[SRU] virt-aa-helper denied access to qcow2 backing file running nova in a snap

Bug #1644507 reported by James Page on 2016-11-24
Affects            Status  Importance  Assigned to   Milestone
libvirt (Ubuntu)           Medium      Corey Bryant
Xenial                     Medium      Corey Bryant
Zesty                      Medium      Corey Bryant
Artful                     Medium      Corey Bryant

Bug Description

[Impact]
The apparmor profile for virt-aa-helper allows access to qcow2 backing images in some well-known locations for OpenStack Nova:

  /var/lib/nova/images/** r,
  /var/lib/nova/instances/_base/** r,
  /var/lib/nova/instances/snapshots/** r,

which is great when OpenStack is installed using debs from the archive; I'm working on a snap for a Nova hypervisor, and the base images are stored in:

  /var/snap/nova-hypervisor/common/instances/_base

so instances fail to boot as the generated profile for the instance does not contain access to the backing file as virt-aa-helper is DENIED access to it:

[ 5144.554120] audit: type=1400 audit(1479983132.426:49771): apparmor="DENIED" operation="open" profile="libvirt-d140e3d0-071d-453f-99f2-a777fd1a1c3d" name="/var/snap/nova-hypervisor/common/instances/_base/a9dd2a42f4d46f9d8a628643d9aede38924668e6" pid=663 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=115 ouid=115

Switched virt-aa-helper into complain mode:

[ 5531.325617] audit: type=1400 audit(1479983519.193:49776): apparmor="ALLOWED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/var/snap/nova-hypervisor/common/instances/_base/a9dd2a42f4d46f9d8a628643d9aede38924668e6" pid=5509 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=115

and the instance booted successfully.

The actual disk for the instance is covered by:

  /**/disk{,.*} r,

Unfortunately the base image does not have a nice generalizable path in the same way.

We could do:

  /var/**/images/** r,
  /var/**/_base/** r,
  /var/**/snapshots/** r,

which would capture other locations for the OpenStack instances path in the event that it's not the default path for nova.

[Testcase]

Run snap-test from the following to deploy openstack from snaps:
github.com/openstack-snaps/snap-test

[Regression Potential]
Minimal regression potential, as this augments the existing virt-aa-helper to allow a new path to be accessed.

Changed in libvirt (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Tyler Hicks (tyhicks) wrote :

libvirt already has the ability to inject AppArmor rules into the profile that it generates for a domain when you set/modify the path to a disk image. You can test this manually by running `virsh edit DOMAIN`, adjusting one of the paths in the xml, and then looking at the corresponding change in /etc/apparmor.d/libvirt/libvirt-*.files.

I'm confused about why this isn't working for you. Maybe you're going through libvirt to set/update the paths to your images?

Can you post a sample XML file and the AppArmor denials that you're seeing when using the XML file?

Changed in libvirt (Ubuntu):
status: Triaged → Incomplete
Jamie Strandboge (jdstrand) wrote :

If you are wanting to use the deb libvirt from the archive with the snapped nova from Canonical then you are going to need to adjust the profile for virt-aa-helper to account for that, just like we adjusted the profile when moving from eucalyptus to nova. I suggest just adding:

  /var/snap/nova-hypervisor/common/instances/_base/** r,
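As an added example (not part of the bug report or of the libvirt package), the following Python check translates AppArmor path globs to regexes and reports which of the rules quoted on this page would have covered the path in the DENIED audit line: the current virt-aa-helper rules and the `/var/**/...` globs from the description above, and the single `/var/snap/...` rule suggested in this comment. The glob translation is a simplification (no character classes, and `**` is treated as any string including the empty one), and the audit line is an abridged copy of the one in the report.

```python
import re

CURRENT_RULES = """
  /var/lib/nova/images/** r,
  /var/lib/nova/instances/_base/** r,
  /var/lib/nova/instances/snapshots/** r,
  /**/disk{,.*} r,
"""
PROPOSED_GLOBS = """
  /var/**/images/** r,
  /var/**/_base/** r,
  /var/**/snapshots/** r,
"""
SNAP_RULE = "  /var/snap/nova-hypervisor/common/instances/_base/** r,\n"
# The DENIED audit line from the report (copied, wrapped and abridged).
DENIED = ('apparmor="DENIED" operation="open" name="/var/snap/nova-hypervisor/common/'
          'instances/_base/a9dd2a42f4d46f9d8a628643d9aede38924668e6" '
          'requested_mask="r" denied_mask="r"')

def aa_glob_to_regex(glob):
    """Anchored regex for an AppArmor path glob. Simplified: '*' is a run of
    non-'/' chars, '**' may also cross '/', '{a,b}' alternates; no [..] classes."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith('**', i):          # check before the single '*'
            out.append('.*'); i += 1
        elif c == '*':
            out.append('[^/]*')
        elif c == '{':
            out.append('(?:'); depth += 1
        elif c == '}' and depth:
            out.append(')'); depth -= 1
        elif c == ',' and depth:
            out.append('|')
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile('^' + ''.join(out) + '$')

def parse_rules(text):
    """(glob, perms) pairs from profile lines such as '/path/** r,'."""
    return re.findall(r'^\s*(\S+)\s+([a-zA-Z]+),', text, re.M)

def covering_rules(audit_line, rules_text):
    """Globs in rules_text that would have allowed the access the line denies."""
    ev = dict(re.findall(r'(\w+)="([^"]*)"', audit_line))   # key="value" fields
    return [g for g, perms in parse_rules(rules_text)
            if aa_glob_to_regex(g).match(ev['name'])
            and set(ev['requested_mask']) <= set(perms)]
```

Running `covering_rules(DENIED, CURRENT_RULES)` returns an empty list, which is the denial described in the report; the proposed globs match via `/var/**/_base/**` and the snap rule matches directly.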

Changed in libvirt (Ubuntu):
status: Incomplete → Triaged
tags: added: virt-aa-helper
Changed in libvirt (Ubuntu):
assignee: nobody → Corey Bryant (corey.bryant)
Changed in libvirt (Ubuntu Xenial):
status: New → Triaged
Changed in libvirt (Ubuntu Zesty):
status: New → Triaged
importance: Undecided → Medium
Changed in libvirt (Ubuntu Xenial):
importance: Undecided → Medium
Changed in libvirt (Ubuntu Zesty):
assignee: nobody → Corey Bryant (corey.bryant)
Changed in libvirt (Ubuntu Xenial):
assignee: nobody → Corey Bryant (corey.bryant)
Changed in libvirt (Ubuntu Artful):
status: Triaged → Fix Released
summary: - virt-aa-helper denied access to qcow2 backing file running nova in a
- snap
+ [SRU] virt-aa-helper denied access to qcow2 backing file running nova in
+ a snap
description: updated

Hello James, or anyone else affected,

Accepted libvirt into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libvirt/2.5.0-3ubuntu5.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in libvirt (Ubuntu Zesty):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-zesty
Changed in libvirt (Ubuntu Xenial):
status: Triaged → Fix Committed
tags: added: verification-needed-xenial
Andy Whitcroft (apw) wrote :

Hello James, or anyone else affected,

Accepted libvirt into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libvirt/1.3.1-1ubuntu10.11 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Corey Bryant (corey.bryant) wrote :

Hi Andy,

I've verified this on both xenial-proposed [1] and zesty-proposed [2].

I tested using https://github.com/openstack-snaps/snap-test to deploy a minimal OpenStack cloud, deployed an instance on top of it, and created a snapshot from that instance.

Thanks,
Corey

[1] xenial-proposed
libvirt-bin:
  Installed: 1.3.1-1ubuntu10.11

[2] zesty-proposed
libvirt-bin:
  Installed: 2.5.0-3ubuntu5.3

tags: added: verification-done verification-done-xenial verification-done-zesty
removed: verification-needed verification-needed-xenial verification-needed-zesty

Note to SRU Team: we want this to go to -updates (probably next week, all pre-reqs except time in proposed are complete) before accepting 1705132 which is in -unapproved waiting for this one here to complete.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 2.5.0-3ubuntu5.3

---------------
libvirt (2.5.0-3ubuntu5.3) zesty; urgency=medium

  * d/p/ubuntu/0004-apparmor-apply-ubuntu-delta.patch: Allow access to base
    images and snapshots stored in nova-hypervisor snap's $SNAP_COMMON
    directory, enabling use of the libvirt deb from the nova-hypervisor
    snap (LP: #1644507).

 -- Corey Bryant <email address hidden> Thu, 22 Jun 2017 14:39:39 -0400

Changed in libvirt (Ubuntu Zesty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for libvirt has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.3.1-1ubuntu10.11

---------------
libvirt (1.3.1-1ubuntu10.11) xenial; urgency=medium

  * d/apparmor/usr.lib.libvirt.virt-aa-helper: Allow access to base
    images and snapshots stored in nova-hypervisor snap's $SNAP_COMMON
    directory, enabling use of the libvirt deb from the nova-hypervisor
    snap (LP: #1644507).

 -- Corey Bryant <email address hidden> Thu, 22 Jun 2017 14:43:11 -0400

Changed in libvirt (Ubuntu Xenial):
status: Fix Committed → Fix Released