| 2016-10-13 20:00:34 |
bugproxy |
bug |
|
|
added bug |
| 2016-10-13 20:00:37 |
bugproxy |
tags |
|
architecture-ppc64le bugnameltc-145787 severity-critical targetmilestone-inin1610 |
|
| 2016-10-13 20:00:52 |
bugproxy |
attachment added |
|
sosreport https://bugs.launchpad.net/bugs/1633207/+attachment/4760577/+files/sosreport-satheesh.145787-20160901024653.tar.xz |
|
| 2016-10-13 20:00:55 |
bugproxy |
ubuntu: assignee |
|
Taco Screen team (taco-screen-team) |
|
| 2016-10-13 20:00:58 |
bugproxy |
affects |
ubuntu |
libvirt (Ubuntu) |
|
| 2016-10-18 07:23:57 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
New |
Incomplete |
|
| 2016-10-18 07:24:04 |
Christian Ehrhardt |
bug |
|
|
added subscriber ChristianEhrhardt |
| 2016-10-18 13:02:03 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
Incomplete |
Confirmed |
|
| 2016-10-27 08:09:57 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Server Team |
| 2016-10-27 14:48:07 |
Christian Ehrhardt |
libvirt (Ubuntu): importance |
Undecided |
Medium |
|
| 2016-10-27 14:49:56 |
Christian Ehrhardt |
tags |
architecture-ppc64le bugnameltc-145787 severity-critical targetmilestone-inin1610 |
architecture-ppc64le bugnameltc-145787 regression-release severity-critical targetmilestone-inin1610 |
|
| 2016-10-28 09:56:26 |
Christian Ehrhardt |
bug |
|
|
added subscriber Guido Günther |
| 2016-11-14 10:23:59 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
Confirmed |
In Progress |
|
| 2016-11-22 07:10:09 |
Launchpad Janitor |
libvirt (Ubuntu): status |
In Progress |
Fix Released |
|
| 2016-11-22 08:09:56 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Yakkety |
|
| 2016-11-22 08:09:56 |
Christian Ehrhardt |
bug task added |
|
libvirt (Ubuntu Yakkety) |
|
| 2016-11-22 08:10:03 |
Christian Ehrhardt |
libvirt (Ubuntu Yakkety): status |
New |
Triaged |
|
| 2016-11-22 08:10:06 |
Christian Ehrhardt |
libvirt (Ubuntu Yakkety): importance |
Undecided |
Low |
|
| 2016-12-01 09:05:24 |
Christian Ehrhardt |
description |
---Problem Description---
VM fails to start with dac security driver added
---uname output---
Linux ltc-test-ci1 4.4.0-9136-generic #55-Ubuntu SMP Fri Aug 26 05:56:24 UTC 2016 ppc64le ppc64le ppc64le GNU/Linux
Machine Type = power 8 ppc64le
---Steps to Reproduce---
VM fails to start with dac security driver added
1. Define a VM with both apparmor and dac security driver( Used XML as below)
#virsh dumpxml virt-tests-vm1
<domain type='kvm'>
<name>virt-tests-vm1</name>
<uuid>0491f0cd-eb14-4992-be4c-53a1adf1d314</uuid>
<memory unit='KiB'>33554432</memory>
<currentMemory unit='KiB'>33554432</currentMemory>
<vcpu placement='static'>32</vcpu>
<resource>
<partition>/machine</partition>
</resource>
<os>
<type arch='ppc64le' machine='pseries-2.6'>hvm</type>
<boot dev='hd'/>
</os>
<cpu>
<topology sockets='1' cores='32' threads='1'/>
</cpu>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>restart</on_crash>
<devices>
<emulator>/usr/bin/kvm</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/var/lib/libvirt/images/sath/avocado-fvt-wrapper/data/avocado-vt/images/ubuntu-16.10-ppc64le.qcow2'/>
<target dev='sda' bus='scsi'/>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
