Error generating apparmor profile when hostname contains spaces

Bug #799997 reported by Qiao Liyong on 2011-06-21
This bug affects 20 people
Affects Status Importance Assigned to Milestone
libvirt (Ubuntu)
Medium
Unassigned

Bug Description

1. Host OS:
lsb_release -rd
Description: Ubuntu 10.10
Release: 10.10

Linux qiaoliyong-ThinkPad-T410 2.6.35-28-generic-pae #50-Ubuntu SMP Fri Mar 18 20:43:15 UTC 2011 i686 GNU/Linu

2. Version of package:
~$ virsh --version
0.9.0
~$ kvm --version
QEMU PC emulator version 0.12.5 (qemu-kvm-0.12.5), Copyright (c) 2003-2008 Fabrice Bellard

3. When starting a VM, it appears:
internal error cannot generate AppArmor profile 'libvirt-abe9380c-eab7-fe6f-1b49-21a511bdd129'

Qiao Liyong (qiaoly) wrote :

Error starting domain: internal error cannot generate AppArmor profile 'libvirt-abe9380c-eab7-fe6f-1b49-21a511bdd129'

Traceback (most recent call last):
  File "/usr/local/share/virt-manager/virtManager/asyncjob.py", line 45, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/local/share/virt-manager/virtManager/engine.py", line 959, in asyncfunc
    vm.startup()
  File "/usr/local/share/virt-manager/virtManager/domain.py", line 1114, in startup
    self._backend.create()
  File "/usr/lib/python2.6/dist-packages/libvirt.py", line 362, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: internal error cannot generate AppArmor profile 'libvirt-abe9380c-eab7-fe6f-1b49-21a511bdd129'

Qiao Liyong (qiaoly) wrote :

When creating a VM, it also appears:
'internal error cannot generate AppArmor profile 'libvirt-aa1e3827-e4d3-044e-21e3-f25660ad1d93''
Traceback (most recent call last):
  File "/usr/local/share/virt-manager/virtManager/asyncjob.py", line 45, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/local/share/virt-manager/virtManager/create.py", line 1643, in do_install
    guest.start_install(False, meter=meter)
  File "/usr/local/lib/python2.6/dist-packages/virtinst/Guest.py", line 1186, in start_install
    start_xml, final_xml, is_initial)
  File "/usr/local/lib/python2.6/dist-packages/virtinst/Guest.py", line 1245, in _create_guest
    dom = self.conn.createLinux(start_xml or final_xml, 0)
  File "/usr/lib/python2.6/dist-packages/libvirt.py", line 1446, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirtError: internal error cannot generate AppArmor profile 'libvirt-aa1e3827-e4d3-044e-21e3-f25660ad1d93'

Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and reporting a bug. Unfortunately, the version of libvirt you are using is not a supported version and therefore I am marking this bug as Invalid. If you can reproduce this in a supported version of libvirt, please feel free to reopen, giving detailed instructions on how to reproduce the bug.

If you are going to go this route, I recommend removing any unofficial PPAs from your apt sources, then performing:
$ sudo apt-get update
$ sudo apt-get remove --purge libvirt0
$ sudo apt-get install libvirt-bin

(the supported version of libvirt on Ubuntu 10.10 is currently 0.8.3-1ubuntu18). Please note that performing the above will remove existing VM definitions as well as any changes to your libvirt configuration in /etc (which was the intent-- to start with a clean slate).

Changed in libvirt (Ubuntu):
status: New → Invalid
Mikkel Høgh (mikl) wrote :

I have the same issue with libvirt 0.9.8-2ubuntu1 on Precise. It is the version that ships with Precise, so no custom versions here.

Changed in libvirt (Ubuntu):
status: Invalid → Confirmed
Mikkel Høgh (mikl) wrote :

error: Failed to start domain pinova.example.com
error: internal error cannot load AppArmor profile 'libvirt-1337abc-54b2-fd6f-19f5-6862588b195d

Serge Hallyn (serge-hallyn) wrote :

@Mikkel,

if you are still having this problem, please run 'apport-collect 799997' to have apport post debug info to this bug.

In the future please file a new bug rather than re-opening an invalid bug as we are more likely to see that.

Changed in libvirt (Ubuntu):
status: Confirmed → Incomplete
importance: Undecided → High
Ursula Junque (ursinha) wrote :

I'm running Quantal, just removed/purged libvirt0 and installed that again. I'm still not able to run or create any other virtual machines using virt-manager, as this error message appears.

tags: added: apport-collected quantal running-unity

ApportVersion: 2.5.2-0ubuntu4
Architecture: amd64
DistroRelease: Ubuntu 12.10
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
KernLog:

Package: libvirt (not installed)
ProcCmdline: BOOT_IMAGE=/boot/vmlinuz-3.5.0-15-generic root=UUID=f73be8c5-7df6-4ea1-8114-489b7ecd2fc3 ro crashkernel=384M-2G:64M,2G-:128M drm.debug=0xe plymouth:debug
ProcVersionSignature: Ubuntu 3.5.0-15.20-generic 3.5.4
Tags: quantal running-unity
Uname: Linux 3.5.0-15-generic x86_64
UpgradeStatus: Upgraded to quantal on 2012-09-08 (11 days ago)
UserGroups: adm admin cdrom dialout libvirtd lp lpadmin plugdev sambashare


Changed in libvirt (Ubuntu):
status: Incomplete → New
Ursula Junque (ursinha) wrote :

Hi Serge, sure:

14:59:48 ursula@marvin: ~ $ dpkg -l | grep libvirt
ii libvirt-bin 0.9.13-0ubuntu10 amd64 programs for the libvirt library
ii libvirt0 0.9.13-0ubuntu10 amd64 library for interfacing with different virtualization systems
ii libvirtodbc0 6.1.6+repack-0ubuntu1 amd64 high-performance database - ODBC libraries
ii python-libvirt 0.9.13-0ubuntu10 amd64 libvirt Python bindings

Let me know if I can provide any other information.

Serge Hallyn (serge-hallyn) wrote :

Thanks, Ursula - that gives me an idea, I will test.

Serge Hallyn (serge-hallyn) wrote :

@Ursula,

hm, unable to reproduce this still.

Can you please show the contents of /etc/apparmor.d/libvirt and the result of

sudo grep -Hi uuid /etc/libvirt/qemu/*.xml

Changed in libvirt (Ubuntu):
status: New → Incomplete
Ursula Junque (ursinha) wrote :

Here it is:

16:12:57 ursula@marvin: ~ $ ls -l /etc/apparmor.d/libvirt
total 4
-rw-r--r-- 1 root root 164 Sep 14 13:24 TEMPLATE

16:13:06 ursula@marvin: ~ $ sudo grep -Hi uuid /etc/libvirt/qemu/*.xml
/etc/libvirt/qemu/windows3.xml: <uuid>e7921c81-2628-ec0b-a425-28f455ec9e77</uuid>

Changed in libvirt (Ubuntu):
status: Incomplete → New
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libvirt (Ubuntu):
status: New → Confirmed

Quoting Ursula Junque (<email address hidden>):
> Here it is:
>
> 16:12:57 ursula@marvin: ~ $ ls -l /etc/apparmor.d/libvirt
> total 4
> -rw-r--r-- 1 root root 164 Sep 14 13:24 TEMPLATE
>
> 16:13:06 ursula@marvin: ~ $ sudo grep -Hi uuid /etc/libvirt/qemu/*.xml
> /etc/libvirt/qemu/windows3.xml: <uuid>e7921c81-2628-ec0b-a425-28f455ec9e77</uuid>

So that vm won't start because it doesn't have an apparmor profile. I'm
not convinced that the purge of libvirt0 deleted the profile, because I
can't get purge to do that.

Can you now try and create a new (ubuntu server, or whatever) VM with
virt-manager, and show (a) the exact error output and (b) the output
of the same questions as above while the error message is up?

thanks!

Hi Serge,

I tried to create a new Windows VM yesterday and today, and the error is the same, BUT when trying to create an Ubuntu VM, it worked!

Unable to complete install: 'internal error cannot load AppArmor profile 'libvirt-23860d44-d9ef-3528-7f65-609bbb727707''

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 96, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/create.py", line 1943, in do_install
    guest.start_install(False, meter=meter)
  File "/usr/lib/python2.7/dist-packages/virtinst/Guest.py", line 1246, in start_install
    noboot)
  File "/usr/lib/python2.7/dist-packages/virtinst/Guest.py", line 1314, in _create_guest
    dom = self.conn.createLinux(start_xml or final_xml, 0)
  File "/usr/lib/python2.7/dist-packages/libvirt.py", line 2501, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirtError: internal error cannot load AppArmor profile 'libvirt-23860d44-d9ef-3528-7f65-609bbb727707'

What's the issue then? Should the package, when purged, have deleted that file?

Serge Hallyn (serge-hallyn) wrote :

Ursula,

After trying to create the new windows vm, can you please show the contents of /etc/apparmor.d/libvirt and the result of

    sudo grep -Hi uuid /etc/libvirt/qemu/*.xml

Serge Hallyn (serge-hallyn) wrote :

The package should not have deleted that file, and neither precise nor quantal have libvirt-bin.postrm doing that, which is why I worry something else may be going on.

Serge Hallyn (serge-hallyn) wrote :

(marking incomplete awaiting answer to comment #19)

Changed in libvirt (Ubuntu):
status: Confirmed → Incomplete
Ursula Junque (ursinha) wrote :

Hi Serge, sorry about the delay. I managed to create another windows virtual machine successfully, after removing the old disk image and creating another one (the removal was accidental, oops :/). So this is what's left:

19:01:47 ursula@marvin: ~ $ ls -l /etc/apparmor.d/libvirt
total 12
-rw-r--r-- 1 root root 265 Sep 21 14:40 libvirt-a990b482-c084-e8fd-03e6-9a004815cbcd
-rw-r--r-- 1 root root 572 Sep 21 14:40 libvirt-a990b482-c084-e8fd-03e6-9a004815cbcd.files
-rw-r--r-- 1 root root 164 Sep 14 13:24 TEMPLATE

18:59:50 ursula@marvin: ~ $ sudo grep -Hi uuid /etc/libvirt/qemu/*.xml
/etc/libvirt/qemu/windows3.xml: <uuid>e7921c81-2628-ec0b-a425-28f455ec9e77</uuid>
/etc/libvirt/qemu/windows-vista.xml: <uuid>5c22fbaf-c160-2146-bd54-9f01967aca28</uuid>

Please, let me know if I can do anything else to help.

Changed in libvirt (Ubuntu):
status: Incomplete → Confirmed

Quoting Ursula Junque (<email address hidden>):
> Hi Serge, sorry about the delay. I managed to create another windows
> virtual machine successfully, after removing the old disk image and

By this do you mean that the windows VM actually runs fine? Or does
it fail to start the same way as the other?

> creating another one (the removal was accidental, oops :/). So this is
> what's left:
>
> 19:01:47 ursula@marvin: ~ $ ls -l /etc/apparmor.d/libvirt
> total 12
> -rw-r--r-- 1 root root 265 Sep 21 14:40 libvirt-a990b482-c084-e8fd-03e6-9a004815cbcd
> -rw-r--r-- 1 root root 572 Sep 21 14:40 libvirt-a990b482-c084-e8fd-03e6-9a004815cbcd.files

Odd, this uuid doesn't match the uuids in the .xml files.

> -rw-r--r-- 1 root root 164 Sep 14 13:24 TEMPLATE
>
>
> 18:59:50 ursula@marvin: ~ $ sudo grep -Hi uuid /etc/libvirt/qemu/*.xml
> /etc/libvirt/qemu/windows3.xml: <uuid>e7921c81-2628-ec0b-a425-28f455ec9e77</uuid>
> /etc/libvirt/qemu/windows-vista.xml: <uuid>5c22fbaf-c160-2146-bd54-9f01967aca28</uuid>
>
> Please, let me know if I can do anything else to help.

Are the virt-manager client and the libvirt server running the same
release?

> By this do you mean that the windows VM actually runs fine? Or does
> it fail to start the same way as the other?

Yes, sorry, I mean it now runs fine, I got no more of that error after deleting the image and creating it again.

> Are the virt-manager client and the libvirt server running the same
> release?

I'm not sure if I got the question, I can say I installed the packages from Ubuntu repository and just upgraded the machine to quantal.

This is happening to me on precise. I try to create a virtual machine in virt-manager, customize the configuration, click Begin Installation, then the error pops up:

Unable to complete install: 'internal error cannot load AppArmor profile 'libvirt-f0986b73-5557-62bb-1f46-261d044dec4e''

where that uuid is not in /etc/apparmor.d/libvirt/. I tried creating the libvirt-*{,.files} in that directory, but the vm creation appears to generate a new uuid each time.

Unable to complete install: 'internal error cannot load AppArmor profile 'libvirt-f0986b73-5557-62bb-1f46-261d044dec4e''

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 45, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/create.py", line 1909, in do_install
    guest.start_install(False, meter=meter)
  File "/usr/lib/python2.7/dist-packages/virtinst/Guest.py", line 1236, in start_install
    noboot)
  File "/usr/lib/python2.7/dist-packages/virtinst/Guest.py", line 1304, in _create_guest
    dom = self.conn.createLinux(start_xml or final_xml, 0)
  File "/usr/lib/python2.7/dist-packages/libvirt.py", line 2166, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirtError: internal error cannot load AppArmor profile 'libvirt-f0986b73-5557-62bb-1f46-261d044dec4e'

I had to run "adduser libvirt-qemu libvirtd" to get past this.

Serge Hallyn (serge-hallyn) wrote :

@Ryan,

thanks for the info. The adduser libvirt-qemu libvirtd should however be spurious. libvirt-qemu is never placed in group libvirtd, /etc/apparmor.d/libvirt is owned by root:root, and libvirt-qemu is only used to run the actual kvm command, not to set up the domains.

Has anyone had this happen without using virt-manager?

Michael Cook (michaelcook-mjc) wrote :

FWIW I ran into this error when I changed a KVM guest name from "kvm-4.0" to "kvm-4.0 (new)" in the xml file and performed a virsh define. The naming convention is enforced in Virt Manager (no brackets or special symbols). There seems to be no checking on virsh define from the cmd line. There seems to be some dependency (at least with apparmor) on name format.

I returned the name of the machine back to the original "kvm-4.0" and it runs fine. I then tried another name, "kvm-4.0 test". This failed. I then tried "kvm-4.0.1"; this worked. I don't have time to try out more variations on machine name but it may help this investigation. (I did not look for or change apparmor profiles; I did try removing and re-adding disk images but this made no difference. I also created a new machine via the Virt Manager UI and this made no difference.)

xuanmingyi (xuanmingyi) wrote :

I also met the error.

I think it may be that the program has no access to create a file in /etc/apparmor.d/libvirt.
I tried `aa-complain libvirtd`, but it didn't work.

I think if you install lxc, then install libvirt, you may meet the error again.

Help!

Dale Amon (amon) wrote :

I have the same issue. I brought up a machine with a de novo install of Quantal server amd64.

I transferred a VM from the old server that is out of service by moving the disk containing it. I made the one edit to the xml of the VM so that the path to its main disk was correct in the new environment.

virsh define xml/hostname.xml

and I got the same problems as discussed. I thought perhaps apparmor did not like my /lib4/vmpool1, which is where the images reside, so I added to /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper

  /lib4/vmpool1/ r,
  /lib4/vmpool1/** r,

but that did nothing either. Something is very wrong. This should have just *worked*, first try, no fiddling.

Dale Amon (amon) wrote :

Note: This is time critical. If I cannot find a solution within the next couple days, I will have to either rip apparmor out by the roots or switch to Debian... a week from now I will be 8000 miles from this machine, so by definition it will be operating properly before then...

Jamie Strandboge (jdstrand) wrote :

Due to the way libvirt handles logging, this error message could be many things and is unfortunately quite generic. For people having this problem, can you post your domain xml for the affected VM and any apparmor denials from /var/log/kern.log?

As a workaround, people don't need to 'rip out apparmor', they can simply disable the apparmor profile for libvirtd (note that apparmor is protecting a lot of different things on a typical system, so it is best to disable just the profile that is having the problem). Eg:
$ sudo aa-disable /etc/apparmor.d/usr.sbin.libvirtd

Then stop and start libvirtd.

Dale Amon (amon) wrote :

# virsh dumpxml myhost..org
<domain type='qemu'>
  <name>myhost.org</name>
  <uuid>6445bf42-7513-985a-7920-9e89a4c42ffe</uuid>
  <memory unit='KiB'>524288</memory>
  <currentMemory unit='KiB'>524288</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='i686' machine='pc-1.0'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/lib4/vmpool1/myhost.org-sda.raw'/>
      <target dev='hda' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='usb' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <interface type='bridge'>
      <mac address='52:54:00:84:3c:4f'/>
      <source bridge='br0'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes'/>
    <video>
      <model type='cirrus' vram='9216' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </memballoon>
  </devices>
</domain>

# grep virt /var/log/kern.log
Dec 29 13:29:28 library kernel: [ 0.000000] Booting paravirtualized kernel on bare hardware
Dec 29 13:29:28 library kernel: [ 8.053331] type=1400 audit(1356787768.805:11): apparmor="STATUS" operation="profile_load" name="/usr/sbin/libvirtd" pid=1428 comm="apparmor_parser"
Dec 29 13:29:28 library kernel: [ 8.060934] type=1400 audit(1356787768.813:12): apparmor="STATUS" operation="profile_load" name="/usr/lib/libvirt/virt-aa-helper" pid=1427 comm="apparmor_parser"
Dec 29 13:31:43 library kernel: [ 0.000000] Booting paravirtualized kernel on bare hardware
Dec 29 13:31:43 library kernel: [ 10.447494] type=1400 audit(1356787903.202:8): apparmor="STATUS" operation="profile_load" name="/usr/lib/libvirt/virt-aa-helper" pid=1266 comm="apparmor_parser"
Dec 29 13:35:02 library kernel: [ 0.000000] Booting paravirtualized kernel on bare hardware
Dec 29 13:35:02 library kernel: [ 7.631940] type=1400 audit(1356788102.439:8): apparmor="STATUS" operation="profile_load" name="/usr/lib/libvirt/virt-aa-helper" pid=1266 comm="apparmor_parser"
Dec 29 13:35:02 library kernel: [ 7.632210] type=1400 audit(1356788102.439:9): apparmor="STATUS" operation="profile_load" name="/usr/sbin/libvirtd" pid=1267 comm="apparmor_parser"

# virsh start mourne.islandone.org
e...

Jamie Strandboge (jdstrand) wrote :

A typical (though unfortunately undocumented (we should really add this to the wiki somewhere)) approach is to do something like the following (see /usr/lib/libvirt/virt-aa-helper -h for more info; -u/--uuid is of the form 'libvirt-<domuuid>'):

If profile does not exist:
export VM=foo ; virsh dumpxml $VM | sudo /usr/lib/libvirt/virt-aa-helper -c -u libvirt-`virsh domuuid $VM`

If profile already does exist:
export VM=foo ; virsh dumpxml $VM | sudo /usr/lib/libvirt/virt-aa-helper -r -u libvirt-`virsh domuuid $VM`

So, I saved your xml to /tmp/xml, then did:
cat /tmp/xml | sudo /usr/lib/libvirt/virt-aa-helper -c -u libvirt-6445bf42-7513-985a-7920-9e89a4c42ffe
virt-aa-helper: warning: path does not exist, skipping file type checks
virt-aa-helper: error: /lib4/vmpool1/myhost.org-sda.raw
virt-aa-helper: error: skipped restricted file
virt-aa-helper: error: invalid VM definition

What is happening is that virt-aa-helper does some safety checks and notices that the disk (a writable file) is in the non-standard directory that starts with /lib, so it skips the file. Because this file is the disk, it fails with 'invalid VM definition'. The bad news is that the restricted file checks are hardcoded in the source code for virt-aa-helper. The good news is that if you move it somewhere else (eg, /srv/vmpool1/myhost.org-sda.raw) it should work fine and you will be able to retain the guest isolation security that the apparmor driver provides (virt-aa-helper is a bit noisy since I don't have the disk present, but that is not an error condition). Eg, making the change to the xml:
$ cat /tmp/xml | sudo /usr/lib/libvirt/virt-aa-helper -c -u libvirt-6445bf42-7513-985a-7920-9e89a4c42ffe
virt-aa-helper: warning: path does not exist, skipping file type checks
2012-12-29 19:30:27.679+0000: 10245: info : libvirt version: 0.9.13
2012-12-29 19:30:27.679+0000: 10245: warning : virDomainDiskDefForeachPath:14691 : Ignoring open failure on /srv/vmpool1/myhost.org-sda.raw: No such file or directory
$ sudo aa-status | grep libvirt-6445bf42-7513-985a-7920-9e89a4c42ffe
   libvirt-6445bf42-7513-985a-7920-9e89a4c42ffe

Dale Amon (amon) wrote :

Oh my. I would call that a bug. True, I can do a workaround to cover my immediate emergency; I will probably have to change my disk structure since the root disk is intentionally pretty small... but what if I were running hundreds or thousands of VMs? And even worse, on another system (which is fortunately Debian), different groups of users have their own private disks with multiple VMs on each.

I really think this needs to be fixed.

Dale Amon (amon) wrote :

I would worry that my small complaints are the least of your worries. If someone with a very large farm of VM's happens to update to this version... you could be hearing from someone with thousands of screaming customers. It would not be surprising to me if someone with large systems had their own internal standards for where their VM pools go. It is not necessarily the case that everyone is going to choose /srv.

Dale Amon (amon) wrote :

Okay, I used the suggested hack and changed my mount point from lib4 to srv. I have my VM up so I am sorted. But I only have a handful. I would hate to be in shoes of the person responsible for this change if someone is so foolish as to upgrade a critical system without lab testing the upgrade first. So if I were you, I would worry about that guy...

Jamie Strandboge (jdstrand) wrote :

virt-aa-helper has done this for as long as I can remember. /lib4 is not an FHS compliant location to store volatile data like VMs, which is what virt-aa-helper is trying to enforce (i.e., if someone is trying to also restrict libvirtd itself, then virt-aa-helper has to be careful to not allow someone with libvirtd qemu:///system access to various files which could be used to escalate privileges).

Jürgen (j-w-ott) wrote :

I removed the spaces from the hostname; that did the trick with 13.04.

Serge Hallyn (serge-hallyn) wrote :

Has anyone reproduced the original bug (/etc/apparmor.d/libvirt/libvirt-$uuid.files missing) lately?

Changed in libvirt (Ubuntu):
status: Confirmed → Incomplete
David McNeill (davemc) wrote :

Yep, I've struck the original bug.

Create a basic qemu VM, which runs fine....

qemu-img create -f qcow2 /VMs/p2.img 4G

Feed it some CD ROM to install

qemu -cdrom /VMs/Downloads/some.iso -m 512 -boot d /VMs/p2.img

Then start it normally without a cd

qemu -m 512 -boot d /VMs/p2.img

Put the args above in a file and create a domain xml file from arguments....

virsh domxml-from-native qemu-argv p2.args > p2.xml
  (d-f-n creates valid xml, but are all the parameters correct?)

Suck the xml in

virsh define p2.xml

Start the vm

Get the original error above.

virsh # version
Compiled against library: libvirt 1.0.2
Using library: libvirt 1.0.2
Using API: QEMU 1.0.2
Running hypervisor: QEMU 1.4.0

I see three things happening when I reproduce this.

First, to do this with domxml-from-native you need to give a more
complete command. (Whether or not this is a bug in virsh depends on
whether qemu is still *supposed* to support giving the drive disk as
a standalone argument.)

Second, your command did not provide full pathnames for kvm or for
drives. virsh domxml-to-native doesn't expand those for you.

Third, even when fixing those up in the xml file, then doing
   virsh define z.xml
   virsh dumpxml unnamed > z2.xml
   /usr/lib/libvirt/virt-aa-helper -c < z2.xml

I get

virt-aa-helper: error: invalid UUID

(This also happens if I add '-u <uuid-from-xml>' to the command)

 status: confirmed

Changed in libvirt (Ubuntu):
status: Incomplete → Confirmed
Vincent Gerris (vgerris) wrote :

That is on Ubuntu 14.04 with recent updates by the way:
virsh --version
1.2.2
3.13.0-37-generic #64-Ubuntu SMP Mon Sep 22 21:28:38 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

summary: - error happen when using virsh to start a vm " internal error cannot
- generate AppArmor profile"
+ Error generating apparmor profile when hostname contains spaces
Changed in libvirt (Ubuntu):
importance: High → Medium
Serge Hallyn (serge-hallyn) wrote :

I've seen other problems with spaces in vm names.

We could convert spaces to '-' in apparmor profiles, but I'm tempted to say let's just refuse to allow spaces in vm names.

What do people think?

Serge Hallyn (serge-hallyn) wrote :

Note that for lxd we've specifically disallowed anything that can cause problems with some dns servers (no '.', no ' ', no leading '-').

Serge Hallyn (serge-hallyn) wrote :

@jdstrand

virt-aa-helper.c explicitly refuses to allow a space in the vm name
(in valid_name()). Is there any way that would be relaxed, or is that
deemed too dangerous/exploitable?

If it can't be relaxed, then we should bail earlier / with a clearer
message in libvirt.

Jamie Strandboge (jdstrand) wrote :

The reason why it didn't allow it is because libvirt didn't handle spaces in the names well at the time. If libvirt handles it ok, then it would be ok to allow it in virt-aa-helper.c since libvirt quotes all its file rule paths in the .files (except I just noticed /dev/vhost-net-- it should probably be fixed to do that). You would definitely want to thoroughly test this because, as mentioned, libvirt itself had issues with this in the past.

Well, while that may long-term be a good thing to look into, since
effectively no one could have been using vms with spaces in the names
successfully until now anyway, perhaps patching our libvirt to bail
out earlier on spaces in vm names would be the better+safer approach.

Still occurs on Ubuntu 14.04 using libvirt 1.2.2.

Here are my reproduction steps.

Try with " " in <name>:

    $ tar -xvf my-vm.tar.gz
    my-vm/
    my-vm/my-vm-data.qcow2.md5
    my-vm/my-vm.xml

    $ cd my-vm/

    # <name> has space
    $ grep -Fe '<name>' -- my-vm.xml
      <name>My VM</name>

    $ sudo virsh define my-vm.xml
    Domain My VM defined from my-vm.xml

    # BUG: fails to start
    $ sudo virsh start "My VM"
    error: Failed to start domain My VM
    error: internal error: cannot load AppArmor profile 'libvirt-1a2ef3c1-a758-40f6-a238-c84ef3e8c9d6'

Remove bad KVM:

    $ sudo virsh undefine "My VM"
    Domain My VM has been undefined

Try again without " ", use "-":

    $ vim my-vm.xml

    # <name> without spaces
    $ grep -Fe '<name>' -- my-vm.xml
      <name>My-VM</name>

    $ sudo virsh define my-vm.xml
    Domain My-VM defined from my-vm.xml

    # starts
    $ sudo virsh start "My-VM"

Using software versions:

    $ sudo dpkg -l | grep libvirt
    ii libvirt-bin 1.2.2-0ubuntu13.1.16 amd64 programs for the libvirt library
    ii libvirt0 1.2.2-0ubuntu13.1.16 amd64 library for interfacing with different virtualization systems
    ii python-libvirt 1.2.2-0ubuntu2 amd64 libvirt Python bindings

    $ sudo uname -a
    Linux localhost 3.13.0-77-generic #121-Ubuntu SMP Wed Jan 20 10:50:42 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

    $ lsb_release -a
    Description: Ubuntu 14.04.3 LTS
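The two failure modes this thread isolates (a `<name>` that virt-aa-helper's valid_name() refuses, shown in the reproduction steps above, and a disk image under a prefix that virt-aa-helper treats as restricted, the /lib4/vmpool1 case from Jamie's earlier comment) can both be caught before `virsh define` instead of surfacing later as the generic "cannot load AppArmor profile 'libvirt-<uuid>'" error. The pre-flight checker below is an added example, not code from libvirt, virt-aa-helper or any comment in this bug. Its BAD_NAME_CHARS set and RESTRICTED_PREFIXES list are assumptions modelled on what the thread reports (the thread confirms only that a space in the name and a path starting with /lib are refused); they are not a copy of virt-aa-helper.c. The sample XML is constructed from the domain definition posted earlier in the thread, with the name changed so that both problems are present.

```python
"""Pre-flight checks for a libvirt domain XML before `virsh define`.

Added example for LP #799997.  Flags the two conditions the thread
isolates so they are reported with a clear message instead of the generic
"cannot load AppArmor profile 'libvirt-<uuid>'" error.
"""
import re
import xml.etree.ElementTree as ET

# Assumption: characters a virt-aa-helper-style valid_name() refuses.
# The thread confirms only that ' ' is refused; the rest is illustrative.
BAD_NAME_CHARS = frozenset(" /[]*")

# Assumption: prefixes treated as restricted for guest disks.  "/lib" has
# no trailing slash on purpose: a plain prefix match is what makes a
# non-FHS directory such as /lib4 fall under it, as reported in the thread.
RESTRICTED_PREFIXES = ("/bin/", "/boot/", "/etc/", "/lib", "/sbin/", "/usr/")

# libvirt names the per-guest profile libvirt-<domain uuid>.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def profile_name(domain_uuid):
    """Return the AppArmor profile name libvirt will look for."""
    return "libvirt-" + domain_uuid


def name_findings(name):
    """Report characters in <name> that would make profile generation fail."""
    bad = sorted(c for c in set(name) if c in BAD_NAME_CHARS)
    if not bad:
        return []
    return ["name %r contains %s, which virt-aa-helper refuses"
            % (name, ", ".join(repr(c) for c in bad))]


def uuid_findings(domain_uuid):
    """Report a <uuid> that cannot form a valid '-u libvirt-<uuid>' argument."""
    if UUID_RE.match(domain_uuid):
        return []
    return ["uuid %r is not a well-formed domain uuid" % domain_uuid]


def disk_findings(path):
    """Report a disk image stored under a restricted prefix."""
    for prefix in RESTRICTED_PREFIXES:
        if path.startswith(prefix):
            return ["disk %s is under restricted prefix %s: virt-aa-helper "
                    "skips it and then rejects the VM definition" % (path, prefix)]
    return []


def preflight(xml_text):
    """Run all checks on a domain XML document; an empty list means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    findings += name_findings(root.findtext("name", default=""))
    findings += uuid_findings(root.findtext("uuid", default=""))
    for source in root.iterfind("./devices/disk/source"):
        path = source.get("file")
        if path:
            findings += disk_findings(path)
    return findings


# Constructed sample, trimmed from the domain XML posted in this thread and
# given a name with a space so that both failure modes are present.
BAD_XML = """<domain type='qemu'>
  <name>My VM</name>
  <uuid>6445bf42-7513-985a-7920-9e89a4c42ffe</uuid>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/lib4/vmpool1/myhost.org-sda.raw'/>
      <target dev='hda' bus='ide'/>
    </disk>
  </devices>
</domain>"""

# The same definition with the two fixes the thread arrived at.
GOOD_XML = BAD_XML.replace("My VM", "My-VM").replace("/lib4/", "/srv/")

if __name__ == "__main__":
    for label, doc in (("bad", BAD_XML), ("good", GOOD_XML)):
        print(label, preflight(doc) or "ok")
```

Running it on the constructed sample reports the space in the name and the /lib4 disk path for the bad definition and nothing for the corrected one. The checker reads the XML only; it does not replace running virt-aa-helper with `-c -u libvirt-<uuid>` as shown earlier, which remains the authoritative test of whether a profile can be generated.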

Serge Hallyn (serge-hallyn) wrote :

@jdstrand

Indeed, dropping space from the list in valid_name seems to fix it and work. I can virsh define/start/console/destroy with no problems. Do you have any suggestions for additional testing?

This will have to wait until 16.10 opens so there's no real hurry...

tags: added: server-next
tags: added: virt-aa-helper
tags: removed: server-next

Did some experiments and dropping the space from the bad chars makes it work for me as well.
Added a change for that and also enqueued the addition of quotes to the static rules.

I still expect issues with spaces down the road in some parts of libvirt, but if spaces are going to be forbidden it is not virt-aa-helper to do so - instead it would be a per HVM type check and/or the xml schema.
I will submit all that upstream together with some other virt-aa-helper changes I work on in a few days.

Related changes are upstream now and will be picked up on the next merge.
Likely consider picking in advance as soon as BB opens up.

Actually this one has to wait for BB; it is not SRU worthy (especially after all this time it is hard to argue for), but it will be resolved on the next merge for sure, being upstream now.

tags: added: libvirt-18.04
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 4.0.0-1ubuntu1

---------------
libvirt (4.0.0-1ubuntu1) bionic; urgency=medium

  * Merged with Debian unstable (4.0)
    This closes several bugs:
    - Error generating apparmor profile when hostname contains spaces
      (LP: #799997)
    - qemu 2.10 locks files, libvirt shared now sets share-rw=on (LP: #1716028)
    - libvirt usb passthrough throws apparmor denials related to
      /run/udev/data/+usb (LP: #1727311)
    - AppArmor denies access to /sys/block/*/queue/max_segments (LP: #1729626)
    - iohelper improvements to let bypass-cache work without opening up the
      apparmor isolation (LP: #1719579)
    - nodeinfo on s390x to contain more CPU info (LP: #1733688)
    - Upgrade libvirt >= 4.0 (LP: #1745934)
  * Remaining changes:
    - Disable libssh2 support (universe dependency)
    - Disable firewalld support (universe dependency)
    - Disable selinux
    - Set qemu-group to kvm (for compat with older ubuntu)
    - Additional apport package-hook
    - Modifications to adapt for our delayed switch away from libvirt-bin (can
      be dropped >18.04).
      + d/p/ubuntu/libvirtd-service-add-bin-alias.patch: systemd: define alias
        to old service name so that old references work
      + d/p/ubuntu/libvirtd-init-add-bin-alias.patch: sysv init: define alias
        to old service name so that old references work
      + d/control: transitional package with the old name and maintainer
        scripts to handle the transition
    - Backwards compatible handling of group rename (can be dropped >18.04).
    - config details and autostart of default bridged network. Creating that is
      now the default in general, yet our solution provides the following on
      top as of today:
      + autostart the default network by default
      + do not autostart if subnet is already taken (e.g. in guests).
    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is
      the group based access to libvirt functions as it was used in Ubuntu
      for quite long.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
        due to the group access change.
    - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
    - d/p/ubuntu/enable-kvm-spice.patch: compat with older Ubuntu qemu/kvm
      which provided a separate kvm-spice.
    - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The
      section that adapts the path of the emulator to the Debian/Ubuntu
      packaging is kept.
    - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch: auto
      set VRAM to minimum requirements
    - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts
    - Add libxl log directory
    - libvirt-uri.sh: Automatically switch default libvirt URI for users on
      Xen dom0 via user profile (was missing on changelogs before)
    - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from
      included_files to avoid build failures due to duplicate definitions.
    - Update README.Debian with Ubuntu changes
    - Convert libvirt0, libnss_libvirt and libvirt-dev to multi-arch.
    - Enable some additional features on ppc...

Changed in libvirt (Ubuntu):
status: Confirmed → Fix Released