Hello Guido,
I have great news. I'm able to successfully live attach a disk to a running VM with a
loaded apparmor profile.
My setup:
Debian 8
Kernel 4.9.11
Libvirt 3.1.0
Apparmor 2.10 from Debian backports
With the same software and apparmor 2.9 from the stable Debian repo it fails. So apparently
2.10 has upstream fixes/patches which solve the reload profile bug? Hope this new insight
helps you find the commit and backport it to apparmor 2.9 stable?
Thanks,
Frank
Sent from my iPhone
On 24 Mar 2017, at 09:17, Guido Günther <agx(a)sigxcpu.org> wrote:
> On Thu, Mar 23, 2017 at 01:28:57PM +0100, Cedric Bosdonnat wrote:
> Hello Frank,
>
> I'm currently investigating some apparmor-related bug with namespaces. This one
> is surely related. I'll look into it when I'm done with the one I'm working on.
Assuming you're running the Jessie kernel it's likely:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002
To make sure it's the kernel and not libvirt have a look at:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002#51
Cheers,
-- Guido
>
> --
> Cedric
>
>> On Thu, 2017-03-23 at 12:07 +0000, Frank Schreuder wrote:
>> Hello,
>>
>> I'm running libvirt 3.1.0 on a Debian 8 server. I installed apparmor and configured libvirt to use apparmor as
>> security driver.
>> After booting a VM, virsh dumpxml shows an apparmor seclabel.
>>
>> As soon as I try to attach a second disk to the VM, apparmor blocks this.
>>
>> virsh attach-device test-vps /tmp/virshXmlDefinition
>> error: Failed to attach device from /tmp/virshXmlDefinition
>> error: operation failed: Could not open '/mnt/images/disk2.raw': Permission denied
>>
>> Syslog shows me the following:
>> Mar 22 17:45:20 vps0 kernel: [1136647.318314] audit: type=1400 audit(1490201120.577:30): apparmor="DENIED"
>> operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453
>> comm="kvm" requested_mask="r" denied_mask="r" fsuid=996 ouid=33
>> Mar 22 17:45:20 vps0 kernel: [1136647.325155] audit: type=1400 audit(1490201120.577:31): apparmor="DENIED"
>> operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453
>> comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=996 ouid=33
>> Mar 22 17:45:20 vps0 libvirtd[10282]: 2017-03-22 16:45:20.596+0000: 10283: error : qemuMonitorTextAddDrive:1968 :
>> operation failed: Could not open '/mnt/images/disk2.raw': Permission denied
>>
>> In the VM specific apparmor file /etc/apparmor.d/libvirt/libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859.files I see:
>> "/mnt/images/disk1.raw" rw,
>>
>> Which is my primary VM disk. I expected a virsh attach-device to append /mnt/images/disk2.raw to this file and
>> reload/refresh the apparmor profile?
>>
>> I'm not able to attach a live disk to a running VM with apparmor. Am I missing something? Or is this a bug/missing
>> feature in libvirt?
>>
>> Thanks,
>> Frank
>> --
>> libvir-list mailing list
>> libvir-list(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/libvir-list
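Added example (not code from the thread, from libvirt or from AppArmor): a small Python triage helper for the situation Frank describes. It parses kernel AppArmor audit records like the two quoted above, merges the denied masks per profile and path, and emits the file-rule lines the per-VM `.files` fragment would need, then reports which of those the fragment is still missing. The sample log and the one-line profile fragment are constructed from the values quoted in the thread; the rule syntax `"/path" rw,` is the one visible in the `.files` file above. Everything else (function names, the permission-letter ordering) is this example's own choice.

```python
"""Triage helper for AppArmor denials hitting a libvirt guest profile.

Parses kernel audit records (type=1400, apparmor="DENIED"), merges the denied
masks per profile and path, and emits the file-rule lines that the per-VM
fragment /etc/apparmor.d/libvirt/<profile>.files would need to cover them.
Added example, not code from libvirt or AppArmor.
"""
import re
from collections import defaultdict

# Constructed sample: the three syslog lines quoted in the thread, one record
# per line. Only the kernel audit lines carry AppArmor key=value fields.
SAMPLE_LOG = """\
Mar 22 17:45:20 vps0 kernel: [1136647.318314] audit: type=1400 audit(1490201120.577:30): apparmor="DENIED" operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453 comm="kvm" requested_mask="r" denied_mask="r" fsuid=996 ouid=33
Mar 22 17:45:20 vps0 kernel: [1136647.325155] audit: type=1400 audit(1490201120.577:31): apparmor="DENIED" operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453 comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=996 ouid=33
Mar 22 17:45:20 vps0 libvirtd[10282]: 2017-03-22 16:45:20.596+0000: 10283: error : qemuMonitorTextAddDrive:1968 : operation failed: Could not open '/mnt/images/disk2.raw': Permission denied
"""

# Constructed: the content of the VM's .files fragment as described in the thread.
SAMPLE_FILES_PROFILE = '  "/mnt/images/disk1.raw" rw,\n'

# key="quoted value" or key=bareword, as written in AppArmor audit records
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Conventional order of permission letters in an AppArmor file rule (assumption)
PERM_ORDER = "rwaxmklcd"


def parse_audit_record(line):
    """Return the key/value fields of an AppArmor audit record, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    rec = {}
    for m in KV_RE.finditer(line):
        rec[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return rec


def canonical_perms(mask):
    """Order a set of permission letters the way a profile rule would list them."""
    known = [c for c in PERM_ORDER if c in mask]
    unknown = sorted(set(mask) - set(PERM_ORDER))
    return "".join(known + unknown)


def denied_rules(log_text):
    """Map profile name -> sorted file rules covering every DENIED record seen."""
    masks = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_audit_record(line)
        # skip non-AppArmor lines, ALLOWED/complain records and records without a path
        if not rec or rec.get("apparmor") != "DENIED" or "name" not in rec:
            continue
        masks[rec["profile"]][rec["name"]].update(rec.get("denied_mask", ""))
    return {
        profile: sorted(f'"{path}" {canonical_perms(perms)},'
                        for path, perms in paths.items())
        for profile, paths in masks.items()
    }


def rules_in_profile(profile_text):
    """Rule lines already present in a .files fragment, whitespace-normalised."""
    return {" ".join(l.split()) for l in profile_text.splitlines() if l.strip()}


def missing_rules(profile_text, rules):
    """Rules from denied_rules() that the fragment does not yet contain."""
    present = rules_in_profile(profile_text)
    return [r for r in rules if " ".join(r.split()) not in present]


if __name__ == "__main__":
    for profile, rules in denied_rules(SAMPLE_LOG).items():
        print(f"# {profile}")
        for rule in missing_rules(SAMPLE_FILES_PROFILE, rules):
            print(f"  {rule}   # missing from {profile}.files")
```

On the sample input this reports `"/mnt/images/disk2.raw" rw,` as the one rule the fragment lacks, which matches what Frank expected `virsh attach-device` to append. The output is for inspection: libvirt regenerates the `.files` fragment itself, so a hand edit plus a profile reload is only a stopgap while the underlying bug is chased.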