Apparmor prevents KVM tunnelled migration
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Fix Released | High | Unassigned |
Lucid | Won't Fix | Undecided | Unassigned |
Maverick | Won't Fix | Undecided | Unassigned |
Natty | Won't Fix | Undecided | Unassigned |
Oneiric | Invalid | Undecided | Unassigned |
Bug Description
=======
SRU Justification:
1. Impact: tunnelled migration fails
2. Development fix: adjust the apparmor security driver in libvirt to allow guests the access to the tunneled migration info
3. Stable fix: same as development fix
4. Test case:
   1. install libvirt-bin on two machines (sourcehost and targethost) sharing (nfs - use -o nfsvers=3 on oneiric) read-write storage
   2. set up a kvm guest on the shared storage, start it on sourcehost
   3. create rsa key on sourcehost, and put it into root's authorized_keys on targethost.
   4. stop and start libvirt-bin on both hosts
   5. as root, ssh from sourcehost to targethost, then log out (to answer the known-host question which otherwise makes libvirt fail to connect)
   6. virsh migrate --live --p2p --tunnelled guestvm qemu+ssh:
7. regression potential: if the policy change was bad, it could cause libvirt guests to receive too much privilege.
=======
While attempting a live migration, the destination host (node1) logs this:
Oct 5 17:13:56 node1 kernel: [ 1418.872987] type=1503 audit(131784923
run/libvirt/
The source system was running this command:
root@node2:~# virsh migrate --live --p2p --tunnelled guest1 qemu+ssh:
Both systems are running the same distro and package versions:
# lsb_release -rd
Description: Ubuntu 10.04.3 LTS
Release: 10.04
# apt-cache policy libvirt-bin
libvirt-bin:
Installed: 0.7.5-5ubuntu27.16
Candidate: 0.7.5-5ubuntu27.16
Version table:
*** 0.7.5-5ubuntu27.16 0
500 http://
500 http://
100 /var/lib/
0.
500 http://
summary: KVM migration fails when tunnelled → Apparmor prevents KVM tunnelled migration
Changed in libvirt (Ubuntu Maverick): status: New → Won't Fix
Changed in libvirt (Ubuntu Natty): status: New → Won't Fix
Adding the following to /etc/apparmor.d/abstractions/libvirt-qemu:
/{,var/}run/libvirt/qemu/* rw,
After fixing the Apparmor profile, the migration still fails but not due to Apparmor getting in the way. Instead it blocks on another bug (that deserves a separate bug in LP):
Oct 6 17:30:13 node2 libvirtd: 17:30:13.139: error : qemuMonitorTextGetMigrationStatus:982 : internal error cannot parse migration data transferred statistic 1052 kbytes#015#012remaining ram: 539972 kbytes#015#012total ram: 541024 kbytes#015#012
Note that using a regular migration (no "--p2p --tunnelled" flags) works.
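An added example (not part of the original report or of libvirt's code) that checks how far the rule quoted above reaches, which is the question behind the "regression potential" item: it translates the rule's path glob to a regex and sorts denied paths into covered and still-denied. The glob translator is a simplified model of AppArmor matching, and the log lines and file names are constructed placeholders.

```python
import re

# Path part of the rule quoted in the comment above (permissions "rw" omitted).
RULE_GLOB = "/{,var/}run/libvirt/qemu/*"

# Constructed denial lines in the type=1503 style; paths are placeholders.
SAMPLE_LOG = """\
kernel: type=1503 audit(0.0:1): operation="open" denied_mask="rw::" name="/var/run/libvirt/qemu/EXAMPLE"
kernel: type=1503 audit(0.0:2): operation="open" denied_mask="rw::" name="/run/libvirt/qemu/EXAMPLE"
kernel: type=1503 audit(0.0:3): operation="open" denied_mask="rw::" name="/var/run/libvirt/qemu/sub/EXAMPLE"
kernel: type=1503 audit(0.0:4): operation="open" denied_mask="r::" name="/var/run/libvirt/EXAMPLE"
"""

DENIED_NAME = re.compile(r'type=1503 .*?name="([^"]+)"')

def aa_glob_to_regex(glob):
    """Simplified AppArmor glob model: **, *, ? and flat {a,b} only."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")  # ** may cross "/"
            i += 2
        elif c == "*":
            # a whole-component "*" must match >=1 char: /dir/* != /dir/
            whole = glob[i - 1:i] == "/" and glob[i + 1:i + 2] in ("", "/")
            out.append("[^/]+" if whole else "[^/]*")
            i += 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "{":
            end = glob.index("}", i)
            alts = glob[i + 1:end].split(",")
            out.append("(?:" + "|".join(map(re.escape, alts)) + ")")
            i = end + 1
        else:
            out.append(re.escape(c))
            i += 1
    return re.compile("".join(out) + r"\Z")

def split_denials(log, glob=RULE_GLOB):
    """Return (covered, uncovered) denied paths for the given rule glob."""
    rx = aa_glob_to_regex(glob)
    paths = DENIED_NAME.findall(log)
    return ([p for p in paths if rx.match(p)],
            [p for p in paths if not rx.match(p)])

if __name__ == "__main__":
    print(split_denials(SAMPLE_LOG))
```

Under this model the single `*` keeps the grant to files directly inside the `qemu` runtime directory; subdirectories and sibling paths under `run/libvirt/` stay denied.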