoshi Kadokawa
2015-01-30 10:21:44 Launchpad Janitor libvirt (Ubuntu): status Confirmed Fix Released
2015-01-30 18:54:11 Dave Chiluk libvirt (Ubuntu Trusty): status Confirmed Fix Released
2015-01-30 18:54:22 Dave Chiluk libvirt (Ubuntu Utopic): status Confirmed Fix Released