2016-02-17 18:14:25 |
Simon Déziel |
bug |
|
|
added bug |
2016-02-17 22:33:16 |
Serge Hallyn |
libvirt (Ubuntu): status |
New |
Confirmed |
|
2016-02-21 17:38:49 |
Alberto Salvia Novella |
libvirt (Ubuntu): importance |
Undecided |
High |
|
2016-02-26 04:41:19 |
Serge Hallyn |
libvirt (Ubuntu): status |
Confirmed |
Triaged |
|
2016-08-05 02:47:54 |
Matt LaPlante |
bug |
|
|
added subscriber Matt LaPlante |
2016-08-16 03:43:11 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Server Team |
2016-08-16 03:43:19 |
Robie Basak |
tags |
amd64 apport-bug xenial |
amd64 apport-bug bitesize server-next xenial |
|
2016-10-07 08:20:59 |
Stefan Bader |
nominated for series |
|
Ubuntu Xenial |
|
2016-10-07 08:20:59 |
Stefan Bader |
bug task added |
|
libvirt (Ubuntu Xenial) |
|
2016-10-07 08:21:26 |
Stefan Bader |
libvirt (Ubuntu Xenial): importance |
Undecided |
Medium |
|
2016-10-07 08:21:26 |
Stefan Bader |
libvirt (Ubuntu Xenial): status |
New |
Triaged |
|
2016-10-07 13:03:36 |
Simon Déziel |
attachment added |
|
Guest definition that triggers the bug https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+attachment/4756708/+files/apt.xml |
|
2016-10-18 08:25:59 |
Christian Ehrhardt |
libvirt (Ubuntu Xenial): assignee |
|
ChristianEhrhardt (paelzer) |
|
2016-10-18 08:26:02 |
Christian Ehrhardt |
libvirt (Ubuntu): assignee |
|
ChristianEhrhardt (paelzer) |
|
2016-10-18 08:26:22 |
Christian Ehrhardt |
bug |
|
|
added subscriber ChristianEhrhardt |
2016-10-26 15:13:07 |
MNLipp |
bug |
|
|
added subscriber MNLipp |
2016-10-26 20:42:27 |
Simon Déziel |
attachment added |
|
aa-libvirt-qemu.patch https://bugs.launchpad.net/bugs/1546674/+attachment/4767869/+files/aa-libvirt-qemu.patch |
|
2016-10-26 20:42:27 |
Simon Déziel |
attachment added |
|
apparmor-syslog.log https://bugs.launchpad.net/bugs/1546674/+attachment/4767870/+files/apparmor-syslog.log |
|
2016-10-27 00:26:02 |
Ubuntu Foundations Team Bug Bot |
tags |
amd64 apport-bug bitesize server-next xenial |
amd64 apport-bug bitesize patch server-next xenial |
|
2016-10-27 00:26:12 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
2016-11-14 10:24:05 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
Triaged |
In Progress |
|
2016-11-14 14:19:50 |
Simon Déziel |
description |
With libvirt-bin 1.3.1, starting a QEMU guest results in those AA denials:
Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 audit(1455728783.639:73): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 audit(1455728783.639:74): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 audit(1455728783.639:75): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 audit(1455728783.639:76): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
virt-aa-helper's AA profile hasn't changed recently so it seems like the helper is doing more in this release.
Additional information:
$ lsb_release -rd
Description: Ubuntu Xenial Xerus (development branch)
Release: 16.04
$ apt-cache policy apparmor libvirt-bin
apparmor:
Installed: 2.10-3ubuntu1
Candidate: 2.10-3ubuntu1
Version table:
*** 2.10-3ubuntu1 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
libvirt-bin:
Installed: 1.3.1-1ubuntu1
Candidate: 1.3.1-1ubuntu1
Version table:
*** 1.3.1-1ubuntu1 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: libvirt-bin 1.3.1-1ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-5.20-generic 4.4.1
Uname: Linux 4.4.0-5-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Feb 17 13:08:04 2016
KernLog:
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf']
modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted] |
Reproducing steps:
1) Sync Xenial cloud-image
uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=xenial
2) Create a test guest with:
uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test release=xenial arch=amd64 label=daily
3) Create a zvol
zfs create -V 8G zlxd/xenial-kernel-test
4) Copy the qcow2 data to the zvol
qemu-img convert -O raw \
/var/lib/uvtool/libvirt/images/xenial-kernel-test.qcow \
/dev/zvol/zlxd/xenial-kernel-test
5) Update the guest definition to use the zvol
<disk type='file' device='disk'>
<driver name='qemu' type='raw' cache='none'/>
<source file='/dev/zvol/zlxd/xenial-kernel-test'/>
<target dev='vda' bus='virtio'/>
</disk>
6) boot the guest
virsh start xenial-kernel-test
7) check for apparmor denial messages
dmesg | tail | grep apparmor
Without the fix, Apparmor would report denials when accessing /etc/nsswitch.conf, /etc/host.conf, /etc/gai.conf, /run/resolvconf/resolv.conf and /dev/zvolX (where X corresponds to the zvol number). Starting the guest should be much slower than usual.
