** Description changed:

+ [Impact]
+
+  * Please do note that this SRU statement is about the libvirt portion
+    of it; this is a fix of essentially an API break from Xenial to
+    Yakkety. This is independent of any decision in the OpenStack context
+    discussion about the change to drop specifying a path at all.
+
+  * Before 9c17d665fdc5f (v1.3.2, which means 1.3.1 in Xenial for us) it
+    was possible to have the following interface configuration:
+      <interface type='ethernet'>
+        <script path=''/>
+      </interface>
+    This resulted in -netdev tap,script=,... Fortunately, qemu helped
+    us to get away with this as it just ignored the empty script
+    path. However, after the commit mentioned above it's libvirtd
+    who is executing the script, unfortunately without special-casing
+    the empty script path.
+
+  * The fix adds the special casing that qemu had into libvirt's handling
+    of the interface definition.
+
+ [Test Case]
+
+  * That is tricky, as the way OpenStack uses to shove that in
+    seems not to care about XML validation as much as e.g. virsh.
+    Normally adding a device like
+      <interface type='ethernet'>
+        <script path=''/>
+        <model type='virtio'/>
+      </interface>
+    is, at least in xenial AND yakkety, blocked by the XML validation.
+    But if trying to work around it like:
+      <script path='""'/>
+    which gave "-netdev tap,script="",id=hostnet1" on yakkety, then
+    the fix does not apply as this is '""' and not ''.
+    So to add the above you have to edit it in via --skip-validate like
+      $ virsh edit --skip-validate zesty-on-x-test
+    This on older libvirt gave: -netdev tap,script=,id=hostnet1
+    which qemu understood as a no-op. But newer libvirt refuses.
+
+  * Error:
+      error: Failed to start domain <name>
+      error: Cannot find '' in path: No such file or directory
+
+  * Expected:
+    Starting the domain as-is without calling a script,
+    but also without complaining about being empty.
+
+ [Regression Potential]
+
+  * Regression should be low because of:
+    * The fix is upstream for a while now without follow-on fix
+    * We are essentially going back to how it was
+    * There is no case like "I had '' set in my setup but now it is
+      a no-op which makes me fail", because if one had '' it failed until
+      now.
+    * Fix is in zesty for a few days without new fallout being reported
+    * Also it passed several levels of testing (on the case and general
+      regression testing)
+    * Due to extra XML checks a device like path='' is not even definable.
+      So only those who run --skip-validate or similar are affected in
+      the first place.
+
+ [Other Info]
+
+  * n/a
+
+
+ ----
+

  I have VMs failing to start with

  2017-02-17 15:38:44.458 264015 ERROR nova.compute.manager [instance: 0c97ab16-2d30-43fa-b0e4-a064a842b5ed] libvirtError: internal error: process exited while connecting to monitor: 2017-02-17T15:38:43.907222Z qemu-system-x86_64: -netdev tap,ifname=tapf34ef99e-18,id=hostnet0,vhost=on,vhostfd=28: network script /etc/qemu-ifup failed with status 256

  Log excerpt: http://cdn.pasteraw.com/b3tw4cjefomfi3e9k09hvodrfun85z

  Seems to be that /etc/qemu-ifup is being blocked by apparmor:

  type=AVC msg=audit(1487347189.015:28536): apparmor="DENIED" operation="exec" profile="libvirt-4a03fea7-e966-48e4-80ac-aa138db67243" name="/etc/qemu-ifup" pid=285438 comm="qemu-system-x86" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
  type=PATH msg=audit(1487347189.015:28536): item=0 name="/etc/qemu-ifup" inode=66403 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

  root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# cat /etc/apparmor.d/libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243
  #
  # This profile is for the domain whose UUID matches this file.
  #
  #include <tunables/global>
  profile libvirt-4a03fea7-e966-48e4-80ac-aa138db67243 {
-   #include <abstractions/libvirt-qemu>
-   #include <libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243.files>
+  #include <abstractions/libvirt-qemu>
+  #include <libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243.files>
  }

  root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# cat /etc/apparmor.d/libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243.files
  # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
-   "/var/log/libvirt/**/instance-00000008.log" w,
-   "/var/lib/libvirt/qemu/domain-instance-00000008/monitor.sock" rw,
-   "/var/run/libvirt/**/instance-00000008.pid" rwk,
-   "/run/libvirt/**/instance-00000008.pid" rwk,
-   "/var/run/libvirt/**/*.tunnelmigrate.dest.instance-00000008" rw,
-   "/run/libvirt/**/*.tunnelmigrate.dest.instance-00000008" rw,
-   "/var/lib/nova/instances/4a03fea7-e966-48e4-80ac-aa138db67243/console.log" rw,
-   "/var/lib/nova/instances/4a03fea7-e966-48e4-80ac-aa138db67243/console.log" rw,
-   # for qemu guest agent channel
-   owner "/var/lib/libvirt/qemu/channel/target/domain-instance-00000008/**" rw,
-   /dev/vhost-net rw,
+  "/var/log/libvirt/**/instance-00000008.log" w,
+  "/var/lib/libvirt/qemu/domain-instance-00000008/monitor.sock" rw,
+  "/var/run/libvirt/**/instance-00000008.pid" rwk,
+  "/run/libvirt/**/instance-00000008.pid" rwk,
+  "/var/run/libvirt/**/*.tunnelmigrate.dest.instance-00000008" rw,
+  "/run/libvirt/**/*.tunnelmigrate.dest.instance-00000008" rw,
+  "/var/lib/nova/instances/4a03fea7-e966-48e4-80ac-aa138db67243/console.log" rw,
+  "/var/lib/nova/instances/4a03fea7-e966-48e4-80ac-aa138db67243/console.log" rw,
+  # for qemu guest agent channel
+  owner "/var/lib/libvirt/qemu/channel/target/domain-instance-00000008/**" rw,
+  /dev/vhost-net rw,

  root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# dpkg -S libvirt-qemu
  libvirt-bin: /etc/apparmor.d/abstractions/libvirt-qemu

  root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# dpkg -l libvirt-bin
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name                Version                     Architecture  Description
  +++-===================-===========================-=============-===================================
  ii  libvirt-bin         1.3.1-1ubuntu10.6~cloud0    amd64         programs for the libvirt library
-
  Seeing identical behavior on Xenial

  ubuntu@ubuntu-xenial-5165:~$ dpkg -l libvirt-bin
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name                Version                     Architecture  Description
  +++-===================-===========================-=============-===================================
  ii  libvirt-bin         1.3.1-1ubuntu10.8           amd64         programs for the libvirt library
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1665698

Title:
  /etc/qemu-ifup not allowed by apparmor

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1665698/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
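The two things an operator would want to check for on a host before and after this SRU are (a) whether any domain XML still carries the empty or '""' script path that the description distinguishes, and (b) whether the per-domain AppArmor profile is the thing denying exec of the network script, as in the original report. The following is an added example, not code from the bug report, from libvirt or from Nova; the domain XML and audit lines are constructed samples that mirror the shapes shown above, the UUID in them is a placeholder, and the function names are this example's own.

```python
"""Lint libvirt domain XML for the empty-script-path cases from the report and
pick AppArmor exec denials of the network script out of audit log lines.
Added example; the sample data below is constructed, not taken from a real host."""
import re
import xml.etree.ElementTree as ET

# Constructed domain XML: one ethernet interface per case the report
# distinguishes (path='', path='""', a real script) plus a bridge interface
# that carries no <script> and must be ignored.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>zesty-on-x-test</name>
  <devices>
    <interface type='ethernet'>
      <script path=''/>
      <model type='virtio'/>
    </interface>
    <interface type='ethernet'>
      <script path='""'/>
      <model type='virtio'/>
    </interface>
    <interface type='ethernet'>
      <script path='/etc/qemu-ifup'/>
      <model type='virtio'/>
    </interface>
    <interface type='bridge'>
      <source bridge='br0'/>
    </interface>
  </devices>
</domain>
"""

# Constructed audit lines: the denial shape from the report (placeholder UUID),
# an unrelated allowed event, and a denial that is not under a libvirt profile.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1487347189.015:28536): apparmor="DENIED" operation="exec" '
    'profile="libvirt-00000000-0000-0000-0000-000000000001" name="/etc/qemu-ifup" '
    'pid=285438 comm="qemu-system-x86" requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
    'type=AVC msg=audit(1487347190.100:28540): apparmor="ALLOWED" operation="open" '
    'profile="libvirt-00000000-0000-0000-0000-000000000001" name="/dev/vhost-net" '
    'pid=285438 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0',
    'type=AVC msg=audit(1487347191.200:28544): apparmor="DENIED" operation="exec" '
    'profile="unconfined" name="/etc/qemu-ifup" pid=1 comm="bash" requested_mask="x" denied_mask="x"',
]


def classify_script_paths(domain_xml):
    """Return (interface index, raw path, verdict) for every ethernet interface
    that carries a <script> element.  Verdicts:
      'empty'  path=''   -> libvirt >= 1.3.2 executes the script itself and,
                            without the fix, fails with "Cannot find '' in path"
      'quoted' path='""' -> two literal quote characters; the fix does not apply
                            and a script literally named "" is handed on
      'script' otherwise -> a real script, which runs confined by the domain's
                            AppArmor profile (see find_script_exec_denials)"""
    root = ET.fromstring(domain_xml)
    results = []
    for idx, iface in enumerate(root.iter("interface")):
        if iface.get("type") != "ethernet":
            continue
        script = iface.find("script")
        if script is None:
            continue
        path = script.get("path", "")
        if path == "":
            verdict = "empty"
        elif path.strip('"') == "":
            verdict = "quoted"
        else:
            verdict = "script"
        results.append((idx, path, verdict))
    return results


# Fields of a type=AVC line in the order auditd writes them.
AVC_RE = re.compile(
    r'apparmor="(?P<action>\w+)"\s+operation="(?P<op>[^"]+)"\s+'
    r'profile="(?P<profile>[^"]+)"\s+name="(?P<name>[^"]+)"\s+'
    r'pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]+)"\s+requested_mask="(?P<req>[^"]+)"'
)


def find_script_exec_denials(audit_lines, script_path="/etc/qemu-ifup"):
    """Return (profile, pid) for each DENIED exec of script_path that was raised
    under a per-domain libvirt-<uuid> profile; other events are ignored."""
    hits = []
    for line in audit_lines:
        m = AVC_RE.search(line)
        if m is None or m.group("action") != "DENIED" or m.group("op") != "exec":
            continue
        if m.group("name") != script_path or "x" not in m.group("req"):
            continue
        if not m.group("profile").startswith("libvirt-"):
            continue
        hits.append((m.group("profile"), int(m.group("pid"))))
    return hits


if __name__ == "__main__":
    for idx, path, verdict in classify_script_paths(SAMPLE_DOMAIN_XML):
        print(f"interface #{idx}: path={path!r} -> {verdict}")
    for profile, pid in find_script_exec_denials(SAMPLE_AUDIT_LINES):
        print(f"exec of /etc/qemu-ifup denied under {profile} (pid {pid})")
```

On a real host the XML would come from `virsh dumpxml <domain>` and the audit lines from the audit log; the `quoted` verdict is the one to watch for after the SRU, since the fix only special-cases a genuinely empty path.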