[Bug 694197] New: libvirt cannot start dnsmasq due to AppArmor and thus has no network bridge
https://bugzilla.novell.com/show_bug.cgi?id=694197#c0

Summary: libvirt cannot start dnsmasq due to AppArmor and thus has no network bridge
Classification: openSUSE
Product: openSUSE 12.1
Version: Factory
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: jeffm@novell.com
ReportedBy: seife@novell.slipkontur.de
QAContact: qa@suse.de
CC: jfehlig@novell.com, ug@novell.com
Found By: Third Party Developer/Partner
Blocker: ---

I have configured a bridge with NAT forwarding for libvirt. Libvirt cannot start dnsmasq on this bridge and thus the bridge never gets up:

May 17 08:53:08 susi dnsmasq[2216]: cannot open or create lease file /var/lib/libvirt/dnsmasq/default.leases: Permission denied
May 17 08:53:08 susi dnsmasq[2216]: FAILED to start up

As usual, "rcapparmor stop" fixes it. Not sure where to fix it, if libvirt or dnsmasq is to blame. Did not happen before with libvirt 0.8.8

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
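Since "rcapparmor stop" makes the error disappear, the narrow fix is a profile rule for the lease file rather than turning AppArmor off. The script below is an added example, not code from the report or from the openSUSE packages; it derives the smallest rule from the logged path and checks whether a profile already grants it. It assumes dnsmasq is confined by a profile named usr.sbin.dnsmasq that includes local/usr.sbin.dnsmasq for site-local rules (both assumptions; adjust for your system).

```shell
#!/bin/sh
# Added example, not from the bug report or the openSUSE packages.
# Derive the narrowest AppArmor rule for the path dnsmasq could not open,
# instead of disabling AppArmor with "rcapparmor stop".
# ASSUMPTIONS: dnsmasq runs under the profile "usr.sbin.dnsmasq", which
# includes <local/usr.sbin.dnsmasq>.  Check the confinement first with:
#   cat /proc/$(pidof dnsmasq)/attr/current   -> "usr.sbin.dnsmasq (enforce)"

# Constructed copy of the line from the report.
SAMPLE_LOG='May 17 08:53:08 susi dnsmasq[2216]: cannot open or create lease file /var/lib/libvirt/dnsmasq/default.leases: Permission denied'

# Constructed excerpt of a dnsmasq profile that knows nothing about libvirt.
EXISTING_PROFILE='/var/lib/misc/dnsmasq.leases rw,
/var/run/dnsmasq.pid w,'

# Print the path from a dnsmasq "cannot open or create lease file" line.
denied_path() {
    printf '%s\n' "$1" |
        sed -n 's/.*cannot open or create lease file \([^:]*\): Permission denied.*/\1/p'
}

# Propose rules limited to the lease directory: read the directory,
# read/write the files in it.  Nothing is installed; output only.
propose_rule() {
    dir=$(dirname "$1")
    printf '%s/ r,\n%s/* rw,\n' "$dir" "$dir"
}

# Exit 0 if the profile text on stdin already grants write access to the
# path, via an exact-path rule or a "dir/* ...w...," rule.
profile_covers() {
    path=$1
    dir=$(dirname "$path")
    grep -Eq "^[[:space:]]*(${dir}/\*|${path})[[:space:]]+[a-z]*w[a-z]*,"
}

main() {
    p=$(denied_path "$SAMPLE_LOG")
    echo "denied path: $p"
    if printf '%s\n' "$EXISTING_PROFILE" | profile_covers "$p"; then
        echo "profile already allows it; check DAC ownership/mode of $p instead"
    else
        echo "append to /etc/apparmor.d/local/usr.sbin.dnsmasq:"
        propose_rule "$p"
        echo "then reload: apparmor_parser -r /etc/apparmor.d/usr.sbin.dnsmasq"
    fi
}
main
```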
--- Comment #1 from Christoph Thiel
--- Comment #2 from Stefan Seyfried
--- Comment #3 from Christoph Thiel
--- Comment #4 from James Fehlig
--- Comment #5 from Christoph Thiel
--- Comment #6 from Stefan Seyfried
--- Comment #7 from James Fehlig

--- Comment #8 from James Fehlig
> Can we get this fixed? Otherwise, the "disable apparmor for 12.1!!!!1!!11!1!!" trolls on opensuse-factory will likely have another good argument for their case...

Hmm, I was considering building the libvirt apparmor security driver for openSUSE. It was requested for SLE11 SP2, so I've enabled and tested it there, but hesitated for openSUSE since I was under the impression that the community wasn't too keen on apparmor. Seems I was right and should continue disabling the libvirt apparmor driver. I've never had any bugs or requests for it in openSUSE.
--- Comment #9 from Christian Boltz

> Hmm, I was considering building the libvirt apparmor security driver for openSUSE. It was requested for SLE11 SP2 so I've enabled and tested it there, but hesitated for openSUSE since I was under the impression that the community wasn't too keen on apparmor. Seems I was right and should continue disabling the libvirt apparmor driver. I've never had any bugs or requests for it in openSUSE.

My guess is that most users don't even know about the libvirt apparmor support ;-)

If I get http://libvirt.org/drvqemu.html#securitysvirtaa right, libvirt has two sets of protection:
a) protection of the host vs. all guests - that's what openSUSE currently has
b) protection between guests - that's only possible with the libvirt apparmor support enabled

I have to admit I don't really use virtualization, but I'd vote to enable apparmor support in libvirt. The reason is simple - protection between guests sounds very useful to me.

Additionally: If someone doesn't like protection between guests (which would be a strange wish IMHO), he can easily disable it with a config option (security_driver="none" in /etc/libvirt/qemu.conf). OTOH, if libvirt is built without apparmor support, it probably needs to be recompiled to enable this feature. That's a lot more work compared to editing a config file.
--- Comment #10 from James Fehlig

> I have to admit I don't really use virtualization,

As it turns out, I had already enabled building the apparmor driver.

> Additionally: If someone doesn't like protection between guests (which would be a strange wish IMHO), he can easily disable it with a config option (security_driver="none" in /etc/libvirt/qemu.conf).

Right, and that is the default. The apparmor driver has to be enabled in qemu.conf. But apparmor profiles for libvirtd and virt-aa-helper are installed in /etc/apparmor.d/ and will be under apparmor protection (if apparmor is enabled) regardless of the setting in qemu.conf.
--- Comment #11 from Stefan Seyfried
--- Comment #12 from Christian Boltz
--- Comment #13 from Bernhard Wiedemann