libvirt, libxl, and AppArmor

Stefan Bader stefan.bader at canonical.com
Thu Jun 26 13:08:25 UTC 2014


On 26.06.2014 13:26, George Dunlap wrote:
> There appears to be a bug in the AppArmor profile for libvirtd, so
> that it refuses to allow libvirtd to run pygrub.
> 
> After using virt-install to create a VM image, creation of the VM fails:
> 
> # virsh -c xen:/// start ubuntu
> error: Failed to start domain ubuntu
> error: internal error: libxenlight failed to create new domain 'ubuntu'
> 
> /var/log/libvirt/libvirtd.log has a not-particularly-useful repeat:
> 2014-06-26 11:20:39.422+0000: 1187: error : libxlVmStart:787 :
> internal error: libxenlight failed to create new domain 'ubuntu'
> 
> /var/log/libvirt/libxl/ubuntu.log has more useful information
> libxl: debug: libxl_bootloader.c:535:bootloader_gotptys: executing
> bootloader: /usr/lib/xen-4.4/bin/pygrub
> libxl: debug: libxl_bootloader.c:539:bootloader_gotptys:   bootloader
> arg: /usr/lib/xen-4.4/bin/pygrub
> libxl: debug: libxl_bootloader.c:539:bootloader_gotptys:   bootloader
> arg: --output=/var/run/xen/bootloader.3.out
> libxl: debug: libxl_bootloader.c:539:bootloader_gotptys:   bootloader
> arg: --output-format=simple0
> libxl: debug: libxl_bootloader.c:539:bootloader_gotptys:   bootloader
> arg: --output-directory=/var/run/xen/bootloader.3.d
> libxl: debug: libxl_bootloader.c:539:bootloader_gotptys:   bootloader
> arg: /root/F0L1.img
> libxl: debug: libxl_event.c:514:watchfd_callback: watch
> w=0x7f46780011e8 wpath=/local/domain/3 token=3/1: event
> epath=/local/domain/3
> libxl: error: libxl_bootloader.c:628:bootloader_finished: bootloader
> failed - consult logfile /var/log/xen/bootloader.3.log
> 
> /var/log/xen/bootloader.3.log says:
> libxl: cannot execute /usr/lib/xen-4.4/bin/pygrub: Permission denied
> 
> But when I run pygrub manually, or if I use "virsh domxl-to-native
> xen-xm" to create an xl config, I can boot the VM with xl.  Eventually
> I looked in /var/log/kern.log:
> 
> Jun 26 07:20:39 unassigned-hostname kernel: [ 2957.634455] type=1400
> audit(1403781639.410:24): apparmor="DENIED" operation="exec"
> profile="/usr/sbin/libvirtd" name="/usr/lib/xen-4.4/bin/pygrub"
> pid=1773 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0
> ouid=0
> 
> There's probably a handful of other Xen helper processes that need to
> be whitelisted.
> 
>  -George
> 
Yes, pygrub has to be whitelisted in the profile. I uploaded a modified libvirt
to Utopic but need to backport the change to Trusty.
The same thing applies to libxl-save-helper which I just recently found.

-Stefan
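The diagnosis above hinges on reading the `apparmor="DENIED"` audit line in kern.log and turning it into a profile rule. As an added example (not code from the thread, from libvirt, or from the apparmor-utils project), here is a small parser that splits such kernel lines into their key=value fields, keeps only denials for a given profile, and prints a candidate rule per denied path. The first sample line is the exact denial George quoted; the other two lines are constructed. The exec transition mode `PUx` is an assumed default only: the page does not say which mode the fixed libvirt profile uses, and the administrator has to choose it.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log: the first line is the denial quoted in the thread
# above; the second is a made-up non-exec denial for the same profile and
# the third a made-up unrelated kernel line, to show the filter at work.
SAMPLE_KERN_LOG = """\
Jun 26 07:20:39 unassigned-hostname kernel: [ 2957.634455] type=1400 audit(1403781639.410:24): apparmor="DENIED" operation="exec" profile="/usr/sbin/libvirtd" name="/usr/lib/xen-4.4/bin/pygrub" pid=1773 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jun 26 07:21:02 unassigned-hostname kernel: [ 2980.112233] type=1400 audit(1403781662.100:25): apparmor="DENIED" operation="open" profile="/usr/sbin/libvirtd" name="/var/run/xen/bootloader.3.out" pid=1773 comm="libvirtd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jun 26 07:21:05 unassigned-hostname kernel: [ 2983.000000] usb 1-1: new high-speed USB device number 4 using xhci_hcd
"""

# key="quoted value" or key=bareword, as the kernel prints AppArmor fields
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line: str) -> Optional[Dict[str, str]]:
    """Split one kernel log line into its AppArmor key=value fields.

    Returns None for lines that are not AppArmor audit messages.
    """
    if "apparmor=" not in line:
        return None
    fields: Dict[str, str] = {}
    for match in FIELD_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def suggest_rule(fields: Dict[str, str], exec_mode: str = "PUx") -> Optional[str]:
    """Turn a DENIED event into a candidate profile rule for the denied path.

    For exec denials the transition mode (exec_mode) is a choice the
    administrator must make; "PUx" is only the assumed default here.
    Non-exec denials get a plain file rule carrying the denied mask.
    """
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    if fields.get("operation") == "exec":
        return f'{fields["name"]} {exec_mode},'
    mask = fields.get("denied_mask", "")
    return f'{fields["name"]} {mask},' if mask else None


def suggested_rules(log_text: str, profile: str, exec_mode: str = "PUx") -> List[str]:
    """Collect unique candidate rules for one profile, in first-seen order."""
    seen: List[str] = []
    for line in log_text.splitlines():
        fields = parse_apparmor_line(line)
        if not fields or fields.get("profile") != profile:
            continue
        rule = suggest_rule(fields, exec_mode)
        if rule and rule not in seen:
            seen.append(rule)
    return seen


if __name__ == "__main__":
    # Reads the constructed sample; on a real host you would feed it
    # /var/log/kern.log and review each rule before adding it to the profile.
    for rule in suggested_rules(SAMPLE_KERN_LOG, "/usr/sbin/libvirtd"):
        print(rule)
```

Run against the sample it prints `/usr/lib/xen-4.4/bin/pygrub PUx,` and `/var/run/xen/bootloader.3.out w,`. The output is a review list, not something to append blindly: a denial only says what the confined process tried, so each path still needs to be checked against what libvirtd legitimately needs (pygrub and libxl-save-helper in this thread). The same job is done interactively by `aa-logprof` from apparmor-utils.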
