This bug was fixed in the package libvirt - 1.3.1-1ubuntu10.6
---
libvirt (1.3.1-1ubuntu10.6) xenial; urgency=medium
* d/apparmor/usr.lib.libvirt.virt-aa-helper: add missing rules for name
resolution to virt-aa-helper Apparmor profile (LP: #1546674).
-- Christian Ehrhardt Tu
** Tags removed: verification-needed
** Tags added: verification-done
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674
Title:
virt-aa-helper Apparmor profile missing rules for name resolution
Hello Simon, or anyone else affected,
Accepted libvirt into xenial-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/libvirt/1.3.1-1ubuntu10.6 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
https:/
Reworked fix in Zesty and working, refreshed the SRU upload which is
ready and waiting for SRU review now.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674
Title:
virt-aa-helper Apparmor profil
This bug was fixed in the package libvirt - 2.1.0-1ubuntu14
---
libvirt (2.1.0-1ubuntu14) zesty; urgency=medium
* d/p/u/apparmor-fix-name-resolution.patch rework the fix to base
on the apparmor nameservice abstraction to be future proof (LP: #1546674).
* d/p/ubuntu/apparmor-fi
Thanks Simon for the confirmation.
Yet FYI I'll reroll the zesty fix to become equal to the one Pitti suggested
for the SRU.
I only want to avoid a proliferation of updates and therefore want to group
that with some other things which are stalled just a bit. Should be ready to go
in 5-10 days a
Christian, I'm happy to report that this LP is fixed in Zesty.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674
Title:
virt-aa-helper Apparmor profile missing rules for name resolution
To mana
Hello Christian,
On 2016-11-24 03:44 AM, ChristianEhrhardt wrote:
> I've created a ppa with the modified fix as suggested by Martin.
I was not sure that pulling such a big abstraction was needed but in
retrospective, Martin's suggestion makes sense. Why is virt-aa-helper
trying to do name resolut
Hi Simon,
I've created a ppa with the modified fix as suggested by Martin.
They work just as good as the former fix, but staying more future proof by
using the abstractions.
=> https://launchpad.net/~paelzer/+archive/ubuntu/libvirt-bug-1546674-1615550
I know you are usually only on LTS, but do you
Thanks Martin for your extra insight into apparmor, working on a fresh fix for
Zesty now.
Coming back to an SRU once that is tested and migrated.
I'd drop the Ubuntu Review Team subscription til then.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscr
Not much that we can do about the conffile prompt indeed. However, I
disagree with the actual patch. This should include
abstractions/nameservice instead, which allows these files plus a lot
more for other name service methods. We really want to avoid having to
SRU a conffile change twice, and this
Thanks Robie,
it does indeed land in "/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper" so that
could happen.
I didn't think on that - thanks for catching this!
Yet I think the fix is worth it. And for those few that have the ability
to manually modify this file it should be no huge challenge - as
I think it's worth nothing that I think landing this SRU (I haven't
verified the destination in the binary package) will cause a conffile
prompt for any user who has modified usr.lib.libvirt.virt-aa-helper
locally.
There is a comment with an explanation and an LP bug reference, which
helps. Users
Hi,
now that things are in the development release I could go on with this.
I simplified the reproduction steps according to comment #22 and wrote
the SRU Template as required.
I prepared the SRU, tested it locally and uploaded for the SRU team to
consider it - it just entered the queue waiting t
** Description changed:
- Reproducing steps:
+ [Impact]
+
+ * Apparmor denies several hostname related accesses by libvirt causing
+severe slowdowns in some cases.
+
+ [Test Case]
+
+ * Note: while there are various ways to trigger it - many have seen the
+ issue, but often it is uncle
This bug was fixed in the package libvirt - 2.1.0-1ubuntu13
---
libvirt (2.1.0-1ubuntu13) zesty; urgency=medium
* drop d/p/ubuntu/fix-ftbfs-for-gnutls-3-5-6.patch as the offending change
in gnutls has been reverted (LP: #1641615)
* Build depend on gnutls >= 3.5.6-4ubuntu2 to b
It's not specific to zvols after all as I just setup a new hypervisor
where I hand out host's partitions to the guests like this:
This is enough to get virt-aa-helper to try reading /etc/nsswitch.conf,
/etc/host.conf and /etc/gai.conf.
--
You received this bug not
** Description changed:
Reproducing steps:
1) Sync Xenial cloud-image
uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily
arch=amd64 label=daily release=xenial
2) Create a test guest with:
uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kerne
** Description changed:
+ Reproducing steps:
+
+ 1) Sync Xenial cloud-image
+ uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily
arch=amd64 label=daily release=xenial
+
+ 2) Create a test guest with:
+ uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kerne
What worked last week doesn't have to this week - I ran into an FTBFS -
please wait a bit until resolved.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674
Title:
virt-aa-helper Apparmor profile
FYI - Fix pushed to Zesty
@Simon could you give some extra detail on "severe slowdown" as we need
it for the SRU template then. And since we lack a clear "steps to
reproduce" maybe those as well if you happened to find the important bit
to trigger it in the meantime.
--
You received this bug not
** Changed in: libvirt (Ubuntu)
Status: Triaged => In Progress
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674
Title:
virt-aa-helper Apparmor profile missing rules for name resolution
On 2016-11-03 06:01 AM, ChristianEhrhardt wrote:
> To confirm - does that also confirm that the issues of bug 1615550
> (/proc/$pid/task/*/comm) are gone as intended?
