[Bug 1045158] New: libvirt doesn't start virtual machines if apparmor is enabled
http://bugzilla.opensuse.org/show_bug.cgi?id=1045158

Bug ID: 1045158
Summary: libvirt doesn't start virtual machines if apparmor is enabled
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
Assignee: suse-beta@cboltz.de
Reporter: alarrosa@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

I updated my Leap 42.2 machine to Leap 42.3 Beta today and my virtual machines (using virt-manager) can't be started anymore. The error I get is:

Error al iniciar dominio: internal error: child reported: Kernel does not provide mount namespace: Permission denied

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 88, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 124, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 83, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1488, in startup
    self._backend.create()
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1062, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: internal error: child reported: Kernel does not provide mount namespace: Permission denied

Once I stopped apparmor with systemctl stop apparmor.service, virtual machines can be started fine. If I start apparmor afterwards, I can stop and start virtual machines correctly, but if I do:

systemctl restart libvirtd

with apparmor running, then I can't run virtual machines anymore.

In Factory it works fine, so it seems there's some fix done in Factory's apparmor-profiles that wasn't backported to Leap 42.3 (nor SLE12 SP3).

--
You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1045158#c1
--- Comment #1 from Christian Boltz
> Once I stopped apparmor with systemctl stop apparmor.service, virtual machines can be started fine. If I start apparmor afterwards, I can stop and start virtual machines correctly, but if I do:
> systemctl restart libvirtd
> with apparmor running, then I can't run virtual machines anymore.
That's easy to explain - by stopping AppArmor, you remove the confinement from running processes, and "rcapparmor start" isn't able to (re-)confine running processes (unless you restart those processes). That's why AppArmor gets in your way again after restarting libvirtd.
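The behaviour Christian describes can be observed directly on a host: the kernel exposes each process's AppArmor label, so after a stop/start cycle the libvirtd process that was started in between still reads "unconfined" even though its profile is loaded again. The script below is an added example, not code from the bug thread or from AppArmor/libvirt. It assumes a Linux host where the AppArmor LSM publishes the label as "<profile> (<mode>)" or "unconfined" in /proc/<pid>/attr/apparmor/current (older kernels: /proc/<pid>/attr/current); all pids, paths and labels in its inline sample data are constructed.

```python
"""Show which processes are actually confined by AppArmor right now.

Added example, not code from the bug thread or from AppArmor/libvirt.
Assumes the AppArmor LSM exposes per-process labels under /proc/<pid>/attr
(see lead-in); sample data in the accompanying checks is constructed.
"""
import os
import re
from typing import Dict, Iterable, List, Optional, Tuple

# "<profile> (<mode>)", e.g. "/usr/sbin/libvirtd (enforce)"; the special
# label "unconfined" carries no mode suffix.
_LABEL_RE = re.compile(r"^(?P<profile>.+?)(?: \((?P<mode>[a-z_]+)\))?$")


def parse_label(raw: str) -> Tuple[str, Optional[str]]:
    """Split a raw AppArmor process label into (profile, mode)."""
    m = _LABEL_RE.match(raw.strip())
    if m is None:  # empty label: nothing attached
        return ("unconfined", None)
    return (m.group("profile"), m.group("mode"))


def read_label(pid: int) -> Optional[str]:
    """Raw label of one process, or None when the attr file is unreadable
    (process exited, no permission, or no AppArmor on this host)."""
    for path in (f"/proc/{pid}/attr/apparmor/current",
                 f"/proc/{pid}/attr/current"):
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            continue
    return None


def read_exe(pid: int) -> Optional[str]:
    """Resolved executable path of a process (None if not readable)."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None


def confinement_report(labels: Dict[int, str]) -> Dict[str, List[int]]:
    """Group pids by the profile they currently run under."""
    report: Dict[str, List[int]] = {}
    for pid, raw in sorted(labels.items()):
        profile, _mode = parse_label(raw)
        report.setdefault(profile, []).append(pid)
    return report


def escaped_confinement(labels: Dict[int, str],
                        exes: Dict[int, Optional[str]],
                        profiled_exes: Iterable[str]) -> List[int]:
    """Pids whose binary has a loaded profile but which run unconfined.

    This is the state after `systemctl stop apparmor` followed by a start:
    the profiles are back in the kernel, yet processes started in between
    keep running unconfined until they themselves are restarted."""
    wanted = set(profiled_exes)
    return sorted(pid for pid, raw in labels.items()
                  if parse_label(raw)[0] == "unconfined"
                  and exes.get(pid) in wanted)


def scan_host():
    """Collect labels and executables for every pid visible in /proc."""
    labels: Dict[int, str] = {}
    exes: Dict[int, Optional[str]] = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            pid = int(entry)
            raw = read_label(pid)
            if raw is not None:
                labels[pid] = raw
                exes[pid] = read_exe(pid)
    return labels, exes


if __name__ == "__main__":
    labels, exes = scan_host()
    for profile, pids in sorted(confinement_report(labels).items()):
        print(f"{profile:45} {len(pids):4d} process(es)")
    # Profiles in the default layout are named after the binary they confine,
    # so the libvirtd profile name doubles as the expected exe path.
    print("unconfined libvirtd pids:",
          escaped_confinement(labels, exes, ["/usr/sbin/libvirtd"]))
```

Run it as root before and after `systemctl restart libvirtd`: the pid reported by escaped_confinement() disappears only once the daemon has been re-executed under the loaded profile, which is exactly why the restart brings the denial back.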
http://bugzilla.opensuse.org/show_bug.cgi?id=1045158#c2
--- Comment #2 from Antonio Larrosa
http://bugzilla.opensuse.org/show_bug.cgi?id=1045158#c3
--- Comment #3 from Antonio Larrosa
> The libvirt AppArmor profiles are shipped in the libvirt packages, therefore I'm CC'ing the libvirt maintainers.
Ah, thanks for the information, I didn't notice that. Just fyi, I did:
md5sum /etc/apparmor.d/abstractions/libvirt-lxc /etc/apparmor.d/abstractions/libvirt-qemu /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper /etc/apparmor.d/usr.sbin.libvirtd
b0dbd7b35a91314b592474772fe17cb8  /etc/apparmor.d/abstractions/libvirt-lxc
18809bf3afe854b2434e71ee6780988d  /etc/apparmor.d/abstractions/libvirt-qemu
2424ab5112f759d7f17c2fdf508c1000  /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper
f4609c49e7bbee160b13b5001f5a55e4  /etc/apparmor.d/usr.sbin.libvirtd
And they're the same in my Leap 42.3 and TW systems. Which was completely unexpected.
> To find out what the problem is, can you please attach your /var/log/audit/audit.log? (If you don't have auditd running, check /var/log/messages, journal and/or the dmesg output for AppArmor messages.)
Done
http://bugzilla.opensuse.org/show_bug.cgi?id=1045158#c4
--- Comment #4 from Christian Boltz
http://bugzilla.opensuse.org/show_bug.cgi?id=1045158#c5
--- Comment #5 from Antonio Larrosa
> The relevant log line is
> ... apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/libvirtd" name="" ...
> This means the libvirtd profile needs the attach_disconnected flag:
> /usr/sbin/libvirtd (flags=attach_disconnected) {
> Does libvirt work after adding the flag and "systemctl reload apparmor"?
Hmm, I think you meant
/usr/sbin/libvirtd flags=(attach_disconnected) {
right? I'm afraid the flag was already there, so it must be something else.
http://bugzilla.opensuse.org/show_bug.cgi?id=1045158#c6
--- Comment #6 from Christian Boltz
> Hmm, I think you meant
> /usr/sbin/libvirtd flags=(attach_disconnected) {
> right?
Right, sorry for mistyping it.
> I'm afraid the flag was already there, so it must be something else.
Hmm, strange - the message indicates that attach_disconnected wasn't there yet. Anyway, please switch the profile to complain mode:

aa-complain /etc/apparmor.d/usr.sbin.libvirtd

This will allow everything and log what isn't listed in the profile. Use libvirtd for a while and then check the audit.log (you'll find ALLOWED instead of DENIED events).

Oh, and don't forget to switch back the profile to enforce mode afterwards:

aa-enforce /etc/apparmor.d/usr.sbin.libvirtd
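The workflow in comments #5 and #6 turns on two log-reading steps: spotting the "disconnected path" DENIED event that the attach_disconnected flag addresses, and, after aa-complain, collecting the ALLOWED events that show what the profile still lacks. The script below is an added example, not part of the bug thread or of the apparmor-utils tools. It assumes the kernel's key="value" audit format as found in /var/log/audit/audit.log or the journal; its SAMPLE lines are constructed (the first is modelled on the DENIED line quoted in comment #5, the others are invented noise and a complain-mode ALLOWED event), and the pids and timestamps in them are made up.

```python
"""Triage AppArmor audit events for one profile.

Added example, not from the bug thread or from apparmor-utils. Assumes the
kernel's key="value" audit line format; SAMPLE below is constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

# key=value pairs; a value is either a double-quoted string (may contain
# spaces and backslash escapes) or a bare token such as error=-13.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE = [
    # modelled on the line quoted in comment #5 (pid/timestamp constructed)
    'type=AVC msg=audit(1498000000.100:501): apparmor="DENIED" operation="open" '
    'info="Failed name lookup - disconnected path" error=-13 '
    'profile="/usr/sbin/libvirtd" name="" pid=1234 comm="libvirtd" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    # constructed: what the same profile logs in complain mode for a path it lacks
    'type=AVC msg=audit(1498000000.200:502): apparmor="ALLOWED" operation="open" '
    'profile="/usr/sbin/libvirtd" name="/run/libvirt/qemu/vm1.pid" pid=1234 '
    'comm="libvirtd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0',
    # constructed noise: a profile reload notice, and another profile's event
    'type=AVC msg=audit(1498000000.300:503): apparmor="STATUS" '
    'operation="profile_replace" profile="unconfined" name="/usr/sbin/libvirtd" '
    'pid=999 comm="apparmor_parser"',
    'type=AVC msg=audit(1498000000.400:504): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/cupsd" name="/etc/cups/printers.conf" pid=4321 '
    'comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]


def parse_event(line: str) -> Dict[str, str]:
    """Field dict of one audit line, with surrounding quotes removed."""
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def triage(lines: Iterable[str], profile: str) -> dict:
    """Bucket the events of `profile` by verdict.

    DENIED  -> enforce mode refused the access.
    ALLOWED -> complain mode let it through, but enforce mode would refuse
               it, so it marks a rule the profile lacks.
    The 'disconnected path' failure is flagged separately: no path rule can
    fix it, the profile header needs flags=(attach_disconnected)."""
    out = {"DENIED": [], "ALLOWED": [], "hints": set()}
    for line in lines:
        ev = parse_event(line)
        verdict = ev.get("apparmor")
        if ev.get("profile") != profile or verdict not in ("DENIED", "ALLOWED"):
            continue  # other profiles, STATUS notices, unrelated lines
        out[verdict].append((ev.get("operation", "?"), ev.get("name", ""),
                             ev.get("requested_mask", "")))
        if "disconnected path" in ev.get("info", ""):
            out["hints"].add("profile header needs flags=(attach_disconnected)")
    return out


def missing_rules(summary: dict) -> List[Tuple[str, str, str]]:
    """Distinct (operation, path, requested_mask) the profile does not cover."""
    return sorted(set(summary["DENIED"]) | set(summary["ALLOWED"]))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE
    summary = triage(lines, "/usr/sbin/libvirtd")
    print(f"{len(summary['DENIED'])} DENIED, {len(summary['ALLOWED'])} ALLOWED")
    for rule in missing_rules(summary):
        print("  uncovered:", rule)
    for hint in sorted(summary["hints"]):
        print("  hint:", hint)
```

Pass a real audit.log as the first argument to run it against your own data; filtering on profile= rather than comm= matters because the profile_replace STATUS line carries the libvirtd path in name= while its profile= is "unconfined".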
http://bugzilla.opensuse.org/show_bug.cgi?id=1045158#c7
--- Comment #7 from Christian Boltz
http://bugzilla.opensuse.org/show_bug.cgi?id=1045158#c8
--- Comment #8 from Antonio Larrosa
http://bugzilla.opensuse.org/show_bug.cgi?id=1045158#c9
--- Comment #9 from Christian Boltz