[Bug 1365261] [NEW] Apparmor denies qemu access to /tmp directory

Takenori MATSUMOTO 1365261 at bugs.launchpad.net
Thu Sep 4 04:24:34 UTC 2014


Public bug reported:

I find the following messages in syslog.

Sep  1 07:12:38 cn1 kernel: [510962.435074] type=1400 audit(1409523158.899:794): apparmor="DENIED" operation="open" profile="libvirt-62ecd5a8-9b3b-4320-92f0-e54ef8cdf851" name="/tmp/" pid=11254 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=109 ouid=0
Sep  1 07:12:38 cn1 kernel: [510962.435085] type=1400 audit(1409523158.899:795): apparmor="DENIED" operation="open" profile="libvirt-62ecd5a8-9b3b-4320-92f0-e54ef8cdf851" name="/var/tmp/" pid=11254 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=109 ouid=0

Is it OK to just ignore these messages? Or, if this is a bug, is there
a solution or workaround?


Looking at nova-compute.log, at that time nova-compute had just tried to create an instance.

2014-09-01 07:12:38.096 3245 INFO nova.virt.libvirt.driver [req-fd1d0575-0c7a-4977-a9bd-605824da7612 c771d7600a4445d98ef365311dab7b51 f468ee3dda1142c587cf44d31031eca9] [instance: 62ecd5a8-9b3b-4320-92f0-e54ef8cdf851] Creating image
2014-09-01 07:12:38.212 3245 INFO nova.virt.libvirt.firewall [req-fd1d0575-0c7a-4977-a9bd-605824da7612 c771d7600a4445d98ef365311dab7b51 f468ee3dda1142c587cf44d31031eca9] [instance: 62ecd5a8-9b3b-4320-92f0-e54ef8cdf851] Called setup_basic_filtering in nwfilter
2014-09-01 07:12:38.212 3245 INFO nova.virt.libvirt.firewall [req-fd1d0575-0c7a-4977-a9bd-605824da7612 c771d7600a4445d98ef365311dab7b51 f468ee3dda1142c587cf44d31031eca9] [instance: 62ecd5a8-9b3b-4320-92f0-e54ef8cdf851] Ensuring static filters
2014-09-01 07:12:39.093 3245 INFO nova.compute.manager [-] Lifecycle event 0 on VM 62ecd5a8-9b3b-4320-92f0-e54ef8cdf851
2014-09-01 07:12:39.163 3245 INFO nova.virt.libvirt.driver [-] [instance: 62ecd5a8-9b3b-4320-92f0-e54ef8cdf851] Instance spawned successfully.
2014-09-01 07:12:39.191 3245 INFO nova.compute.manager [-] [instance: 62ecd5a8-9b3b-4320-92f0-e54ef8cdf851] During sync_power_state the instance has a pending task (spawning). Skip.


A volume was attached to the instance after that, then the instance was destroyed.

2014-09-01 07:14:09.597 3245 AUDIT nova.compute.manager [req-7120818d-61a7-4f78-8a22-f186034f3da1 c771d7600a4445d98ef365311dab7b51 f468ee3dda1142c587cf44d31031eca9] [instance: 62ecd5a8-9b3b-4320-92f0-e54ef8cdf851] Attaching volume 4531347c-71fe-4571-985b-a4b9ae3ab70e to /dev/vdb

2014-09-01 07:20:11.584 3245 AUDIT nova.compute.manager [req-da17d4bd-1d23-4ead-888f-da5e66dde656 c771d7600a4445d98ef365311dab7b51 f468ee3dda1142c587cf44d31031eca9] [instance: 62ecd5a8-9b3b-4320-92f0-e54ef8cdf851] Detach volume 4531347c-71fe-4571-985b-a4b9ae3ab70e from mountpoint /dev/vdb

2014-09-01 07:21:14.313 3245 INFO nova.compute.manager [-] Lifecycle event 1 on VM 62ecd5a8-9b3b-4320-92f0-e54ef8cdf851
2014-09-01 07:21:14.317 3245 INFO nova.virt.libvirt.driver [-] [instance: 62ecd5a8-9b3b-4320-92f0-e54ef8cdf851] Instance destroyed successfully.

It seems these messages cause no problem. But I don't know whether this DENIED error from apparmor can be ignored.
In another running test, we saw the message along with an error accessing a ceph file.

Aug  4 06:36:02 cn1 kernel: [1058887.801002] type=1400 audit(1407101762.890:2098): apparmor="DENIED" operation="open" profile="libvirt-53a1d479-2299-4069-a691-72f3f5ae7a6e" name="/tmp/" pid=8336 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
Aug  4 06:36:02 cn1 kernel: [1058887.801012] type=1400 audit(1407101762.890:2099): apparmor="DENIED" operation="open" profile="libvirt-53a1d479-2299-4069-a691-72f3f5ae7a6e" name="/var/tmp/" pid=8336 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
Aug  4 06:37:31 cn1 kernel: [1058976.654848] type=1400 audit(1407101851.714:2102): apparmor="DENIED" operation="open" profile="libvirt-53a1d479-2299-4069-a691-72f3f5ae7a6e" name="/etc/ceph/ceph.client.cinder.keyring" pid=8336 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=110 ouid=108

It could be that the ceph library linked into qemu-system-x86
tried to access forbidden files.

- Software versions
ii  nova-common                         1:2014.1.2-0ubuntu1.1               all          OpenStack Compute - common files
ii  nova-compute                        1:2014.1.2-0ubuntu1.1               all          OpenStack Compute - compute node base
ii  nova-compute-kvm                    1:2014.1.2-0ubuntu1.1               all          OpenStack Compute - compute node (KVM)
ii  nova-compute-libvirt                1:2014.1.2-0ubuntu1.1               all          OpenStack Compute - compute node libvirt support

ii  qemu-system-x86                     2.0.0+dfsg-2ubuntu1.2               amd64        QEMU full system emulation binaries (x86)
ii  ceph-common                         0.80.1-0ubuntu1.1                   amd64        common utilities to mount and interact with a ceph storage cluster

** Affects: nova (Ubuntu)
     Importance: Undecided
         Status: New
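To triage denials like the ones quoted in this report, it helps to parse the AppArmor audit lines into fields and group them by guest profile and target path, separating directory reads (name ending in "/") from reads of specific files such as the ceph keyring. The following script is an added example, not part of the bug report or of nova/libvirt; the sample input is copied from the syslog lines quoted above, and the function and variable names are my own.

```python
import re
from collections import Counter

# Syslog lines copied from the bug report above, used as sample input.
SAMPLE_SYSLOG = """\
Sep  1 07:12:38 cn1 kernel: [510962.435074] type=1400 audit(1409523158.899:794): apparmor="DENIED" operation="open" profile="libvirt-62ecd5a8-9b3b-4320-92f0-e54ef8cdf851" name="/tmp/" pid=11254 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=109 ouid=0
Sep  1 07:12:38 cn1 kernel: [510962.435085] type=1400 audit(1409523158.899:795): apparmor="DENIED" operation="open" profile="libvirt-62ecd5a8-9b3b-4320-92f0-e54ef8cdf851" name="/var/tmp/" pid=11254 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=109 ouid=0
Aug  4 06:36:02 cn1 kernel: [1058887.801002] type=1400 audit(1407101762.890:2098): apparmor="DENIED" operation="open" profile="libvirt-53a1d479-2299-4069-a691-72f3f5ae7a6e" name="/tmp/" pid=8336 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
Aug  4 06:36:02 cn1 kernel: [1058887.801012] type=1400 audit(1407101762.890:2099): apparmor="DENIED" operation="open" profile="libvirt-53a1d479-2299-4069-a691-72f3f5ae7a6e" name="/var/tmp/" pid=8336 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
Aug  4 06:37:31 cn1 kernel: [1058976.654848] type=1400 audit(1407101851.714:2102): apparmor="DENIED" operation="open" profile="libvirt-53a1d479-2299-4069-a691-72f3f5ae7a6e" name="/etc/ceph/ceph.client.cinder.keyring" pid=8336 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=110 ouid=108
"""

# key="quoted value" or key=bareword, as written by the AppArmor audit code.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_apparmor_line(line):
    """Return the key/value fields of one AppArmor audit line, or None if it is not one."""
    if 'apparmor="' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def summarise_denials(text):
    """Count DENIED events keyed by (profile, target path, denied mask)."""
    denials = Counter()
    for line in text.splitlines():
        f = parse_apparmor_line(line)
        if f and f.get("apparmor") == "DENIED":
            denials[(f["profile"], f["name"], f["denied_mask"])] += 1
    return denials

def profile_to_domain(profile):
    """libvirt names per-guest profiles libvirt-<domain UUID>; return the UUID or None."""
    return profile[len("libvirt-"):] if profile.startswith("libvirt-") else None

def file_denials(denials):
    """Paths denied that are files rather than directories (directory names end in '/')."""
    return {name for (_, name, _) in denials if not name.endswith("/")}

if __name__ == "__main__":
    for (profile, name, mask), n in sorted(summarise_denials(SAMPLE_SYSLOG).items()):
        print(f"guest {profile_to_domain(profile)}: {name} denied mask={mask} x{n}")
    print("file-level denials:", sorted(file_denials(summarise_denials(SAMPLE_SYSLOG))))
```

On a real host, feed it the output of `grep apparmor=\"DENIED\" /var/log/syslog` and compare the file-level hits against what the guest's libvirt profile is expected to allow.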

https://bugs.launchpad.net/bugs/1365261