[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2017-01-12 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 1.3.1-1ubuntu10.6

---
libvirt (1.3.1-1ubuntu10.6) xenial; urgency=medium

  * d/apparmor/usr.lib.libvirt.virt-aa-helper: add missing rules for name
resolution to virt-aa-helper Apparmor profile (LP: #1546674).

 -- Christian Ehrhardt   Tue, 22 Nov
2016 09:39:18 +0100

** Changed in: libvirt (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-12-12 Thread Simon Déziel
** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-12-11 Thread Martin Pitt
Hello Simon, or anyone else affected,

Accepted libvirt into xenial-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/libvirt/1.3.1-1ubuntu10.6 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: libvirt (Ubuntu Xenial)
   Status: Triaged => Fix Committed

** Tags added: verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-12-01 Thread ChristianEhrhardt
Reworked fix in Zesty and working, refreshed the SRU upload which is
ready and waiting for SRU review now.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-30 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 2.1.0-1ubuntu14

---
libvirt (2.1.0-1ubuntu14) zesty; urgency=medium

  * d/p/u/apparmor-fix-name-resolution.patch rework the fix to base
on the apparmor nameservice abstraction to be future proof (LP: #1546674).
  * d/p/ubuntu/apparmor-fix-new-devicetypes.patch add new block device types to
virt-aa-helpers profile (LP: #1641618)
  * d/p/u/apparmor-fix-other-seclabels.patch refresh to the now upstream
accepted solution (LP: #1633207).

 -- Christian Ehrhardt   Thu, 24 Nov
2016 08:06:38 +0100

** Changed in: libvirt (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-29 Thread ChristianEhrhardt
Thanks Simon for the confirmation.

Yet FYI I'll reroll the zesty fix to become equal to the one Pitti suggested 
for the SRU.
I only want to avoid a proliferation of updates and therefore want to group 
that with some other things which are stalled just a bit. Should be ready to go 
in 5-10 days and an SRU to Xenial from there as well.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-29 Thread Simon Déziel
Christian, I'm happy to report that this LP is fixed in Zesty.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


Re: [Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-24 Thread Simon Déziel
Hello Christian,

On 2016-11-24 03:44 AM, ChristianEhrhardt wrote:
> I've created a ppa with the modified fix as suggested by Martin.

I was not sure that pulling such a big abstraction was needed but in
retrospective, Martin's suggestion makes sense. Why is virt-aa-helper
trying to do name resolution is still unclear to me though.

> They work just as good as the former fix, but staying more future proof by 
> using the abstractions.
> => https://launchpad.net/~paelzer/+archive/ubuntu/libvirt-bug-1546674-1615550
> I know you are usually only on LTS, but do you think you could take a look at 
> that before I upload?

FYI, I manually applied your 2 patches on Xenial and it addresses the 2
bugs.

> P.S. I've used one ppa for this and bug 1641618 trying to save you some
> work on those checks.

I appreciate it, I'll get back to you with Zesty testing as soon as
possible.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-24 Thread ChristianEhrhardt
Hi Simon,
I've created a ppa with the modified fix as suggested by Martin.
They work just as good as the former fix, but staying more future proof by 
using the abstractions.
=> https://launchpad.net/~paelzer/+archive/ubuntu/libvirt-bug-1546674-1615550
I know you are usually only on LTS, but do you think you could take a look at 
that before I upload?

P.S. I've used one ppa for this and bug 1641618 trying to save you some
work on those checks.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-23 Thread ChristianEhrhardt
Thanks Martin for your extra insight into apparmor, working on a fresh fix for 
Zesty now.
Coming back to an SRU once that is tested and migrated.

I'd drop the Ubuntu Review Team subscription til then.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-23 Thread Martin Pitt
Not much that we can do about the conffile prompt indeed. However, I
disagree with the actual patch. This should include
abstractions/nameservice instead, which allows these files plus a lot
more for other name service methods. We really want to avoid having to
SRU a conffile change twice, and this is *definitively* not sufficient
for 16.10 and up (as you e. g. also need to be able to talk to
resolved). Please also fix this in zesty. Thanks!

** Changed in: libvirt (Ubuntu)
   Status: Fix Released => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-23 Thread ChristianEhrhardt
Thanks Robie,
it does indeed land in "/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper" so that 
could happen.
I didn't think on that - thanks for catching this!

Yet I think the fix is worth it. And for those few that have the ability
to manually modify this file it should be no huge challenge - as you
outlined the comment and bug# will help.

