2014-04-14 19:49:50 | Serge Hallyn | description |
I couldn't boot any guest VMs with virsh until I modified /etc/apparmor.d/abstractions/libvirt-qemu:
jad@kvmhost:~$ sudo bzr diff /etc/apparmor.d/
=== modified file 'apparmor.d/abstractions/libvirt-qemu'
--- apparmor.d/abstractions/libvirt-qemu 2010-04-30 15:33:20 +0000
+++ apparmor.d/abstractions/libvirt-qemu 2010-05-12 17:26:56 +0000
@@ -8,6 +8,8 @@
capability dac_override,
capability dac_read_search,
capability chown,
+ capability setgid,
+ capability setuid,
# this is needed with libcap-ng support, however it breaks a lot of things
# atm, so just silence the denial until libcap-ng works right. LP: #522845
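Review bot: the two rules land in the shared abstraction rather than in a single profile, so every per-guest profile that includes libvirt-qemu gains setuid and setgid; the errors quoted below show the uid/gid drop is what fails under confinement, so that placement is what the fix needs, but a one-line comment next to the rules saying why they are there (as the existing libcap-ng comment does for its case) would keep a later cleanup from removing them.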
... and restarted apparmor and libvirtd.
Without `capability setgid`, the qemu guest log file contained:
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=none /usr/bin/kvm -S -M pc-0.11 -enable-kvm -m 512 -smp 1 -name dm1 -uuid 79d03a71-3be6-19df-1070-791239480888 -chardev socket,id=monitor,path=/var/lib/libvirt/qemu/dm1.monitor,server,nowait -monitor chardev:monitor -boot c -drive file=/var/vm/dm1/disk0.qcow2,if=ide,index=0,boot=on -drive file=/var/vm/dm1/disk1.qcow2,if=ide,index=1 -net nic,macaddr=52:54:00:bf:75:90,vlan=0,model=virtio,name=virtio.0 -net tap,fd=50,vlan=0,name=tap.0 -serial none -parallel none -usb -vnc 127.0.0.1:0 -vga cirrus
libvir: QEMU error : cannot change to '109' group: Operation not permitted
Without `capability setuid`, the qemu guest log file contained:
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=none /usr/bin/kvm -S -M pc-0.11 -enable-kvm -m 512 -smp 1 -name dm1 -uuid 79d03a71-3be6-19df-1070-791239480888 -chardev socket,id=monitor,path=/var/lib/libvirt/qemu/dm1.monitor,server,nowait -monitor chardev:monitor -boot c -drive file=/var/vm/dm1/disk0.qcow2,if=ide,index=0,boot=on -drive file=/var/vm/dm1/disk1.qcow2,if=ide,index=1 -net nic,macaddr=52:54:00:bf:75:90,vlan=0,model=virtio,name=virtio.0 -net tap,fd=50,vlan=0,name=tap.0 -serial none -parallel none -usb -vnc 127.0.0.1:0 -vga cirrus
libvir: QEMU error : cannot change to '104' user: Operation not permitted
I don't really know if these changes were the right thing to do, but they did allow me to boot the VMs with virsh.
jad@kvmhost:~$ lsb_release -rd
Description: Ubuntu 10.04 LTS
Release: 10.04
jad@kvmhost:~$ apt-cache policy libvirt-bin kvm qemu-kvm
libvirt-bin:
Installed: 0.7.5-5ubuntu27
Candidate: 0.7.5-5ubuntu27
Version table:
*** 0.7.5-5ubuntu27 0
500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
100 /var/lib/dpkg/status
kvm:
Installed: 1:84+dfsg-0ubuntu16+0.12.3+noroms+0ubuntu9
Candidate: 1:84+dfsg-0ubuntu16+0.12.3+noroms+0ubuntu9
Version table:
*** 1:84+dfsg-0ubuntu16+0.12.3+noroms+0ubuntu9 0
500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
100 /var/lib/dpkg/status
qemu-kvm:
Installed: 0.12.3+noroms-0ubuntu9
Candidate: 0.12.3+noroms-0ubuntu9
Version table:
*** 0.12.3+noroms-0ubuntu9 0
500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
100 /var/lib/dpkg/status |
IMPACT: libvir cannot setuid to run VMs as non-root
REGRESSION POTENTIAL: there should be none; we are only allowing libvirt to setuid and setgid, not changing any code
TEST CASE:
I couldn't boot any guest VMs with virsh until I modified /etc/apparmor.d/abstractions/libvirt-qemu:
jad@kvmhost:~$ sudo bzr diff /etc/apparmor.d/
=== modified file 'apparmor.d/abstractions/libvirt-qemu'
--- apparmor.d/abstractions/libvirt-qemu 2010-04-30 15:33:20 +0000
+++ apparmor.d/abstractions/libvirt-qemu 2010-05-12 17:26:56 +0000
@@ -8,6 +8,8 @@
capability dac_override,
capability dac_read_search,
capability chown,
+ capability setgid,
+ capability setuid,
# this is needed with libcap-ng support, however it breaks a lot of things
# atm, so just silence the denial until libcap-ng works right. LP: #522845
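Review bot: this copy of the hunk is the reporter's hand edit of /etc/apparmor.d (a bzr diff of the etc tree), so as a TEST CASE it should also say which package ships the corrected abstraction and what the pass condition is: after installing it and restarting apparmor and libvirtd, the guest starts and the guest log no longer contains the "cannot change to ... group/user: Operation not permitted" lines quoted below.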
... and restarted apparmor and libvirtd.
Without `capability setgid`, the qemu guest log file contained:
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=none /usr/bin/kvm -S -M pc-0.11 -enable-kvm -m 512 -smp 1 -name dm1 -uuid 79d03a71-3be6-19df-1070-791239480888 -chardev socket,id=monitor,path=/var/lib/libvirt/qemu/dm1.monitor,server,nowait -monitor chardev:monitor -boot c -drive file=/var/vm/dm1/disk0.qcow2,if=ide,index=0,boot=on -drive file=/var/vm/dm1/disk1.qcow2,if=ide,index=1 -net nic,macaddr=52:54:00:bf:75:90,vlan=0,model=virtio,name=virtio.0 -net tap,fd=50,vlan=0,name=tap.0 -serial none -parallel none -usb -vnc 127.0.0.1:0 -vga cirrus
libvir: QEMU error : cannot change to '109' group: Operation not permitted
Without `capability setuid`, the qemu guest log file contained:
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=none /usr/bin/kvm -S -M pc-0.11 -enable-kvm -m 512 -smp 1 -name dm1 -uuid 79d03a71-3be6-19df-1070-791239480888 -chardev socket,id=monitor,path=/var/lib/libvirt/qemu/dm1.monitor,server,nowait -monitor chardev:monitor -boot c -drive file=/var/vm/dm1/disk0.qcow2,if=ide,index=0,boot=on -drive file=/var/vm/dm1/disk1.qcow2,if=ide,index=1 -net nic,macaddr=52:54:00:bf:75:90,vlan=0,model=virtio,name=virtio.0 -net tap,fd=50,vlan=0,name=tap.0 -serial none -parallel none -usb -vnc 127.0.0.1:0 -vga cirrus
libvir: QEMU error : cannot change to '104' user: Operation not permitted
I don't really know if these changes were the right thing to do, but they did allow me to boot the VMs with virsh.
jad@kvmhost:~$ lsb_release -rd
Description: Ubuntu 10.04 LTS
Release: 10.04
jad@kvmhost:~$ apt-cache policy libvirt-bin kvm qemu-kvm
libvirt-bin:
Installed: 0.7.5-5ubuntu27
Candidate: 0.7.5-5ubuntu27
Version table:
*** 0.7.5-5ubuntu27 0
500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
100 /var/lib/dpkg/status
kvm:
Installed: 1:84+dfsg-0ubuntu16+0.12.3+noroms+0ubuntu9
Candidate: 1:84+dfsg-0ubuntu16+0.12.3+noroms+0ubuntu9
Version table:
*** 1:84+dfsg-0ubuntu16+0.12.3+noroms+0ubuntu9 0
500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
100 /var/lib/dpkg/status
qemu-kvm:
Installed: 0.12.3+noroms-0ubuntu9
Candidate: 0.12.3+noroms-0ubuntu9
Version table:
*** 0.12.3+noroms-0ubuntu9 0
500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
100 /var/lib/dpkg/status |
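The diagnosis in this report (a libvirt privilege drop failing because the AppArmor abstraction grants no setgid/setuid capability) can be checked mechanically. The following is an added example, not code from the bug or from libvirt or AppArmor: it reads capability rules out of a profile fragment, maps the "cannot change to ... group/user" errors in a guest log to the capability each needs, and lists the rules that are missing. The abstraction fragment and the log lines are constructed samples.

```python
import re

# Constructed sample (not the reporter's file): an AppArmor abstraction fragment
# before and after the two capability rules from the bug are added.
ABSTRACTION_BEFORE = """\
  capability dac_override,
  capability dac_read_search,
  capability chown,
  # a comment mentioning capability setuid, must not count as a rule
  deny capability net_admin,
"""
ABSTRACTION_AFTER = ABSTRACTION_BEFORE.replace(
    "  capability chown,\n",
    "  capability chown,\n  capability setgid,\n  capability setuid,\n")

# Constructed guest log: the two error lines the bug quotes, one per failed run.
GUEST_LOG = """\
libvir: QEMU error : cannot change to '109' group: Operation not permitted
libvir: QEMU error : cannot change to '104' user: Operation not permitted
"""

# A capability rule: optional 'audit'/'deny' qualifiers, the keyword, an optional
# capability name and the trailing comma.  A bare 'capability,' grants them all.
CAP_RULE = re.compile(r"^\s*(?:audit\s+)?(deny\s+)?capability(?:\s+([a-z_]+))?\s*,")
# libvirt's message when its uid/gid drop fails, as seen in the guest log.
CHANGE_ERR = re.compile(r"cannot change to '(\d+)' (group|user): Operation not permitted")

def granted_capabilities(profile_text):
    """Capability names a profile fragment allows (deny rules are excluded)."""
    granted = set()
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0]          # drop comments before matching
        m = CAP_RULE.match(line)
        if not m or m.group(1):              # no rule on this line, or a deny rule
            continue
        granted.add(m.group(2) or "ALL")     # bare 'capability,' means everything
    return granted

def required_capabilities(log_text):
    """Map each failed id change in the log to the capability the syscall needs."""
    needed = {}
    for m in CHANGE_ERR.finditer(log_text):
        needed["setgid" if m.group(2) == "group" else "setuid"] = m.group(1)
    return needed

def missing_rules(profile_text, log_text):
    """Capability rules the log shows are needed but the profile does not grant."""
    granted = granted_capabilities(profile_text)
    if "ALL" in granted:
        return []
    return ["capability %s," % cap
            for cap in sorted(required_capabilities(log_text)) if cap not in granted]

if __name__ == "__main__":
    print("missing before:", missing_rules(ABSTRACTION_BEFORE, GUEST_LOG))
    print("missing after: ", missing_rules(ABSTRACTION_AFTER, GUEST_LOG))
```

On a real host, pass the text of the abstraction and of /var/log/libvirt/qemu/<guest>.log to `missing_rules`; an empty list means the profile already grants what the logged failures needed.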