Activity log for bug #1546674

Date Who What changed Old value New value Message
2016-02-17 18:14:25 Simon Déziel bug added bug
2016-02-17 22:33:16 Serge Hallyn libvirt (Ubuntu): status New Confirmed
2016-02-21 17:38:49 Alberto Salvia Novella libvirt (Ubuntu): importance Undecided High
2016-02-26 04:41:19 Serge Hallyn libvirt (Ubuntu): status Confirmed Triaged
2016-08-05 02:47:54 Matt LaPlante bug added subscriber Matt LaPlante
2016-08-16 03:43:11 Robie Basak bug added subscriber Ubuntu Server Team
2016-08-16 03:43:19 Robie Basak tags amd64 apport-bug xenial amd64 apport-bug bitesize server-next xenial
2016-10-07 08:20:59 Stefan Bader nominated for series Ubuntu Xenial
2016-10-07 08:20:59 Stefan Bader bug task added libvirt (Ubuntu Xenial)
2016-10-07 08:21:26 Stefan Bader libvirt (Ubuntu Xenial): importance Undecided Medium
2016-10-07 08:21:26 Stefan Bader libvirt (Ubuntu Xenial): status New Triaged
2016-10-07 13:03:36 Simon Déziel attachment added Guest definition that triggers the bug https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+attachment/4756708/+files/apt.xml
2016-10-18 08:25:59 Christian Ehrhardt libvirt (Ubuntu Xenial): assignee ChristianEhrhardt (paelzer)
2016-10-18 08:26:02 Christian Ehrhardt libvirt (Ubuntu): assignee ChristianEhrhardt (paelzer)
2016-10-18 08:26:22 Christian Ehrhardt bug added subscriber ChristianEhrhardt
2016-10-26 15:13:07 MNLipp bug added subscriber MNLipp
2016-10-26 20:42:27 Simon Déziel attachment added aa-libvirt-qemu.patch https://bugs.launchpad.net/bugs/1546674/+attachment/4767869/+files/aa-libvirt-qemu.patch
2016-10-26 20:42:27 Simon Déziel attachment added apparmor-syslog.log https://bugs.launchpad.net/bugs/1546674/+attachment/4767870/+files/apparmor-syslog.log
2016-10-27 00:26:02 Ubuntu Foundations Team Bug Bot tags amd64 apport-bug bitesize server-next xenial amd64 apport-bug bitesize patch server-next xenial
2016-10-27 00:26:12 Ubuntu Foundations Team Bug Bot bug added subscriber Ubuntu Review Team
2016-11-14 10:24:05 Christian Ehrhardt libvirt (Ubuntu): status Triaged In Progress
2016-11-14 14:19:50 Simon Déziel description With libvirt-bin 1.3.1, starting a QEMU guest results in those AA denials: Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 audit(1455728783.639:73): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 audit(1455728783.639:74): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 audit(1455728783.639:75): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 audit(1455728783.639:76): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 virt-aa-helper's AA profile hasn't changed recently so it seems like the helper is doing more in this release. 
