This bug was fixed in the package libvirt - 1.2.2-0ubuntu13.1.22
---
libvirt (1.2.2-0ubuntu13.1.22) trusty; urgency=medium
* fix guest channel support (LP: #1393842).
- d/p/virt-aa-helper-add-trusty-guest-agent-rule.patch: add apparmor rule
for channels within guest
** Merge proposal unlinked:
https://code.launchpad.net/~paelzer/ubuntu/+source/libvirt/+git/libvirt/+merge/330359
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
libvirt does not
# left my old dirs as-is (bad setup intentionally) after upgrade
$ dpkg -l libvirt-bin | tee
ii libvirt-bin 1.2.2-0ubuntu13.1.22
$ virsh start kvmguest-testgachannel
testgachannel.org.qemu.guest_agent.0,server,nowait: Failed to bind socket:
Permission denied
$ ll
** Description changed:
[Impact]
- * If one defines guest channels manually (xml) or via tools like virt-
-manager (there it defaults to add channels for some distros), then
-starting the guest fails.
-There are two reason:
-1. by default the base dir for the channels
Hello Mark, or anyone else affected,
Accepted libvirt into trusty-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/libvirt/1.2.2-0ubuntu13.1.22 in a
few hours, and then in the -proposed repository.
Please help us by testing this new package. See
** Merge proposal linked:
https://code.launchpad.net/~paelzer/ubuntu/+source/libvirt/+git/libvirt/+merge/330359
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
libvirt does not
MP Review and tests were good, the package is waiting for SRU Team in
trusty-unapproved now.
** Changed in: libvirt (Ubuntu Trusty)
Status: Triaged => In Progress
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Added SRU Template in anticipation of the MP review
** Description changed:
+ [Impact]
+
+ * If one defines guest channels manually (xml) or via tools like virt-
+manager (there it defaults to add channels for some distros), then
+starting the guest fails.
+There are two reason:
+
** Merge proposal linked:
https://code.launchpad.net/~paelzer/ubuntu/+source/libvirt/+git/libvirt/+merge/330163
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
libvirt does not
Since it is reproducible and worth to fix I have prepared a MP for an
SRU to be reviewed.
** Changed in: libvirt (Ubuntu Trusty)
Status: Incomplete => Triaged
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Waiting for info by users, setting status incomplete for now.
And as a side note #56 is something else or at least worth a new bug to
analyze separately. @Thomas Mayer - If you are still affected please
open a new bug so we can check out the details of your case.
** Changed in: libvirt (Ubuntu
There actually is the common virt-aa-helper on channels even back then in
Trusty.
This was changed a few times and the special tweak that generates the rule was
dropped later as along the new namespacing there are now valid rules per entry.
Anyway for trusty backporting all those complex
Hi,
thanks for the ping, this brought it to my attention, taking a look now ...
First of all to get Fedora/Virt-manager/... out of scope here a guest without
virt-manager or anything else.
Using uvtool to create a very basic guest based on daily cloud images
$ uvt-simplestreams-libvirt
1.2.2-0ubuntu13.1.21 Having this bug.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
libvirt does not grant qemu-guest-agent channel perms
To manage notifications about this bug go
I can confirm this bug for up-to-date xenial (16.04). Note that this is
a regression for me, which happened within xenial's updates (it was
working a few weeks ago with xenial).
ehler beim Starten der Domain: Kann keine Daten empfangen: Die
Verbindung wurde vom Kommunikationspartner zurückgesetzt
Still getting this bug in Trusty.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
libvirt does not grant qemu-guest-agent channel perms
To manage notifications about this bug go to:
Hi,
no, thanks, actually since this fix patches virt-aa-helper itself, just
creating a new vm after the upgrade should have sufficed. No reboot
should have been needed. However trying to start a pre-existing vm that
previously failed would not work, as the policy needs to be re-
generated.
Hi Serge, I rebooted the kvm host after the upgrade and still got the
error. I can provide additional info from my kvm host if you need.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
Did you reboot the system after the upgrade?
(restarting apparmor should suffice, but since this package fixed it for
me I'd like to make sure about whether the core fix failed for you, or
just the upgrade experience)
--
You received this bug notification because you are a member of Ubuntu
** Tags removed: verification-done
** Tags added: verification-failed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
libvirt does not grant qemu-guest-agent channel perms
To manage
This bug still affects 14.04. Upgrading libvirt to 1.2.2-0ubuntu13.1.19
does not fix it.