<controller type='usb' index='0'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</controller>
<controller type='pci' index='0' model='pci-root'/>
<controller type='scsi' index='0'>
<address type='spapr-vio' reg='0x2000'/>
</controller>
<interface type='bridge'>
<mac address='52:54:00:e2:e3:e4'/>
<source bridge='virbr0'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
</interface>
<serial type='pty'>
<target port='0'/>
<address type='spapr-vio' reg='0x30000000'/>
</serial>
<console type='pty'>
<target type='serial' port='0'/>
<address type='spapr-vio' reg='0x30000000'/>
</console>
<memballoon model='virtio'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</memballoon>
<panic model='pseries'/>
</devices>
<seclabel type='dynamic' model='apparmor' relabel='yes'/>
<seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>
2. virsh start virt-tests-vm1
#virsh start virt-tests-vm1
error: Failed to start domain virt-tests-vm1
error: internal error: cannot load AppArmor profile 'libvirt-0491f0cd-eb14-4992-be4c-53a1adf1d314'------NOK
3. After removing dac line from xml(<seclabel type='dynamic' model='dac' relabel='yes'/>) VM started fine
#virsh start virt-tests-vm1
Domain virt-tests-vm1 started
Userspace tool common name: ii libvirt-bin 2.1.0-1ubuntu5 ppc64el programs for the libvirt library
The userspace tool has the following bit modes: both
Userspace package: ii libvirt-bin 2.1.0-1ubuntu5 ppc64el programs for the libvirt library |
[Impact]
* Due to an upstream change in libvirt 2.0 users of libvirt >=2.0
(that is >=Yakkety) can't use non apparmor security labels anymore.
* That means old guest definitions that should still work fail to start
now
* The issue was in virt-aa-helper, the proposed fix was tested and then
brought upstream. This is a backport of the upstream accepted fix.
[Test Case]
* Testcase with virt-aa-helper on a minimal xml:
$ cat << EOF > /tmp/test.xml
<domain type='kvm'>
<name>test-seclabel</name>
<uuid>12345678-9abc-def1-2345-6789abcdef00</uuid>
<memory unit='KiB'>1</memory>
<os><type arch='x86_64'>hvm</type></os>
<seclabel type='dynamic' model='apparmor' relabel='yes'/>
<seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>
EOF
$ /usr/lib/libvirt/virt-aa-helper -d -r -p 0 \
-u libvirt-12345678-9abc-def1-2345-6789abcdef00 < /tmp/test.xml
Current Result:
virt-aa-helper: error: could not parse XML
virt-aa-helper: error: could not get VM definition
Expected Result is to emit a valid apparmor profile
* The more complex test is to create a guest (whatever way you like) and
add an empty dac security label (as shown above) to then start the
guest.
Current Result:
error: Failed to start domain yakkety-doubleseclabel
error: internal error: cannot load AppArmor profile 'libvirt-8746b00d-aad1-4346-8784-2d4331465153'
Expected Result:
properly staring the guest
[Regression Potential]
* The change is in the parsing of domain info in domain.conf. While no
local nor upstream tests broke anything one could think of very special
xml configuation that now might fail parsing. OTOH the new change now
skips some of the parsing, so even if we miss to consider something it
shouldn't fail, but instead "forget" to read some data correctly. The
part that we skip are seclabels which are created dynamically anyway.