Additional information: $ lsb_release -rd Description: Ubuntu Xenial Xerus (development branch) Release: 16.04 $ apt-cache policy apparmor libvirt-bin apparmor: Installed: 2.10-3ubuntu1 Candidate: 2.10-3ubuntu1 Version table: *** 2.10-3ubuntu1 500 500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages 100 /var/lib/dpkg/status libvirt-bin: Installed: 1.3.1-1ubuntu1 Candidate: 1.3.1-1ubuntu1 Version table: *** 1.3.1-1ubuntu1 500 500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages 100 /var/lib/dpkg/status ProblemType: Bug DistroRelease: Ubuntu 16.04 Package: libvirt-bin 1.3.1-1ubuntu1 ProcVersionSignature: Ubuntu 4.4.0-5.20-generic 4.4.1 Uname: Linux 4.4.0-5-generic x86_64 NonfreeKernelModules: zfs zunicode zcommon znvpair zavl ApportVersion: 2.20-0ubuntu3 Architecture: amd64 CurrentDesktop: Unity Date: Wed Feb 17 13:08:04 2016 KernLog: SourcePackage: libvirt UpgradeStatus: No upgrade log present (probably fresh install) modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf'] modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted] Reproducing steps: 1) Sync Xenial cloud-image uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=xenial 2) Create a test guest with: uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test release=xenial arch=amd64 label=daily 3) Create a zvol zfs create -V 8G zlxd/xenial-kernel-test 4) Copy the qcow2 data to the zvol qemu-img convert -O raw \ /var/lib/uvtool/libvirt/images/xenial-kernel-test.qcow \ /dev/zvol/zlxd/xenial-kernel-test 5) Update the guest definition to use the zvol <disk type='file' device='disk'> <driver name='qemu' type='raw' cache='none'/> <source file='/dev/zvol/zlxd/xenial-kernel-test'/> <target dev='vda' bus='virtio'/> </disk> 6) boot the guest virsh start xenial-kernel-test 7) check for apparmor denial messages dmesg | tail | grep apparmor Without the fix, 
Apparmor would report denials when accessing /etc/nsswitch.conf, /etc/host.conf, /etc/gai.conf, /run/resolvconf/resolv.conf and /dev/zvolX (where X corresponds to the zvol number). Starting the guest should be much slower than usual. With the fix in place, the only Apparmor denial would be about reading the /dev/zvolx device. This causes no visible problem nor slowdown. Original description: With libvirt-bin 1.3.1, starting a QEMU guest results in those AA denials: Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 audit(1455728783.639:73): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 audit(1455728783.639:74): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 audit(1455728783.639:75): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 audit(1455728783.639:76): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 virt-aa-helper's AA profile hasn't changed recently so it seems like the helper is doing more in this release. 
Additional information: $ lsb_release -rd Description: Ubuntu Xenial Xerus (development branch) Release: 16.04 $ apt-cache policy apparmor libvirt-bin apparmor:   Installed: 2.10-3ubuntu1   Candidate: 2.10-3ubuntu1   Version table:  *** 2.10-3ubuntu1 500         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages         100 /var/lib/dpkg/status libvirt-bin:   Installed: 1.3.1-1ubuntu1   Candidate: 1.3.1-1ubuntu1   Version table:  *** 1.3.1-1ubuntu1 500         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages         100 /var/lib/dpkg/status ProblemType: Bug DistroRelease: Ubuntu 16.04 Package: libvirt-bin 1.3.1-1ubuntu1 ProcVersionSignature: Ubuntu 4.4.0-5.20-generic 4.4.1 Uname: Linux 4.4.0-5-generic x86_64 NonfreeKernelModules: zfs zunicode zcommon znvpair zavl ApportVersion: 2.20-0ubuntu3 Architecture: amd64 CurrentDesktop: Unity Date: Wed Feb 17 13:08:04 2016 KernLog: SourcePackage: libvirt UpgradeStatus: No upgrade log present (probably fresh install) modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf'] modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted]
2016-11-14 14:21:50 Simon Déziel description Reproducing steps: 1) Sync Xenial cloud-image uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=xenial 2) Create a test guest with: uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test release=xenial arch=amd64 label=daily 3) Create a zvol zfs create -V 8G zlxd/xenial-kernel-test 4) Copy the qcow2 data to the zvol qemu-img convert -O raw \ /var/lib/uvtool/libvirt/images/xenial-kernel-test.qcow \ /dev/zvol/zlxd/xenial-kernel-test 5) Update the guest definition to use the zvol <disk type='file' device='disk'> <driver name='qemu' type='raw' cache='none'/> <source file='/dev/zvol/zlxd/xenial-kernel-test'/> <target dev='vda' bus='virtio'/> </disk> 6) boot the guest virsh start xenial-kernel-test 7) check for apparmor denial messages dmesg | tail | grep apparmor Without the fix, Apparmor would report denials when accessing /etc/nsswitch.conf, /etc/host.conf, /etc/gai.conf, /run/resolvconf/resolv.conf and /dev/zvolX (where X corresponds to the zvol number). Starting the guest should be much slower than usual. With the fix in place, the only Apparmor denial would be about reading the /dev/zvolx device. This causes no visible problem nor slowdown. 
Original description: With libvirt-bin 1.3.1, starting a QEMU guest results in those AA denials: Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 audit(1455728783.639:73): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 audit(1455728783.639:74): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 audit(1455728783.639:75): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 audit(1455728783.639:76): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 virt-aa-helper's AA profile hasn't changed recently so it seems like the helper is doing more in this release. 
