[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2015-01-30 Thread Dave Chiluk
** Changed in: libvirt (Ubuntu Trusty)
   Status: Confirmed => Fix Released

** Changed in: libvirt (Ubuntu Utopic)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in Ubuntu.
https://bugs.launchpad.net/bugs/1403648

Title:
  Apparmor denies qemu access to a number of important directories.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1403648/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2015-01-30 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 1.2.8-0ubuntu21

---
libvirt (1.2.8-0ubuntu21) vivid; urgency=medium

  * d/apparmor/libvirt-qemu: Update the ceph.conf allow rule (LP: #1403648)
 -- Serge Hallyn serge.hal...@ubuntu.com   Fri, 30 Jan 2015 10:02:20 +0100

** Changed in: libvirt (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1403648

Title:
  Apparmor denies qemu access to a number of important directories.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1403648/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2015-01-30 Thread Ante Karamatić
Ideally, this would've been:

/var/lib/charm/*/ceph.conf r,

Service name can be different. For example:

[534614.823259] type=1400 audit(1422553522.478:143): apparmor=DENIED operation=open profile=libvirt-a7605ca2-0b10-4afa-b25e-3b6a83ae5552 name=/var/lib/charm/az1-compute/ceph.conf pid=43088 comm=qemu-system-x86 requested_mask=r denied_mask=r fsuid=110 ouid=0
** Changed in: libvirt (Ubuntu Trusty)
   Status: Fix Released => Confirmed

** Changed in: libvirt (Ubuntu)
   Status: Fix Released => Confirmed

** Changed in: libvirt (Ubuntu Utopic)
   Status: Fix Committed => Confirmed

[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2015-01-29 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 1.2.2-0ubuntu13.1.9

---
libvirt (1.2.2-0ubuntu13.1.9) trusty-proposed; urgency=medium

  * apparmor libvirt-qemu template: allow reading charm-specific ceph config
    and allow reading under /tmp and /var/tmp (for SRU only)  (LP: #1403648)
  * numa-cgroups-fix-cpuset-mems-init.patch - cherrypicked, refreshed patch
    (by Richard Laager) to fix failure to start on numa node 1 (LP: #1404388)
  * libvirt-qemu: add r to sgabios.bin (LP: #1393548)
 -- Serge Hallyn serge.hal...@ubuntu.com   Tue, 06 Jan 2015 10:39:15 -0600

** Changed in: libvirt (Ubuntu Trusty)
   Status: Fix Committed => Fix Released

[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2015-01-14 Thread Dave Chiluk
** Tags removed: verification-needed
** Tags added: verification-done-trusty verification-needed-utopic

** Tags removed: verification-needed-utopic
** Tags added: verification-needed



[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2015-01-14 Thread Dave Chiluk
** Tags added: verification-done-utopic

** Tags removed: verification-needed
** Tags added: verification-done



[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2015-01-14 Thread Dave Chiluk
** Changed in: libvirt (Ubuntu Trusty)
 Assignee: (unassigned) => Dave Chiluk (chiluk)

** Changed in: libvirt (Ubuntu Utopic)
 Assignee: (unassigned) => Dave Chiluk (chiluk)

** Changed in: libvirt (Ubuntu)
 Assignee: (unassigned) => Dave Chiluk (chiluk)

** Changed in: ceph (Juju Charms Collection)
   Status: New => Incomplete

** Changed in: ceph (Juju Charms Collection)
   Status: Incomplete => Invalid

** No longer affects: ceph (Juju Charms Collection)

[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2015-01-07 Thread Dave Chiluk
** Description changed:

+ [Impact]
+ * Log files become overloaded with apparmor denials when 
+ 
+ [Test Case]
+ * Launch a qemu instance using libvirt.
+ * See logged apparmor error in /var/log/syslog
+ 
+ [Regression Potential]
+ * Current defaults are to deny access to these files, but users may have 
modified apparmor to permit access to silence these warnings.  Since we don't 
want to break these users, and permitting access to /tmp and /var/tmp is not 
considered to be a great increase in security risk we will proceed with 
permissive for the SRU, and restrictive policies going forward for development.
+ 
+ __
  Apparmor denise libvirt access to a number of important directories.
- 
  
  syslog.4:Dec 12 17:18:08 nuc2 kernel: [54334.001494] type=1400 
audit(1418404688.659:48): apparmor=DENIED operation=open 
profile=libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660 
name=/var/lib/charm/ceph/ceph.conf pid=23594 comm=qemu-system-x86 
requested_mask=r denied_mask=r fsuid=108 ouid=0
  syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.537222] type=1400 
audit(1418404689.195:49): apparmor=DENIED operation=open 
profile=libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660 
name=/var/lib/charm/ceph/ceph.conf pid=23594 comm=qemu-system-x86 
requested_mask=r denied_mask=r fsuid=108 ouid=0
  syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.745412] type=1400 
audit(1418404689.403:50): apparmor=DENIED operation=open 
profile=libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660 
name=/var/lib/charm/ceph/ceph.conf pid=23594 comm=qemu-system-x86 
requested_mask=r denied_mask=r fsuid=108 ouid=0
  syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.808978] type=1400 
audit(1418404689.467:51): apparmor=DENIED operation=open 
profile=libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660 
name=/var/lib/charm/ceph/ceph.conf pid=23594 comm=qemu-system-x86 
requested_mask=r denied_mask=r fsuid=108 ouid=0
  syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.858862] type=1400 
audit(1418404689.515:52): apparmor=DENIED operation=open 
profile=libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660 
name=/var/lib/charm/ceph/ceph.conf pid=23594 comm=qemu-system-x86 
requested_mask=r denied_mask=r fsuid=108 ouid=0
  syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.909608] type=1400 
audit(1418404689.567:53): apparmor=DENIED operation=open 
profile=libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660 
name=/var/lib/charm/ceph/ceph.conf pid=23594 comm=qemu-system-x86 
requested_mask=r denied_mask=r fsuid=108 ouid=0
  syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.976979] type=1400 
audit(1418404689.635:54): apparmor=DENIED operation=open 
profile=libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660 
name=/var/lib/charm/ceph/ceph.conf pid=23594 comm=qemu-system-x86 
requested_mask=r denied_mask=r fsuid=108 ouid=0
  syslog.4:Dec 12 18:25:25 nuc2 kernel: [58368.978163] type=1400 
audit(1418408725.790:56): apparmor=DENIED operation=open 
profile=libvirt-c2f29087-8453-4441-a27d-71fcd7a5 
name=/var/lib/charm/ceph/ceph.conf pid=19293 comm=qemu-system-x86 
requested_mask=r denied_mask=r fsuid=108 ouid=0
  syslog.4:Dec 12 18:25:25 nuc2 kernel: [58368.979670] type=1400 
audit(1418408725.790:57): apparmor=DENIED operation=open 
profile=libvirt-c2f29087-8453-4441-a27d-71fcd7a5 name=/tmp/ pid=19293 
comm=qemu-system-x86 requested_mask=r denied_mask=r fsuid=108 ouid=0
  syslog.4:Dec 12 18:25:25 nuc2 kernel: [58368.979680] type=1400 
audit(1418408725.790:58): apparmor=DENIED operation=open 
profile=libvirt-c2f29087-8453-4441-a27d-71fcd7a5 name=/var/tmp/ 
pid=19293 comm=qemu-system-x86 requested_mask=r denied_mask=r fsuid=108 
ouid=0
  
  In this case the machine was installed using juju and maas.  Specific
  charms in play on this machine are ceph, and nova-compute.
  
  I'm not sure if the juju charms need to be updated or if the libvirt
  template needs to be updated or something else altogether.
  
  It's important to not that without ceph apparmor still denies access to
  /tmp and /var/tmp
  
  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: libvirt-bin 1.2.2-0ubuntu13.1.7
  ProcVersionSignature: User Name 3.13.0-35.62-generic 3.13.11.6
  Uname: Linux 3.13.0-35-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.6
  Architecture: amd64
  Date: Wed Dec 17 21:15:20 2014
  KernLog:
-  
+ 
  ProcEnviron:
-  TERM=xterm
-  PATH=(custom, no user)
-  XDG_RUNTIME_DIR=set
-  LANG=en_US.UTF-8
-  SHELL=/bin/bash
+  TERM=xterm
+  PATH=(custom, no user)
+  XDG_RUNTIME_DIR=set
+  LANG=en_US.UTF-8
+  SHELL=/bin/bash
  SourcePackage: libvirt
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.default.libvirt.bin: [modified]
  modified.conffile..etc.libvirt.libvirtd.conf: [modified]
  modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] 
Permission denied: '/etc/libvirt/qemu.conf']
  mtime.conffile..etc.default.libvirt.bin: 2014-12-12T02:21:56.792085
  mtime.conffile..etc.libvirt.libvirtd.conf: 
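Review bot: The [Impact] entry added at the top of the description stops mid-sentence ("Log files become overloaded with apparmor denials when"), so the condition that triggers the denials is never stated; finish the sentence. The [Test Case] would also be easier to verify if it named the denials to look for, which per the log excerpt are the name= paths /var/lib/charm/ceph/ceph.conf, /tmp/ and /var/tmp/, and said what the log should look like once the updated package is installed.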

[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2015-01-07 Thread Chris J Arges
Hello Dave, or anyone else affected,

Accepted libvirt into trusty-proposed. The package will build now and be
available at
http://launchpad.net/ubuntu/+source/libvirt/1.2.2-0ubuntu13.1.9 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to
enable and use -proposed.  Your feedback will aid us in getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: libvirt (Ubuntu Trusty)
   Status: New => Fix Committed

** Tags added: verification-needed

** Changed in: libvirt (Ubuntu Utopic)
   Status: New => Fix Committed



[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2015-01-06 Thread Serge Hallyn
@Dave,

could you please update the description with a concise test case for the
SRU process?



[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2015-01-06 Thread Serge Hallyn
** Also affects: libvirt (Ubuntu Utopic)
   Importance: Undecided
   Status: New

** Also affects: libvirt (Ubuntu Trusty)
   Importance: Undecided
   Status: New

[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2015-01-06 Thread Serge Hallyn
** Changed in: libvirt (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: libvirt (Ubuntu Utopic)
   Importance: Undecided => High



[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2015-01-06 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 1.2.8-0ubuntu19

---
libvirt (1.2.8-0ubuntu19) vivid; urgency=medium

  * apparmor libvirt-qemu template: allow reading charm-specific ceph config
    and silence denials for /tmp/**.  (LP: #1403648)
 -- Serge Hallyn serge.hal...@ubuntu.com   Tue, 06 Jan 2015 10:27:33 -0600

** Changed in: libvirt (Ubuntu)
   Status: Confirmed => Fix Released

[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2014-12-19 Thread Serge Hallyn
We should implement (2) right after the holiday break (in case there are
actually breakages).

** Changed in: libvirt (Ubuntu)
   Importance: Undecided => High

** Changed in: libvirt (Ubuntu)
   Status: New => Confirmed



[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2014-12-17 Thread Dave Chiluk
xml for the created vm.

This applies to all VMs created via openstack through libvirt.

** Attachment added: xml
   
https://bugs.launchpad.net/charms/+source/ceph/+bug/1403648/+attachment/4283134/+files/xml



[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2014-12-17 Thread Dave Chiluk
Is there any way to get rid of the messages?  Perhaps we should patch
qemu to not attempt to access /tmp or /var/tmp?

Basically these messages are now filling up logs on openstack compute
nodes.



[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2014-12-17 Thread Dave Chiluk
** Tags added: cts



[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2014-12-17 Thread Jamie Strandboge
qemu doesn't normally need /tmp and /var/tmp. Something is making it use
it (i.e., VMs launched under local libvirt (i.e., not OpenStack) don't have
this problem). One could add an explicit deny rule to
/etc/apparmor.d/abstractions/libvirt-qemu to deny /tmp and /var/tmp, but
I think it would be better to understand the problem (and that might
break testing environments that legitimately put the disk in /tmp).

The attached xml isn't what I was looking for. When an affected VM is running,
can you do:
$ virsh dumpxml domain

where 'domain' can be found from 'virsh list'.



[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2014-12-17 Thread Dave Chiluk
Somehow the earlier xml upload was corrupted; trying again.

** Attachment added: xml
   
https://bugs.launchpad.net/charms/+source/ceph/+bug/1403648/+attachment/4283152/+files/xml

** Attachment removed: xml
   
https://bugs.launchpad.net/charms/+source/ceph/+bug/1403648/+attachment/4283134/+files/xml



[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2014-12-17 Thread Dave Chiluk
Launchpad fail... One more time.

** Attachment added: xml.txt
   
https://bugs.launchpad.net/charms/+source/ceph/+bug/1403648/+attachment/4283154/+files/xml.txt



[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2014-12-17 Thread Dave Chiluk
Launchpad fail... One more time.

** Attachment added: xml.txt
   
https://bugs.launchpad.net/charms/+source/ceph/+bug/1403648/+attachment/4283155/+files/xml.txt



[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2014-12-17 Thread Jamie Strandboge
This is in the domain xml:
  <auth username='nova-compute'>
    <secret type='ceph' uuid='514c9fca-8cbe-11e2-9c52-3bc8c7819472'/>
  </auth>

there is nothing else in it regarding ceph. I looked at
https://libvirt.org/storage.html and don't see where you would tell qemu to
look at /var/lib/charm/ceph/ceph.conf. The way forward:
1. adjust the charm to not have qemu need to access ceph.conf
2. add the following to /etc/apparmor.d/abstractions/libvirt-qemu (assuming
   there is nothing sensitive in there):
  /var/lib/charm/ceph/ceph.conf r,
3. if /var/lib/charm/ceph/ceph.conf is set via some libvirt directive, adjust
   virt-aa-helper and/or libvirt to add this setting to the VM-specific .files
   file in /etc/apparmor.d/libvirt

I'm not well-versed with ceph and how OpenStack is using it to make a
recommendation on which is best (but am happy to discuss the correct
path forward if someone can discuss how /var/lib/charm/ceph/ceph.conf is
being set).

** Changed in: libvirt (Ubuntu)
   Status: Incomplete => New



[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2014-12-17 Thread Jamie Strandboge
Dave and I spoke on irc. Here is a summary:
 * qemu uses librbd which under the hood looks at ceph.conf, etc
 * /etc/ceph/ceph.conf -> /etc/alternatives/ceph.conf ->
   /var/lib/charm/ceph/ceph.conf
 * we already allow access to /etc/ceph/ceph.conf in
   /etc/apparmor.d/abstraction/libvirt-qemu
 * /var/lib/charm/ceph/ceph.conf does not contain anything particularly
   sensitive
 * /var/lib/charm/ceph/ceph.conf does tell qemu (via librbd) where to find the
   keyring and other options

Therefore, adding this to /etc/apparmor.d/abstraction/libvirt-qemu is ok:
  /var/lib/charm/ceph/ceph.conf r,

but note that /var/lib/charm/ceph/ceph.conf seems rather charm-specific.
If we add more of these, we'll want to consider a way to clean this up
(eg, via a glob).

If qemu then goes to look at the keyring files, then
libvirt/aa-virt-helper needs to be updated to add the VM-specific keyring
files to the VM-specific .files file in /etc/apparmor.d/libvirt such that
only VMs specifying ceph have access to the keyring files, and the VMs
should be limited to accessing only the keyring file it should have access to.
Based on Dave's feedback, the VM doesn't seem to need access to the
keyring files and the readonly access to /var/lib/charm/ceph/ceph.conf
is sufficient.



[Bug 1403648] Re: Apparmor denies qemu access to a number of important directories.

2014-12-17 Thread Jamie Strandboge
As for the /tmp and /var/tmp denials, Dave mentioned that adding the following 
rules silenced the denials:
  /tmp/ r,
  /var/tmp/ r,

I'm not a fan of those rules in general, because it gives the VMs read
access to the directory and they can see what is in there. However I
also don't want to break existing setups by adding an explicit deny rule
that would block all access to /tmp and /var/tmp if the user updated
policy for that or is putting disks in /tmp for testing environments.

As such I suggest the following:
1. for stable releases, add the following to /etc/apparmor.d/abstractions/libvirt-qemu:
  /tmp/ r,
  /var/tmp/ r,
2. for vivid, add the following to /etc/apparmor.d/abstractions/libvirt-qemu:
  deny /tmp/{,**} r,
  deny /var/tmp/{,**} r,

'1' is suitable for SRU since it only allows access where it wasn't
allowed before. If we get bug reports in 15.04+ for '2', the proper
solution is to have libvirt set up a vm-specific tmp dir, and have
aa-virt-helper add this directory to the .files file for that VM.

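
The rule variants proposed in this thread, checked against the logged denials. This is an added example, not code from libvirt or AppArmor: it parses the audit records and reports, per path, whether a rule set allows the read, denies it quietly (explicit deny rules are not logged unless marked audit), or leaves it denied and logged. Assumptions: the glob matcher is a simplified model of AppArmor path globbing (only *, **, ? and {a,b}), the log lines are constructed from the ones quoted above with a placeholder profile name, and all function and rule-set names are hypothetical.

```python
import re

# Constructed sample, modelled on the denials quoted in this thread. The
# profile name is a placeholder. The last record is left unquoted, as the
# lines appear on this page; the parser accepts both forms.
SAMPLE_LOG = """\
[54334.001494] type=1400 audit(1418404688.659:48): apparmor="DENIED" operation="open" profile="libvirt-EXAMPLE" name="/var/lib/charm/ceph/ceph.conf" pid=23594 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
[58368.979670] type=1400 audit(1418408725.790:57): apparmor="DENIED" operation="open" profile="libvirt-EXAMPLE" name="/tmp/" pid=19293 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
[58368.979680] type=1400 audit(1418408725.790:58): apparmor="DENIED" operation="open" profile="libvirt-EXAMPLE" name="/var/tmp/" pid=19293 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
[534614.823259] type=1400 audit(1422553522.478:143): apparmor=DENIED operation=open profile=libvirt-EXAMPLE name=/var/lib/charm/az1-compute/ceph.conf pid=43088 comm=qemu-system-x86 requested_mask=r denied_mask=r fsuid=110 ouid=0
"""

# Fixed ceph.conf path plus option 1 for /tmp and /var/tmp (stable releases).
STABLE_RULES = ["/var/lib/charm/ceph/ceph.conf r,", "/tmp/ r,", "/var/tmp/ r,"]
# Glob over the service name plus option 2 (explicit deny) for the tmp dirs.
GLOB_RULES = ["/var/lib/charm/*/ceph.conf r,",
              "deny /tmp/{,**} r,", "deny /var/tmp/{,**} r,"]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denials(text):
    """Return one dict per apparmor DENIED record that names a path."""
    records = []
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            records.append(fields)
    return records


def glob_to_regex(glob):
    """Translate a simplified AppArmor path glob into an anchored regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            double = glob[i:i + 2] == "**"
            j = i + (2 if double else 1)
            # A wildcard that is a whole path component must match >= 1 char,
            # which is why "/tmp/{,**}" is used to include "/tmp/" itself.
            whole = i > 0 and glob[i - 1] == "/" and (j == len(glob) or glob[j] == "/")
            if double:
                out.append("[^/].*" if whole else ".*")   # ** crosses '/'
            else:
                out.append("[^/]+" if whole else "[^/]*")  # * stays in one component
            i = j
            continue
        if c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError("unbalanced '{' in rule path: %r" % glob)
    return re.compile("".join(out) + r"\Z")


def parse_rule(text):
    """Parse '[deny] PATH PERMS,' into (is_deny, compiled_path, perm_set)."""
    tokens = text.strip().rstrip(",").split()
    is_deny = tokens[0] == "deny"
    if is_deny:
        tokens = tokens[1:]
    path, perms = tokens
    return is_deny, glob_to_regex(path), set(perms)


def classify(denial, rules):
    """Outcome for one logged access if `rules` were added to the profile."""
    path, wanted = denial["name"], set(denial["requested_mask"])
    granted = set()
    for is_deny, regex, perms in rules:
        if not regex.match(path):
            continue
        if is_deny and perms & wanted:
            return "denied-quiet"      # deny always wins over allow
        if not is_deny:
            granted |= perms
    return "allowed" if wanted <= granted else "denied-logged"


def evaluate(log_text, rule_lines):
    """Map each denied path in the log to its outcome under rule_lines."""
    rules = [parse_rule(r) for r in rule_lines]
    return {d["name"]: classify(d, rules) for d in parse_denials(log_text)}


if __name__ == "__main__":
    for label, rules in (("stable", STABLE_RULES), ("glob+deny", GLOB_RULES)):
        for path, outcome in evaluate(SAMPLE_LOG, rules).items():
            print("%-10s %-42s %s" % (label, path, outcome))
```

With the fixed-path rule the az1-compute ceph.conf stays denied and logged, which is the case the glob covers; the directory-only rules /tmp/ and /var/tmp/ do not extend to files below them.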