[Bug 1665698] Re: /etc/qemu-ifup not allowed by apparmor

ChristianEhrhardt 1665698 at bugs.launchpad.net
Mon Feb 20 11:00:03 UTC 2017 

I was testing various type=ethernet XML configurations.

Cases:
defaultpath => <script path='/etc/qemu-ifup'/>
emptyattrib => <script path=''/>
noattrib => no script tag at all

The target statement which the error of the known bug refers to is optional, so add another set of cases with
the same three again without a <target ...> attribute called "notgt-*".

                         Pre-Fix            Post-Fix
default              bug 1620407             working
empty                bug 1620407             working
no                   bug 1620407  still bug 1620407*
notgt-default            working             working
notgt-empty     can't be defined    can't be defined
notgt-no                 working             working

*We fixed bug 1620407 with a mimimal fix intentionally, to the "no" case
is "ok" to still fail.

Now the Openstack case should (IMHO) be one of the "empty" cases before the fix to openstack that was referred.
That is the path='', since notgt-empty can't be defined (xml validation) it has to be the normal "empty" case.
After the fix it should be one of the 'no' cases.

But all cases either stayed as-is or were fixed, so I don't know.
Also I had no apparmor DENIES along any of that - even when using explicitly in the *default cases.

I really need the XML that is generated to understand what might be going on.
Also please help to answer the questions I listed in commend #10

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1665698

Title:
  /etc/qemu-ifup not allowed by apparmor

Status in Ubuntu Cloud Archive:
  Incomplete
Status in libvirt package in Ubuntu:
  Incomplete

Bug description:
  I have VMs failing to start with 2017-02-17 15:38:44.458 264015 ERROR
  nova.compute.manager [instance: 0c97ab16-2d30-43fa-b0e4-a064a842b5ed]
  libvirtError: internal error: process exited while connecting to
  monitor: 2017-02-17T15:38:43.907222Z qemu-system-x86_64: -netdev
  tap,ifname=tapf34ef99e-18,id=hostnet0,vhost=on,vhostfd=28: network
  script /etc/qemu-ifup failed with status 256

  Log excerpt:
  http://cdn.pasteraw.com/b3tw4cjefomfi3e9k09hvodrfun85z

  Seems to be that /etc/qemu-ifup is being blocked by apparmor:
  type=AVC msg=audit(1487347189.015:28536): apparmor="DENIED" operation="exec" profile="libvirt-4a03fea7-e966-48e4-80ac-aa138db67243" name="/etc/qemu-ifup" pid=285438 comm="qemu-system-x86" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
  type=PATH msg=audit(1487347189.015:28536): item=0 name="/etc/qemu-ifup" inode=66403 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

  root at ubuntu-trusty-5773:/etc/apparmor.d/abstractions# cat /etc/apparmor.d/libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243
  #
  # This profile is for the domain whose UUID matches this file.
  #

  #include <tunables/global>

  profile libvirt-4a03fea7-e966-48e4-80ac-aa138db67243 {
    #include <abstractions/libvirt-qemu>
    #include <libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243.files>

  }
  root at ubuntu-trusty-5773:/etc/apparmor.d/abstractions# cat /etc/apparmor.d/libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243.files
  # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
    "/var/log/libvirt/**/instance-00000008.log" w,
    "/var/lib/libvirt/qemu/domain-instance-00000008/monitor.sock" rw,
    "/var/run/libvirt/**/instance-00000008.pid" rwk,
    "/run/libvirt/**/instance-00000008.pid" rwk,
    "/var/run/libvirt/**/*.tunnelmigrate.dest.instance-00000008" rw,
    "/run/libvirt/**/*.tunnelmigrate.dest.instance-00000008" rw,
    "/var/lib/nova/instances/4a03fea7-e966-48e4-80ac-aa138db67243/console.log" rw,
    "/var/lib/nova/instances/4a03fea7-e966-48e4-80ac-aa138db67243/console.log" rw,
    # for qemu guest agent channel
    owner "/var/lib/libvirt/qemu/channel/target/domain-instance-00000008/**" rw,
    /dev/vhost-net rw,

  root at ubuntu-trusty-5773:/etc/apparmor.d/abstractions# dpkg -S libvirt-qemu
  libvirt-bin: /etc/apparmor.d/abstractions/libvirt-qemu

  root at ubuntu-trusty-5773:/etc/apparmor.d/abstractions# dpkg -l libvirt-bin
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name                                      Version                   Architecture              Description
  +++-=========================================-=========================-=========================-=======================================================================================
  ii  libvirt-bin                               1.3.1-1ubuntu10.6~cloud0  amd64                     programs for the libvirt library

  
  Seeing identical behavior on Xenial
  ubuntu at ubuntu-xenial-5165:~$ dpkg -l libvirt-bin
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name                                      Version                   Architecture              Description
  +++-=========================================-=========================-=========================-=======================================================================================
  ii  libvirt-bin                               1.3.1-1ubuntu10.8         amd64                     programs for the libvirt library

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1665698/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list