[Group.of.nepali.translators] [Bug 1677398] Re: Apparmor prevents using storage pools and hostdev networks
This now has a related upstream issue
https://gitlab.com/libvirt/libvirt/-/issues/135

** Bug watch added: gitlab.com/libvirt/libvirt/-/issues #135
   https://gitlab.com/libvirt/libvirt/-/issues/135

** Also affects: libvirt via
   https://gitlab.com/libvirt/libvirt/-/issues/135
   Importance: Unknown
       Status: Unknown

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1677398

Title:
  Apparmor prevents using storage pools and hostdev networks

Status in libvirt:
  Unknown
Status in libvirt package in Ubuntu:
  Triaged
Status in libvirt source package in Xenial:
  Won't Fix
Status in libvirt source package in Yakkety:
  Won't Fix
Status in libvirt source package in Zesty:
  Won't Fix

Bug description:
  Apparmor prevents qemu-kvm guests from using ZFS volumes.

  [Impact]

   * storage pools are not usable.
     Examples with zfs and LVM pools

  [Test Case 1]

  # Prep ZFS
  1) Create a zpool
  $ for i in $(seq 1 3); do dd if=/dev/zero of=/tmp/fdisk${i} bs=1M count=1024; done
  $ sudo zpool create internal /tmp/fdisk*
  2) Create a ZFS storage pool and volume (named like your zpool, "internal" here)
  $ virsh pool-define-as internal zfs
  $ virsh pool-start internal
  $ virsh vol-create-as internal foo 2G

  # prep LVM
  4) prepare a (fake) LVM
  $ for i in $(seq 1 3); do dd if=/dev/zero of=/tmp/lvdisk${i} bs=1M count=1024; done
  $ sync
  $ DISKS=$(for i in $(seq 1 3); do sudo losetup -f --show /tmp/lvdisk${i}; done)
  $ sudo pvcreate --verbose $DISKS
  $ sudo vgcreate --verbose testvg $DISKS
  5) Create LVM Pool and volume
  $ virsh pool-define-as testvg logical
  $ virsh pool-start testvg
  $ virsh vol-create-as testvg guest1 2G

  # Prep Guest and use Pools
  6) Create a KVM guest e.g. via uvtool
  $ uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=xenial
  $ ssh-keygen
  $ uvt-kvm create --password=ubuntu testguest release=xenial arch=amd64 label=daily
  7) Edit the guest's XML profile to use the ZFS and LVM volumes (zvol)
  8) Start the guest

  The guest refuses to start:
  # virsh start nms
  error: Failed to start domain foo
  error: internal error: process exited while connecting to monitor: 2017-03-29T22:07:31.507017Z qemu-system-x86_64: -drive file=/dev/zvol/internal/foo,format=raw,if=none,id=drive-virtio-disk0,cache=none: Could not open '/dev/zvol/internal/foo': Permission denied

  dmesg reveals the culprit:
  apparmor="DENIED" operation="open" profile="libvirt-988a8c25-5190-4762-8170-55dc75fc66ca" name="/dev/zd224" pid=23052 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=109 ouid=109
  apparmor="DENIED" operation="open" profile="libvirt-988a8c25-5190-4762-8170-55dc75fc66ca" name="/dev/zd224" pid=23052 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=109 ouid=109

  Checking /etc/apparmor.d/libvirt/libvirt-$UUID.files shows that no "/dev/zdXX" has been added.

  [Additional info]
  # lsb_release -rd
  Description:    Ubuntu 16.04.2 LTS
  Release:        16.04

  # apt-cache policy libvirt-bin apparmor linux-image-generic
  libvirt-bin:
    Installed: 1.3.1-1ubuntu10.8
    Candidate: 1.3.1-1ubuntu10.8
    Version table:
   *** 1.3.1-1ubuntu10.8 500
          500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       1.3.1-1ubuntu10 500
          500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  apparmor:
    Installed: 2.10.95-0ubuntu2.5
    Candidate: 2.10.95-0ubuntu2.5
    Version table:
   *** 2.10.95-0ubuntu2.5 500
          500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       2.10.95-0ubuntu2 500
          500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  linux-image-generic:
    Installed: 4.4.0.70.76
    Candidate: 4.4.0.70.76
    Version table:
   *** 4.4.0.70.76 500
          500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
          100 /var/lib/dpkg/status
       4.4.0.21.22 500
          500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: libvirt-bin 1.3.1-1ubuntu10.8
  ProcVersionSignature: Ubuntu 4.4.0-70.91-generic 4.4.49
  Uname: Linux 4.4.0-70-generic x86_64
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  ApportVersion: 2.20.1-0ubuntu2.5
  Architecture: amd64
  Date: Wed Mar 29 17:48:06 2017
  SourcePackage: libvirt
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.default.libvirt-guests: [modified]
  modified.conffile..
[Group.of.nepali.translators] [Bug 1677398] Re: Apparmor prevents using storage pools and hostdev networks
Hi Nicolas,
yeah that isn't easy to fix and at least I didn't find the time to
develop something completely new to cover this yet.

I challenge the statement "Even the default storage pool
/var/lib/libvirt/images is not working", it does and it does well.
And for things that are under the control of Ubuntu in the Archive even
a few alternative paths work (openstack, uvtool, ...).

The issue you report is -not- using the default paths, the Deny lists
"/mnt/images/ubuntu-admin-qcow2" which clearly is not in one of the
common paths.

In general for using uncommon paths [1] the solution is that an admin
has to declare those paths as allowed in a local apparmor include.
So if terraform would usually use /a/b/c it should also either recommend
the admin to do so or even consider adding it to the files itself.

[1]: https://wiki.ubuntu.com/LibvirtApparmor#Using_uncommon_paths

** Changed in: libvirt (Ubuntu Xenial)
       Status: Confirmed => Won't Fix

** Changed in: libvirt (Ubuntu Zesty)
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1677398

Title:
  Apparmor prevents using storage pools and hostdev networks

Status in libvirt package in Ubuntu:
  Triaged
Status in libvirt source package in Xenial:
  Won't Fix
Status in libvirt source package in Yakkety:
  Won't Fix
Status in libvirt source package in Zesty:
  Won't Fix

Bug description:
  Apparmor prevents qemu-kvm guests from using ZFS volumes.

  [Impact]

   * storage pools are not usable.
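An added helper, not part of this thread or of libvirt, that turns the dmesg DENIED lines quoted in the bug report into the AppArmor file rules an admin would declare in the local include Christian refers to. The sample lines are copied from the report, and the include path /etc/apparmor.d/local/abstractions/libvirt-qemu named in the comments is an assumption about the Ubuntu layout.

```shell
#!/bin/sh
# Constructed sample: the two AppArmor DENIED lines quoted in the bug report.
SAMPLE_DMESG='apparmor="DENIED" operation="open" profile="libvirt-988a8c25-5190-4762-8170-55dc75fc66ca" name="/dev/zd224" pid=23052 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=109 ouid=109
apparmor="DENIED" operation="open" profile="libvirt-988a8c25-5190-4762-8170-55dc75fc66ca" name="/dev/zd224" pid=23052 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=109 ouid=109'

# Read audit lines on stdin, keep only DENIED events from libvirt-<uuid>
# guest profiles, and print one AppArmor file rule per denied path.
# Masks seen for the same path are merged (r + wr -> rw). Paths that
# contain spaces are not handled, because fields are split on whitespace.
denied_to_rules() {
    awk '
    /apparmor="DENIED"/ && /profile="libvirt-/ {
        path = ""; mask = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name="/)        path = substr($i, 7, length($i) - 7)
            if ($i ~ /^denied_mask="/) mask = substr($i, 14, length($i) - 14)
        }
        if (path == "") next
        if (!(path in seen)) { seen[path] = ++n; paths[n] = path }
        if (index(mask, "r")) r[path] = 1
        if (index(mask, "w")) w[path] = 1
        if (index(mask, "k")) k[path] = 1
    }
    END {
        for (j = 1; j <= n; j++) {
            p = paths[j]
            printf "\"%s\" %s%s%s,\n", p, (p in r ? "r" : ""), (p in w ? "w" : ""), (p in k ? "k" : "")
        }
    }'
}

# Run the filter over the constructed sample; returns the generated rule text.
sample_rules() {
    printf '%s\n' "$SAMPLE_DMESG" | denied_to_rules
}

# On a real host (assumption: Ubuntu layout, see the LibvirtApparmor wiki page
# linked above) the output is appended to the local include, e.g.:
#   dmesg | denied_to_rules | sudo tee -a /etc/apparmor.d/local/abstractions/libvirt-qemu
sample_rules
```

Review what the filter emits before appending it: a zvol's /dev/zdN number is assigned when the volume appears, so a rule written for /dev/zd224 may stop matching after volumes are recreated, and any rule you keep should grant only the paths and masks that were actually denied.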