| 2018-08-23 12:19:30 |
Thadeu Lima de Souza Cascardo |
bug |
|
|
added bug |
| 2018-08-23 12:19:36 |
Thadeu Lima de Souza Cascardo |
linux (Ubuntu): assignee |
|
Thadeu Lima de Souza Cascardo (cascardo) |
|
| 2018-08-23 12:19:39 |
Thadeu Lima de Souza Cascardo |
linux (Ubuntu): importance |
Undecided |
High |
|
| 2018-08-23 12:19:43 |
Thadeu Lima de Souza Cascardo |
linux (Ubuntu): status |
New |
Confirmed |
|
| 2018-08-23 12:19:48 |
Thadeu Lima de Souza Cascardo |
linux (Ubuntu): status |
Confirmed |
In Progress |
|
| 2018-08-23 17:46:14 |
Thadeu Lima de Souza Cascardo |
bug task added |
|
libvirt (Ubuntu) |
|
| 2018-08-23 17:47:49 |
Thadeu Lima de Souza Cascardo |
nominated for series |
|
Ubuntu Cosmic |
|
| 2018-08-23 17:47:49 |
Thadeu Lima de Souza Cascardo |
bug task added |
|
libvirt (Ubuntu Cosmic) |
|
| 2018-08-23 17:47:49 |
Thadeu Lima de Souza Cascardo |
bug task added |
|
linux (Ubuntu Cosmic) |
|
| 2018-08-23 17:52:53 |
Thadeu Lima de Souza Cascardo |
libvirt (Ubuntu Cosmic): importance |
Undecided |
Critical |
|
| 2018-08-24 06:14:53 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Bionic |
|
| 2018-08-24 06:14:53 |
Christian Ehrhardt |
bug task added |
|
libvirt (Ubuntu Bionic) |
|
| 2018-08-24 06:14:53 |
Christian Ehrhardt |
bug task added |
|
linux (Ubuntu Bionic) |
|
| 2018-08-24 06:15:01 |
Christian Ehrhardt |
libvirt (Ubuntu Bionic): status |
New |
Confirmed |
|
| 2018-08-24 06:15:04 |
Christian Ehrhardt |
libvirt (Ubuntu Cosmic): status |
New |
In Progress |
|
| 2018-08-24 06:35:08 |
Christian Ehrhardt |
bug |
|
|
added subscriber Christian Ehrhardt |
| 2018-08-27 13:20:34 |
Christian Ehrhardt |
description |
$ virsh start cosmic-i386
error: Failed to start domain cosmic-i386
error: internal error: child reported: Kernel does not provide mount namespace: Permission denied
Happens with 4.18 only, 4.17 is fine.
27013 openat(AT_FDCWD, "/proc/27012/ns/mnt", O_RDONLY) = -1 EACCES (Permission denied)
Opening a self or parent mount namespace works fine as tested with cat /proc/self/ns/mnt and cat /proc/self/$$/mnt. Still investigating. |
[Impact]
* Libvirt will no more be able to start guests with newer kernels
(>=4.18)
* We brought a fix upstream that we want to backport to potentially
affected releases (B+C)
[Test Case]
Note: This can but does not have to be tested in nested virtualization (Since we need to change the kernel it is probably the preferred way to do it in nested, so this is what I describe)
1. Get a KVM guest with the Release to test (Cosmic as an example) and give it a size to be able to host a nested guest
$ sudo apt install uvtool-libvirt
$ uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 release=cosmic label=daily
$ uvt-kvm create --cpu 8 --memory 4096 --password ubuntu c-nested-kvm-4.18 arch=amd64 release=cosmic label=daily
$ uvt-kvm ssh c-nested-kvm-4.18
2. In the guest set up another guest
$ uvt-kvm ssh c-nested-kvm-4.18
$ uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 release=cosmic label=daily
$ uvt-kvm create --password ubuntu c-nested-guest arch=amd64 release=cosmic label=daily
$ sudo apt install uvtool-libvirt
3. The above will work, now get a kernel >=4.18 e.g. the mainline kernels at
https://wiki.ubuntu.com/Kernel/MainlineBuilds
$ wget (link of the day)
$ sudo dpkg -i *.deb
4. reboot into the 4.18 kernel
$ sudo reboot
5. Start the guest again
$ virsh start c-nested-guest
Without fix this will fail like:
error: Failed to start domain c-nested-guest
error: internal error: child reported: Kernel does not provide mount namespace: Permission denied
And an associated Dmesg/Apparmor entry:
[ 519.529760] audit: type=1400 audit(1535364820.976:27): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=1692 comm="libvirtd" requested_mask="read" denied_mask="read" peer="libvirt-4ae5dbbe-641c-4934-ae7c-956bcc8b9e2f"
6. In the guest update from PPA/Proposed that you want to test to bring in the libvirt package with the updated rules (Example with the PPA).
$ sudo add-apt-repository ppa:ci-train-ppa-service/3381
$ sudo apt upgrade
7. Start the guest again and it will now work
$ virsh start c-nested-guest
[Regression Potential]
* The change is "only" opening up the apparmor profile for libvirt a
little bit for the access now being reported as read in addition.
That should in itself be rather regression free, but in addition it has
an ack of Jamie Strandboge to be sure from Securities POV (you can
follow the upstreaming thread at to check:
https://www.redhat.com/archives/libvir-list/2018-August/msg01597.html
[Other Info]
* This is no issue "yet" but would be one when the Cosmic Kernel becomes available as HWE kernel. We'd want to have the apparmor profile in libvirt ready at the time so that we never have users see this error in the Field on a Released Ubuntu version.
---
$ virsh start cosmic-i386
error: Failed to start domain cosmic-i386
error: internal error: child reported: Kernel does not provide mount namespace: Permission denied
Happens with 4.18 only, 4.17 is fine.
27013 openat(AT_FDCWD, "/proc/27012/ns/mnt", O_RDONLY) = -1 EACCES (Permission denied)
Opening a self or parent mount namespace works fine as tested with cat /proc/self/ns/mnt and cat /proc/self/$$/mnt. Still investigating. |
|
| 2018-09-04 18:57:37 |
Launchpad Janitor |
libvirt (Ubuntu Cosmic): status |
In Progress |
Fix Released |
|
| 2018-09-06 15:57:19 |
Andy Whitcroft |
libvirt (Ubuntu Bionic): status |
Confirmed |
Fix Committed |
|
| 2018-09-06 15:57:22 |
Andy Whitcroft |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2018-09-06 15:57:24 |
Andy Whitcroft |
bug |
|
|
added subscriber SRU Verification |
| 2018-09-06 15:57:29 |
Andy Whitcroft |
tags |
|
verification-needed verification-needed-bionic |
|
| 2018-09-10 10:15:41 |
Christian Ehrhardt |
tags |
verification-needed verification-needed-bionic |
verification-done verification-done-bionic |
|
| 2018-09-12 11:03:00 |
Launchpad Janitor |
linux (Ubuntu Bionic): status |
New |
Confirmed |
|
| 2018-09-12 11:28:14 |
Patrik Lundquist |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908341 |
|
| 2018-09-12 11:28:14 |
Patrik Lundquist |
bug task added |
|
libvirt (Debian) |
|
| 2018-09-13 08:00:27 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2018-09-13 08:10:33 |
Launchpad Janitor |
libvirt (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
| 2018-09-14 02:12:54 |
Bug Watch Updater |
libvirt (Debian): status |
Unknown |
Fix Released |
|
| 2019-07-24 20:23:29 |
Brad Figg |
tags |
verification-done verification-done-bionic |
cscc verification-done verification-done-bionic |
|