Additional information: $ lsb_release -rd Description: Ubuntu Xenial Xerus (development branch) Release: 16.04 $ apt-cache policy apparmor libvirt-bin apparmor:   Installed: 2.10-3ubuntu1   Candidate: 2.10-3ubuntu1   Version table:  *** 2.10-3ubuntu1 500         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages         100 /var/lib/dpkg/status libvirt-bin:   Installed: 1.3.1-1ubuntu1   Candidate: 1.3.1-1ubuntu1   Version table:  *** 1.3.1-1ubuntu1 500         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages         100 /var/lib/dpkg/status ProblemType: Bug DistroRelease: Ubuntu 16.04 Package: libvirt-bin 1.3.1-1ubuntu1 ProcVersionSignature: Ubuntu 4.4.0-5.20-generic 4.4.1 Uname: Linux 4.4.0-5-generic x86_64 NonfreeKernelModules: zfs zunicode zcommon znvpair zavl ApportVersion: 2.20-0ubuntu3 Architecture: amd64 CurrentDesktop: Unity Date: Wed Feb 17 13:08:04 2016 KernLog: SourcePackage: libvirt UpgradeStatus: No upgrade log present (probably fresh install) modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf'] modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted] Reproducing steps: 1) Sync Xenial cloud-image uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=xenial 2) Create a test guest with: uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test release=xenial arch=amd64 label=daily 3) Create a zvol zfs create -V 8G zlxd/xenial-kernel-test 4) Copy the qcow2 data to the zvol qemu-img convert -O raw \   /var/lib/uvtool/libvirt/images/xenial-kernel-test.qcow \   /dev/zvol/zlxd/xenial-kernel-test 5) Update the guest definition to use the zvol   <disk type='file' device='disk'>     <driver name='qemu' type='raw' cache='none'/>     <source file='/dev/zvol/zlxd/xenial-kernel-test'/>     <target dev='vda' bus='virtio'/>   </disk> 6) boot the guest virsh start xenial-kernel-test 7) check for 
apparmor denial messages dmesg | tail | grep apparmor Without the fix, Apparmor would report denials when accessing /etc/nsswitch.conf, /etc/host.conf, /etc/gai.conf, /run/resolvconf/resolv.conf and /dev/zdX (where X corresponds to the zvol number). Starting the guest should be much slower than usual. With the fix in place, the only Apparmor denial would be about reading the /dev/zdx device. This causes no visible problem nor slowdown. Original description: With libvirt-bin 1.3.1, starting a QEMU guest results in those AA denials: Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 audit(1455728783.639:73): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 audit(1455728783.639:74): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 audit(1455728783.639:75): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 audit(1455728783.639:76): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 virt-aa-helper's AA profile hasn't changed recently so it seems like the helper is doing more in this release. 
Additional information: $ lsb_release -rd Description: Ubuntu Xenial Xerus (development branch) Release: 16.04 $ apt-cache policy apparmor libvirt-bin apparmor:   Installed: 2.10-3ubuntu1   Candidate: 2.10-3ubuntu1   Version table:  *** 2.10-3ubuntu1 500         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages         100 /var/lib/dpkg/status libvirt-bin:   Installed: 1.3.1-1ubuntu1   Candidate: 1.3.1-1ubuntu1   Version table:  *** 1.3.1-1ubuntu1 500         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages         100 /var/lib/dpkg/status ProblemType: Bug DistroRelease: Ubuntu 16.04 Package: libvirt-bin 1.3.1-1ubuntu1 ProcVersionSignature: Ubuntu 4.4.0-5.20-generic 4.4.1 Uname: Linux 4.4.0-5-generic x86_64 NonfreeKernelModules: zfs zunicode zcommon znvpair zavl ApportVersion: 2.20-0ubuntu3 Architecture: amd64 CurrentDesktop: Unity Date: Wed Feb 17 13:08:04 2016 KernLog: SourcePackage: libvirt UpgradeStatus: No upgrade log present (probably fresh install) modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf'] modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted]
2016-11-14 14:49:13 Simon Déziel description Reproducing steps: 1) Sync Xenial cloud-image uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=xenial 2) Create a test guest with: uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test release=xenial arch=amd64 label=daily 3) Create a zvol zfs create -V 8G zlxd/xenial-kernel-test 4) Copy the qcow2 data to the zvol qemu-img convert -O raw \   /var/lib/uvtool/libvirt/images/xenial-kernel-test.qcow \   /dev/zvol/zlxd/xenial-kernel-test 5) Update the guest definition to use the zvol   <disk type='file' device='disk'>     <driver name='qemu' type='raw' cache='none'/>     <source file='/dev/zvol/zlxd/xenial-kernel-test'/>     <target dev='vda' bus='virtio'/>   </disk> 6) boot the guest virsh start xenial-kernel-test 7) check for apparmor denial messages dmesg | tail | grep apparmor Without the fix, Apparmor would report denials when accessing /etc/nsswitch.conf, /etc/host.conf, /etc/gai.conf, /run/resolvconf/resolv.conf and /dev/zdX (where X corresponds to the zvol number). Starting the guest should be much slower than usual. With the fix in place, the only Apparmor denial would be about reading the /dev/zdx device. This causes no visible problem nor slowdown. 