$ dpkg -l | grep libvirt
ii libvirt-bin 1.2.2-0ubuntu13.1.19
amd64programs for the libvirt library
ii libvirt0
Hi All, I am using ubuntu 14.04.4 LTS
VERSION="14.04.4 LTS, Trusty Tahr"
root1@root1-HP-Compaq-8100-Elite-CMT-PC:/var/lib/libvirt/qemu$ dpkg -l | grep
libvirt
ii libvirt-bin 1.2.2-0ubuntu13.1.17
amd64programs for
** Tags removed: verification-needed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
libvirt does not grant qemu-guest-agent channel perms
To manage notifications about this bug go
Hello Mark, or anyone else affected,
Accepted libvirt into trusty-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/libvirt/1.2.2-0ubuntu13.1.19 in a
few hours, and then in the -proposed repository.
Please help us by testing this new package. See
Hi,
this should be fixed in libvirt 1.3.1-1ubuntu8. I'm not sure why it
didn't get auto-closed.
Please report if this is stlil broken for you.
** Changed in: libvirt (Ubuntu)
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs,
Hi,
this should be fixed in libvirt 1.3.1-1ubuntu8. I'm not sure why it
didn't get auto-closed.
Please report if this is stlil broken for you.
** Changed in: libvirt (Ubuntu)
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Ubuntu
In comparison, when attempting to lunch a VitualBox VM, it fails with a
slightly better error message at least directing one to investigate what
else would be using a hypervisor. But it also suggests some rather
drastic steps to do with recompiling the kernel to remove KVM kernel
extension - wow:
I've been struggling with this for nearly 2 hours before I realized that
I was running a virtualbox vm in headless mode. Was trying to create a
qemu-kvm vm and it kept failing with symptoms similar to those reported
here.
What would be good is getting qemu-kvm to at least check if another
** Changed in: libvirt (Ubuntu)
Status: Fix Released => Triaged
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
libvirt does not grant qemu-guest-agent channel perms
To manage
** Changed in: libvirt (Ubuntu)
Status: Fix Released => Triaged
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
libvirt does not grant qemu-guest-agent channel
Quoting Jamie Strandboge (ja...@ubuntu.com):
> I understand why you are doing this, but this means that a malicious
> guest is now able to create, for example, a block device with only DAC
> protecting the host. Since qemu on Ubuntu runs as non-root, this isn't
> completely horrible, but since
I understand why you are doing this, but this means that a malicious
guest is now able to create, for example, a block device with only DAC
protecting the host. Since qemu on Ubuntu runs as non-root, this isn't
completely horrible, but since apparmor doesn't have fine-grained
mediation of mknod,
This bug was fixed in the package libvirt - 1.3.1-1ubuntu6
---
libvirt (1.3.1-1ubuntu6) xenial; urgency=medium
* d/apparmor/libvirt-qemu: generalize the qemu-block-extra libs line.
(LP: #1554761)
* d/p/ubuntu/virt-aa-helper-add-mknod-for-guest-agent.patch: add mknod
This bug was fixed in the package libvirt - 1.3.1-1ubuntu6
---
libvirt (1.3.1-1ubuntu6) xenial; urgency=medium
* d/apparmor/libvirt-qemu: generalize the qemu-block-extra libs line.
(LP: #1554761)
* d/p/ubuntu/virt-aa-helper-add-mknod-for-guest-agent.patch: add mknod
I'm trying:
Index: libvirt/src/security/virt-aa-helper.c
===
--- libvirt.orig/src/security/virt-aa-helper.c
+++ libvirt/src/security/virt-aa-helper.c
@@ -939,6 +939,14 @@ add_file_path(virDomainDiskDefPtr disk,
}
static int
I'm not keen on allowing mknod in the general case. It makes a lot of
sense to me add it (with comment ideally) via virt-aa-helper.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
Adding 'capability mknod' to /etc/apparmor.d/abstractions/libvirt-qemu
solves it for me.
I'm not sure we want to add that to all VMs. Do we need to add it to
the policy during virt-aa-helper?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to
Confirmed this has regressed in xenial
** Changed in: libvirt (Ubuntu)
Status: Fix Released => Triaged
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
libvirt
Confirmed this has regressed in xenial
** Changed in: libvirt (Ubuntu)
Status: Fix Released => Triaged
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
libvirt does not grant
~$ cat
/etc/apparmor.d/libvirt/libvirt-aa613ca3-5fff-467e-be3b-7752dc07e856.files
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/log/libvirt/**/monitoring.log" w,
"/var/lib/libvirt/qemu/domain-monitoring/monitor.sock" rw,
"/var/run/libvirt/**/monitoring.pid" rwk,
Looking at the source, virt-aa-helper should still be doing the right
thing to add an exception for that channel.
