apparmor=DENIED operation=open parent=3343 profile=/usr/lib/libvirt/virt-aa-helper

Bug #637544 reported by C de-Avillez
Affects: libvirt (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Jamie Strandboge
Milestone: (none)

Bug Description

Running on daily ISO 20100913, with Eucalyptus 2.0+brz1239-0ubuntu2. All instances fail to start, and I see this message all around.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: libvirt-bin 0.8.3-1ubuntu9
ProcVersionSignature: Ubuntu 2.6.35-20.29-server 2.6.35.4
Uname: Linux 2.6.35-20-server x86_64
Architecture: amd64
Date: Mon Sep 13 16:07:22 2010
ProcEnviron:
 LC_TIME=en_DK.utf8
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: libvirt

Jamie Strandboge (jdstrand) wrote :

Here is an example message:
Sep 13 15:57:29 marula kernel: [ 7535.484814] type=1400 audit(1284407849.038:878): apparmor="DENIED" operation="open" parent=3346 profile="/usr/lib/libvirt/virt-aa-helper" name="/var/lib/eucalyptus/instances/admin/i-35280636/loader" pid=29440 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=105

We currently only allow the following in /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper:
  /var/lib/eucalyptus/instances/**/disk* r,

What is /var/lib/eucalyptus/instances/admin/i-35280636/loader? Can you also attach the domain XML for an instance that fails to start?

Changed in libvirt (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Critical
status: New → Incomplete
importance: Critical → High
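As an added illustration (not part of the bug report or of libvirt's own code): replaying the DENIED record above against the single virt-aa-helper rule shows why `loader` is rejected while `disk` is not. The second rule is a constructed candidate for comparison, not the rule actually shipped in the fix, which the report does not quote.

```python
import re
# Constructed sample: the audit record quoted above, without the syslog prefix.
SAMPLE_DENIAL = (
    'type=1400 audit(1284407849.038:878): apparmor="DENIED" operation="open" '
    'parent=3346 profile="/usr/lib/libvirt/virt-aa-helper" '
    'name="/var/lib/eucalyptus/instances/admin/i-35280636/loader" pid=29440 '
    'comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=105'
)
# Rule quoted from the virt-aa-helper profile, plus an assumed candidate addition
# (the report does not quote the rule shipped in 0.8.3-1ubuntu10).
CURRENT_RULES = "  /var/lib/eucalyptus/instances/**/disk* r,\n"
CANDIDATE_RULES = CURRENT_RULES + "  /var/lib/eucalyptus/instances/**/loader r,\n"
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_RULE = re.compile(r'^\s*"?([^"\s]+)"?\s+([a-zA-Z]+)\s*,\s*$')

def parse_audit_line(line):
    """Split an AppArmor audit record into its key=value fields (quotes stripped)."""
    return {k: q or u for k, q, u in _KV.findall(line)}

def aa_glob_to_regex(glob):
    """AppArmor globbing: '**' crosses '/', '*' and '?' do not, '{a,b}' alternates."""
    out, depth, i = '', 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith('**', i):
            out, i = out + '.*', i + 2
            continue
        if c in '*?':
            out += '[^/]*' if c == '*' else '[^/]'
        elif c == '{':
            out, depth = out + '(?:', depth + 1
        elif c == '}' and depth:
            out, depth = out + ')', depth - 1
        elif c == ',' and depth:
            out += '|'
        else:
            out += re.escape(c)
        i += 1
    return re.compile('^' + out + '$')

def parse_rules(profile_text):
    """Return (compiled glob, permission set) for each file rule in a profile fragment."""
    return [(aa_glob_to_regex(m.group(1)), set(m.group(2)))
            for m in map(_RULE.match, profile_text.splitlines()) if m]

def check(rules_text, line=SAMPLE_DENIAL):
    """Replay one audit record against a profile fragment: True means still denied."""
    ev = parse_audit_line(line)
    granted = set().union(*(p for rx, p in parse_rules(rules_text) if rx.match(ev['name'])))
    return not set(ev['requested_mask']) <= granted
```

`check(CURRENT_RULES)` is True for the `loader` path and False for a `disk` path under the same directory, since `*` does not cross a `/` while `**` does.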
C de-Avillez (hggdh2) wrote :

Sorry, Jamie, should have really read the messages... should have seen it.

loader is a new option, implemented by Scott Moser, to allow arbitrary kernels to load. I will grab the XML.

C de-Avillez (hggdh2) wrote :

Ugh!

I am in the middle of a new install, so it will be a while... If it helps any, here's the aa-helper-generated .files (when I set aa-helper to COMPLAIN mode):

#
# This profile is for the domain whose UUID matches this file.
#

#include <tunables/global>

/etc/apparmor.d/libvirt/libvirt-ff58f570-9915-eaa8-4fa6-3cba2a827850:

profile libvirt-ff58f570-9915-eaa8-4fa6-3cba2a827850 {
  #include <abstractions/libvirt-qemu>
  #include <libvirt/libvirt-ff58f570-9915-eaa8-4fa6-3cba2a827850.files>

}

/etc/apparmor.d/libvirt/libvirt-ff58f570-9915-eaa8-4fa6-3cba2a827850.files:

# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/i-3F170794.log" w,
  "/var/lib/libvirt/**/i-3F170794.monitor" rw,
  "/var/run/libvirt/**/i-3F170794.pid" rwk,
  "/var/lib/eucalyptus/instances/admin/i-3F170794/loader" rw,
  "/var/lib/eucalyptus/instances/admin/i-3F170794/disk" rw,
  "/var/lib/eucalyptus/instances/admin/i-3F170794/console.log" rw,

Changed in libvirt (Ubuntu):
status: Incomplete → New
Jamie Strandboge (jdstrand) wrote :

A failure of virt-aa-helper to access a file is not necessarily fatal, as can be seen from /etc/apparmor.d/libvirt/libvirt-ff58f570-9915-eaa8-4fa6-3cba2a827850.files -- it added it to the profile just fine. While this certainly needs to be fixed in the AppArmor profile (to avoid confusion), the failure to start is something else. I've examined the kern.log and I don't see any AppArmor denials that would cause the guest to not start.

Changed in libvirt (Ubuntu):
importance: High → Low
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

Based on the title of this bug, I am going to triage the virt-aa-helper denial bug as Low and if you find what is causing eucalyptus to fail to start the VMs, a new bug should perhaps be filed.

Dave Walker (davewalker) wrote :

In regards to this potentially causing eucalyptus to fail, I was not able to reproduce this.

Jamie Strandboge (jdstrand) wrote :

0.8.3-1ubuntu10 uploaded to fix this.

Changed in libvirt (Ubuntu):
status: Triaged → Fix Released