| 2016-11-14 14:31:32 |
Simon Déziel |
bug |
|
|
added bug |
| 2016-11-22 10:06:25 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
New |
Confirmed |
|
| 2016-11-22 10:06:27 |
Christian Ehrhardt |
libvirt (Ubuntu): importance |
Undecided |
Medium |
|
| 2016-11-22 10:06:31 |
Christian Ehrhardt |
bug |
|
|
added subscriber ChristianEhrhardt |
| 2016-11-22 10:06:38 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Server Team |
| 2016-11-24 08:38:44 |
Christian Ehrhardt |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786650 |
|
| 2016-11-24 08:38:44 |
Christian Ehrhardt |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796088 |
|
| 2016-11-24 08:38:47 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
Confirmed |
Triaged |
|
| 2016-11-24 08:44:31 |
Christian Ehrhardt |
libvirt (Ubuntu): assignee |
|
ChristianEhrhardt (paelzer) |
|
| 2016-12-01 06:40:29 |
Launchpad Janitor |
libvirt (Ubuntu): status |
Triaged |
Fix Released |
|
| 2017-01-25 17:12:13 |
Simon Déziel |
description |
Libvirt qemu-kvm guests backed by zvols (ZFS volumes) generate useless noise due to virt-aa-helper trying to read the backing device in the host (/dev/zdX). Other host's devs are already denied in virt-aa-helper's profile:
# for hostdev
/sys/devices/ r,
/sys/devices/** r,
/sys/bus/usb/devices/ r,
/sys/bus/usb/devices/** r,
deny /dev/sd* r,
deny /dev/dm-* r,
deny /dev/mapper/ r,
deny /dev/mapper/* r,
Adding "deny /dev/zd[0-9]* r," would silence Apparmor. |
When a qemu-kvm guest is using a zvol or a DRBD volume or a NVME partition, Apparmor denial messages are logged due to virt-aa-helper trying to access the volume/device. Those should be silenced as it's already done for Logical Volumes.
[Test Case]
1) Create a KVM guest
2) Edit the guest's XML profile to reference a zvol|DRBD volume|NVME partition
<disk type='block' device='disk'>
<driver name='qemu' type='raw' cache='none'/>
<source dev='/dev/zvol/data/foo'/>
<target dev='vda' bus='virtio'/>
</disk>
3) Start the guest
4) Check dmesg for any Apparmor denials, there should be none with the patch
*Without* the patch, one would see those (or similar) denials:
audit: type=1400 audit(1479809919.223:4083): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/zd0" pid=16715 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Regression Potential]
Adding a couple of explicit denials to the virt-aa-helper profile shouldn't cause no harm because Apparmor already denies those, this is just about silencing this.
[Original description]
Libvirt qemu-kvm guests backed by zvols (ZFS volumes) generate useless noise due to virt-aa-helper trying to read the backing device in the host (/dev/zdX). Other host's devs are already denied in virt-aa-helper's profile:
# for hostdev
/sys/devices/ r,
/sys/devices/** r,
/sys/bus/usb/devices/ r,
/sys/bus/usb/devices/** r,
deny /dev/sd* r,
deny /dev/dm-* r,
deny /dev/mapper/ r,
deny /dev/mapper/* r,
Adding "deny /dev/zd[0-9]* r," would silence Apparmor. |
|
| 2017-01-26 14:06:36 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Xenial |
|
| 2017-01-26 14:06:36 |
Christian Ehrhardt |
bug task added |
|
libvirt (Ubuntu Xenial) |
|
| 2017-01-26 14:06:45 |
Christian Ehrhardt |
libvirt (Ubuntu Xenial): status |
New |
Triaged |
|
| 2017-01-26 14:06:47 |
Christian Ehrhardt |
libvirt (Ubuntu Xenial): importance |
Undecided |
Low |
|
| 2017-02-06 14:54:08 |
Christian Ehrhardt |
description |
When a qemu-kvm guest is using a zvol or a DRBD volume or a NVME partition, Apparmor denial messages are logged due to virt-aa-helper trying to access the volume/device. Those should be silenced as it's already done for Logical Volumes.