For a VM which has that channel, could you post the
/etc/apparmor.d/libvirt/libvirt-.files
replacing with the vm's uuid, of course.
--
You received this bug notification because
> Could you check syslog for a related DENIED message in syslog and
post it here?
[ 3398.651077] audit: type=1400 audit(1455858424.227:1496): apparmor="STATUS"
operation="profile_replace" profile="unconfined"
name="libvirt-aa613ca3-5fff-467e-be3b-7752dc07e856" pid=4326
comm="apparmor_parser"
Thanks - two most likely explanations are that there was a regression
in the apparmor policy, or the filename has changed Could you check
syslog for a related DENIED message in syslog and post it here?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
This issue starting to happen for me after upgrade from Wily to Xenial.
Bunch of VMs have org.qemu.guest_agent.0 channel unable to start after
upgrade with same error in syslog. On other hand, VMs without
org.qemu.guest_agent.0 channel working. As workaround, removing
org.qemu.guest_agent.0
@rahul
ping?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
libvirt does not grant qemu-guest-agent channel perms
To manage notifications about this bug go to:
Hi,
Using a centos 7 dvd iso and the 'rhel 7 or above' choice when creating
a VM in virt-manager,
using the stock trusty image i was able to reproduce this.
Using 1.2.2-0ubuntu13.1.15 from trusty-proposed i was not.
So this *does* solve the issue for me.
--
You received this bug notification
@rahul,
can you show the error message yo ugot when you tried with the upgraded
libvirt?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
libvirt does not grant qemu-guest-agent
I am facing the same issue, tried upgrading to 1.2.2-0ubuntu13.1.15. The
issue still persists :(
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
libvirt does not grant qemu-guest-agent
Just to be sure - does the same thing happen in wily? That is, is the
upstream fix insufficient, or was the SRU missing a piece?
** Changed in: libvirt (Ubuntu Trusty)
Status: Fix Committed => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which
I don't have a KVM-capable machine with Wily ready at hand, sorry. I'll
try to get one ASAP.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
libvirt does not grant qemu-guest-agent
bummer workaround:
for xml in /etc/libvirt/qemu/*.xml; do VM=$(basename $xml|cut -d. -f1);
rm /var/lib/libvirt/qemu/channel/target/${VM}.org.qemu.guest_agent.0;
virsh dumpxml $VM | /usr/lib/libvirt/virt-aa-helper -c -u libvirt-`virsh
domuuid $VM`; virsh start $VM; done
--
You received this bug
Confirmed. Update in proposed works as mpanella says
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
libvirt does not grant qemu-guest-agent channel perms
To manage notifications
Hi Serge,
at first glance the libvirt version in -proposed works when the profile
is generated, but virt-aa-helper chokes on profile updates (e.g. media
change via virt-manager):
virt-aa-helper: error:
/var/lib/libvirt/qemu/channel/target/guineapig.org.qemu.guest_agent.0
virt-aa-helper: error:
Fix is simple enough, I've added it to my list of things to SRU to
trusty. I'm hoping to get to it this week.
** Also affects: libvirt (Ubuntu Trusty)
Importance: Undecided
Status: New
** Changed in: libvirt (Ubuntu Trusty)
Importance: Undecided = High
--
You received this bug
Hi Serge,
Can you post here the fix ?
So I do the fix on my server until it comes out the package.
Tks.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
libvirt does not grant
Hi again Serge, i see the source. Sorry, i think is some configuration
file, but is in c source file, need to compile. Ignore my request .
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Fix is simple enough, I've added it to my list of things to SRU to
trusty. I'm hoping to get to it this week.
** Also affects: libvirt (Ubuntu Trusty)
Importance: Undecided
Status: New
** Changed in: libvirt (Ubuntu Trusty)
Importance: Undecided = High
--
You received this bug
I'll push the package for sru today, and post the debdiff here so you
can build your own.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
libvirt does not grant qemu-guest-agent
** Attachment added: Fix which I will push to trusty-proposed
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1393842/+attachment/4453452/+files/debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Description changed:
+ ===
+ 1. Impact: cannot create a default RHEL7 vm in virt-manager
+ 2. fix: allow use of qemu-guest-agent channel
+ 3. Regression potential: there should be none. We are only adding an
+apparmor permission for unix sockets which
Tks Serge ! i got the diff, rebuild the package and Ok, it's work.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
libvirt does not grant qemu-guest-agent channel perms
To manage
Hello Mark, or anyone else affected,
Accepted libvirt into trusty-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/libvirt/1.2.2-0ubuntu13.1.15 in a
few hours, and then in the -proposed repository.