* Also the changed flag is local to virt-aa-helper.c so and guarded by
that flag in domain_conf.c so it should be a no-op to anybody but virt-
aa-helper for sure.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
---Problem Description---
VM fails to start with dac security driver added
---uname output---
Linux ltc-test-ci1 4.4.0-9136-generic #55-Ubuntu SMP Fri Aug 26 05:56:24 UTC 2016 ppc64le ppc64le ppc64le GNU/Linux
Machine Type = power 8 ppc64le
---Steps to Reproduce---
VM fails to start with dac security driver added
1. Define a VM with both apparmor and dac security driver( Used XML as below)
#virsh dumpxml virt-tests-vm1
<domain type='kvm'>
<name>virt-tests-vm1</name>
<uuid>0491f0cd-eb14-4992-be4c-53a1adf1d314</uuid>
<memory unit='KiB'>33554432</memory>
<currentMemory unit='KiB'>33554432</currentMemory>
<vcpu placement='static'>32</vcpu>
<resource>
<partition>/machine</partition>
</resource>
<os>
<type arch='ppc64le' machine='pseries-2.6'>hvm</type>
<boot dev='hd'/>
</os>
<cpu>
<topology sockets='1' cores='32' threads='1'/>
</cpu>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>restart</on_crash>
<devices>
<emulator>/usr/bin/kvm</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/var/lib/libvirt/images/sath/avocado-fvt-wrapper/data/avocado-vt/images/ubuntu-16.10-ppc64le.qcow2'/>
<target dev='sda' bus='scsi'/>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
<controller type='usb' index='0'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</controller>
<controller type='pci' index='0' model='pci-root'/>
<controller type='scsi' index='0'>
<address type='spapr-vio' reg='0x2000'/>
</controller>
<interface type='bridge'>
<mac address='52:54:00:e2:e3:e4'/>
<source bridge='virbr0'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
</interface>
<serial type='pty'>
<target port='0'/>
<address type='spapr-vio' reg='0x30000000'/>
</serial>
<console type='pty'>
<target type='serial' port='0'/>
<address type='spapr-vio' reg='0x30000000'/>
</console>
<memballoon model='virtio'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</memballoon>
<panic model='pseries'/>
</devices>
<seclabel type='dynamic' model='apparmor' relabel='yes'/>
<seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>
2. virsh start virt-tests-vm1
#virsh start virt-tests-vm1
error: Failed to start domain virt-tests-vm1
error: internal error: cannot load AppArmor profile 'libvirt-0491f0cd-eb14-4992-be4c-53a1adf1d314'------NOK
3. After removing dac line from xml(<seclabel type='dynamic' model='dac' relabel='yes'/>) VM started fine
#virsh start virt-tests-vm1
Domain virt-tests-vm1 started
Userspace tool common name: ii libvirt-bin 2.1.0-1ubuntu5 ppc64el programs for the libvirt library
The userspace tool has the following bit modes: both
Userspace package: ii libvirt-bin 2.1.0-1ubuntu5 ppc64el programs for the libvirt library |
|
| 2016-12-01 09:06:04 |
Christian Ehrhardt |
description |
[Impact]
* Due to an upstream change in libvirt 2.0 users of libvirt >=2.0
(that is >=Yakkety) can't use non apparmor security labels anymore.
* That means old guest definitions that should still work fail to start
now
* The issue was in virt-aa-helper, the proposed fix was tested and then
brought upstream. This is a backport of the upstream accepted fix.
[Test Case]
* Testcase with virt-aa-helper on a minimal xml:
$ cat << EOF > /tmp/test.xml
<domain type='kvm'>
<name>test-seclabel</name>
<uuid>12345678-9abc-def1-2345-6789abcdef00</uuid>
<memory unit='KiB'>1</memory>
<os><type arch='x86_64'>hvm</type></os>
<seclabel type='dynamic' model='apparmor' relabel='yes'/>
<seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>
EOF
$ /usr/lib/libvirt/virt-aa-helper -d -r -p 0 \
-u libvirt-12345678-9abc-def1-2345-6789abcdef00 < /tmp/test.xml
Current Result:
virt-aa-helper: error: could not parse XML
virt-aa-helper: error: could not get VM definition
Expected Result is to emit a valid apparmor profile
* The more complex test is to create a guest (whatever way you like) and
add an empty dac security label (as shown above) to then start the
guest.
Current Result:
error: Failed to start domain yakkety-doubleseclabel
error: internal error: cannot load AppArmor profile 'libvirt-8746b00d-aad1-4346-8784-2d4331465153'
Expected Result:
properly staring the guest
[Regression Potential]
* The change is in the parsing of domain info in domain.conf. While no
local nor upstream tests broke anything one could think of very special
xml configuation that now might fail parsing. OTOH the new change now
skips some of the parsing, so even if we miss to consider something it
shouldn't fail, but instead "forget" to read some data correctly. The
part that we skip are seclabels which are created dynamically anyway.
