[opensuse-factory] libvirt broken?
Hi!
After the last Tumbleweed update starting the VMs does not work anymore:
error: internal error: child reported: Kernel does not provide mount namespace: Permission denied
Any clue how to work around that?
Ciao, Michael.
Michael Ströder wrote:
After the last Tumbleweed update starting the VMs does not work anymore:
error: internal error: child reported: Kernel does not provide mount namespace: Permission denied
Any clue how to work around that?
FYI: Disabling AppArmor "fixed" this.
Ciao, Michael.
Hello,
On Tuesday, 14 March 2017, 17:04:29 CET, Michael Ströder wrote:
Michael Ströder wrote:
After the last Tumbleweed update starting the VMs does not work anymore:
error: internal error: child reported: Kernel does not provide mount namespace: Permission denied
Any clue how to work around that?
FYI: Disabling AppArmor "fixed" this.
This means your /var/log/audit/audit.log contains the information needed to update the AppArmor profile ;-)
Instead of disabling AppArmor, switching the affected profile into complain mode with aa-complain is usually a better idea. Complain mode will allow everything [1] and at the same time fill the audit.log with everything not allowed in the profile yet.
Please open a bug report and include your audit.log. (And, as usual, please report back the bug number here ;-)
Regards,
Christian Boltz
[1] with the exception of explicit "deny" rules - those get enforced even in complain mode
--
Journal is just for "fun" (well, strange values of "fun") for now and the foreseeable future. [Stefan Seyfried in opensuse-factory]
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Hi Michael,
I'd like to fix this, however I can't manage to reproduce it so far. Could you provide the data Christian asked for or get me some detailed steps to reproduce?
Thanks
--
Cedric
On Tue, 2017-03-14 at 17:04 +0100, Michael Ströder wrote:
Michael Ströder wrote:
After the last Tumbleweed update starting the VMs does not work anymore:
error: internal error: child reported: Kernel does not provide mount namespace: Permission denied
Any clue how to work around that?
FYI: Disabling AppArmor "fixed" this.
Ciao, Michael.
Cedric Bosdonnat wrote:
I'd like to fix this, however I can't manage to reproduce it so far. Could you provide the data Christian asked for or get me some detailed steps to reproduce?
Hmm, I've re-installed and re-enabled apparmor and this problem does not occur anymore. In the meantime there were some kernel updates. Maybe one of those updates contains a relevant fix?
Ciao, Michael.
On Tue, 2017-03-14 at 17:04 +0100, Michael Ströder wrote:
Michael Ströder wrote:
After the last Tumbleweed update starting the VMs does not work anymore:
error: internal error: child reported: Kernel does not provide mount namespace: Permission denied
Any clue how to work around that?
FYI: Disabling AppArmor "fixed" this.
Ciao, Michael.
Hi Michael,
Thanks for following up on that bug!
On Sat, 2017-04-01 at 20:58 +0200, Michael Ströder wrote:
Cedric Bosdonnat wrote:
I'd like to fix this, however I can't manage to reproduce it so far. Could you provide the data Christian asked for or get me some detailed steps to reproduce?
Hmm, I've re-installed and re-enabled apparmor and this problem does not occur anymore. In the meantime there were some kernel updates. Maybe one of those updates contains a relevant fix?
That I couldn't say. If you happen to reproduce again, don't hesitate to file a bug with the DENIED messages.
--
Cedric
Cedric Bosdonnat wrote:
Hi Michael,
Thanks for following up on that bug!
On Sat, 2017-04-01 at 20:58 +0200, Michael Ströder wrote:
Cedric Bosdonnat wrote:
I'd like to fix this, however I can't manage to reproduce it so far. Could you provide the data Christian asked for or get me some detailed steps to reproduce?
Hmm, I've re-installed and re-enabled apparmor and this problem does not occur anymore. In the meantime there were some kernel updates. Maybe one of those updates contains a relevant fix?
That I couldn't say. If you happen to reproduce again, don't hesitate to file a bug with the DENIED messages.
Hmmpf! It seems I've not thoroughly tested last time:
# virsh start ae-dir-deb-p1
error: Failed to start domain ae-dir-deb-p1
error: internal error: child reported: Kernel does not provide mount namespace: Permission denied
Here's the DENIED line (see more lines below):
type=AVC msg=audit(1491411990.547:300): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/libvirtd" name="" pid=5413 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Ciao, Michael.
------------------------------ snip ------------------------------
type=VIRT_MACHINE_ID msg=audit(1491411990.375:294): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 vm-ctx=? img-ctx=? model=apparmor exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=ANOM_PROMISCUOUS msg=audit(1491411990.451:295): dev=vnet0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=VIRT_RESOURCE msg=audit(1491411990.515:296): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=net reason=open vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 net=52:54:00:23:42:31 path="/dev/net/tun" rdev=0A:C8 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1491411990.547:297): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=cgroup reason=deny vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 cgroup="/sys/fs/cgroup/devices/machine.slice/machine-qemu\x2d9\x2dae\x2ddir\x2ddeb\x2dp1.scope/" class=all exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1491411990.547:298): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=cgroup reason=allow vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 cgroup="/sys/fs/cgroup/devices/machine.slice/machine-qemu\x2d9\x2dae\x2ddir\x2ddeb\x2dp1.scope/" class=path path="/var/lib/libvirt/images/ae-dir-deb-p1.qcow2" rdev=? acl=rw exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1491411990.547:299): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=cgroup reason=allow vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 cgroup="/sys/fs/cgroup/devices/machine.slice/machine-qemu\x2d9\x2dae\x2ddir\x2ddeb\x2dp1.scope/" class=major category=pty maj=88 acl=rw exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1491411990.547:300): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/libvirtd" name="" pid=5413 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=ANOM_PROMISCUOUS msg=audit(1491411990.571:301): dev=vnet0 prom=0 old_prom=256 auid=4294967295 uid=395 gid=479 ses=4294967295
type=VIRT_RESOURCE msg=audit(1491411990.759:302): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=disk reason=start vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 old-disk="?" new-disk="/var/lib/libvirt/images/ae-dir-deb-p1.qcow2" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1491411990.759:303): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=net reason=start vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 old-net="?" new-net="52:54:00:23:42:31" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1491411990.759:304): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=dev reason=start vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 bus=usb device=555342207265646972646576 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1491411990.759:305): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=dev reason=start vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 bus=usb device=555342207265646972646576 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1491411990.759:306): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=rng reason=start vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 old-rng="?" new-rng="/dev/random" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1491411990.759:307): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=mem reason=start vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 old-mem=0 new-mem=524288 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1491411990.759:308): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=vcpu reason=start vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 old-vcpu=0 new-vcpu=1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_CONTROL msg=audit(1491411990.759:309): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm op=start reason=booted vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 vm-pid=-1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'
Hi Michael,
On Wed, 2017-04-05 at 19:08 +0200, Michael Ströder wrote:
Hmmpf! It seems I've not thoroughly tested last time:
# virsh start ae-dir-deb-p1
error: Failed to start domain ae-dir-deb-p1
error: internal error: child reported: Kernel does not provide mount namespace: Permission denied
To help me reproduce, could you provide me the output of this command and tell me if you changed anything to files in /etc/libvirt?
virsh dumpxml ae-dir-deb-p1
Here's the DENIED line (see more lines below):
type=AVC msg=audit(1491411990.547:300): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/libvirtd" name="" pid=5413 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Could you try adding one of the attach_disconnect and chroot_attach flags in the /etc/apparmor.d/usr.sbin.libvirtd? Theoretically you only need to reload the profile to update it, but I usually also restart libvirtd to be on the safe side. I guess attach_disconnect would work, while I'm not sure about chroot_attach.
Could you please open a bug report in bugzilla to track this down (and assign it to me)?
--
Cedric
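The triage asked for in this thread (pull the AppArmor DENIED records for a profile out of audit.log and spot the "disconnected path" case), as an added example that is not part of the original messages or of libvirt/AppArmor tooling. The function names are illustrative, and SAMPLE holds two records copied from the excerpt posted above.

```python
import re
import shlex
from collections import Counter

# Constructed sample: two records copied from the audit.log excerpt in this thread.
SAMPLE = '''\
type=AVC msg=audit(1491411990.547:300): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/libvirtd" name="" pid=5413 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=VIRT_CONTROL msg=audit(1491411990.759:309): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm op=start reason=booted vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 vm-pid=-1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')

def parse_record(line):
    """Split one audit record into a dict; return None for unparsable lines."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    try:
        tokens = shlex.split(m.group(4))  # honours the "..." and '...' quoting
    except ValueError:                    # unbalanced quotes in a damaged line
        return None
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec

def apparmor_denials(text, profile=None):
    """Return AVC records with apparmor="DENIED", optionally for one profile."""
    out = []
    for line in text.splitlines():
        rec = parse_record(line)
        if not rec or rec["type"] != "AVC" or rec.get("apparmor") != "DENIED":
            continue
        if profile and rec.get("profile") != profile:
            continue
        # Empty name plus this info string: no path could be built for the object.
        rec["disconnected"] = "disconnected path" in rec.get("info", "")
        out.append(rec)
    return out

def summarize(denials):
    """Count denials by (profile, operation, denied_mask, disconnected)."""
    return Counter((d.get("profile"), d.get("operation"), d.get("denied_mask"),
                    d["disconnected"]) for d in denials)

if __name__ == "__main__":
    print(summarize(apparmor_denials(SAMPLE)))
```

On a real system, pass the contents of /var/log/audit/audit.log instead of SAMPLE. In AppArmor profile syntax the flag for disconnected paths is written flags=(attach_disconnected).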
participants (3)
- Cedric Bosdonnat
- Christian Boltz
- Michael Ströder