[Bug 1665698] Re: /etc/qemu-ifup not allowed by apparmor
ChristianEhrhardt
1665698 at bugs.launchpad.net
Fri Mar 17 08:42:55 UTC 2017
Ok, that confirms my theory of new Openstack vs (too) old libvirt.
But IIRC UCA Newton should be Newton form openstack and virtualization bits from Yakkety Ubuntu release.
That would be libvirt 2.1.0-1ubuntu9.1
$ lxc launch ubuntu-daily:xenial xenial-uca-newton
$ lxc exec xenial-uca-newton -- add-apt-repository cloud-archive:newton
$ lxc exec xenial-uca-newton -- apt update
$ lxc exec xenial-uca-newton -- apt-cache policy libvirt-bin
libvirt-bin:
1.3.1-1ubuntu10.8 500
500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
Ok so Newton UCA really has not Yakketies libvirt.
But you are running Ocata level code, so their the UCA version would run into the same not having a newer libvirt.
$ lxc launch ubuntu-daily:xenial xenial-uca-ocata
$ lxc exec xenial-uca-ocata -- add-apt-repository cloud-archive:ocata
$ lxc exec xenial-uca-ocata -- apt update
$ lxc exec xenial-uca-ocata -- apt-cache policy libvirt-bin
libvirt-bin:
Installed: (none)
Candidate: 2.5.0-3ubuntu3~cloud0
Version table:
2.5.0-3ubuntu3~cloud0 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata/main amd64
Here we go.
Please don't ask me why the libvirt 2.1 is not in the Newton UCA, that is up to the Cloud Archives Teams reasons and decisions. But they are subscribed and can answer that.
That explains why we are not seeing the issue when using Newton (not having the Openstack change) nor with Ocata (has Openstack but also a newer libvirt) - both cases match.
A cross version usage is not supported by UCA as far as I know.
So if you are running "ocata-level" upstream you should switch to UCA-
Ocata and things hopefully should just work.
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1665698
Title:
/etc/qemu-ifup not allowed by apparmor
Status in Ubuntu Cloud Archive:
Incomplete
Status in libvirt package in Ubuntu:
Incomplete
Bug description:
I have VMs failing to start with 2017-02-17 15:38:44.458 264015 ERROR
nova.compute.manager [instance: 0c97ab16-2d30-43fa-b0e4-a064a842b5ed]
libvirtError: internal error: process exited while connecting to
monitor: 2017-02-17T15:38:43.907222Z qemu-system-x86_64: -netdev
tap,ifname=tapf34ef99e-18,id=hostnet0,vhost=on,vhostfd=28: network
script /etc/qemu-ifup failed with status 256
Log excerpt:
http://cdn.pasteraw.com/b3tw4cjefomfi3e9k09hvodrfun85z
Seems to be that /etc/qemu-ifup is being blocked by apparmor:
type=AVC msg=audit(1487347189.015:28536): apparmor="DENIED" operation="exec" profile="libvirt-4a03fea7-e966-48e4-80ac-aa138db67243" name="/etc/qemu-ifup" pid=285438 comm="qemu-system-x86" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=PATH msg=audit(1487347189.015:28536): item=0 name="/etc/qemu-ifup" inode=66403 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
root at ubuntu-trusty-5773:/etc/apparmor.d/abstractions# cat /etc/apparmor.d/libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243
#
# This profile is for the domain whose UUID matches this file.
#
#include <tunables/global>
profile libvirt-4a03fea7-e966-48e4-80ac-aa138db67243 {
#include <abstractions/libvirt-qemu>
#include <libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243.files>
}
root at ubuntu-trusty-5773:/etc/apparmor.d/abstractions# cat /etc/apparmor.d/libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243.files
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/log/libvirt/**/instance-00000008.log" w,
"/var/lib/libvirt/qemu/domain-instance-00000008/monitor.sock" rw,
"/var/run/libvirt/**/instance-00000008.pid" rwk,
"/run/libvirt/**/instance-00000008.pid" rwk,
"/var/run/libvirt/**/*.tunnelmigrate.dest.instance-00000008" rw,
"/run/libvirt/**/*.tunnelmigrate.dest.instance-00000008" rw,
"/var/lib/nova/instances/4a03fea7-e966-48e4-80ac-aa138db67243/console.log" rw,
"/var/lib/nova/instances/4a03fea7-e966-48e4-80ac-aa138db67243/console.log" rw,
# for qemu guest agent channel
owner "/var/lib/libvirt/qemu/channel/target/domain-instance-00000008/**" rw,
/dev/vhost-net rw,
root at ubuntu-trusty-5773:/etc/apparmor.d/abstractions# dpkg -S libvirt-qemu
libvirt-bin: /etc/apparmor.d/abstractions/libvirt-qemu
root at ubuntu-trusty-5773:/etc/apparmor.d/abstractions# dpkg -l libvirt-bin
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=========================================-=========================-=========================-=======================================================================================
ii libvirt-bin 1.3.1-1ubuntu10.6~cloud0 amd64 programs for the libvirt library
Seeing identical behavior on Xenial
ubuntu at ubuntu-xenial-5165:~$ dpkg -l libvirt-bin
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=========================================-=========================-=========================-=======================================================================================
ii libvirt-bin 1.3.1-1ubuntu10.8 amd64 programs for the libvirt library
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1665698/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list