* Also the changed flag is local to virt-aa-helper.c so and guarded by
that flag in domain_conf.c so it should be a no-op to anybody but virt-
aa-helper for sure.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
---Problem Description---
VM fails to start with dac security driver added
---uname output---
Linux ltc-test-ci1 4.4.0-9136-generic #55-Ubuntu SMP Fri Aug 26 05:56:24 UTC 2016 ppc64le ppc64le ppc64le GNU/Linux
Machine Type = power 8 ppc64le
---Steps to Reproduce---
VM fails to start with dac security driver added
1. Define a VM with both apparmor and dac security driver( Used XML as below)
#virsh dumpxml virt-tests-vm1
<domain type='kvm'>
<name>virt-tests-vm1</name>
<uuid>0491f0cd-eb14-4992-be4c-53a1adf1d314</uuid>
<memory unit='KiB'>33554432</memory>
<currentMemory unit='KiB'>33554432</currentMemory>
<vcpu placement='static'>32</vcpu>
<resource>
<partition>/machine</partition>
</resource>
<os>
<type arch='ppc64le' machine='pseries-2.6'>hvm</type>
<boot dev='hd'/>
</os>
<cpu>
<topology sockets='1' cores='32' threads='1'/>
</cpu>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>restart</on_crash>
<devices>
<emulator>/usr/bin/kvm</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/var/lib/libvirt/images/sath/avocado-fvt-wrapper/data/avocado-vt/images/ubuntu-16.10-ppc64le.qcow2'/>
<target dev='sda' bus='scsi'/>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
<controller type='usb' index='0'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</controller>
<controller type='pci' index='0' model='pci-root'/>
<controller type='scsi' index='0'>
<address type='spapr-vio' reg='0x2000'/>
</controller>
<interface type='bridge'>
<mac address='52:54:00:e2:e3:e4'/>
<source bridge='virbr0'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
</interface>
<serial type='pty'>
<target port='0'/>
<address type='spapr-vio' reg='0x30000000'/>
</serial>
<console type='pty'>
<target type='serial' port='0'/>
<address type='spapr-vio' reg='0x30000000'/>
</console>
<memballoon model='virtio'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</memballoon>
<panic model='pseries'/>
</devices>
<seclabel type='dynamic' model='apparmor' relabel='yes'/>
<seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>
2. virsh start virt-tests-vm1
#virsh start virt-tests-vm1
error: Failed to start domain virt-tests-vm1
error: internal error: cannot load AppArmor profile 'libvirt-0491f0cd-eb14-4992-be4c-53a1adf1d314'------NOK
3. After removing dac line from xml(<seclabel type='dynamic' model='dac' relabel='yes'/>) VM started fine
#virsh start virt-tests-vm1
Domain virt-tests-vm1 started
Userspace tool common name: ii libvirt-bin 2.1.0-1ubuntu5 ppc64el programs for the libvirt library
The userspace tool has the following bit modes: both
Userspace package: ii libvirt-bin 2.1.0-1ubuntu5 ppc64el programs for the libvirt library |
[Impact]
* Due to an upstream change in libvirt 2.0 users of libvirt >=2.0
(that is >=Yakkety) can't use non apparmor security labels anymore.
* That means old guest definitions that should still work fail to start
now
* The issue was in virt-aa-helper, the proposed fix was tested and then
brought upstream. This is a backport of the upstream accepted fix.
[Test Case]
* Testcase with virt-aa-helper on a minimal xml:
$ cat << EOF > /tmp/test.xml
<domain type='kvm'>
<name>test-seclabel</name>
<uuid>12345678-9abc-def1-2345-6789abcdef00</uuid>
<memory unit='KiB'>1</memory>
<os><type arch='x86_64'>hvm</type></os>
<seclabel type='dynamic' model='apparmor' relabel='yes'/>
<seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>
EOF
$ /usr/lib/libvirt/virt-aa-helper -d -r -p 0 \
-u libvirt-12345678-9abc-def1-2345-6789abcdef00 < /tmp/test.xml
Current Result:
virt-aa-helper: error: could not parse XML
virt-aa-helper: error: could not get VM definition
Expected Result is to emit a valid apparmor profile
* The more complex test is to create a guest (whatever way you like) and
add an empty dac security label (as shown above) to then start the
guest.
Current Result:
error: Failed to start domain yakkety-doubleseclabel
error: internal error: cannot load AppArmor profile 'libvirt-8746b00d-aad1-4346-8784-2d4331465153'
Expected Result:
properly staring the guest
[Regression Potential]
* The change is in the parsing of domain info in domain.conf. While no
local nor upstream tests broke anything one could think of very special
xml configuation that now might fail parsing. OTOH the new change now
skips some of the parsing, so even if we miss to consider something it
shouldn't fail, but instead "forget" to read some data correctly. The
part that we skip are seclabels which are created dynamically anyway.
