[Bug 1665698] Re: /etc/qemu-ifup not allowed by apparmor

ChristianEhrhardt 1665698 at bugs.launchpad.net
Mon Feb 20 14:51:58 UTC 2017


I tried to puzzle together the timeline on this.
Thanks rbasak for discussing this with me to refocus on this issue.

Timeline:
#1 libvirt passed the script to qemu, and qemu executed it
   1.3.1 as in Xenial or UCA-Mitaka still does that
   But Openstack passed script='' and qemu silently ignored it

#2 libvirt changed, now libvirt executes
   http://libvirt.org/git/?p=libvirt.git;a=commit;h=9c17d665fdc5f
   That is in Yakkety and later.
   This had an unintentional API change: empty scripts behave differently.

#3 Openstack adapted to that API change
   https://review.openstack.org/#/c/425637/
   Not sure - is that in Ocata only - commit in 2017?
   Now new Openstack (#3) + New Libvirt (#2) work
   But if you happen to have an old libvirt like in #1 you now have different behavior.

#4 Upstream libvirt realizes the API break and fixes it
   http://libvirt.org/git/?p=libvirt.git;a=commit;h=1d9ab0f04af310e52f80b4281751655bb3bb7601
   But backporting that would not help; this is meant for libvirt versions at or later than #2

#5 IMHO openstack should either
   - detect libvirt version and do differently depending on that (keep script='' for old ones)
   - or, instead of not passing a script at all, pass /bin/true, which will work on libvirt as old as #1

I expect you have an openstack of #4 and a libvirt of #1, which together cause this.
I still don't see the apparmor issue on my end, but that might be an additional issue.
Even in the /bin/true case we might hit an apparmor denial on /bin/true.


Please everybody still try to help sorting out the questions in comment #16.

https://bugs.launchpad.net/bugs/1665698

Title:
  /etc/qemu-ifup not allowed by apparmor

Status in Ubuntu Cloud Archive:
  Incomplete
Status in libvirt package in Ubuntu:
  Incomplete

Bug description:
  I have VMs failing to start with:
  2017-02-17 15:38:44.458 264015 ERROR nova.compute.manager [instance: 0c97ab16-2d30-43fa-b0e4-a064a842b5ed] libvirtError: internal error: process exited while connecting to monitor: 2017-02-17T15:38:43.907222Z qemu-system-x86_64: -netdev tap,ifname=tapf34ef99e-18,id=hostnet0,vhost=on,vhostfd=28: network script /etc/qemu-ifup failed with status 256

  Log excerpt:
  http://cdn.pasteraw.com/b3tw4cjefomfi3e9k09hvodrfun85z

  It seems that /etc/qemu-ifup is being blocked by apparmor:
  type=AVC msg=audit(1487347189.015:28536): apparmor="DENIED" operation="exec" profile="libvirt-4a03fea7-e966-48e4-80ac-aa138db67243" name="/etc/qemu-ifup" pid=285438 comm="qemu-system-x86" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
  type=PATH msg=audit(1487347189.015:28536): item=0 name="/etc/qemu-ifup" inode=66403 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

  root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# cat /etc/apparmor.d/libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243
  #
  # This profile is for the domain whose UUID matches this file.
  #

  #include <tunables/global>

  profile libvirt-4a03fea7-e966-48e4-80ac-aa138db67243 {
    #include <abstractions/libvirt-qemu>
    #include <libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243.files>

  }
  root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# cat /etc/apparmor.d/libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243.files
  # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
    "/var/log/libvirt/**/instance-00000008.log" w,
    "/var/lib/libvirt/qemu/domain-instance-00000008/monitor.sock" rw,
    "/var/run/libvirt/**/instance-00000008.pid" rwk,
    "/run/libvirt/**/instance-00000008.pid" rwk,
    "/var/run/libvirt/**/*.tunnelmigrate.dest.instance-00000008" rw,
    "/run/libvirt/**/*.tunnelmigrate.dest.instance-00000008" rw,
    "/var/lib/nova/instances/4a03fea7-e966-48e4-80ac-aa138db67243/console.log" rw,
    "/var/lib/nova/instances/4a03fea7-e966-48e4-80ac-aa138db67243/console.log" rw,
    # for qemu guest agent channel
    owner "/var/lib/libvirt/qemu/channel/target/domain-instance-00000008/**" rw,
    /dev/vhost-net rw,

  root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# dpkg -S libvirt-qemu
  libvirt-bin: /etc/apparmor.d/abstractions/libvirt-qemu

  root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# dpkg -l libvirt-bin
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name                                      Version                   Architecture              Description
  +++-=========================================-=========================-=========================-=======================================================================================
  ii  libvirt-bin                               1.3.1-1ubuntu10.6~cloud0  amd64                     programs for the libvirt library

  
  Seeing identical behavior on Xenial
  ubuntu@ubuntu-xenial-5165:~$ dpkg -l libvirt-bin
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name                                      Version                   Architecture              Description
  +++-=========================================-=========================-=========================-=======================================================================================
  ii  libvirt-bin                               1.3.1-1ubuntu10.8         amd64                     programs for the libvirt library
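As an added example (not code from the bug report, libvirt or Nova), a small Python triage helper for AppArmor audit records like the two quoted in the bug description: it joins the AVC and PATH records that share an audit serial, keeps only exec denials, and maps the per-domain profile name back to the libvirt domain UUID and the generated profile file under /etc/apparmor.d/libvirt/. The sample log is constructed from the page's two audit lines plus one made-up ALLOWED record so the filter has something to skip.

```python
import re

# Constructed sample log: the two audit records quoted in the bug report,
# plus one constructed non-denial record that the filter must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1487347189.015:28536): apparmor="DENIED" operation="exec" profile="libvirt-4a03fea7-e966-48e4-80ac-aa138db67243" name="/etc/qemu-ifup" pid=285438 comm="qemu-system-x86" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=PATH msg=audit(1487347189.015:28536): item=0 name="/etc/qemu-ifup" inode=66403 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=AVC msg=audit(1487347200.100:28540): apparmor="ALLOWED" operation="open" profile="libvirt-4a03fea7-e966-48e4-80ac-aa138db67243" name="/dev/vhost-net" pid=285438 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# audit fields are key=value, with the value either double-quoted or a bare token
AUDIT_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# msg=audit(<epoch seconds>:<serial>): the serial ties AVC and PATH records together
AUDIT_MSG = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
LIBVIRT_PROFILE = re.compile(r'^libvirt-([0-9a-f-]{36})$')

def parse_audit_record(line):
    """Split one audit line into its fields, adding 'ts' and 'serial' from msg=audit(...)."""
    rec = {}
    for m in AUDIT_KV.finditer(line):
        rec[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    msg = AUDIT_MSG.search(rec.get("msg", ""))
    rec["ts"], rec["serial"] = (msg.group(1), msg.group(2)) if msg else (None, None)
    return rec

def exec_denials(log_text):
    """Return AppArmor exec denials, each joined with the PATH record of the same serial."""
    by_serial = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_audit_record(line)
            by_serial.setdefault(rec["serial"], []).append(rec)
    denials = []
    for serial, recs in by_serial.items():
        paths = {r.get("name"): r for r in recs if r.get("type") == "PATH"}
        for r in recs:
            if (r.get("type"), r.get("apparmor"), r.get("operation")) != ("AVC", "DENIED", "exec"):
                continue
            path = paths.get(r.get("name"), {})
            dom = LIBVIRT_PROFILE.match(r.get("profile", ""))
            denials.append({
                "serial": serial, "ts": r["ts"], "profile": r["profile"],
                "domain_uuid": dom.group(1) if dom else None,
                "profile_file": f"/etc/apparmor.d/libvirt/{r['profile']}" if dom else None,
                "path": r["name"], "comm": r.get("comm"), "pid": r.get("pid"),
                "mode": path.get("mode"), "inode": path.get("inode"),
            })
    return denials
```

Feed `exec_denials()` the output of `ausearch -m AVC` or the raw /var/log/audit/audit.log to list which domain profiles are refusing which exec, and to confirm that what failed is the network script rather than qemu itself.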