[Test Case]
1) Create a KVM guest
2) Edit the guest's XML profile to reference a zvol|DRBD volume|NVME partition
<disk type='block' device='disk'>
<driver name='qemu' type='raw' cache='none'/>
<source dev='/dev/zvol/data/foo'/>
<target dev='vda' bus='virtio'/>
</disk>
3) Start the guest
4) Check dmesg for any Apparmor denials, there should be none with the patch
*Without* the patch, one would see those (or similar) denials:
audit: type=1400 audit(1479809919.223:4083): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/zd0" pid=16715 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Regression Potential]
Adding a couple of explicit denials to the virt-aa-helper profile shouldn't cause no harm because Apparmor already denies those, this is just about silencing this.
[Original description]
Libvirt qemu-kvm guests backed by zvols (ZFS volumes) generate useless noise due to virt-aa-helper trying to read the backing device in the host (/dev/zdX). Other host's devs are already denied in virt-aa-helper's profile:
# for hostdev
/sys/devices/ r,
/sys/devices/** r,
/sys/bus/usb/devices/ r,
/sys/bus/usb/devices/** r,
deny /dev/sd* r,
deny /dev/dm-* r,
deny /dev/mapper/ r,
deny /dev/mapper/* r,
Adding "deny /dev/zd[0-9]* r," would silence Apparmor. |
When a qemu-kvm guest is using a zvol or a DRBD volume or a NVME partition, Apparmor denial messages are logged due to virt-aa-helper trying to access the volume/device. Those should be silenced as it's already done for Logical Volumes.
[Impact]
* libvirt driving guests on more recent backing devices floods logs and
dmesg due to non critical apparmor denials.
* those can distract from real issues and therefore (as with similar
cases in the past) should be silenced by explicit denials.
[Test Case]
1) Create a KVM guest
2) Edit the guest's XML profile to reference a zvol|DRBD volume|NVME partition
<disk type='block' device='disk'>
<driver name='qemu' type='raw' cache='none'/>
<source dev='/dev/zvol/data/foo'/>
<target dev='vda' bus='virtio'/>
</disk>
3) Start the guest
4) Check dmesg for any Apparmor denials, there should be none with the patch
*Without* the patch, one would see those (or similar) denials:
audit: type=1400 audit(1479809919.223:4083): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/zd0" pid=16715 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Regression Potential]
Adding a couple of explicit denials to the virt-aa-helper profile shouldn't cause no harm because Apparmor already denies those, this is just about silencing this.
[Original description]
Libvirt qemu-kvm guests backed by zvols (ZFS volumes) generate useless noise due to virt-aa-helper trying to read the backing device in the host (/dev/zdX). Other host's devs are already denied in virt-aa-helper's profile:
# for hostdev
/sys/devices/ r,
/sys/devices/** r,
/sys/bus/usb/devices/ r,
/sys/bus/usb/devices/** r,
deny /dev/sd* r,
deny /dev/dm-* r,
deny /dev/mapper/ r,
deny /dev/mapper/* r,
Adding "deny /dev/zd[0-9]* r," would silence Apparmor. |
|
| 2017-02-07 16:23:13 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2017-02-09 03:56:17 |
Chris J Arges |
libvirt (Ubuntu Xenial): status |
Triaged |
Fix Committed |
|
| 2017-02-09 03:56:20 |
Chris J Arges |
bug |
|
|
added subscriber SRU Verification |
| 2017-02-09 03:56:25 |
Chris J Arges |
tags |
|
verification-needed |
|
| 2017-02-09 16:00:00 |
Simon Déziel |
tags |
verification-needed |
verification-done |
|
| 2017-02-16 18:40:56 |
Launchpad Janitor |
libvirt (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
| 2017-02-16 18:41:17 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