Original description: With libvirt-bin 1.3.1, starting a QEMU guest results in those AA denials: Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 audit(1455728783.639:73): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 audit(1455728783.639:74): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 audit(1455728783.639:75): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 audit(1455728783.639:76): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 virt-aa-helper's AA profile hasn't changed recently so it seems like the helper is doing more in this release. 
Additional information: $ lsb_release -rd Description: Ubuntu Xenial Xerus (development branch) Release: 16.04 $ apt-cache policy apparmor libvirt-bin apparmor:   Installed: 2.10-3ubuntu1   Candidate: 2.10-3ubuntu1   Version table:  *** 2.10-3ubuntu1 500         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages         100 /var/lib/dpkg/status libvirt-bin:   Installed: 1.3.1-1ubuntu1   Candidate: 1.3.1-1ubuntu1   Version table:  *** 1.3.1-1ubuntu1 500         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages         100 /var/lib/dpkg/status ProblemType: Bug DistroRelease: Ubuntu 16.04 Package: libvirt-bin 1.3.1-1ubuntu1 ProcVersionSignature: Ubuntu 4.4.0-5.20-generic 4.4.1 Uname: Linux 4.4.0-5-generic x86_64 NonfreeKernelModules: zfs zunicode zcommon znvpair zavl ApportVersion: 2.20-0ubuntu3 Architecture: amd64 CurrentDesktop: Unity Date: Wed Feb 17 13:08:04 2016 KernLog: SourcePackage: libvirt UpgradeStatus: No upgrade log present (probably fresh install) modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf'] modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted] Reproducing steps: 1) Sync Xenial cloud-image uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=xenial 2) Create a test guest with: uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test release=xenial arch=amd64 label=daily 3) Create a zvol zfs create -V 8G zlxd/xenial-kernel-test 4) Copy the qcow2 data to the zvol qemu-img convert -O raw \   /var/lib/uvtool/libvirt/images/xenial-kernel-test.qcow \   /dev/zvol/zlxd/xenial-kernel-test 5) Update the guest definition to use the zvol   <disk type='file' device='disk'>     <driver name='qemu' type='raw' cache='none'/>     <source file='/dev/zvol/zlxd/xenial-kernel-test'/>     <target dev='vda' bus='virtio'/>   </disk> 6) boot the guest virsh start xenial-kernel-test 7) check for 
apparmor denial messages dmesg | tail | grep apparmor Without the fix, Apparmor would report denials when accessing /etc/nsswitch.conf, /etc/host.conf, /etc/gai.conf, /run/resolvconf/resolv.conf and /dev/zdX (where X corresponds to the zvol number). Starting the guest should be much slower than usual. With the fix in place, the only Apparmor denial would be about reading the /dev/zdx device (see LP: #1641618). This causes no visible problem nor slowdown. Original description: With libvirt-bin 1.3.1, starting a QEMU guest results in those AA denials: Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 audit(1455728783.639:73): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 audit(1455728783.639:74): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 audit(1455728783.639:75): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 audit(1455728783.639:76): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 virt-aa-helper's AA profile hasn't changed recently so it seems like the helper is doing more in this release. 