With the fix in place, the only Apparmor denial would be about reading the /dev/zvolx device. This causes no visible problem nor slowdown.
Original description:
With libvirt-bin 1.3.1, starting a QEMU guest results in those AA denials:
Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 audit(1455728783.639:73): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 audit(1455728783.639:74): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 audit(1455728783.639:75): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 audit(1455728783.639:76): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
virt-aa-helper's AA profile hasn't changed recently so it seems like the helper is doing more in this release.
Additional information:
$ lsb_release -rd
Description: Ubuntu Xenial Xerus (development branch)
Release: 16.04
$ apt-cache policy apparmor libvirt-bin
apparmor:
Installed: 2.10-3ubuntu1
Candidate: 2.10-3ubuntu1
Version table:
*** 2.10-3ubuntu1 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
libvirt-bin:
Installed: 1.3.1-1ubuntu1
Candidate: 1.3.1-1ubuntu1
Version table:
*** 1.3.1-1ubuntu1 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: libvirt-bin 1.3.1-1ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-5.20-generic 4.4.1
Uname: Linux 4.4.0-5-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Feb 17 13:08:04 2016
KernLog:
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf']
modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted] |
|
2016-11-14 14:21:50 |
Simon Déziel |
description |
Reproducing steps:
1) Sync Xenial cloud-image
uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=xenial
2) Create a test guest with:
uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test release=xenial arch=amd64 label=daily
3) Create a zvol
zfs create -V 8G zlxd/xenial-kernel-test
4) Copy the qcow2 data to the zvol
qemu-img convert -O raw \
/var/lib/uvtool/libvirt/images/xenial-kernel-test.qcow \
/dev/zvol/zlxd/xenial-kernel-test
5) Update the guest definition to use the zvol
<disk type='file' device='disk'>
<driver name='qemu' type='raw' cache='none'/>
<source file='/dev/zvol/zlxd/xenial-kernel-test'/>
<target dev='vda' bus='virtio'/>
</disk>
6) boot the guest
virsh start xenial-kernel-test
7) check for apparmor denial messages
dmesg | tail | grep apparmor
Without the fix, Apparmor would report denials when accessing /etc/nsswitch.conf, /etc/host.conf, /etc/gai.conf, /run/resolvconf/resolv.conf and /dev/zdX (where X corresponds to the zvol number). Starting the guest should be much slower than usual.
With the fix in place, the only Apparmor denial would be about reading the /dev/zdx device. This causes no visible problem nor slowdown.
Original description:
With libvirt-bin 1.3.1, starting a QEMU guest results in those AA denials:
Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 audit(1455728783.639:73): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 audit(1455728783.639:74): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 audit(1455728783.639:75): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 audit(1455728783.639:76): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
virt-aa-helper's AA profile hasn't changed recently so it seems like the helper is doing more in this release.
Additional information:
$ lsb_release -rd
Description: Ubuntu Xenial Xerus (development branch)
Release: 16.04
$ apt-cache policy apparmor libvirt-bin
apparmor:
Installed: 2.10-3ubuntu1
Candidate: 2.10-3ubuntu1
Version table:
*** 2.10-3ubuntu1 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
libvirt-bin:
Installed: 1.3.1-1ubuntu1
Candidate: 1.3.1-1ubuntu1
Version table:
*** 1.3.1-1ubuntu1 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: libvirt-bin 1.3.1-1ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-5.20-generic 4.4.1
Uname: Linux 4.4.0-5-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Feb 17 13:08:04 2016
KernLog:
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf']
modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted] |
|
2016-11-14 14:49:13 |
Simon Déziel |
description |
Reproducing steps:
1) Sync Xenial cloud-image
uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=xenial
2) Create a test guest with:
uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test release=xenial arch=amd64 label=daily
3) Create a zvol
zfs create -V 8G zlxd/xenial-kernel-test
4) Copy the qcow2 data to the zvol
qemu-img convert -O raw \
/var/lib/uvtool/libvirt/images/xenial-kernel-test.qcow \
/dev/zvol/zlxd/xenial-kernel-test
5) Update the guest definition to use the zvol
<disk type='file' device='disk'>
<driver name='qemu' type='raw' cache='none'/>
<source file='/dev/zvol/zlxd/xenial-kernel-test'/>
<target dev='vda' bus='virtio'/>
</disk>
6) boot the guest
virsh start xenial-kernel-test
7) check for apparmor denial messages
dmesg | tail | grep apparmor
Without the fix, Apparmor would report denials when accessing /etc/nsswitch.conf, /etc/host.conf, /etc/gai.conf, /run/resolvconf/resolv.conf and /dev/zdX (where X corresponds to the zvol number). Starting the guest should be much slower than usual.
With the fix in place, the only Apparmor denial would be about reading the /dev/zdx device (see LP: #1641618). This causes no visible problem nor slowdown.