I would expect that the non interactive default would be to keep
whatever modifications they had in place (unless somebody updates with
non default options). In the first case they won't regress (just don't
get the fix) and in the second case (-o Dpkg::Options::="--force-
confnew") they would have chosen so intentionally.

Waiting for an ack from another SRU Team member together with you ...

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-23 Thread Robie Basak
I think it's worth nothing that I think landing this SRU (I haven't
verified the destination in the binary package) will cause a conffile
prompt for any user who has modified usr.lib.libvirt.virt-aa-helper
locally.

There is a comment with an explanation and an LP bug reference, which
helps. Users who don't see the prompt won't be regressed whichever way
the default answer falls. So in this case I think it's probably OK, but
I would like an ack on this from another SRU team member please.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-22 Thread ChristianEhrhardt
Hi,
now that things are in the development release I could go on with this.

I simplified the reproduction steps according to comment #22 and wrote
the SRU Template as required.

I prepared the SRU, tested it locally and uploaded for the SRU team to
consider it - it just entered the queue waiting to be accepted - so
waiting for the SRU Team to come by the queue next time.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-22 Thread ChristianEhrhardt
** Description changed:

- Reproducing steps:
+ [Impact]
+ 
+  * Apparmor denies several hostname related accesses by libvirt causing 
+severe slowdowns in some cases.
+ 
+ [Test Case]
+ 
+ * Note: while there are various ways to trigger it - many have seen the 
+   issue, but often it is unclear when exactly it will trigger or does no 
+   more. So some of the repo-cases have proven to be unreliable - thanks 
+   Simon for this Repro howto listed here. (simplified as it turned out 
+   zvols are not needed according to comment #22)
  
  1) Sync Xenial cloud-image
  uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily 
arch=amd64 label=daily release=xenial
  
  2) Create a test guest with:
  uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test 
release=xenial arch=amd64 label=daily
  
- 3) Create a zvol
- zfs create -V 8G zlxd/xenial-kernel-test
+ 3) strop it and add an extra volume in a way like this snippet
+$ virsh shutdown xenial-kernel-test
+$ virsh edit xenial-kernel-test
+ 
+   
+   
+   
+ 
  
- 4) Copy the qcow2 data to the zvol
- qemu-img convert -O raw \
-   /var/lib/uvtool/libvirt/images/xenial-kernel-test.qcow \
-   /dev/zvol/zlxd/xenial-kernel-test
- 
- 5) Update the guest definition to use the zvol
-   
- 
- 
- 
-   
- 
- 6) boot the guest
+ 4) start the guest
  virsh start xenial-kernel-test
  
- 7) check for apparmor denial messages
+ 6) check for apparmor denial messages
  dmesg | tail | grep apparmor
  
  Without the fix, Apparmor would report denials when accessing
  /etc/nsswitch.conf, /etc/host.conf, /etc/gai.conf,
  /run/resolvconf/resolv.conf and /dev/zdX (where X corresponds to the
  zvol number). Starting the guest should be much slower than usual.
  
- With the fix in place, the only Apparmor denial would be about reading
- the /dev/zdx device (see LP: #1641618). This causes no visible problem
- nor slowdown.
+ With the fix in place no related Apparmor denials show up.
  
+ [Regression Potential]
+ 
+  * The fix is rather small and "only" opens up apparmor confinement a bit. 
+That makes us assume that the potential for regression should be 
+minimal.
+ 
+ ###
  
  Original description:
  
  With libvirt-bin 1.3.1, starting a QEMU guest results in those AA
  denials:
  
  Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 
audit(1455728783.639:73): apparmor="DENIED" operation="open" 
profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=23156 
comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 
audit(1455728783.639:74): apparmor="DENIED" operation="open" 
profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=23156 
comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 
audit(1455728783.639:75): apparmor="DENIED" operation="open" 
profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" 
pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 
ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 
audit(1455728783.639:76): apparmor="DENIED" operation="open" 
profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" 
pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 
ouid=0
  
  virt-aa-helper's AA profile hasn't changed recently so it seems like the
  helper is doing more in this release.
  
