Comment 12 for bug 322779

Ruben S, Montero (rubensm-dacya) wrote : Re: [Bug 322779] Re: Cold migration fails

Hi Florian

To address the AppArmor issue in Ubuntu 9.10, just add the
$ONE_LOCATION/var directory to
/etc/apparmor.d/abstractions/libvirt-qemu

For example, if ONE_LOCATION = /srv/cloud/one, then your libvirt-qemu
AppArmor file should be:

...
#include <abstractions/private-files-strict>
owner @{HOME}/ r,
owner @{HOME}/** rw,
/srv/cloud/one/var/** rw,

Then you have to restart the daemon. This should be done on all the
worker nodes of the cluster.

Cheers

PS: You are right, the text of the issues is totally misleading.

On Fri, Mar 26, 2010 at 8:56 PM, Florian Kruse
<email address hidden> wrote:
> Hi,
>
> On 26.03.2010, at 10:56, Ruben S, Montero wrote:
>> Well, actually it is the opposite: the patch defaults the driver to use
>> qemu:///system. It also does a touch to the checkpoint file before
>> saving the image so it belongs to oneadmin and not to root.
>
> Okay, I just assumed the possibility to change the driver was a
> suggestion to use qemu:///session (in the bug description it is
> mentioned as well).
>
> I just missed the touch command. It works like a charm.
>
>> You can check the commit
>>
>> http://dev.opennebula.org/projects/opennebula/repository/revisions/f8252cfe8bc49bc0ecec376476b711e5d2f1c5dd
>
> Unfortunately the changeset cannot be easily integrated into OpenNebula
> 1.2 since one_vmm_kvm.rb seems to be completely rewritten in OpenNebula
> 1.4. However, I made a small, quick and very dirty workaround for the
> current OpenNebula implementation of Karmic. Below you can see the patch
> that needs to be applied to /usr/lib/one/mads/one_vmm_kvm.rb.
>
> Yet there is still another problem. AppArmor prevents libvirt from writing
> checkpoints outside of oneadmin's home. Is there an open bug ticket for
> that or should I file a new one? There was a similar bug report in an
> earlier Ubuntu release but the fix only gave libvirt the ability to
> write inside the user's home and not in /var/lib/one/...
>
> $ diff -u /usr/lib/one/mads/one_vmm_kvm.ubuntu-orig.rb /usr/lib/one/mads/one_vmm_kvm.rb
> --- /usr/lib/one/mads/one_vmm_kvm.ubuntu-orig.rb        2010-03-26 19:30:51.434615520 +0100
> +++ /usr/lib/one/mads/one_vmm_kvm.rb    2010-03-26 19:58:07.475803935 +0100
> @@ -112,6 +112,7 @@
>     end
>
>     def action_save(args)
> +        touch_checkpoint_file(args[2], args[4])
>         std_action("SAVE", "save #{args[3]} #{args[4]}", args)
>     end
>
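
Review bot: in action_save the result of touch_checkpoint_file(args[2], args[4]) is never checked, so when the ssh touch fails the SAVE still runs without the checkpoint file having been pre-created, which is the ownership case this workaround is meant to avoid. Have touch_checkpoint_file return the exit status and skip std_action with an error response when it is non-zero. A one-line comment stating what args[2] and args[4] hold would also help, since the indices are not self-explanatory.
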
> @@ -179,6 +180,18 @@
>         res[0].close
>         res
>     end
> +
> +    def touch_checkpoint_file(host, file)
> +        res=Open3.popen3(
> +            "ssh -n #{host} touch #{file} ;"+
> +            " echo ExitCode: $? 1>&2")
> +        res[0].close
> +
> +        stdout=res[1].read
> +        stderr=res[2].read
> +
> +        write_response("TOUCH", stdout, stderr, file)
> +    end
>
>     def write_response(action, stdout, stderr, args)
>         exit_code=get_exit_code(stderr)
>
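
Review bot: in touch_checkpoint_file, host and file are interpolated unquoted into the command string given to Open3.popen3 ("ssh -n #{host} touch #{file} ;"), so a checkpoint path containing spaces or shell metacharacters is split or interpreted by the local shell and again by the remote shell that ssh starts. Escape both values (for example with Shellwords.escape, and the file a second time for the remote side) or reject values outside an expected character set before building the command. Separately, write_response(action, stdout, stderr, args) is handed the bare file string as its fourth argument here; check that it accepts a string where the signature suggests the args array.
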
> --
> Cold migration fails
> https://bugs.launchpad.net/bugs/322779
>
> Status in “opennebula” package in Ubuntu: New
>
> Bug description:
> Binary package hint: opennebula
>
> Cold migration fails because we're connecting to qemu:///system, so the saved state is owned by root, so we can't copy it to the remote host. We can't switch to qemu:///session, because adding VM's to a bridged network is a privileged operation.
>

--
Dr. Ruben Santiago Montero
Associate Professor (Profesor Titular), Complutense University of Madrid

URL: http://dsa-research.org/doku.php?id=people:ruben
Weblog: http://blog.dsa-research.org/?author=7
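
The AppArmor change described in the reply above, as an added example that is not part of the original message or of OpenNebula: a shell function that adds the `$ONE_LOCATION/var/** rw,` rule to the abstraction file only if it is missing, so it can be run repeatedly on every worker node. The function name `ensure_one_var_rule`, the backup suffix and the character whitelist are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Usage: ensure_one_var_rule /etc/apparmor.d/abstractions/libvirt-qemu /srv/cloud/one
# Prints "added" or "present"; returns 2 on invalid input.
ensure_one_var_rule() {
    file=$1
    one_location=${2%/}                 # drop one trailing slash, if any
    rule="${one_location}/var/** rw,"

    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Must be an absolute path.
    case $one_location in
        /*) ;;
        *) echo "ONE_LOCATION must be absolute: $one_location" >&2; return 2 ;;
    esac
    # Refuse anything AppArmor would treat as a glob, variable or separator
    # (* ? { } [ ] @ whitespace ...), which would silently widen the rule.
    case $one_location in
        *[!A-Za-z0-9/._-]*)
            echo "unsafe characters in ONE_LOCATION: $one_location" >&2
            return 2 ;;
    esac

    # Compare ignoring indentation; -x -F = whole-line, literal match.
    if sed 's/^[[:space:]]*//' "$file" | grep -qxF -- "$rule"; then
        echo present
        return 0
    fi

    cp -p "$file" "$file.bak"           # keep the previous policy for rollback
    # Make sure the appended rule starts on its own line.
    [ -z "$(tail -c1 "$file")" ] || echo >> "$file"
    printf '  %s\n' "$rule" >> "$file"
    echo added
}
```

After the function reports `added`, restart the daemon as described in the reply so the new rule takes effect.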