Yes, LP: #1615550 is fixed as well.
> The Ubuntu delta seems pretty big already. I feel that most of it should
>> be sent upstream
On Thu, Oct 27, 2016 at 5:44 PM, Simon Déziel <1546...@bugs.launchpad.net>
wrote:
>
> 2.1.0-1ubuntu10~ppa3 works well, the only denial is the one for /dev/zd0
> [*]. I appreciate the quick turnaround, thanks.
I can only return the thanks for a quick turnover.
Thanks for verifying the ppa.
To con
On 2016-10-27 02:31 AM, ChristianEhrhardt wrote:
> I updated the ppa and it should now also got rid of these apparmor messages
> while keeping your hosts fix in place.
> Please if possible retest with that one.
2.1.0-1ubuntu10~ppa3 works well, the only denial is the one for /dev/zd0
[*]. I appreci
>
> So while the /dev/zd0 denial was expected, the /proc/$pid/task/$pid/comm
> ones were not.
Oh those where expected by me, I just would have hoped they are gone now -
see bug 1615550
But I see you found it already.
> To address those, I applied the patch attached.
Yeah I didn't realize in m
The attachment "aa-libvirt-qemu.patch" seems to be a patch. If it
isn't, please remove the "patch" flag from the attachment, remove the
"patch" tag, and if you are a member of the ~ubuntu-reviewers,
unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by
~brian-
On 2016-10-24 11:08 AM, ChristianEhrhardt wrote:
> Hi,
> unfortunately after a reboot of my host my local reproducibility is gone :-/
>
> I don't know if you could, but would like to ask if one of you think you can
> verify that in Yakkety or Zesty.
> The way the apparmor rules get created change
On 2016-10-24 11:08 AM, ChristianEhrhardt wrote:
> Hi,
> unfortunately after a reboot of my host my local reproducibility is gone :-/
Strange, mine is reproducible 100% of the time, I'd like a self-fixing
bug too!
> I don't know if you could, but would like to ask if one of you think you can
> v
Hi,
unfortunately after a reboot of my host my local reproducibility is gone :-/
I don't know if you could, but would like to ask if one of you think you can
verify that in Yakkety or Zesty.
The way the apparmor rules get created changed in >=Yakkety and since we have
to start with the devel rel
Thanks Simon,
I found another one to trigger which is when failing to start a guest.
I can't reproduce with a working guest, but still it is a way to trigger -
although it doesn't seem reliably.
Still I have a system to verify on for myself reporting e.g.
[85681.586318] audit: type=1400 audit(14
On 2016-10-18 12:32 PM, Simon Deziel wrote:
> Thanks Christian, I'll give uvtool a try.
>
> On 2016-10-18 11:56 AM, ChristianEhrhardt wrote:
>> Thanks Matt for your reply.
>> AFAIK that is what smb already tried in comment #4.
>
> My hosts were fresh installs but the guests xml were carried from
Thanks Christian, I'll give uvtool a try.
On 2016-10-18 11:56 AM, ChristianEhrhardt wrote:
> Thanks Matt for your reply.
> AFAIK that is what smb already tried in comment #4.
My hosts were fresh installs but the guests xml were carried from an
older version.
> Never the less I checked the upgrad
Thanks Matt for your reply.
AFAIK that is what smb already tried in comment #4.
Never the less I checked the upgrade path once more.
With a modified conffile (just an empty line, but to not get the new one as in
the bug report here)
And with an old guest created on Xenial.
It was not triggering t
At least in my instance, and based on at least one other reporter's
description, the issue manifests on upgrade of the host to Xenial with
existing guests. If you create new guests in Xenial or newer they may very
well be configured correctly (I really don't know). My interpretation was
that virt
Hi,
I was looking into reproducing this to be able to fix&verify then afterwards.
I don't see the messages either with my setup, but I 100% trust Simon to have a
correct report.
It all is for name resolution and the profile change is only for read - so it
will be safe.
We just need to able to re
My 3 updated Xenial machines are still affected by this. Since comment
#3, I also added /etc/gai.conf so the new diff looks like this:
$ diff -Naur /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper{.orig,}
--- /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper.orig 2016-08-14
10:32:27.051646248 -0400
++
On a updated Xenial as well after a release upgrade to Yakkety, I was
not able to see those messages for a VM created with uvtool. Serge, are
you still able to confirm? Maybe this was settled somehow indirectly via
abstractions/nameservice somehow. Though I failed to find when and how.
--
You rec
** Also affects: libvirt (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: libvirt (Ubuntu Xenial)
Importance: Undecided => Medium
** Changed in: libvirt (Ubuntu Xenial)
Status: New => Triaged
--
You received this bug notification because you are a member of U
** Tags added: bitesize server-next
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674
Title:
virt-aa-helper Apparmor profile missing rules for name resolution
To manage notifications about this
It seems that those Apparmor denials are responsible for severe slowdown
of guests boot when the host boots up.
This simple fix makes the guests boot swiftly:
# diff -Naur /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper.orig
/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper
--- /etc/apparmor.d/usr.l
** Changed in: libvirt (Ubuntu)
Status: Confirmed => Triaged
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674
Title:
virt-aa-helper Apparmor profile missing rules for name resolution
To
** Changed in: libvirt (Ubuntu)
Importance: Undecided => High
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674
Title:
virt-aa-helper Apparmor profile missing rules for name resolution
To ma
43 matches
Mail list logo
