[Bug 431090] [NEW] libvirt apparmor profile is preventing libvirt from running eucalyptus VMs

Daniel Nurmi dnurmi at gmail.com
Thu Sep 17 01:10:28 BST 2009


Public bug reported:

On the eucalyptus NC, when we try to start a VM, the process is unable
to do so with the following error being thrown by libvirt (reported in
nc.log):

[Wed Sep 16 16:52:19 2009][002628][EUCAERROR ] libvirt: monitor socket
did not show up.: Connection refused (code=38)

I believe that the problem involves apparmor not allowing the VM
(through libvirt) to create the console.log file that we specify in the
libvirt XML VM description file.  Here is the message from dmesg after a
failed VM start:

[ 5345.573395] type=1503 audit(1253145109.565:14): operation="mknod" pid=15351 \
parent=1 profile="libvirt-9f141023-980c-0577-d143-72fcd2d8b7f1" requested_mask=\
"w::" denied_mask="w::" fsuid=0 ouid=0 name="/var/lib/eucalyptus/instances/admi\
n/i-4CFC08E8/console.log"

and the output in /var/log/libvirt/qemu/i-4CFC08E8.log

LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin /usr/bin/kvm -S -M pc-0.11 -m 128 -smp 1 -name i-4CFC08E8 -uuid 9f141023-980c-0577-d143-72fcd2d8b7f1 -nographic -monitor unix:/var/run/libvirt/qemu/i-4CFC08E8.monitor,server,nowait -boot c -kernel /var/lib/eucalyptus/instances/admin/i-4CFC08E8/kernel -initrd /var/lib/eucalyptus/instances/admin/i-4CFC08E8/ramdisk -append root=/dev/sda1 console=ttyS0 -drive file=/var/lib/eucalyptus/instances/admin/i-4CFC08E8/disk,if=scsi,index=0,boot=on -net nic,macaddr=d0:0d:4c:fc:08:e8,vlan=0,model=e1000,name=e1000.0 -net tap,fd=17,vlan=0,name=tap.0 -serial file:/var/lib/eucalyptus/instances/admin/i-4CFC08E8/console.log -parallel none -usb 
qemu: could not open serial device 'file:/var/lib/eucalyptus/instances/admin/i-4CFC08E8/console.log'

I also note that the directory/serial file is not being listed in the
dynamically created libvirt apparmor profile:

root@explorer:/etc/apparmor.d/libvirt# cat libvirt-9f141023-980c-0577-d143-72fcd2d8b7f1.files
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  /var/lib/eucalyptus/instances/admin/i-4CFC08E8/disk rw,
  /var/log/libvirt/**/i-4CFC08E8.log w,
  /var/run/libvirt/**/i-4CFC08E8.monitor rw,
  /var/run/libvirt/**/i-4CFC08E8.pid rwk,

I've confirmed that, when apparmor is stopped, libvirtd and
eucalyptus-nc restarted, then eucalyptus-nc can start the VM.

** Affects: eucalyptus (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: eucalyptus

-- 
libvirt apparmor profile is preventing libvirt from running eucalyptus VMs
https://bugs.launchpad.net/bugs/431090
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to eucalyptus in ubuntu.
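
Added example (not part of the original report, and not libvirt or AppArmor code): a small check of whether the path named in the audit denial is covered by any rule in the generated .files profile. The function names are hypothetical, the sample inputs are constructed from the lines quoted in the report, and the glob handling is a simplification that supports only `**`, `*` and `?`.

```python
import re

# Constructed from the dmesg line and .files listing quoted in the report
# (the report's backslash line-wraps are joined here).
AUDIT = ('type=1503 audit(1253145109.565:14): operation="mknod" pid=15351 parent=1 '
         'profile="libvirt-9f141023-980c-0577-d143-72fcd2d8b7f1" requested_mask="w::" '
         'denied_mask="w::" fsuid=0 ouid=0 '
         'name="/var/lib/eucalyptus/instances/admin/i-4CFC08E8/console.log"')
FILES = """\
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  /var/lib/eucalyptus/instances/admin/i-4CFC08E8/disk rw,
  /var/log/libvirt/**/i-4CFC08E8.log w,
  /var/run/libvirt/**/i-4CFC08E8.monitor rw,
  /var/run/libvirt/**/i-4CFC08E8.pid rwk,
"""

def parse_denial(line):
    """Return the key="value" fields of an AppArmor audit record as a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def parse_rules(text):
    """Yield (glob, perms) for each file rule, skipping comments and blanks."""
    for raw in text.splitlines():
        rule = raw.strip().rstrip(",")
        if rule and not rule.startswith("#"):
            glob, perms = rule.rsplit(None, 1)
            yield glob, perms

def glob_to_regex(glob):
    """Simplified AppArmor glob: ** crosses '/', * and ? do not."""
    out = []
    for tok in re.split(r"(\*\*|\*|\?)", glob):
        out.append({"**": ".*", "*": "[^/]*", "?": "[^/]"}.get(tok, re.escape(tok)))
    return re.compile("".join(out) + r"\Z")

def covering_rules(path, mask, rules_text):
    """Rules whose glob matches path and whose perms include every denied bit."""
    wanted = set(mask.split(":")[0])  # "w::" -> {"w"}
    return [(g, p) for g, p in parse_rules(rules_text)
            if glob_to_regex(g).match(path) and wanted <= set(p)]

def explain(audit_line, rules_text):
    d = parse_denial(audit_line)
    hits = covering_rules(d["name"], d["denied_mask"], rules_text)
    return {"profile": d["profile"], "path": d["name"],
            "denied": d["denied_mask"].split(":")[0], "covered_by": hits}

if __name__ == "__main__":
    print(explain(AUDIT, FILES))
```

An empty `covered_by` list for the console.log path matches what the report observes: the serial file is absent from the per-VM profile, so the write is denied.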