Original description:
With libvirt-bin 1.3.1, starting a QEMU guest results in those AA denials:
Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 audit(1455728783.639:73): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 audit(1455728783.639:74): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 audit(1455728783.639:75): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 audit(1455728783.639:76): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
virt-aa-helper's AA profile hasn't changed recently so it seems like the helper is doing more in this release.
Additional information:
$ lsb_release -rd
Description: Ubuntu Xenial Xerus (development branch)
Release: 16.04
$ apt-cache policy apparmor libvirt-bin
apparmor:
Installed: 2.10-3ubuntu1
Candidate: 2.10-3ubuntu1
Version table:
*** 2.10-3ubuntu1 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
libvirt-bin:
Installed: 1.3.1-1ubuntu1
Candidate: 1.3.1-1ubuntu1
Version table:
*** 1.3.1-1ubuntu1 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: libvirt-bin 1.3.1-1ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-5.20-generic 4.4.1
Uname: Linux 4.4.0-5-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Feb 17 13:08:04 2016
KernLog:
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf']
modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted] |
|
2016-11-22 07:10:09 |
Launchpad Janitor |
libvirt (Ubuntu): status |
In Progress |
Fix Released |
|
2016-11-22 09:04:04 |
Christian Ehrhardt |
description |
[Impact]
* Apparmor denies several hostname related accesses by libvirt causing
severe slowdowns in some cases.
[Test Case]
* Note: while there are various ways to trigger it - many have seen the
issue, but often it is unclear when exactly it will trigger or does no
more. So some of the repro-cases have proven to be unreliable - thanks
Simon for this Repro howto listed here. (simplified as it turned out
zvols are not needed according to comment #22)
1) Sync Xenial cloud-image
uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=xenial
2) Create a test guest with:
uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test release=xenial arch=amd64 label=daily
3) stop it and add an extra volume in a way like this snippet
$ virsh shutdown xenial-kernel-test
$ virsh edit xenial-kernel-test
<disk type='file' device='disk'>
<driver name='qemu' type='raw' cache='none'/>
<source file='/dev/sda4'/>
<target dev='vdc' bus='virtio'/>
</disk>
4) start the guest
virsh start xenial-kernel-test
6) check for apparmor denial messages
dmesg | tail | grep apparmor
Without the fix, Apparmor would report denials when accessing /etc/nsswitch.conf, /etc/host.conf, /etc/gai.conf, /run/resolvconf/resolv.conf and /dev/zdX (where X corresponds to the zvol number). Starting the guest should be much slower than usual.
With the fix in place no related Apparmor denials show up.
[Regression Potential]
* The fix is rather small and "only" opens up apparmor confinement a bit.
That makes us assume that the potential for regression should be
minimal.
###############
Original description:
With libvirt-bin 1.3.1, starting a QEMU guest results in those AA denials:
Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 audit(1455728783.639:73): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 audit(1455728783.639:74): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 audit(1455728783.639:75): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 audit(1455728783.639:76): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
virt-aa-helper's AA profile hasn't changed recently so it seems like the helper is doing more in this release.
Additional information:
$ lsb_release -rd
Description: Ubuntu Xenial Xerus (development branch)
Release: 16.04
$ apt-cache policy apparmor libvirt-bin
apparmor:
Installed: 2.10-3ubuntu1
Candidate: 2.10-3ubuntu1
Version table:
*** 2.10-3ubuntu1 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
libvirt-bin:
Installed: 1.3.1-1ubuntu1
Candidate: 1.3.1-1ubuntu1
Version table:
*** 1.3.1-1ubuntu1 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: libvirt-bin 1.3.1-1ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-5.20-generic 4.4.1
Uname: Linux 4.4.0-5-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Feb 17 13:08:04 2016
KernLog:
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf']
modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted] |
|
2016-11-23 22:31:47 |
Martin Pitt |
libvirt (Ubuntu): status |
Fix Released |
In Progress |
|
2016-12-01 06:40:29 |
Launchpad Janitor |
libvirt (Ubuntu): status |
In Progress |
Fix Released |
|
2016-12-12 07:42:16 |
Martin Pitt |
libvirt (Ubuntu Xenial): status |
Triaged |
Fix Committed |
|
2016-12-12 07:42:17 |
Martin Pitt |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2016-12-12 07:42:19 |
Martin Pitt |
bug |
|
|
added subscriber SRU Verification |
2016-12-12 07:42:27 |
Martin Pitt |
tags |
amd64 apport-bug bitesize patch server-next xenial |
amd64 apport-bug bitesize patch server-next verification-needed xenial |
|
2016-12-12 14:34:56 |
Simon Déziel |
tags |
amd64 apport-bug bitesize patch server-next verification-needed xenial |
amd64 apport-bug bitesize patch server-next verification-done xenial |
|
2017-01-13 00:08:36 |
Launchpad Janitor |
libvirt (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2017-01-13 00:08:45 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|