  Additional information:
  
  $ lsb_release -rd
  Description:  Ubuntu Xenial Xerus (development branch)
  Release:  16.04
  
  $ apt-cache policy apparmor libvirt-bin
  apparmor:
    Installed: 2.10-3ubuntu1
    Candidate: 2.10-3ubuntu1
    Version table:
   *** 2.10-3ubuntu1 500
  500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  100 /var/lib/dpkg/status
  libvirt-bin:
    Installed: 1.3.1-1ubuntu1
    Candidate: 1.3.1-1ubuntu1
    Version table:
   *** 1.3.1-1ubuntu1 500
  500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  100 /var/lib/dpkg/status
  
  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: libvirt-bin 1.3.1-1ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-5.20-generic 4.4.1
  Uname: Linux 4.4.0-5-generic x86_64
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  ApportVersion: 2.20-0ubuntu3
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Wed Feb 17 13:08:04 2016
  KernLog:
  
  SourcePackage: libvirt
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] 
Permission denied: '/etc/libvirt/qemu.conf']
  modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted]

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu

[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-21 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 2.1.0-1ubuntu13

---
libvirt (2.1.0-1ubuntu13) zesty; urgency=medium

  * drop d/p/ubuntu/fix-ftbfs-for-gnutls-3-5-6.patch as the offending change
in gnutls has been reverted (LP: #1641615)
  * Build depend on gnutls >= 3.5.6-4ubuntu2 to build after the gnutls fix
migrated

 -- Christian Ehrhardt   Thu, 17 Nov
2016 08:43:10 +0100

** Changed in: libvirt (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-14 Thread Simon Déziel
It's not specific to zvols after all as I just setup a new hypervisor
where I hand out host's partitions to the guests like this:


  
  
  


This is enough to get virt-aa-helper to try reading /etc/nsswitch.conf,
/etc/host.conf and /etc/gai.conf.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-14 Thread Simon Déziel
** Description changed:

  Reproducing steps:
  
  1) Sync Xenial cloud-image
  uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily 
arch=amd64 label=daily release=xenial
  
  2) Create a test guest with:
  uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test 
release=xenial arch=amd64 label=daily
  
  3) Create a zvol
  zfs create -V 8G zlxd/xenial-kernel-test
  
  4) Copy the qcow2 data to the zvol
  qemu-img convert -O raw \
    /var/lib/uvtool/libvirt/images/xenial-kernel-test.qcow \
    /dev/zvol/zlxd/xenial-kernel-test
  
  5) Update the guest definition to use the zvol
    
  
  
  
    
  
  6) boot the guest
  virsh start xenial-kernel-test
  
  7) check for apparmor denial messages
  dmesg | tail | grep apparmor
  
  Without the fix, Apparmor would report denials when accessing
  /etc/nsswitch.conf, /etc/host.conf, /etc/gai.conf,
  /run/resolvconf/resolv.conf and /dev/zdX (where X corresponds to the
  zvol number). Starting the guest should be much slower than usual.
  
  With the fix in place, the only Apparmor denial would be about reading
- the /dev/zdx device. This causes no visible problem nor slowdown.
+ the /dev/zdx device (see LP: #1641618). This causes no visible problem
+ nor slowdown.
+ 
  
  Original description:
  
  With libvirt-bin 1.3.1, starting a QEMU guest results in those AA
  denials:
  
  Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 
audit(1455728783.639:73): apparmor="DENIED" operation="open" 
profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=23156 
comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 
audit(1455728783.639:74): apparmor="DENIED" operation="open" 
profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=23156 
comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 
audit(1455728783.639:75): apparmor="DENIED" operation="open" 
profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" 
pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 
ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 
audit(1455728783.639:76): apparmor="DENIED" operation="open" 
profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" 
pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 
ouid=0
  
  virt-aa-helper's AA profile hasn't changed recently so it seems like the
  helper is doing more in this release.
  
  Additional information:
  
  $ lsb_release -rd
  Description:  Ubuntu Xenial Xerus (development branch)
  Release:  16.04
  
  $ apt-cache policy apparmor libvirt-bin
  apparmor:
    Installed: 2.10-3ubuntu1
    Candidate: 2.10-3ubuntu1
    Version table:
   *** 2.10-3ubuntu1 500
  500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  100 /var/lib/dpkg/status
  libvirt-bin:
    Installed: 1.3.1-1ubuntu1
    Candidate: 1.3.1-1ubuntu1
    Version table:
   *** 1.3.1-1ubuntu1 500
  500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  100 /var/lib/dpkg/status
  
  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: libvirt-bin 1.3.1-1ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-5.20-generic 4.4.1
  Uname: Linux 4.4.0-5-generic x86_64
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  ApportVersion: 2.20-0ubuntu3
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Wed Feb 17 13:08:04 2016
  KernLog:
  
