2017-10-24 10:41:58 |
Christian Ehrhardt |
bug |
|
|
added bug |
2017-10-24 10:42:06 |
Christian Ehrhardt |
tags |
|
virt-aa-helper |
|
2017-10-24 10:42:12 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
New |
Confirmed |
|
2017-10-24 10:44:31 |
Christian Ehrhardt |
description |
TODO |
On something like:
$ virsh attach-device <guest> <xml>
The rule rendered is:
"/tmp/B.img" rw,
This is missing the k flag needed on qemu >=2.10.
This applies to block and file definitions:
<disk type='block'>
<driver name='qemu'/>
<source dev='/tmp/B.img'/>
<target dev='sdb'/>
</disk>
<disk type='file'>
<driver name='qemu'/>
<source file='/tmp/F.img'/>
<target dev='sdc'/>
</disk>
Both are rendered correctly as:
"/tmp/F.img" rwk,
if they are part of the domain XML instead of being hot-added. |
|
2017-10-24 12:33:45 |
Christian Ehrhardt |
libvirt (Ubuntu): importance |
Undecided |
Critical |
|
2017-10-24 12:34:21 |
Christian Ehrhardt |
tags |
virt-aa-helper |
regression-release virt-aa-helper |
|
2017-10-24 15:33:47 |
Christian Ehrhardt |
description |
On something like:
$ virsh attach-device <guest> <xml>
The rule rendered is:
"/tmp/B.img" rw,
This is missing the k flag needed on qemu >=2.10.
This applies to block and file definitions:
<disk type='block'>
<driver name='qemu'/>
<source dev='/tmp/B.img'/>
<target dev='sdb'/>
</disk>
<disk type='file'>
<driver name='qemu'/>
<source file='/tmp/F.img'/>
<target dev='sdc'/>
</disk>
Both are rendered correctly as:
"/tmp/F.img" rwk,
if they are part of the domain XML instead of being hot-added. |
[Impact]
* Qemu 2.10 started to lock image files to ensure no data corruption
occurs. Unfortunately that isn't covered by the apparmor rules we had
for images so far - the "k" permission needs to be added.
* This was spotted and done in Artful, but the tests for the hot-add of
disks were hidden behind some other known not-too-bad issues. So by
fixing those tests I realized that hot-add of disks is currently broken
in Artful.
[Test Case]
# Get a very minimal Testguest that keeps running to attach something
$ qemu-img create /tmp/A.img 1M
$ cat <<EOF > testguest.xml
<domain type='kvm'>
<name>testguest</name>
<uuid>deadbeef-dead-beef-dead-beefdeadbeef</uuid>
<memory unit='KiB'>1024</memory>
<vcpu placement='static'>1</vcpu>
<os>
<type arch='x86_64' machine='pc-i440fx-zesty'>hvm</type>
<boot dev='hd'/>
</os>
<features>
<acpi/>
<apic/>
<pae/>
</features>
<devices>
<emulator>/usr/bin/kvm-spice</emulator>
<disk type='file' device='disk'>
<driver name='qemu'/>
<source file='/tmp/A.img'/>
<target dev='vda'/>
</disk>
</devices>
<seclabel type='dynamic' model='apparmor' relabel='yes'/>
</domain>
EOF
$ virsh define testguest.xml
$ virsh start testguest
# Prepare Disk
$ qemu-img create /tmp/F.img 1M
$ cat <<EOF >diskF.xml
<disk type='file'>
<driver name='qemu'/>
<source file='/tmp/F.img'/>
<target dev='sdc'/>
</disk>
EOF
# Then attach:
$ virsh attach-device testguest diskF.xml
* This should work, but fails without the fix as:
error: internal error: unable to execute QEMU command 'device_add':
Property 'scsi-hd.drive' can't find value 'drive-scsi0-0-0-1'
With a related apparmor denial:
apparmor="DENIED" operation="file_lock" profile="libvirt-7d781722-69b7-8801-fe96-caf37b7a8969" name="/tmp/tmpKzZQR0/device_disk.img" pid=17582 comm="qemu" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
* With the fix the file is rwk and works to be attached
[Regression Potential]
* This is only adding apparmor lock permissions to files added after
start. Thereby the only thing that comes to mind is if now things are
locked that were not before, and thereby cause issues. But OTOH no one
but qemu should lock the image files in use - and if someone else does
he now correctly sees qemu holding the lock. Seems safe to me.
[Other Info]
* This is a release/upgrade-regression which should be fixed
asap. I already wrote and submitted a fix to upstream, but given that
this can break a lot of use cases we have to fix fast and reroll in
case upstream decides to modify.
---
On something like:
$ virsh attach-device <guest> <xml>
The rule rendered is:
"/tmp/B.img" rw,
This is missing the k flag needed on qemu >=2.10.
This applies to block and file definitions:
<disk type='block'>
<driver name='qemu'/>
<source dev='/tmp/B.img'/>
<target dev='sdb'/>
</disk>
<disk type='file'>
<driver name='qemu'/>
<source file='/tmp/F.img'/>
<target dev='sdc'/>
</disk>
Both are rendered correctly as:
"/tmp/F.img" rwk,
if they are part of the domain XML instead of being hot-added. |
|
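The test case above shows the two symptoms of this bug: a rendered rule that has "rw" but no "k", and an AppArmor file_lock denial from the guest's libvirt-<uuid> profile. The following added script (not part of the bug report, libvirt or virt-aa-helper) checks both: it takes the disk sources out of a domain XML, compares them against the per-guest rules virt-aa-helper renders, and recognises the denial line in audit output. The domain XML, the rule text and the denial line are constructed samples built from the snippets in the report; the rule file format ("<path>" <perms>,) is assumed to be what virt-aa-helper writes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed domain XML; the two disk definitions are the ones from the bug report.
DOMAIN_XML = """<domain type='kvm'>
  <name>testguest</name>
  <devices>
    <disk type='block'><driver name='qemu'/><source dev='/tmp/B.img'/><target dev='sdb'/></disk>
    <disk type='file'><driver name='qemu'/><source file='/tmp/F.img'/><target dev='sdc'/></disk>
  </devices>
</domain>"""

# Constructed per-guest rules in the "<path>" <perms>, form virt-aa-helper renders
# (assumed format): the B.img line is the buggy hot-add rendering, F.img the correct one.
PROFILE_FILES = '''
  "/dev/kvm" rw,
  "/tmp/B.img" rw,
  "/tmp/F.img" rwk,
'''

# Denial line copied from the bug report, used here as a constructed sample.
AUDIT_LINE = ('apparmor="DENIED" operation="file_lock" profile="libvirt-7d781722-69b7-8801-fe96-caf37b7a8969" '
              'name="/tmp/tmpKzZQR0/device_disk.img" pid=17582 comm="qemu" '
              'requested_mask="k" denied_mask="k" fsuid=0 ouid=0')

def disk_sources(domain_xml):
    """Map each disk's source path (file or block device) to its target dev."""
    out = {}
    for disk in ET.fromstring(domain_xml).iter('disk'):
        src, tgt = disk.find('source'), disk.find('target')
        if src is None:
            continue
        path = src.get('file') if disk.get('type') == 'file' else src.get('dev')
        if path:
            out[path] = tgt.get('dev') if tgt is not None else None
    return out

RULE_RE = re.compile(r'^\s*"([^"]+)"\s+([a-z]+),\s*$', re.M)

def rules_missing_lock(domain_xml, profile_files):
    """Return disk paths whose rendered rule lacks 'k' (or that have no rule at all)."""
    perms = dict(RULE_RE.findall(profile_files))
    return sorted(p for p in disk_sources(domain_xml) if 'k' not in perms.get(p, ''))

AUDIT_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def is_qemu_lock_denial(line):
    """True for an AppArmor DENIED file_lock event against a libvirt-<uuid> profile."""
    f = {k: q or u for k, q, u in AUDIT_RE.findall(line)}
    return (f.get('apparmor') == 'DENIED' and f.get('operation') == 'file_lock'
            and f.get('profile', '').startswith('libvirt-') and 'k' in f.get('denied_mask', ''))
```

Running rules_missing_lock against a live guest's rendered rules after a virsh attach-device is a quick way to confirm whether the fixed virt-aa-helper is in use; is_qemu_lock_denial over the audit log catches the same problem from the denial side.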
2017-10-24 15:44:56 |
Christian Ehrhardt |
bug task added |
|
cloud-archive |
|
2017-10-24 18:43:35 |
Andy Whitcroft |
libvirt (Ubuntu Artful): status |
Confirmed |
Fix Committed |
|
2017-10-24 18:43:36 |
Andy Whitcroft |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2017-10-24 18:43:38 |
Andy Whitcroft |
bug |
|
|
added subscriber SRU Verification |
2017-10-24 18:43:40 |
Andy Whitcroft |
tags |
regression-release virt-aa-helper |
regression-release verification-needed verification-needed-artful virt-aa-helper |
|
2017-10-25 08:26:00 |
Christian Ehrhardt |
tags |
regression-release verification-needed verification-needed-artful virt-aa-helper |
regression-release verification-done verification-done-artful virt-aa-helper |
|
2017-10-26 19:00:46 |
Corey Bryant |
nominated for series |
|
cloud-archive/pike |
|
2017-10-26 19:00:46 |
Corey Bryant |
bug task added |
|
cloud-archive/pike |
|
2017-10-26 19:01:43 |
Corey Bryant |
cloud-archive/pike: status |
New |
Triaged |
|
2017-10-26 19:02:23 |
Corey Bryant |
cloud-archive: status |
New |
Triaged |
|
2017-10-26 19:02:28 |
Corey Bryant |
cloud-archive/pike: importance |
Undecided |
Critical |
|
2017-10-26 19:02:30 |
Corey Bryant |
cloud-archive: importance |
Undecided |
Critical |
|
2017-10-26 19:02:36 |
Corey Bryant |
nominated for series |
|
cloud-archive/queens |
|
2017-10-26 19:02:36 |
Corey Bryant |
bug task added |
|
cloud-archive/queens |
|
2017-10-26 21:12:35 |
Martin Pitt |
attachment added |
|
pitti's reproducer https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1726804/+attachment/4997114/+files/reproducer.sh |
|
2017-10-26 21:13:40 |
Martin Pitt |
bug |
|
|
added subscriber Martin Pitt |
2017-10-31 18:04:21 |
Corey Bryant |
cloud-archive/pike: status |
Triaged |
Fix Committed |
|
2017-10-31 18:04:23 |
Corey Bryant |
tags |
regression-release verification-done verification-done-artful virt-aa-helper |
regression-release verification-done verification-done-artful verification-pike-needed virt-aa-helper |
|
2017-10-31 18:07:49 |
Corey Bryant |
cloud-archive/queens: status |
Triaged |
Fix Released |
|
2017-10-31 18:08:11 |
Corey Bryant |
cloud-archive/queens: status |
Fix Released |
Fix Committed |
|
2017-10-31 18:08:14 |
Corey Bryant |
tags |
regression-release verification-done verification-done-artful verification-pike-needed virt-aa-helper |
regression-release verification-done verification-done-artful verification-pike-needed verification-queens-needed virt-aa-helper |
|
2017-11-01 00:27:49 |
Launchpad Janitor |
libvirt (Ubuntu Artful): status |
Fix Committed |
Fix Released |
|
2017-11-01 00:28:09 |
Chris Halse Rogers |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2017-11-05 09:41:40 |
Launchpad Janitor |
libvirt (Ubuntu): status |
Fix Committed |
Fix Released |
|
2017-11-12 15:47:00 |
XiaoRuiguo |
bug |
|
|
added subscriber XiaoRuiguo |
2017-12-15 09:07:20 |
Christian Ehrhardt |
tags |
regression-release verification-done verification-done-artful verification-pike-needed verification-queens-needed virt-aa-helper |
qemu-file-locking regression-release verification-done verification-done-artful verification-pike-needed verification-queens-needed virt-aa-helper |
|
2018-01-02 20:55:36 |
Corey Bryant |
cloud-archive/queens: status |
Fix Committed |
Fix Released |
|
2018-01-02 20:58:13 |
Corey Bryant |
tags |
qemu-file-locking regression-release verification-done verification-done-artful verification-pike-needed verification-queens-needed virt-aa-helper |
qemu-file-locking regression-release verification-done verification-done-artful verification-pike-done verification-queens-needed virt-aa-helper |
|
2018-01-02 20:59:55 |
Corey Bryant |
cloud-archive/pike: status |
Fix Committed |
Fix Released |
|