Additional information: $ lsb_release -rd Description: Ubuntu Xenial Xerus (development branch) Release: 16.04 $ apt-cache policy apparmor libvirt-bin apparmor:   Installed: 2.10-3ubuntu1   Candidate: 2.10-3ubuntu1   Version table:  *** 2.10-3ubuntu1 500         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages         100 /var/lib/dpkg/status libvirt-bin:   Installed: 1.3.1-1ubuntu1   Candidate: 1.3.1-1ubuntu1   Version table:  *** 1.3.1-1ubuntu1 500         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages         100 /var/lib/dpkg/status ProblemType: Bug DistroRelease: Ubuntu 16.04 Package: libvirt-bin 1.3.1-1ubuntu1 ProcVersionSignature: Ubuntu 4.4.0-5.20-generic 4.4.1 Uname: Linux 4.4.0-5-generic x86_64 NonfreeKernelModules: zfs zunicode zcommon znvpair zavl ApportVersion: 2.20-0ubuntu3 Architecture: amd64 CurrentDesktop: Unity Date: Wed Feb 17 13:08:04 2016 KernLog: SourcePackage: libvirt UpgradeStatus: No upgrade log present (probably fresh install) modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf'] modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted]
2016-11-22 07:10:09 Launchpad Janitor libvirt (Ubuntu): status In Progress Fix Released
2016-11-22 09:04:04 Christian Ehrhardt  description Reproducing steps: 1) Sync Xenial cloud-image uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=xenial 2) Create a test guest with: uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test release=xenial arch=amd64 label=daily 3) Create a zvol zfs create -V 8G zlxd/xenial-kernel-test 4) Copy the qcow2 data to the zvol qemu-img convert -O raw \   /var/lib/uvtool/libvirt/images/xenial-kernel-test.qcow \   /dev/zvol/zlxd/xenial-kernel-test 5) Update the guest definition to use the zvol   <disk type='file' device='disk'>     <driver name='qemu' type='raw' cache='none'/>     <source file='/dev/zvol/zlxd/xenial-kernel-test'/>     <target dev='vda' bus='virtio'/>   </disk> 6) boot the guest virsh start xenial-kernel-test 7) check for apparmor denial messages dmesg | tail | grep apparmor Without the fix, Apparmor would report denials when accessing /etc/nsswitch.conf, /etc/host.conf, /etc/gai.conf, /run/resolvconf/resolv.conf and /dev/zdX (where X corresponds to the zvol number). Starting the guest should be much slower than usual. With the fix in place, the only Apparmor denial would be about reading the /dev/zdx device (see LP: #1641618). This causes no visible problem nor slowdown. 
Original description: With libvirt-bin 1.3.1, starting a QEMU guest results in those AA denials: Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 audit(1455728783.639:73): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 audit(1455728783.639:74): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 audit(1455728783.639:75): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 audit(1455728783.639:76): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 virt-aa-helper's AA profile hasn't changed recently so it seems like the helper is doing more in this release. 
Additional information: $ lsb_release -rd Description: Ubuntu Xenial Xerus (development branch) Release: 16.04 $ apt-cache policy apparmor libvirt-bin apparmor:   Installed: 2.10-3ubuntu1   Candidate: 2.10-3ubuntu1   Version table:  *** 2.10-3ubuntu1 500         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages         100 /var/lib/dpkg/status libvirt-bin:   Installed: 1.3.1-1ubuntu1   Candidate: 1.3.1-1ubuntu1   Version table:  *** 1.3.1-1ubuntu1 500         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages         100 /var/lib/dpkg/status ProblemType: Bug DistroRelease: Ubuntu 16.04 Package: libvirt-bin 1.3.1-1ubuntu1 ProcVersionSignature: Ubuntu 4.4.0-5.20-generic 4.4.1 Uname: Linux 4.4.0-5-generic x86_64 NonfreeKernelModules: zfs zunicode zcommon znvpair zavl ApportVersion: 2.20-0ubuntu3 Architecture: amd64 CurrentDesktop: Unity Date: Wed Feb 17 13:08:04 2016 KernLog: SourcePackage: libvirt UpgradeStatus: No upgrade log present (probably fresh install) modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf'] modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted] [Impact] * Apparmor denies several hostname related accesses by libvirt causing severe slowdowns in some cases. [Test Case] * Note: while there are various ways to trigger it - many have seen the issue, but often it is unclear when exactly it will trigger or does no more. So some of the repo-cases have proven to be unreliable - thanks Simon for this Repro howto listed here. 