  SourcePackage: libvirt
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] 
Permission denied: '/etc/libvirt/qemu.conf']
  modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted]

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-14 Thread Simon Déziel
** Description changed:

+ Reproducing steps:
+ 
+ 1) Sync Xenial cloud-image
+ uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily 
arch=amd64 label=daily release=xenial
+ 
+ 2) Create a test guest with:
+ uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test 
release=xenial arch=amd64 label=daily
+ 
+ 3) Create a zvol
+ zfs create -V 8G zlxd/xenial-kernel-test
+ 
+ 4) Copy the qcow2 data to the zvol
+ qemu-img convert -O raw \
+   /var/lib/uvtool/libvirt/images/xenial-kernel-test.qcow \
+   /dev/zvol/zlxd/xenial-kernel-test
+ 
+ 5) Update the guest definition to use the zvol
+   
+ 
+ 
+ 
+   
+ 
+ 6) boot the guest
+ virsh start xenial-kernel-test
+ 
+ 7) check for apparmor denial messages
+ dmesg | tail | grep apparmor
+ 
+ 
+ Without the fix, Apparmor would report denials when accessing 
/etc/nsswitch.conf, /etc/host.conf, /etc/gai.conf, /run/resolvconf/resolv.conf 
and /dev/zvolX (where X corresponds to the zvol number). Starting the guest 
should be much slower than usual.
+ 
+ With the fix in place, the only Apparmor denial would be about reading
+ the /dev/zvolx device. This causes no visible problem nor slowdown.
+ 
+ 
+ Original description:
+ 
  With libvirt-bin 1.3.1, starting a QEMU guest results in those AA
  denials:
  
  Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 
audit(1455728783.639:73): apparmor="DENIED" operation="open" 
profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=23156 
comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 
audit(1455728783.639:74): apparmor="DENIED" operation="open" 
profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=23156 
comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 
audit(1455728783.639:75): apparmor="DENIED" operation="open" 
profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" 
pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 
ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 
audit(1455728783.639:76): apparmor="DENIED" operation="open" 
profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" 
pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 
ouid=0
  
- 
- virt-aa-helper's AA profile hasn't changed recently so it seems like the 
helper is doing more in this release.
+ virt-aa-helper's AA profile hasn't changed recently so it seems like the
+ helper is doing more in this release.
  
  Additional information:
  
  $ lsb_release -rd
  Description:  Ubuntu Xenial Xerus (development branch)
  Release:  16.04
  
  $ apt-cache policy apparmor libvirt-bin
  apparmor:
-   Installed: 2.10-3ubuntu1
-   Candidate: 2.10-3ubuntu1
-   Version table:
-  *** 2.10-3ubuntu1 500
- 500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
- 100 /var/lib/dpkg/status
+   Installed: 2.10-3ubuntu1
+   Candidate: 2.10-3ubuntu1
+   Version table:
+  *** 2.10-3ubuntu1 500
+ 500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
+ 100 /var/lib/dpkg/status
  libvirt-bin:
-   Installed: 1.3.1-1ubuntu1
-   Candidate: 1.3.1-1ubuntu1
-   Version table:
-  *** 1.3.1-1ubuntu1 500
- 500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
- 100 /var/lib/dpkg/status
+   Installed: 1.3.1-1ubuntu1
+   Candidate: 1.3.1-1ubuntu1
+   Version table:
+  *** 1.3.1-1ubuntu1 500
+ 500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
+ 100 /var/lib/dpkg/status
  
  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: libvirt-bin 1.3.1-1ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-5.20-generic 4.4.1
  Uname: Linux 4.4.0-5-generic x86_64
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  ApportVersion: 2.20-0ubuntu3
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Wed Feb 17 13:08:04 2016
  KernLog:
-  
+ 
  SourcePackage: libvirt
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] 
Permission denied: '/etc/libvirt/qemu.conf']
  modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted]

** Description changed:

  Reproducing steps:
  
  1) Sync Xenial cloud-image
  uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily 
arch=amd64 label=daily release=xenial
  
  2) Create a test guest with:
  uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test 
release=xenial arch=amd64 label=daily
  
  3) Create a zvol
  zfs create -V 8G zlxd/xenial-kernel-test
  
  4) Copy the qcow2 data to the zvol
  qemu-img convert -O raw \
-   /var/lib/uvtool/libvirt/images/xenial-kernel-test.qcow \
-   /dev/zvol/zlxd/xenial-kernel-test
+   /var/lib/uvtoo