Please help us by testing this new package. See
The Ubuntu 14.04.3 LTS has this issue too.
Fresh install, today. All updates applied (upgrade and dist-upgrade).
When the update package will be released ?
The lastest version is:
root@ubuntu-kvm:~# dpkg -l | grep libvirt;
ii libvirt-bin 1.2.2-0ubuntu13.1.14
Yes, I forgot to have postinst create that.
** Changed in: libvirt (Ubuntu)
Status: Fix Released = Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
libvirt does not
Do a mkdir -p /var/lib/libvirt/qemu/channel/target/ - that should fix
it. It should have been created on install, but wasn't, and I guess the
package update doesn't create the directory. You might also make sure
that owner and group are set correctly, here they are libvirt-qemu and
kvm,
This bug was fixed in the package libvirt - 1.2.12-0ubuntu11
---
libvirt (1.2.12-0ubuntu11) vivid; urgency=medium
* create /var/lib/libvirt/qemu/channel/target (LP: #1393842)
- libvirt-bin.dirs: add /var/lib/libvirt/qemu/channel/target
- libvirt-bin.postinst: chown target
Sandly, it seems this is not fixed yet. I have libvirt-1.2.12 and
checked my system (vivid) is up to date. I still get the error reported
above.
Unable to complete install: 'internal error: process exited while connecting to
monitor: 2015-04-09T09:29:32.183316Z qemu-system-x86_64: -chardev
Yes, I forgot to have postinst create that.
** Changed in: libvirt (Ubuntu)
Status: Fix Released = Confirmed
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in Ubuntu.
https://bugs.launchpad.net/bugs/1393842
Title:
This bug was fixed in the package libvirt - 1.2.12-0ubuntu11
---
libvirt (1.2.12-0ubuntu11) vivid; urgency=medium
* create /var/lib/libvirt/qemu/channel/target (LP: #1393842)
- libvirt-bin.dirs: add /var/lib/libvirt/qemu/channel/target
- libvirt-bin.postinst: chown target
This bug was fixed in the package libvirt - 1.2.12-0ubuntu9
---
libvirt (1.2.12-0ubuntu9) vivid; urgency=medium
* 9037-virt-aa-helper-add-unix-channels-esp-for-qemu-guest-.patch: Allow
libvirt domains to start when using qemu guest agent. (LP: #1393842)
-- Serge Hallyn
This bug was fixed in the package libvirt - 1.2.12-0ubuntu9
---
libvirt (1.2.12-0ubuntu9) vivid; urgency=medium
* 9037-virt-aa-helper-add-unix-channels-esp-for-qemu-guest-.patch: Allow
libvirt domains to start when using qemu guest agent. (LP: #1393842)
-- Serge Hallyn
Raising priority bc it prevents stocfedora vms from being created using
virt-manager
** Changed in: libvirt (Ubuntu)
Importance: Medium = High
** Changed in: libvirt (Ubuntu)
Status: Triaged = In Progress
--
You received this bug notification because you are a member of Ubuntu
Bugs,
While adding this to /etc/apparmor.d/abstractions/libvirt-qemu certainly is a
viable workaround:
/var/lib/libvirt/qemu/channel/target/* rw,
it is not the proper fix because it breaks guest isolation (guests can
access other guests target files). Seems like virt-aa-helper should be
adjusted to
Same issue here. syslog shows that app-armor is refusing the creation of
the socket:
Dec 29 10:07:09: kernel: [ 1957.839479] audit: type=1400
audit(1419876429.922:90): apparmor=DENIED operation=mknod profi
le=libvirt-85c4cb3e-a2a1-42ba-af30-5d2d8f989780
Thanks - so it looks like virt-aa-helper should be updated to recognize
the channels and add a whitelist entry for them.
Do you have xml for a VM with such a channel handy?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Actually this bug doesn't appear to be related to apparmoer permissions.
The channel is simply not created - /var/lib/libvirt/qemu/channel does
not exist, even if qemu-guest-agent package is installed.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
Taking the steps Mark Grocock posted did not resolve this issue for me.
I have no idea where else it may go wrong. The issue remains the same:
Unable to complete install: 'internal error: process exited while connecting to
monitor: 2014-12-11T15:32:03.946345Z qemu-system-x86_64: -chardev
77 matches
Mail list logo