(simplified as it turned out zvols are not needed according to comment #22)
1) Sync Xenial cloud-image
uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=xenial
2) Create a test guest with:
uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test release=xenial arch=amd64 label=daily
3) stop it and add an extra volume in a way like this snippet
$ virsh shutdown xenial-kernel-test
$ virsh edit xenial-kernel-test
<disk type='file' device='disk'>
  <driver name='qemu' type='raw' cache='none'/>
  <source file='/dev/sda4'/>
  <target dev='vdc' bus='virtio'/>
</disk>
4) start the guest
virsh start xenial-kernel-test
6) check for apparmor denial messages
dmesg | tail | grep apparmor
Without the fix, Apparmor would report denials when accessing /etc/nsswitch.conf, /etc/host.conf, /etc/gai.conf, /run/resolvconf/resolv.conf and /dev/zdX (where X corresponds to the zvol number). Starting the guest should be much slower than usual. With the fix in place no related Apparmor denials show up.
[Regression Potential]
* The fix is rather small and "only" opens up apparmor confinement a bit. That makes us assume that the potential for regression should be minimal.
############### Original description: With libvirt-bin 1.3.1, starting a QEMU guest results in those AA denials: Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 audit(1455728783.639:73): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 audit(1455728783.639:74): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 audit(1455728783.639:75): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 audit(1455728783.639:76): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 virt-aa-helper's AA profile hasn't changed recently so it seems like the helper is doing more in this release. 
Additional information: $ lsb_release -rd Description: Ubuntu Xenial Xerus (development branch) Release: 16.04 $ apt-cache policy apparmor libvirt-bin apparmor:   Installed: 2.10-3ubuntu1   Candidate: 2.10-3ubuntu1   Version table:  *** 2.10-3ubuntu1 500         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages         100 /var/lib/dpkg/status libvirt-bin:   Installed: 1.3.1-1ubuntu1   Candidate: 1.3.1-1ubuntu1   Version table:  *** 1.3.1-1ubuntu1 500         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages         100 /var/lib/dpkg/status ProblemType: Bug DistroRelease: Ubuntu 16.04 Package: libvirt-bin 1.3.1-1ubuntu1 ProcVersionSignature: Ubuntu 4.4.0-5.20-generic 4.4.1 Uname: Linux 4.4.0-5-generic x86_64 NonfreeKernelModules: zfs zunicode zcommon znvpair zavl ApportVersion: 2.20-0ubuntu3 Architecture: amd64 CurrentDesktop: Unity Date: Wed Feb 17 13:08:04 2016 KernLog: SourcePackage: libvirt UpgradeStatus: No upgrade log present (probably fresh install) modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf'] modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted]
2016-11-23 22:31:47 Martin Pitt libvirt (Ubuntu): status Fix Released In Progress
2016-12-01 06:40:29 Launchpad Janitor libvirt (Ubuntu): status In Progress Fix Released
2016-12-12 07:42:16 Martin Pitt libvirt (Ubuntu Xenial): status Triaged Fix Committed
2016-12-12 07:42:17 Martin Pitt bug added subscriber Ubuntu Stable Release Updates Team
2016-12-12 07:42:19 Martin Pitt bug added subscriber SRU Verification
2016-12-12 07:42:27 Martin Pitt tags amd64 apport-bug bitesize patch server-next xenial amd64 apport-bug bitesize patch server-next verification-needed xenial
2016-12-12 14:34:56 Simon Déziel tags amd64 apport-bug bitesize patch server-next verification-needed xenial amd64 apport-bug bitesize patch server-next verification-done xenial
2017-01-13 00:08:36 Launchpad Janitor libvirt (Ubuntu Xenial): status Fix Committed Fix Released
2017-01-13 00:08:45 Brian Murray removed subscriber Ubuntu Stable Release Updates Team