[Bug 1726804] Re: rules for images on attach-device not containing lock permission
ChristianEhrhardt
1726804 at bugs.launchpad.net
Wed Oct 25 08:25:43 UTC 2017
Verified in Proposed, here the full log:
root at artful-qatests:~# qemu-img create /var/lib/libvirt/A.img 1M
Formatting '/var/lib/libvirt/A.img', fmt=raw size=1048576
root at artful-qatests:~# cat <<EOF > testguest.xml
> <domain type='kvm'>
> <name>testguest</name>
> <uuid>deadbeef-dead-beef-dead-beefdeadbeef</uuid>
> <memory unit='KiB'>1024</memory>
> <vcpu placement='static'>1</vcpu>
> <os>
> <type arch='x86_64' machine='pc-i440fx-zesty'>hvm</type>
> <boot dev='hd'/>
> </os>
> <features>
> <acpi/>
> <apic/>
> <pae/>
> </features>
> <devices>
> <emulator>/usr/bin/kvm-spice</emulator>
> <disk type='file' device='disk'>
> <driver name='qemu'/>
> <source file='/var/lib/libvirt/A.img'/>
> <target dev='vda'/>
> </disk>
> </devices>
> <seclabel type='dynamic' model='apparmor' relabel='yes'/>
> </domain>
> EOF
root at artful-qatests:~# virsh define testguest.xml
Domain testguest defined from testguest.xml
root at artful-qatests:~# virsh start testguest
Domain testguest started
root at artful-qatests:~# qemu-img create /var/lib/libvirt/F.img 1M
Formatting '/var/lib/libvirt/F.img', fmt=raw size=1048576
root at artful-qatests:~# cat <<EOF >diskF.xml
> <disk type='file'>
> <driver name='qemu'/>
> <source file='/var/lib/libvirt/F.img'/>
> <target dev='sdc'/>
> </disk>
> EOF
root at artful-qatests:~# virsh attach-device testguest diskF.xml
error: Failed to attach device from diskF.xml
error: internal error: unable to execute QEMU command 'device_add': Property 'scsi-hd.drive' can't find value 'drive-scsi0-0-2'
root at artful-qatests:~# dmesg | tail -n 4
[152072.603398] audit: type=1400 audit(1508919165.522:639): apparmor="DENIED" operation="file_lock" profile="libvirt-deadbeef-dead-beef-dead-beefdeadbeef" name="/var/lib/libvirt/F.img" pid=17985 comm="qemu-system-x86" requested_mask="k" denied_mask="k" fsuid=64055 ouid=64055
[152072.603400] audit: type=1400 audit(1508919165.523:640): apparmor="DENIED" operation="file_lock" profile="libvirt-deadbeef-dead-beef-dead-beefdeadbeef" name="/var/lib/libvirt/F.img" pid=17985 comm="qemu-system-x86" requested_mask="k" denied_mask="k" fsuid=64055 ouid=64055
[152072.603402] audit: type=1400 audit(1508919165.523:641): apparmor="DENIED" operation="file_lock" profile="libvirt-deadbeef-dead-beef-dead-beefdeadbeef" name="/var/lib/libvirt/F.img" pid=17985 comm="qemu-system-x86" requested_mask="k" denied_mask="k" fsuid=64055 ouid=64055
[152072.739782] audit: type=1400 audit(1508919165.659:642): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-deadbeef-dead-beef-dead-beefdeadbeef" pid=18063 comm="apparmor_parser"
# Now changing to the version in proposed
root at artful-qatests:~# # enable proposed
root at artful-qatests:~# vim /etc/apt/sources.list
root at artful-qatests:~# apt update
Hit:1 http://archive.ubuntu.com/ubuntu artful InRelease
Ign:2 http://ddebs.ubuntu.com artful InRelease
Get:3 http://archive.ubuntu.com/ubuntu artful-updates InRelease [76.7 kB]
Ign:4 http://ddebs.ubuntu.com artful-updates InRelease
Ign:5 http://ddebs.ubuntu.com artful-proposed InRelease
Hit:6 http://ddebs.ubuntu.com artful Release
Hit:7 http://archive.ubuntu.com/ubuntu artful-backports InRelease
Hit:8 http://ddebs.ubuntu.com artful-updates Release
Get:9 http://archive.ubuntu.com/ubuntu artful-proposed InRelease [235 kB]
Hit:10 http://security.ubuntu.com/ubuntu artful-security InRelease
Hit:12 http://ddebs.ubuntu.com artful-proposed Release
Get:14 http://archive.ubuntu.com/ubuntu artful-proposed/main Sources [13.6 kB]
Get:15 http://archive.ubuntu.com/ubuntu artful-proposed/universe Sources [50.6 kB]
Get:17 http://archive.ubuntu.com/ubuntu artful-proposed/multiverse Sources [3832 B]
Get:18 http://archive.ubuntu.com/ubuntu artful-proposed/main amd64 Packages [38.7 kB]
Get:19 http://archive.ubuntu.com/ubuntu artful-proposed/main Translation-en [16.3 kB]
Get:20 http://archive.ubuntu.com/ubuntu artful-proposed/universe amd64 Packages [40.1 kB]
Get:21 http://archive.ubuntu.com/ubuntu artful-proposed/universe Translation-en [25.2 kB]
Get:22 http://archive.ubuntu.com/ubuntu artful-proposed/multiverse amd64 Packages [2896 B]
Get:23 http://archive.ubuntu.com/ubuntu artful-proposed/multiverse Translation-en [1196 B]
Fetched 504 kB in 0s (553 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
23 packages can be upgraded. Run 'apt list --upgradable' to see them.
root at artful-qatests:~# apt install libvirt-daemon-system
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
libvirt-clients libvirt-daemon libvirt0
Suggested packages:
numad radvd auditd systemtap nfs-common zfsutils pm-utils
The following packages will be upgraded:
libvirt-clients libvirt-daemon libvirt-daemon-system libvirt0
4 upgraded, 0 newly installed, 0 to remove and 15 not upgraded.
Need to get 4058 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://archive.ubuntu.com/ubuntu artful-proposed/main amd64 libvirt-daemon-system amd64 3.6.0-1ubuntu6 [78.5 kB]
Get:2 http://archive.ubuntu.com/ubuntu artful-proposed/main amd64 libvirt-clients amd64 3.6.0-1ubuntu6 [587 kB]
Get:3 http://archive.ubuntu.com/ubuntu artful-proposed/main amd64 libvirt-daemon amd64 3.6.0-1ubuntu6 [2149 kB]
Get:4 http://archive.ubuntu.com/ubuntu artful-proposed/main amd64 libvirt0 amd64 3.6.0-1ubuntu6 [1243 kB]
Fetched 4058 kB in 2s (1838 kB/s)
Preconfiguring packages ...
(Reading database ... 89501 files and directories currently installed.)
Preparing to unpack .../libvirt-daemon-system_3.6.0-1ubuntu6_amd64.deb ...
Unpacking libvirt-daemon-system (3.6.0-1ubuntu6) over (3.6.0-1ubuntu5) ...
Preparing to unpack .../libvirt-clients_3.6.0-1ubuntu6_amd64.deb ...
Unpacking libvirt-clients (3.6.0-1ubuntu6) over (3.6.0-1ubuntu5) ...
Preparing to unpack .../libvirt-daemon_3.6.0-1ubuntu6_amd64.deb ...
Unpacking libvirt-daemon (3.6.0-1ubuntu6) over (3.6.0-1ubuntu5) ...
Preparing to unpack .../libvirt0_3.6.0-1ubuntu6_amd64.deb ...
Unpacking libvirt0:amd64 (3.6.0-1ubuntu6) over (3.6.0-1ubuntu5) ...
Processing triggers for ureadahead (0.100.0-20) ...
Setting up libvirt0:amd64 (3.6.0-1ubuntu6) ...
Setting up libvirt-daemon (3.6.0-1ubuntu6) ...
Processing triggers for libc-bin (2.26-0ubuntu2) ...
Processing triggers for systemd (234-2ubuntu12) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up libvirt-clients (3.6.0-1ubuntu6) ...
Setting up libvirt-daemon-system (3.6.0-1ubuntu6) ...
Installing new version of config file /etc/apparmor.d/abstractions/libvirt-qemu ...
virtlockd.service is a disabled or a static unit, not starting it.
Setting up libvirt-daemon dnsmasq configuration.
root at artful-qatests:~# virsh attach-device testguest diskF.xml
Device attached successfully
root at artful-qatests:~# virsh detach-device testguest diskF.xml
Device detached successfully
root at artful-qatests:~# virsh attach-device testguest diskF.xml
Device attached successfully
root at artful-qatests:~# virsh detach-device testguest diskF.xml
Device detached successfully
root at artful-qatests:~# # working fine, even repeated - verified
** Tags removed: verification-needed verification-needed-artful
** Tags added: verification-done verification-done-artful
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1726804
Title:
rules for images on attach-device not containing lock permission
Status in Ubuntu Cloud Archive:
New
Status in libvirt package in Ubuntu:
Fix Committed
Status in libvirt source package in Artful:
Fix Committed
Bug description:
[Impact]
* Qemu 2.10 started to lock image files to ensure no data corruption
occurs. Unfortunately that isn't covered by the apparmor rules we had
for images so far - it needs to add "k" permission.
* This was spotted and done in Artful, but the tests for the hot-add of
disks were hidden behind some other known not-too-bad issues. So by
fixing those tests I realized that hot-add of disks is currently broken
in Artful.
[Test Case]
# Get a very minimal Testguest that keeps running to attach something
$ qemu-img create /tmp/A.img 1M
$ cat <<EOF > testguest.xml
<domain type='kvm'>
<name>testguest</name>
<uuid>deadbeef-dead-beef-dead-beefdeadbeef</uuid>
<memory unit='KiB'>1024</memory>
<vcpu placement='static'>1</vcpu>
<os>
<type arch='x86_64' machine='pc-i440fx-zesty'>hvm</type>
<boot dev='hd'/>
</os>
<features>
<acpi/>
<apic/>
<pae/>
</features>
<devices>
<emulator>/usr/bin/kvm-spice</emulator>
<disk type='file' device='disk'>
<driver name='qemu'/>
<source file='/tmp/A.img'/>
<target dev='vda'/>
</disk>
</devices>
<seclabel type='dynamic' model='apparmor' relabel='yes'/>
</domain>
EOF
$ virsh define testguest.xml
$ virsh start testguest
# Prepare Disk
$ qemu-img create /tmp/F.img 1M
$ cat <<EOF >diskF.xml
<disk type='file'>
<driver name='qemu'/>
<source file='/tmp/F.img'/>
<target dev='sdc'/>
</disk>
EOF
# Then attach:
$ virsh attach-device testguest diskF.xml
* This should work, but fails without the fix as:
error: internal error: unable to execute QEMU command 'device_add':
Property 'scsi-hd.drive' can't find value 'drive-scsi0-0-0-1'
With a related apparmor denial:
apparmor="DENIED" operation="file_lock" profile="libvirt-7d781722-69b7-8801-fe96-caf37b7a8969" name="/tmp/tmpKzZQR0/device_disk.img" pid=17582 comm="qemu" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
* With the fix the file is rendered rwk and can be attached
[Regression Potential]
* This is only adding apparmor lock permissions to files added after
start. Thereby the only thing that comes to mind is if now things are
locked that were not before, and thereby cause issues. But OTOH no one
but qemu should lock the image files in use - and if someone else does
he now correctly sees qemu holding the lock. Seems safe to me.
[Other Info]
* This is a release/upgrade regression which should be fixed
asap. I already wrote and submitted a fix to upstream, but given that
this can break a lot of use cases we have to fix fast and reroll in
case upstream decides to modify.
---
On something like:
$ virsh attach-device <guest> <xml>
The rule rendered is:
"/tmp/B.img" rw,
This is missing the k flag needed on qemu >=2.10.
This applies to block and file definitions:
<disk type='block'>
<driver name='qemu'/>
<source dev='/tmp/B.img'/>
<target dev='sdb'/>
</disk>
<disk type='file'>
<driver name='qemu'/>
<source file='/tmp/F.img'/>
<target dev='sdc'/>
</disk>
Both are rendered correctly as:
"/tmp/F.img" rwk,
when they are part of the domain xml instead of being a hot-add.
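Two checks a practitioner would want after reading the report above, as an added example that is not part of the bug or of libvirt's own code: a parser for the AppArmor audit lines quoted in the verification log, which picks out exactly the file_lock denials with a "k" in denied_mask against a libvirt-<uuid> profile (the signature of a qemu >= 2.10 image lock hitting a rule without "k"), and a checker for the rendered per-guest rule lines of the form `"/path" rwk,` that reports image paths whose rule lacks "k". The sample dmesg lines and rule lines are constructed here, mirroring the ones on the page; the rules-file path /etc/apparmor.d/libvirt/libvirt-<uuid>.files used by check_guest() is an assumption about where virt-aa-helper writes them.

```python
import re

# Constructed sample input, shaped like the dmesg lines quoted in the bug
# (one lock denial, one unrelated open denial, one profile_replace status).
SAMPLE_DMESG = """\
[152072.603398] audit: type=1400 audit(1508919165.522:639): apparmor="DENIED" operation="file_lock" profile="libvirt-deadbeef-dead-beef-dead-beefdeadbeef" name="/var/lib/libvirt/F.img" pid=17985 comm="qemu-system-x86" requested_mask="k" denied_mask="k" fsuid=64055 ouid=64055
[152072.603400] audit: type=1400 audit(1508919165.523:640): apparmor="DENIED" operation="open" profile="libvirt-deadbeef-dead-beef-dead-beefdeadbeef" name="/etc/shadow" pid=17985 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[152072.739782] audit: type=1400 audit(1508919165.659:642): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-deadbeef-dead-beef-dead-beefdeadbeef" pid=18063 comm="apparmor_parser"
"""

# Constructed per-guest rule lines: the hot-added image rendered without "k"
# (the bug) and with "k" (the fix).
SAMPLE_RULES_BEFORE = """\
  "/var/lib/libvirt/A.img" rwk,
  "/var/lib/libvirt/F.img" rw,
"""
SAMPLE_RULES_AFTER = """\
  "/var/lib/libvirt/A.img" rwk,
  "/var/lib/libvirt/F.img" rwk,
"""

# key=value or key="quoted value" fields of an audit line
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# one AppArmor file rule: optional "owner", quoted path, permission letters, comma
RULE_RE = re.compile(r'^\s*(?:owner\s+)?"([^"]+)"\s+([a-zA-Z]+)\s*,\s*$')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def lock_denials(log_text, profile_prefix="libvirt-"):
    """Pick out file_lock denials with 'k' in denied_mask against guest profiles.

    Returns a list of dicts with profile, path, pid and comm, in log order.
    """
    hits = []
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "file_lock":
            continue
        if not f.get("profile", "").startswith(profile_prefix):
            continue
        if "k" not in f.get("denied_mask", ""):
            continue
        hits.append({"profile": f["profile"], "path": f.get("name"),
                     "pid": f.get("pid"), "comm": f.get("comm")})
    return hits


def parse_rules(rules_text):
    """Map each quoted path in a rendered rules file to its permission string."""
    rules = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules[m.group(1)] = m.group(2)
    return rules


def images_missing_lock(rules_text, image_paths):
    """Return the image paths that have no rule or whose rule lacks 'k'."""
    rules = parse_rules(rules_text)
    return [p for p in image_paths if "k" not in rules.get(p, "")]


def check_guest(uuid, image_paths, rules_dir="/etc/apparmor.d/libvirt"):
    """Check a running guest's rendered rules on this host.

    Assumption: virt-aa-helper writes the per-guest rules to
    <rules_dir>/libvirt-<uuid>.files; adjust if your distribution differs.
    """
    with open(f"{rules_dir}/libvirt-{uuid}.files") as fh:
        return images_missing_lock(fh.read(), image_paths)


if __name__ == "__main__":
    for hit in lock_denials(SAMPLE_DMESG):
        print(f"lock denied for {hit['path']} in {hit['profile']} (pid {hit['pid']})")
    imgs = ["/var/lib/libvirt/A.img", "/var/lib/libvirt/F.img"]
    print("missing k before fix:", images_missing_lock(SAMPLE_RULES_BEFORE, imgs))
    print("missing k after fix: ", images_missing_lock(SAMPLE_RULES_AFTER, imgs))
```

On a live host, run `dmesg | python3 -c 'import sys,check; print(check.lock_denials(sys.stdin.read()))'` style pipelines against the real audit output, and call check_guest() with the guest UUID and the source paths from `virsh domblklist`; an empty list from images_missing_lock() is the condition that the verification log above reaches once the fixed abstractions are installed.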