[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-14 Thread ChristianEhrhardt
What worked last week doesn't have to this week - I ran into an FTBFS -
please wait a bit until resolved.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-14 Thread ChristianEhrhardt
FYI - Fix pushed to Zesty

@Simon could you give some extra detail on "severe slowdown" as we need
it for the SRU template then. And since we lack a clear "steps to
reproduce" maybe those as well if you happened to find the important bit
to trigger it in the meantime.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-14 Thread ChristianEhrhardt
** Changed in: libvirt (Ubuntu)
   Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


Re: [Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-03 Thread Simon Déziel
On 2016-11-03 06:01 AM, ChristianEhrhardt wrote:
> To confirm - does that also confirm that the issues of bug 1615550
> (/proc/$pid/task/*/comm) are gone as intended?

Yes, LP: #1615550 is fixed as well.

> The Ubuntu delta seems pretty big already. I feel that most of it should
>> be sent upstream. I'll give it a try.
>>
> 
> Yes, thank you a lot for up-streaming.
> In the meantime I marked you as Author on the two patches and Changelog to
> properly credit all your work on that.

I appreciate it, thanks.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


Re: [Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-11-03 Thread ChristianEhrhardt
On Thu, Oct 27, 2016 at 5:44 PM, Simon Déziel <1546...@bugs.launchpad.net>
wrote:

>
> 2.1.0-1ubuntu10~ppa3 works well, the only denial is the one for /dev/zd0
> [*]. I appreciate the quick turnaround, thanks.


I can only return the thanks for a quick turnover.
Thanks for verifying the ppa.
To confirm - does that also confirm that the issues of bug 1615550
(/proc/$pid/task/*/comm) are gone as intended?


The Ubuntu delta seems pretty big already. I feel that most of it should
> be sent upstream. I'll give it a try.
>

Yes, thank you a lot for up-streaming.
In the meantime I marked you as Author on the two patches and Changelog to
properly credit all your work on that.


> In the meantime, I'll be available for SRU testing.
>

I'm waiting for a confirmation on a third apparmor related bug to make an
upload and SRUs from there.
I will notify you here once there is a Zesty or SRU version available for
verification.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-10-27 Thread Simon Déziel
On 2016-10-27 02:31 AM, ChristianEhrhardt wrote:
> I updated the ppa and it should now also got rid of these apparmor messages
> while keeping your hosts fix in place.
> Please if possible retest with that one.

2.1.0-1ubuntu10~ppa3 works well, the only denial is the one for /dev/zd0
[*]. I appreciate the quick turnaround, thanks.

> I also think once we have confirmed that these both fixes help I'm gonna
> submit them upstream.
> They don't have to stay a Ubuntu delta forever.
> Since you did most IMHO please let me know if you want to do that.

The Ubuntu delta seems pretty big already. I feel that most of it should
be sent upstream. I'll give it a try.

In the meantime, I'll be available for SRU testing.


*: zvols make good storage backends and virt-aa-helper be aware of them.
I'll open a wishlist bug for this.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


Re: [Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-10-26 Thread ChristianEhrhardt
>
> So while the /dev/zd0 denial was expected, the /proc/$pid/task/$pid/comm
> ones were not.


Oh those where expected by me, I just would have hoped they are gone now -
see bug 1615550
But I see you found it already.


> To address those, I applied the patch attached.


Yeah I didn't realize in my quick patch that it doesn't only read but
actually rewrite the comm for the debug threads feature.
I also like your owner and pid check - which makes it more secure but still
allowing the needed access.
I think I need an apparmor training :-);
Thanks for your help!

I updated the ppa and it should now also got rid of these apparmor messages
while keeping your hosts fix in place.
Please if possible retest with that one.

I also think once we have confirmed that these both fixes help I'm gonna
submit them upstream.
They don't have to stay a Ubuntu delta forever.
Since you did most IMHO please let me know if you want to do that.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-10-26 Thread Ubuntu Foundations Team Bug Bot
The attachment "aa-libvirt-qemu.patch" seems to be a patch.  If it
isn't, please remove the "patch" flag from the attachment, remove the
"patch" tag, and if you are a member of the ~ubuntu-reviewers,
unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issues please contact him.]

