2022-09-22 09:15:08 |
Isaac True |
bug |
|
|
added bug |
2022-09-22 09:27:31 |
Isaac True |
attachment added |
|
ubuntu22.04-riscv64.xml https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1990499/+attachment/5618021/+files/ubuntu22.04-riscv64.xml |
|
2022-09-27 08:24:01 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
New |
Confirmed |
|
2022-09-27 08:31:14 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
Confirmed |
Triaged |
|
2022-10-04 06:34:24 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paelzer/ubuntu/+source/libvirt/+git/libvirt/+merge/430945 |
|
2022-10-04 06:36:19 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paelzer/ubuntu/+source/libvirt/+git/libvirt/+merge/430946 |
|
2022-10-04 06:49:18 |
Christian Ehrhardt |
description |
I am trying to adapt the guide to booting the riscv64 QEMU image from https://wiki.ubuntu.com/RISC-V to work with libvirt, but I'm running into an AppArmor issue:
Sep 22 11:07:06 Isaac-Laptop libvirtd[6243]: internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -r -u libvirt-86ff0d62-f2fc-4f21-b84a-dc8c3e8097ff) unexpected exit status 1: 2022-09-22 09:07:06.069+0000: 3456675: info : libvirt version: 8.0.0, package: 1ubuntu7.1 (Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 19 May 2022 08:14:48 +0200)#0122022-09-22 09:07:06.069+0000: 3456675: info : hostname: Isaac-Laptop#0122022-09-22 09:07:06.069+0000: 3456675: error : virStorageFileBackendFileRead:109 : Failed to open file '/dev/zvol/rpool/vm/ubuntu-22.04-riscv64': Permission denied#012virt-aa-helper: error: /usr/lib/u-boot/qemu-riscv64_smode/uboot.elf#012virt-aa-helper: error: skipped restricted file#012virt-aa-helper: error: invalid VM definition
This seems to be caused by the U-Boot path not being permitted by AppArmor to be used by libvirt.
I'm using the following XML snippet for setting the loader and kernel (adapted from the QEMU instructions):
<os>
<type arch="riscv64" machine="virt">hvm</type>
<loader readonly="yes" type="rom">/usr/lib/riscv64-linux-gnu/opensbi/generic/fw_jump.elf</loader>
<kernel>/usr/lib/u-boot/qemu-riscv64_smode/uboot.elf</kernel>
</os>
Moving the U-Boot binary to /var/tmp/uboot.elf resolves this issue, but libvirt then generates another AppArmor error due to the fw_jump.elf file:
Sep 22 11:12:09 Isaac-Laptop libvirtd[6243]: internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -r -u libvirt-86ff0d62-f2fc-4f21-b84a-dc8c3e8097ff) unexpected exit status 1: 2022-09-22 09:12:09.664+0000: 3461255: info : libvirt version: 8.0.0, package: 1ubuntu7.1 (Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 19 May 2022 08:14:48 +0200)#0122022-09-22 09:12:09.664+0000: 3461255: info : hostname: Isaac-Laptop#0122022-09-22 09:12:09.664+0000: 3461255: error : virStorageFileBackendFileRead:109 : Failed to open file '/dev/zvol/rpool/vm/ubuntu-22.04-riscv64': Permission denied#012virt-aa-helper: error: /usr/lib/riscv64-linux-gnu/opensbi/generic/fw_jump.elf#012virt-aa-helper: error: skipped restricted file#012virt-aa-helper: error: invalid VM definition
Moving this to /var/tmp/fw_jump.elf also resolves this issue and allows the VM to boot.
Should these two file paths be added to the AppArmor rules? Maybe the equivalent paths for all architectures should be added?
---
$ lsb_release -rd
Description: Ubuntu 22.04.1 LTS
Release: 22.04
$ apt policy libvirt0
libvirt0:
Installed: 8.0.0-1ubuntu7.1
Candidate: 8.0.0-1ubuntu7.1
Version table:
*** 8.0.0-1ubuntu7.1 500
500 http://de.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
100 /var/lib/dpkg/status
8.0.0-1ubuntu7 500
500 http://de.archive.ubuntu.com/ubuntu jammy/main amd64 Packages |
[ Impact ]
* RISC-V is getting more and more common, but since it still
lacks real (or powerful) HW it is often used in an emulated
environment. So far people usually call qemu directly,
but for the benefit of better lifecycle management and
many comfort features they start to drive it through
libvirt. When doing so, however, they are blocked by the
apparmor guest isolation.
* Fix by allowing virt-aa-helper to consider adding
the paths at which Ubuntu delivers the boot elements
for riscv64. That means only guests configured
for it in the XML can access them - and even those
only read-only.
[ Test Plan ]
$ wget https://cdimage.ubuntu.com/releases/22.04.1/release/ubuntu-22.04.1-preinstalled-server-riscv64+unmatched.img.xz
$ unxz ubuntu-22.04.1-preinstalled-server-riscv64+unmatched.img.xz
$ mv ubuntu-22.04.1-preinstalled-server-riscv64+unmatched.img /var/lib/libvirt/images/
$ cat << EOF > riscv-guest.xml
<domain type='qemu'>
<name>ubuntu22.10-riscv64</name>
<os>
<type arch='riscv64' machine='virt'>hvm</type>
<kernel>/usr/lib/u-boot/qemu-riscv64_smode/uboot.elf</kernel>
<loader readonly="yes" type="rom">/usr/lib/riscv64-linux-gnu/opensbi/generic/fw_jump.elf</loader>
</os>
<memory unit="GiB">2</memory>
<vcpu placement="static">4</vcpu>
<devices>
<emulator>/usr/bin/qemu-system-riscv64</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='raw' cache='none'/>
<source file='/var/lib/libvirt/images/ubuntu-22.04.1-preinstalled-server-riscv64+unmatched.img'/>
<target dev='sda' bus='scsi'/>
</disk>
<controller type='scsi' model='virtio-scsi'/>
<interface type='network'>
<source network='default'/>
<target dev='vnet0'/>
</interface>
<console type='pty'>
<target type='serial' port='0'/>
</console>
</devices>
</domain>
EOF
$ virsh define riscv-guest.xml
$ virsh start ubuntu22.10-riscv64
error: Failed to start domain 'ubuntu22.10-riscv64'
error: internal error: cannot load AppArmor profile 'libvirt-e4089ffc-671d-4d28-9fa5-d0d52dc2d67f'
And in the journal I pick up the mentioned error:
internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -c -u libvirt-e4089ffc-671d-4d28-9fa5-d0d52dc2d67f) unexpected exit status 1: virt-aa-helper: error: /usr/lib/u-boot/qemu-riscv64_smode/uboot.elf
virt-aa-helper: error: skipped restricted file
virt-aa-helper: error: invalid VM definition
internal error: cannot load AppArmor profile 'libvirt-e4089ffc-671d-4d28-9fa5-d0d52dc2d67f'
With the fix in place virt-aa-helper will no longer spill those messages to the log and will create a per-guest file that allows access to those files.
[ Where problems could occur ]
* This is not reducing, but allowing more access and therefore
has a much smaller regression risk than vice versa. To be on the
safe side (as with other roms and such) we only add this to
the guest rules when configured on the host and never with a
write rule. Together that is considered safe.
* So much for safety; on the functional side, if we messed up
virt-aa-helper the potential regressions would be:
a) breaks when executed -> no apparmor rules, breaking guest start
b) runs, but emits odd rules -> guest could access more
Fortunately the change is rather small and both risks are considered
highly unlikely, but in any case that is how the potential risk would
most likely surface.
[ Other Info ]
* n/a
---- original report ----
I am trying to adapt the guide to booting the riscv64 QEMU image from https://wiki.ubuntu.com/RISC-V to work with libvirt, but I'm running into an AppArmor issue:
Sep 22 11:07:06 Isaac-Laptop libvirtd[6243]: internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -r -u libvirt-86ff0d62-f2fc-4f21-b84a-dc8c3e8097ff) unexpected exit status 1: 2022-09-22 09:07:06.069+0000: 3456675: info : libvirt version: 8.0.0, package: 1ubuntu7.1 (Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 19 May 2022 08:14:48 +0200)#0122022-09-22 09:07:06.069+0000: 3456675: info : hostname: Isaac-Laptop#0122022-09-22 09:07:06.069+0000: 3456675: error : virStorageFileBackendFileRead:109 : Failed to open file '/dev/zvol/rpool/vm/ubuntu-22.04-riscv64': Permission denied#012virt-aa-helper: error: /usr/lib/u-boot/qemu-riscv64_smode/uboot.elf#012virt-aa-helper: error: skipped restricted file#012virt-aa-helper: error: invalid VM definition
This seems to be caused by the U-Boot path not being permitted by AppArmor to be used by libvirt.
I'm using the following XML snippet for setting the loader and kernel (adapted from the QEMU instructions):
<os>
<type arch="riscv64" machine="virt">hvm</type>
<loader readonly="yes" type="rom">/usr/lib/riscv64-linux-gnu/opensbi/generic/fw_jump.elf</loader>
<kernel>/usr/lib/u-boot/qemu-riscv64_smode/uboot.elf</kernel>
</os>
Moving the U-Boot binary to /var/tmp/uboot.elf resolves this issue, but libvirt then generates another AppArmor error due to the fw_jump.elf file:
Sep 22 11:12:09 Isaac-Laptop libvirtd[6243]: internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -r -u libvirt-86ff0d62-f2fc-4f21-b84a-dc8c3e8097ff) unexpected exit status 1: 2022-09-22 09:12:09.664+0000: 3461255: info : libvirt version: 8.0.0, package: 1ubuntu7.1 (Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 19 May 2022 08:14:48 +0200)#0122022-09-22 09:12:09.664+0000: 3461255: info : hostname: Isaac-Laptop#0122022-09-22 09:12:09.664+0000: 3461255: error : virStorageFileBackendFileRead:109 : Failed to open file '/dev/zvol/rpool/vm/ubuntu-22.04-riscv64': Permission denied#012virt-aa-helper: error: /usr/lib/riscv64-linux-gnu/opensbi/generic/fw_jump.elf#012virt-aa-helper: error: skipped restricted file#012virt-aa-helper: error: invalid VM definition
Moving this to /var/tmp/fw_jump.elf also resolves this issue and allows the VM to boot.
Should these two file paths be added to the AppArmor rules? Maybe the equivalent paths for all architectures should be added?
---
$ lsb_release -rd
Description: Ubuntu 22.04.1 LTS
Release: 22.04
$ apt policy libvirt0
libvirt0:
Installed: 8.0.0-1ubuntu7.1
Candidate: 8.0.0-1ubuntu7.1
Version table:
*** 8.0.0-1ubuntu7.1 500
500 http://de.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
100 /var/lib/dpkg/status
8.0.0-1ubuntu7 500
500 http://de.archive.ubuntu.com/ubuntu jammy/main amd64 Packages |
|
2022-10-04 22:34:33 |
Sergio Durigan Junior |
description |
(previous value: identical to the description recorded in the entry above) |
[ Impact ]
* RISC-V is getting more and more common, but since it still
lacks real (or powerful) HW it is often used in an emulated
environment. So far people usually call qemu directly,
but for the benefit of better lifecycle management and
many comfort features they start to drive it through
libvirt. When doing so, however, they are blocked by the
apparmor guest isolation.
* Fix by allowing virt-aa-helper to consider adding
the paths at which Ubuntu delivers the boot elements
for riscv64. That means only guests configured
for it in the XML can access them - and even those
only read-only.
[ Test Plan ]
# apt install -y libvirt-daemon-system qemu-system
# wget https://cdimage.ubuntu.com/releases/22.04.1/release/ubuntu-22.04.1-preinstalled-server-riscv64+unmatched.img.xz
# unxz ubuntu-22.04.1-preinstalled-server-riscv64+unmatched.img.xz
# mv ubuntu-22.04.1-preinstalled-server-riscv64+unmatched.img /var/lib/libvirt/images/
# cat << EOF > riscv-guest.xml
<domain type='qemu'>
<name>ubuntu22.10-riscv64</name>
<os>
<type arch='riscv64' machine='virt'>hvm</type>
<kernel>/usr/lib/u-boot/qemu-riscv64_smode/uboot.elf</kernel>
<loader readonly="yes" type="rom">/usr/lib/riscv64-linux-gnu/opensbi/generic/fw_jump.elf</loader>
</os>
<memory unit="GiB">2</memory>
<vcpu placement="static">4</vcpu>
<devices>
<emulator>/usr/bin/qemu-system-riscv64</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='raw' cache='none'/>
<source file='/var/lib/libvirt/images/ubuntu-22.04.1-preinstalled-server-riscv64+unmatched.img'/>
<target dev='sda' bus='scsi'/>
</disk>
<controller type='scsi' model='virtio-scsi'/>
<interface type='network'>
<source network='default'/>
<target dev='vnet0'/>
</interface>
<console type='pty'>
<target type='serial' port='0'/>
</console>
</devices>
</domain>
EOF
# virsh define riscv-guest.xml
# virsh start ubuntu22.10-riscv64
error: Failed to start domain 'ubuntu22.10-riscv64'
error: internal error: cannot load AppArmor profile 'libvirt-e4089ffc-671d-4d28-9fa5-d0d52dc2d67f'
And in the journal I pick up the mentioned error:
internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -c -u libvirt-e4089ffc-671d-4d28-9fa5-d0d52dc2d67f) unexpected exit status 1: virt-aa-helper: error: /usr/lib/u-boot/qemu-riscv64_smode/uboot.elf
virt-aa-helper: error: skipped restricted file
virt-aa-helper: error: invalid VM definition
internal error: cannot load AppArmor profile 'libvirt-e4089ffc-671d-4d28-9fa5-d0d52dc2d67f'
With the fix in place virt-aa-helper will no longer spill those messages to the log and will create a per-guest file that allows access to those files.
[ Where problems could occur ]
* This is not reducing, but allowing more access and therefore
has a much smaller regression risk than vice versa. To be on the
safe side (as with other roms and such) we only add this to
the guest rules when configured on the host and never with a
write rule. Together that is considered safe.
* So much for safety; on the functional side, if we messed up
virt-aa-helper the potential regressions would be:
a) breaks when executed -> no apparmor rules, breaking guest start
b) runs, but emits odd rules -> guest could access more
Fortunately the change is rather small and both risks are considered
highly unlikely, but in any case that is how the potential risk would
most likely surface.
[ Other Info ]
* n/a
---- original report ----
(unchanged; identical to the original report quoted in the first description above) |
|
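The SRU text above states the two properties a reviewer wants from the virt-aa-helper change: a boot-element path only gets a rule when the guest actually names it in its XML, and that rule is never a write rule (regression case b) is the one where it would be). The Python script below is an added example written for this page; it is not libvirt's code, not virt-aa-helper, and not from this bug. It extracts the `<loader>`, `<kernel>` and `<initrd>` paths from a domain definition, accepts only those that stay under the two Ubuntu-packaged directories named in the report (using those directories as a prefix allowlist is this example's assumption, not libvirt's real table), emits read-only rules in the `"/path" r,` form used by per-guest AppArmor `.files` profiles, and audits such a profile for a boot-element rule that grants more than read. The sample domain XML and profile excerpt are constructed inline.

```python
import os.path
import re
import xml.etree.ElementTree as ET

# Constructed sample input: a minimal <domain> wrapping the <os> block from the bug report.
SAMPLE_DOMAIN_XML = """<domain type='qemu'>
  <name>ubuntu22.10-riscv64</name>
  <os>
    <type arch='riscv64' machine='virt'>hvm</type>
    <kernel>/usr/lib/u-boot/qemu-riscv64_smode/uboot.elf</kernel>
    <loader readonly='yes' type='rom'>/usr/lib/riscv64-linux-gnu/opensbi/generic/fw_jump.elf</loader>
  </os>
</domain>
"""

# Constructed per-guest profile excerpt; the 'rw' on uboot.elf is the defect the audit must catch.
SAMPLE_PROFILE = """
  "/usr/lib/u-boot/qemu-riscv64_smode/uboot.elf" rw,
  "/usr/lib/riscv64-linux-gnu/opensbi/generic/fw_jump.elf" r,
  "/var/lib/libvirt/images/ubuntu-22.04.1-preinstalled-server-riscv64+unmatched.img" rwk,
"""

# Directories from which Ubuntu ships the riscv64 boot elements named in the bug.
# Treating them as a prefix allowlist is an assumption of this example, not libvirt's own table.
ALLOWED_BOOT_DIRS = (
    "/usr/lib/u-boot/",
    "/usr/lib/riscv64-linux-gnu/opensbi/",
)

# One AppArmor file rule as it appears in a per-guest .files profile, e.g.   "/path" rk,
FILE_RULE = re.compile(r'^\s*"(?P<path>[^"]+)"\s+(?P<perms>[a-zA-Z]+),\s*$')


def boot_paths(domain_xml):
    """Collect the <loader>, <kernel> and <initrd> paths of a domain definition."""
    root = ET.fromstring(domain_xml)
    found = []
    for tag in ("loader", "kernel", "initrd"):
        for element in root.iter(tag):
            if element.text and element.text.strip():
                found.append(element.text.strip())
    return found


def is_allowed_boot_path(path):
    """True only for an absolute path that still lies inside an allowlisted directory
    after normalisation, so '..' components cannot escape the packaged location."""
    if not path.startswith("/"):
        return False
    normalised = os.path.normpath(path)
    return any(normalised.startswith(prefix) for prefix in ALLOWED_BOOT_DIRS)


def generate_rules(domain_xml):
    """Return (rules, rejected): read-only rules for allowlisted boot elements, plus the
    paths that were refused (the 'skipped restricted file' outcome in the report)."""
    rules, rejected = [], []
    for path in boot_paths(domain_xml):
        if is_allowed_boot_path(path):
            rules.append(f'  "{path}" r,')
        else:
            rejected.append(path)
    return rules, rejected


def audit_profile(profile_text):
    """Return (path, perms) for every rule on a boot-element path that grants anything
    beyond read (r) and lock (k); a 'w' there is regression case b) from the SRU text."""
    findings = []
    for line in profile_text.splitlines():
        match = FILE_RULE.match(line)
        if not match:
            continue
        path, perms = match.group("path"), match.group("perms")
        in_boot_dir = any(path.startswith(prefix) for prefix in ALLOWED_BOOT_DIRS)
        if in_boot_dir and set(perms) - {"r", "k"}:
            findings.append((path, perms))
    return findings


if __name__ == "__main__":
    rules, rejected = generate_rules(SAMPLE_DOMAIN_XML)
    print("\n".join(rules))
    print("rejected:", rejected)
    print("audit findings:", audit_profile(SAMPLE_PROFILE))
```

Run against the sample domain it emits one `r,` rule per boot element; a guest that points `<kernel>` at `/var/tmp/uboot.elf` (the workaround from the original report) gets no rule and the path is listed as rejected, which is the behaviour the fix keeps for anything outside the packaged directories. The audit is the check to run over `/etc/apparmor.d/libvirt/libvirt-<uuid>.files` after the SRU update: any finding means the helper emitted a write rule where only read was intended.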
2022-10-05 07:24:41 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Jammy |
|
2022-10-05 07:24:41 |
Christian Ehrhardt |
bug task added |
|
libvirt (Ubuntu Jammy) |
|
2022-10-05 07:34:45 |
Christian Ehrhardt |
libvirt (Ubuntu Jammy): status |
New |
Triaged |
|
2022-10-05 07:34:50 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
Triaged |
Fix Committed |
|
2022-10-05 07:39:30 |
Christian Ehrhardt |
description |
(previous value: identical to the description recorded in the entry above) |
[ Impact ]
* RISC-V is getting more and more common, but since it still
lacks real (or powerful) HW it is often used in an emulated
environment. So far people usually call qemu directly,
but for the benefit of better lifecycle management and
many comfort features they start to drive it through
libvirt. When doing so, however, they are blocked by the
apparmor guest isolation.
* Fix by allowing virt-aa-helper to consider adding
the paths at which Ubuntu delivers the boot elements
for riscv64. That means only guests configured
for it in the XML can access them - and even those
only read-only.
[ Test Plan ]
# apt install -y libvirt-daemon-system qemu-system
# wget https://cdimage.ubuntu.com/releases/22.04.1/release/ubuntu-22.04.1-preinstalled-server-riscv64+unmatched.img.xz
# unxz ubuntu-22.04.1-preinstalled-server-riscv64+unmatched.img.xz
# mv ubuntu-22.04.1-preinstalled-server-riscv64+unmatched.img /var/lib/libvirt/images/
# cat << EOF > riscv-guest.xml
<domain type='qemu'>
<name>ubuntu22.10-riscv64</name>
<os>
<type arch='riscv64' machine='virt'>hvm</type>
<kernel>/usr/lib/u-boot/qemu-riscv64_smode/uboot.elf</kernel>
<loader readonly="yes" type="rom">/usr/lib/riscv64-linux-gnu/opensbi/generic/fw_jump.elf</loader>
</os>
<memory unit="GiB">2</memory>
<vcpu placement="static">4</vcpu>
<devices>
<emulator>/usr/bin/qemu-system-riscv64</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='raw' cache='none'/>
<source file='/var/lib/libvirt/images/ubuntu-22.04.1-preinstalled-server-riscv64+unmatched.img'/>
<target dev='sda' bus='scsi'/>
</disk>
<controller type='scsi' model='virtio-scsi'/>
<interface type='network'>
<source network='default'/>
<target dev='vnet0'/>
</interface>
<console type='pty'>
<target type='serial' port='0'/>
</console>
</devices>
</domain>
EOF
# virsh define riscv-guest.xml
# virsh start ubuntu22.10-riscv64
error: Failed to start domain 'ubuntu22.10-riscv64'
error: internal error: cannot load AppArmor profile 'libvirt-e4089ffc-671d-4d28-9fa5-d0d52dc2d67f'
And in the journal I pick up the mentioned error:
internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -c -u libvirt-e4089ffc-671d-4d28-9fa5-d0d52dc2d67f) unexpected exit status 1: virt-aa-helper: error: /usr/lib/u-boot/qemu-riscv64_smode/uboot.elf
virt-aa-helper: error: skipped restricted file
virt-aa-helper: error: invalid VM definition
internal error: cannot load AppArmor profile 'libvirt-e4089ffc-671d-4d28-9fa5-d0d52dc2d67f'
With the fix in place virt-aa-helper will no longer spill those messages to the log and will create a per-guest file that allows access to those files.
[ Where problems could occur ]
* This is not reducing, but allowing more access and therefore
has a much smaller regression risk than vice versa. To be on the
safe side (as with other roms and such) we only add this to
the guest rules when configured on the host and never with a
write rule. Together that is considered safe.
* So much for safety; on the functional side, if we messed up
virt-aa-helper the potential regressions would be:
a) breaks when executed -> no apparmor rules, breaking guest start
b) runs, but emits odd rules -> guest could access more
Fortunately the change is rather small and both risks are considered
highly unlikely, but in any case that is how the potential risk would
most likely surface.
[ Other Info ]
@SRU team - 1989078 (just entered J-proposed) and 1990499 (this upload) could land together in Jammy if you want. It is just that 1989078 was delayed for quite some time waiting in -unapproved, but I'm more than happy to re-generate 8.0.0-1ubuntu7.3 with -V 8.0.0-1ubuntu7.1 - in that case we could have ONE (1) update released to users.
Avoids one extra download for many people.
And they are even thematically close (apparmor handling for less common architectures)
Ping me (paelzer) if you prefer to do it this way.
---- original report ----
I am trying to adapt the guide to booting the riscv64 QEMU image from https://wiki.ubuntu.com/RISC-V to work with libvirt, but I'm running into an AppArmor issue:
Sep 22 11:07:06 Isaac-Laptop libvirtd[6243]: internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -r -u libvirt-86ff0d62-f2fc-4f21-b84a-dc8c3e8097ff) unexpected exit status 1: 2022-09-22 09:07:06.069+0000: 3456675: info : libvirt version: 8.0.0, package: 1ubuntu7.1 (Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 19 May 2022 08:14:48 +0200)#0122022-09-22 09:07:06.069+0000: 3456675: info : hostname: Isaac-Laptop#0122022-09-22 09:07:06.069+0000: 3456675: error : virStorageFileBackendFileRead:109 : Failed to open file '/dev/zvol/rpool/vm/ubuntu-22.04-riscv64': Permission denied#012virt-aa-helper: error: /usr/lib/u-boot/qemu-riscv64_smode/uboot.elf#012virt-aa-helper: error: skipped restricted file#012virt-aa-helper: error: invalid VM definition
This seems to be caused by the U-Boot path not being permitted by AppArmor to be used by libvirt.
I'm using the following XML snippet for setting the loader and kernel (adapted from the QEMU instructions):
<os>
  <type arch="riscv64" machine="virt">hvm</type>
  <loader readonly="yes" type="rom">/usr/lib/riscv64-linux-gnu/opensbi/generic/fw_jump.elf</loader>
  <kernel>/usr/lib/u-boot/qemu-riscv64_smode/uboot.elf</kernel>
</os>
Moving the U-Boot binary to /var/tmp/uboot.elf resolves this issue, but libvirt then generates another AppArmor error due to the fw_jump.elf file:
Sep 22 11:12:09 Isaac-Laptop libvirtd[6243]: internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -r -u libvirt-86ff0d62-f2fc-4f21-b84a-dc8c3e8097ff) unexpected exit status 1: 2022-09-22 09:12:09.664+0000: 3461255: info : libvirt version: 8.0.0, package: 1ubuntu7.1 (Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 19 May 2022 08:14:48 +0200)#0122022-09-22 09:12:09.664+0000: 3461255: info : hostname: Isaac-Laptop#0122022-09-22 09:12:09.664+0000: 3461255: error : virStorageFileBackendFileRead:109 : Failed to open file '/dev/zvol/rpool/vm/ubuntu-22.04-riscv64': Permission denied#012virt-aa-helper: error: /usr/lib/riscv64-linux-gnu/opensbi/generic/fw_jump.elf#012virt-aa-helper: error: skipped restricted file#012virt-aa-helper: error: invalid VM definition
Moving this to /var/tmp/fw_jump.elf also resolves this issue and allows the VM to boot.
Should these two file paths be added to the AppArmor rules? Maybe the equivalent paths for all architectures should be added?
---
$ lsb_release -rd
Description: Ubuntu 22.04.1 LTS
Release: 22.04
$ apt policy libvirt0
libvirt0:
Installed: 8.0.0-1ubuntu7.1
Candidate: 8.0.0-1ubuntu7.1
Version table:
*** 8.0.0-1ubuntu7.1 500
500 http://de.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
100 /var/lib/dpkg/status
8.0.0-1ubuntu7 500
500 http://de.archive.ubuntu.com/ubuntu jammy/main amd64 Packages |
|
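The description above explains the shape of the fix: the boot artefacts named in the guest's `<os>` element (U-Boot's uboot.elf, OpenSBI's fw_jump.elf) end up in the per-guest AppArmor file with a read rule only, never a write rule, while the disk image keeps the access the guest actually needs. The following is an added example, not virt-aa-helper's own code and not part of the bug report: it parses a domain XML like the one in the test case and derives that least-privilege rule set, then checks that no firmware path was granted write access. The `"path" perms,` line format is assumed to follow the per-guest rule-file style; the function names, the `FIRMWARE_TAGS` selection and the second, read-only `seed.iso` disk in the sample are constructed for illustration.

```python
"""Derive least-privilege AppArmor file rules from a libvirt domain XML.

Added example; not virt-aa-helper's code.  Helper names are hypothetical
and the rule line format ("path" perms,) is assumed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the riscv64 guest from the bug report, trimmed, plus
# a constructed read-only cdrom so both disk permission cases are covered.
SAMPLE_DOMAIN_XML = """<domain type='qemu'>
  <name>ubuntu22.10-riscv64</name>
  <os>
    <type arch='riscv64' machine='virt'>hvm</type>
    <kernel>/usr/lib/u-boot/qemu-riscv64_smode/uboot.elf</kernel>
    <loader readonly="yes" type="rom">/usr/lib/riscv64-linux-gnu/opensbi/generic/fw_jump.elf</loader>
  </os>
  <devices>
    <emulator>/usr/bin/qemu-system-riscv64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/ubuntu-22.04.1-preinstalled-server-riscv64+unmatched.img'/>
      <target dev='sda' bus='scsi'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/seed.iso'/>
      <target dev='sdb' bus='scsi'/>
      <readonly/>
    </disk>
  </devices>
</domain>
"""

# <os> children naming boot artefacts the guest only ever needs to read
# (hypothetical selection for this example).
FIRMWARE_TAGS = ("kernel", "initrd", "loader", "nvram")


def firmware_paths(domain_xml):
    """Return the boot-artefact paths named under <os>, in FIRMWARE_TAGS order."""
    root = ET.fromstring(domain_xml)
    os_node = root.find("os")
    if os_node is None:
        return []
    paths = []
    for tag in FIRMWARE_TAGS:
        for node in os_node.findall(tag):
            if node.text and node.text.strip():
                paths.append(node.text.strip())
    return paths


def disk_sources(domain_xml):
    """Return (path, readonly) for every file-backed <disk> in document order."""
    root = ET.fromstring(domain_xml)
    out = []
    for disk in root.findall("./devices/disk[@type='file']"):
        src = disk.find("source")
        if src is None or not src.get("file"):
            continue
        out.append((src.get("file"), disk.find("readonly") is not None))
    return out


def rule_table(domain_xml):
    """(path, perms) pairs: firmware gets 'r' only; disks 'rk' or 'rwk'."""
    table = [(path, "r") for path in firmware_paths(domain_xml)]
    for path, readonly in disk_sources(domain_xml):
        # 'k' covers the file locking QEMU takes on image files.
        table.append((path, "rk" if readonly else "rwk"))
    return table


def apparmor_rules(domain_xml):
    """Render the rule table as AppArmor file-rule lines."""
    return [f'  "{path}" {perms},' for path, perms in rule_table(domain_xml)]


def firmware_has_write_rule(domain_xml):
    """Safety check: True if any firmware path was granted 'w'."""
    firmware = set(firmware_paths(domain_xml))
    return any(path in firmware and "w" in perms
               for path, perms in rule_table(domain_xml))


if __name__ == "__main__":
    print("\n".join(apparmor_rules(SAMPLE_DOMAIN_XML)))
    print("firmware write rule present:", firmware_has_write_rule(SAMPLE_DOMAIN_XML))
```

Run as a script it prints the four rule lines for the sample guest; the check function is what a test suite around such a generator would assert on after every change, since "runs, but emits odd rules" is exactly the regression mode the description calls out.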
2022-10-08 09:39:20 |
Launchpad Janitor |
libvirt (Ubuntu): status |
Fix Committed |
Fix Released |
|
2022-10-17 13:33:36 |
Timo Aaltonen |
libvirt (Ubuntu Jammy): status |
Triaged |
Fix Committed |
|
2022-10-17 13:33:37 |
Timo Aaltonen |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2022-10-17 13:33:38 |
Timo Aaltonen |
bug |
|
|
added subscriber SRU Verification |
2022-10-17 13:33:41 |
Timo Aaltonen |
tags |
|
verification-needed verification-needed-jammy |
|
2022-10-17 16:16:43 |
Christian Ehrhardt |
tags |
verification-needed verification-needed-jammy |
verification-done verification-done-jammy |
|
2022-10-25 08:18:34 |
Launchpad Janitor |
libvirt (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2022-10-25 08:18:40 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|