* Also the changed flag is local to virt-aa-helper.c so and guarded by
that flag in domain_conf.c so it should be a no-op to anybody but virt-
aa-helper for sure.
[Other Info]
* N/A
---Problem Description---
VM fails to start with dac security driver added
---uname output---
Linux ltc-test-ci1 4.4.0-9136-generic #55-Ubuntu SMP Fri Aug 26 05:56:24 UTC 2016 ppc64le ppc64le ppc64le GNU/Linux
Machine Type = power 8 ppc64le
---Steps to Reproduce---
VM fails to start with dac security driver added
1. Define a VM with both apparmor and dac security driver( Used XML as below)
#virsh dumpxml virt-tests-vm1
<domain type='kvm'>
<name>virt-tests-vm1</name>
<uuid>0491f0cd-eb14-4992-be4c-53a1adf1d314</uuid>
<memory unit='KiB'>33554432</memory>
<currentMemory unit='KiB'>33554432</currentMemory>
<vcpu placement='static'>32</vcpu>
<resource>
<partition>/machine</partition>
</resource>
<os>
<type arch='ppc64le' machine='pseries-2.6'>hvm</type>
<boot dev='hd'/>
</os>
<cpu>
<topology sockets='1' cores='32' threads='1'/>
</cpu>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>restart</on_crash>
<devices>
<emulator>/usr/bin/kvm</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/var/lib/libvirt/images/sath/avocado-fvt-wrapper/data/avocado-vt/images/ubuntu-16.10-ppc64le.qcow2'/>
<target dev='sda' bus='scsi'/>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
<controller type='usb' index='0'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</controller>
<controller type='pci' index='0' model='pci-root'/>
<controller type='scsi' index='0'>
<address type='spapr-vio' reg='0x2000'/>
</controller>
<interface type='bridge'>
<mac address='52:54:00:e2:e3:e4'/>
<source bridge='virbr0'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
</interface>
<serial type='pty'>
<target port='0'/>
<address type='spapr-vio' reg='0x30000000'/>
</serial>
<console type='pty'>
<target type='serial' port='0'/>
<address type='spapr-vio' reg='0x30000000'/>
</console>
<memballoon model='virtio'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</memballoon>
<panic model='pseries'/>
</devices>
<seclabel type='dynamic' model='apparmor' relabel='yes'/>
<seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>
2. virsh start virt-tests-vm1
#virsh start virt-tests-vm1
error: Failed to start domain virt-tests-vm1
error: internal error: cannot load AppArmor profile 'libvirt-0491f0cd-eb14-4992-be4c-53a1adf1d314'------NOK
3. After removing dac line from xml(<seclabel type='dynamic' model='dac' relabel='yes'/>) VM started fine
#virsh start virt-tests-vm1
Domain virt-tests-vm1 started
Userspace tool common name: ii libvirt-bin 2.1.0-1ubuntu5 ppc64el programs for the libvirt library
The userspace tool has the following bit modes: both
Userspace package: ii libvirt-bin 2.1.0-1ubuntu5 ppc64el programs for the libvirt library |
|
| 2016-12-01 19:55:19 |
Brian Murray |
libvirt (Ubuntu Yakkety): status |
Triaged |
Fix Committed |
|
| 2016-12-01 19:55:21 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2016-12-01 19:55:27 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
| 2016-12-01 19:55:36 |
Brian Murray |
tags |
architecture-ppc64le bugnameltc-145787 regression-release severity-critical targetmilestone-inin1610 |
architecture-ppc64le bugnameltc-145787 regression-release severity-critical targetmilestone-inin1610 verification-needed |
|
| 2016-12-12 07:07:08 |
Christian Ehrhardt |
tags |
architecture-ppc64le bugnameltc-145787 regression-release severity-critical targetmilestone-inin1610 verification-needed |
architecture-ppc64le bugnameltc-145787 regression-release severity-critical targetmilestone-inin1610 verification-done |
|
| 2016-12-12 22:25:12 |
Launchpad Janitor |
libvirt (Ubuntu Yakkety): status |
Fix Committed |
Fix Released |
|
| 2016-12-12 22:25:21 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