** Tags added: patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


Re: [Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-10-26 Thread Simon Déziel
On 2016-10-24 11:08 AM, ChristianEhrhardt wrote:
> Hi,
> unfortunately after a reboot of my host my local reproducibility is gone :-/
> 
> I don't know if you could, but would like to ask if one of you think you can 
> verify that in Yakkety or Zesty.
> The way the apparmor rules get created changed in >=Yakkety and since we have 
> to start with the devel releases that is the place to go for the first 
> verification.
> Still Y&Z are widely the same, so I build for both in a ppa.
> 
> I build the suggested fix (along another one) in 
> https://launchpad.net/~paelzer/+archive/ubuntu/libvirt-bug-1546674-1615550/+packages.
> It would be great of one of you could test it there.

Thanks for providing this testing PPA. I was able to test the Yakkety
version of your package. With it, I get the following Apparmor messages
(also attached here):

apparmor="DENIED" operation="open"
profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/zd0" pid=3357
comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="libvirt-UUID"
name="/proc/3374/task/3391/comm" pid=3374 comm="qemu-system-x86"
requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
...
apparmor="DENIED" operation="open" profile="libvirt-UUID"
name="/proc/3374/task/3414/comm" pid=3413 comm="qemu-system-x86"
requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111

So while the /dev/zd0 denial was expected, the /proc/$pid/task/$pid/comm
ones were not. To address those, I applied the patch attached.


** Patch added: "aa-libvirt-qemu.patch"
   
https://bugs.launchpad.net/bugs/1546674/+attachment/4767869/+files/aa-libvirt-qemu.patch

** Attachment added: "apparmor-syslog.log"
   
https://bugs.launchpad.net/bugs/1546674/+attachment/4767870/+files/apparmor-syslog.log

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


Re: [Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-10-24 Thread Simon Déziel
On 2016-10-24 11:08 AM, ChristianEhrhardt wrote:
> Hi,
> unfortunately after a reboot of my host my local reproducibility is gone :-/

Strange, mine is reproducible 100% of the time, I'd like a self-fixing
bug too!

> I don't know if you could, but would like to ask if one of you think you can 
> verify that in Yakkety or Zesty.
> The way the apparmor rules get created changed in >=Yakkety and since we have 
> to start with the devel releases that is the place to go for the first 
> verification.
> Still Y&Z are widely the same, so I build for both in a ppa.
> 
> I build the suggested fix (along another one) in 
> https://launchpad.net/~paelzer/+archive/ubuntu/libvirt-bug-1546674-1615550/+packages.
> It would be great of one of you could test it there.
> 
> If none can please let me know so I know I have to try to recreate again
> somehow.

In 2 to 3 weeks I should be able to try to reproduce on Y or Z so if you
can reproduce before that, please be my guest! Thank again Christian.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-10-24 Thread ChristianEhrhardt
Hi,
unfortunately after a reboot of my host my local reproducibility is gone :-/

I don't know if you could, but would like to ask if one of you think you can 
verify that in Yakkety or Zesty.
The way the apparmor rules get created changed in >=Yakkety and since we have 
to start with the devel releases that is the place to go for the first 
verification.
Still Y&Z are widely the same, so I build for both in a ppa.

I build the suggested fix (along another one) in 
https://launchpad.net/~paelzer/+archive/ubuntu/libvirt-bug-1546674-1615550/+packages.
It would be great of one of you could test it there.

If none can please let me know so I know I have to try to recreate again
somehow.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-10-19 Thread ChristianEhrhardt
Thanks Simon,
I found another one to trigger which is when failing to start a guest.
I can't reproduce with a working guest, but still it is a way to trigger - 
although it doesn't seem  reliably.

Still I have a system to verify on for myself reporting e.g.
[85681.586318] audit: type=1400 audit(1476865131.741:189): apparmor="DENIED" 
operation="open" profile="/usr/lib/libvirt/virt-aa-helper" 
name="/etc/nsswitch.conf" pid=8448 comm="virt-aa-helper" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0
[85681.586329] audit: type=1400 audit(1476865131.741:190): apparmor="DENIED" 
operation="open" profile="/usr/lib/libvirt/virt-aa-helper" 
name="/etc/host.conf" pid=8448 comm="virt-aa-helper" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0

I much more like your approach.

