On Thu, Nov 03, 2022 at 05:23:27PM +0000, Daniel P. Berrangé wrote:
On Thu, Nov 03, 2022 at 12:35:15PM -0400, Andrea Bolognani wrote:
> On Thu, Nov 03, 2022 at 03:39:44PM +0100, Peter Krempa wrote:
> > On Thu, Nov 03, 2022 at 12:13:53 +0100, Andrea Bolognani wrote:
> > > Distros that use AppArmor, such as Debian and Ubuntu, install
> > > QEMU under /usr/bin/qemu-system-*, and our AppArmor profile is
> > > written with that assumption in mind.
> > >
> > > If you try to run the RHEL or CentOS version of libvirt and
> > > QEMU inside a privileged container on such distros, however,
> > > that will result in an error, because the path
> > > /usr/libexec/qemu-kvm is used instead.
> >
> > So IIUC by this patch you modify the profile which gets installed into
> > the Debian/Ubuntu host system by the Debian/Ubuntu package which then in
> > turn allows the non-Debian/Ubuntu libvirt in the container to do it's
> > job?
>
> Pretty much.
>
> > I'm basing the above on the fact that the RHEL/Centos package is
> > compiled with:
> >
> > -Dapparmor=disabled \
> > -Dapparmor_profiles=disabled \
> > -Dsecdriver_apparmor=disabled \
> >
> > By extension, does that mean that you have to install libvirt on your
> > host so that you can in turn run a container (which I'd presume is
> > opaque) with libvirt bundled inside?
>
> It's actually the other way around :)
>
> If you don't have libvirt installed on the Debian/Ubuntu host, then
> the AppArmor profile won't be present and the containerized CentOS
> libvirt will be allowed to start the containerized CentOS QEMU.
>
> If you *do* have libvirt installed on the Debian/Ubuntu host, then
> the AppArmor profile will also be applied to the containerized CentOS
> libvirt and running the containerized CentOS QEMU will be forbidden.
>
> Patching the AppArmor policy is supposed to help with the second
> scenario.
I don't see how this can work properly.
If running with AppArmor, I would expect libvirtd itself needs to be
built with AppArmor, so that when launching a VM it can spawn
virt-aa-helper to create the per-VM customized profile. The CentOS
based libvirt running inside the container will be built without
virt-aa-helper, so won't load this.
I would rather expect that AppArmor does not attempt to control
any processes inside the containers, other than with a generic
'docker' AppArmor profile. It makes no sense for profiles from
the host OS install to apply to stuff in containers, as we can't
assume the host + container installs are the same versions. Are
you sure the KubeVirt problem isn't simply a mis-configuration
of the host environment allowing AppArmor to leak inside the
container.
IIUC a specific profile (cri-containerd.apparmor.d) is used for
unprivileged containers such as virt-launcher, but a privileged one
such as virt-handler falls under the same profile as the host.
This makes some amount of sense to me: unprivileged containers are
already limited in what they can do by the usual restrictions on user
processes. Privileged containers, on the other hand, are effectively
root processes, so it's advisable to be significantly more cautious
with them.
Note that this is just my current understanding of the situation, and
I'm far from an expert when it comes to containers in general and
their interactions with AppArmor in particular. I recommend taking a
look at
https://github.com/kubevirt/kubevirt/pull/8692
and the issues linked therein, which will provide more context coming
from people who actually know what they're talking about :)
Now that I've typed all of the above, I wonder if the problem
wouldn't be better solved by making sure that KubeVirt runs the
libvirtd instance used to figure out node capabilities in an
unprivileged container? Maybe there's something that prevents them
from doing so.
I'll bring up the idea and see what they think of it.
--
Andrea Bolognani / Red Hat / Virtualization