I'll prep something to test early next week (on a business trip the next
days)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


Re: [Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-10-18 Thread Simon Déziel
On 2016-10-18 12:32 PM, Simon Deziel wrote:
> Thanks Christian, I'll give uvtool a try.
> 
> On 2016-10-18 11:56 AM, ChristianEhrhardt wrote:
>> Thanks Matt for your reply.
>> AFAIK that is what smb already tried in comment #4.
> 
> My hosts were fresh installs but the guests xml were carried from an
> older version.
> 
>> Never the less I checked the upgrade path once more.
>> With a modified conffile (just an empty line, but to not get the new one as 
>> in the bug report here)
>> And with an old guest created on Xenial.
>> It was not triggering the apparmor denies.
>>
>> https://launchpadlibrarian.net/288736150/apt.xml also didn't hold a lot
>> of differences to my guests that would help me to trigger the issue.
>>
>> That said - I still look out to understand what bit of config triggers that 
>> accesses - as a valid repro is usually recommended for the SRU.
>> In the worst case, we have luck to have you and Simon being able to verify - 
>> but I usually at least try to be able to reproduce.
> 
> I also have a colleague that is affected by the same issue.
> 
> FYI, I also get denials related to the zvol:
> 
> [Tue Oct 18 12:25:29 2016] audit: type=1400 audit(1476807929.293:265):
> apparmor="DENIED" operation="open"
> profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/zd128" pid=5432
> comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> [Tue Oct 18 12:25:29 2016] audit: type=1400 audit(1476807929.293:266):
> apparmor="DENIED" operation="open"
> profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf"
> pid=5432 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
> fsuid=0 ouid=0
> [Tue Oct 18 12:25:29 2016] audit: type=1400 audit(1476807929.293:267):
> apparmor="DENIED" operation="open"
> profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=5432
> comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> 
> The zvol read access seems to be entirely optional but maybe it's what's
> causing the NSS stuff? Anyway, I'll try to convert the uvtool qcow2 to a
> zvol to make sure. I'll report with my findings.

So the zvol seems to be the smoking gun. Here is what I did after
creating the xenial-kernel-test guest using Christian's instruction for
uvtool:

# Create a zvol
zfs create -V 8G zlxd/xenial-kernel-test
# Copy the qcow2 data to the zvol
qemu-img convert -O raw \
  /var/lib/uvtool/libvirt/images/xenial-kernel-test.qcow \
  /dev/zvol/zlxd/xenial-kernel-test
# Update the guest definition to use the zvol
  



  
# boot the guest
virsh start xenial-kernel-test
# check for apparmor denial messages
dmesg | tail | grep apparmor


Regards,
Simon

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


Re: [Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-10-18 Thread Simon Déziel
Thanks Christian, I'll give uvtool a try.

On 2016-10-18 11:56 AM, ChristianEhrhardt wrote:
> Thanks Matt for your reply.
> AFAIK that is what smb already tried in comment #4.

My hosts were fresh installs but the guests xml were carried from an
older version.

> Never the less I checked the upgrade path once more.
> With a modified conffile (just an empty line, but to not get the new one as 
> in the bug report here)
> And with an old guest created on Xenial.
> It was not triggering the apparmor denies.
> 
> https://launchpadlibrarian.net/288736150/apt.xml also didn't hold a lot
> of differences to my guests that would help me to trigger the issue.
> 
> That said - I still look out to understand what bit of config triggers that 
> accesses - as a valid repro is usually recommended for the SRU.
> In the worst case, we have luck to have you and Simon being able to verify - 
> but I usually at least try to be able to reproduce.

I also have a colleague that is affected by the same issue.

FYI, I also get denials related to the zvol:

[Tue Oct 18 12:25:29 2016] audit: type=1400 audit(1476807929.293:265):
apparmor="DENIED" operation="open"
profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/zd128" pid=5432
comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Tue Oct 18 12:25:29 2016] audit: type=1400 audit(1476807929.293:266):
apparmor="DENIED" operation="open"
profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf"
pid=5432 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
fsuid=0 ouid=0
[Tue Oct 18 12:25:29 2016] audit: type=1400 audit(1476807929.293:267):
apparmor="DENIED" operation="open"
profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=5432
comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

The zvol read access seems to be entirely optional but maybe it's what's
causing the NSS stuff? Anyway, I'll try to convert the uvtool qcow2 to a
zvol to make sure. I'll report with my findings.

Regards,
Simon

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-10-18 Thread ChristianEhrhardt
Thanks Matt for your reply.
AFAIK that is what smb already tried in comment #4.

Never the less I checked the upgrade path once more.
With a modified conffile (just an empty line, but to not get the new one as in 
the bug report here)
And with an old guest created on Xenial.
It was not triggering the apparmor denies.

https://launchpadlibrarian.net/288736150/apt.xml also didn't hold a lot
of differences to my guests that would help me to trigger the issue.

That said - I still look out to understand what bit of config triggers that 
accesses - as a valid repro is usually recommended for the SRU.
In the worst case, we have luck to have you and Simon being able to verify - 
but I usually at least try to be able to reproduce.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


Re: [Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-10-18 Thread Matt LaPlante
At least in my instance, and based on at least one other reporter's
description, the issue manifests on upgrade of the host to Xenial with
existing guests.  If you create new guests in Xenial or newer they may very
well be configured correctly (I really don't know).  My interpretation was
that virt-aa-helper added some functionality in Xenial+ which requires this
access, but configs from older versions have not granted it.  Or at least
maybe that would make repro easier?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-10-18 Thread ChristianEhrhardt
Hi,
I was looking into reproducing this to be able to fix&verify then afterwards.
I don't see the messages either with my setup, but I 100% trust Simon to have a 
correct report.

It all is for name resolution and the profile change is only for read - so it 
will be safe.
We just need to able to reproduce.

So I just assume we have to find the bit of config triggering the issue
(we will need repro steps for SRU anyway after all).

I'd have expected this to be due to libnss-libvirt 
(https://libvirt.org/nss.html) as it got added in yakkety. It would be the code 
that matches the denies.
But the reports are on Xenial so that can't be it.

I usually create my most basic test guests with:
uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily 
arch=amd64 label=daily release=xenial
uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test 
release=xenial arch=amd64 label=daily

And as smb reports that doesn't trigger the issue.
@Simon could you create a guest with uvt as I shown above and check if that 
guest is free of the issue for you was well?
If yes - we have to compare the guest xml vs your usually used one.
If now - we have to check your local libvirt setup for what triggers this, so 
you might report any diff in libvirt.conf or (less likely) 
/etc/libvirt/qemu.conf that might be related then

** Changed in: libvirt (Ubuntu Xenial)
 Assignee: (unassigned) => ChristianEhrhardt (paelzer)

** Changed in: libvirt (Ubuntu)
 Assignee: (unassigned) => ChristianEhrhardt (paelzer)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-10-07 Thread Simon Déziel
My 3 updated Xenial machines are still affected by this. Since comment
#3, I also added /etc/gai.conf so the new diff looks like this:

$ diff -Naur /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper{.orig,}
--- /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper.orig 2016-08-14 
10:32:27.051646248 -0400
+++ /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper  2016-08-17 
17:06:33.329358438 -0400
@@ -66,4 +66,10 @@
   /**.vmdk r,
   /**.[iI][sS][oO] r,
   /**/disk{,.*} r,
+
+  # XXX: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674
+  /etc/gai.conf  r,
+  /etc/hosts r,
+  /etc/host.conf r,
+  /etc/nsswitch.conf r,
 }

I'm attaching a guest definition that triggers the bug hoping to help
you reproduce it. If I can be of more help, please let me know.

** Attachment added: "Guest definition that triggers the bug"
   
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+attachment/4756708/+files/apt.xml

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-10-07 Thread Stefan Bader
On a updated Xenial as well after a release upgrade to Yakkety, I was
not able to see those messages for a VM created with uvtool. Serge, are
you still able to confirm? Maybe this was settled somehow indirectly via
abstractions/nameservice somehow. Though I failed to find when and how.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-10-07 Thread Stefan Bader
** Also affects: libvirt (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: libvirt (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: libvirt (Ubuntu Xenial)
   Status: New => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-08-15 Thread Robie Basak
** Tags added: bitesize server-next

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-08-14 Thread Simon Déziel
It seems that those Apparmor denials are responsible for severe slowdown
of guests boot when the host boots up.

This simple fix makes the guests boot swiftly:

# diff -Naur /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper.orig 
/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper
--- /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper.orig 2016-08-14 
10:32:27.051646248 -0400
+++ /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper  2016-08-14 
10:32:20.019646323 -0400
@@ -66,4 +66,9 @@
   /**.vmdk r,
   /**.[iI][sS][oO] r,
   /**/disk{,.*} r,
+
+  # XXX: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674
+  /etc/hosts r,
+  /etc/host.conf r,
+  /etc/nsswitch.conf r,
 }

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-02-25 Thread Serge Hallyn
** Changed in: libvirt (Ubuntu)
   Status: Confirmed => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1546674] Re: virt-aa-helper Apparmor profile missing rules for name resolution

2016-02-21 Thread Alberto Salvia Novella
** Changed in: libvirt (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs