Hi,
there is a behavioral change I am trying to track down that affects virt-aa-helper.
TL;DR:
- it seems backingStore info gets added "later" in recent versions which causes issues in virt-aa-helper
Details:
For a guest containing a qcow2 disk like this:
  <disk type='file' device='disk'>
    <driver name='qemu' type='qcow2'/>
    <source file='/var/lib/uvtool/libvirt/images/kvmguest-artful-normal.qcow'/>
    <target dev='vda' bus='virtio'/>
  </disk>
And said qcow disk having a backing file:
  $ qemu-img info /var/lib/uvtool/libvirt/images/kvmguest-artful-normal.qcow
  image: /var/lib/uvtool/libvirt/images/kvmguest-artful-normal.qcow
  [...]
  backing file: /var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZC5kYWlseTpzZXJ2ZXI6MTcuMTA6cHBjNjRlbCAyMDE3MDcxMw==
Now when instantiating the guest this gets the backingStore info added like:
  <backingStore type='file' index='1'>
    <format type='qcow2'/>
    <source file='/var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZC5kYWlseTpzZXJ2ZXI6MTcuMTA6cHBjNjRlbCAyMDE3MDcxMw=='/>
    <backingStore/>
  </backingStore>
But this now seems to come in "too late" for virt-aa-helper.
That tool reads the guest definition to create custom rules for that guest which open up the apparmor profile.
In relation to the devices, the following in src/security/virt-aa-helper.c is the important part:
it loops over the disks and, for each of them, walks "down" the chain of backing stores:
  src/security/virt-aa-helper.c:929
      for (i = 0; i < ctl->def->ndisks; i++) {
      [...]
  src/security/virt-aa-helper.c:947
          if (virDomainDiskDefForeachPath(disk, true, add_file_path, &buf) < 0)
If you pass virt-aa-helper in libvirt 3.5 a full snippet with backingStore info, it behaves the same as back in 2.5, emitting a rule for the backing store.
But when starting a guest on libvirt 3.5 this no longer works, so it seems that on instantiating the guest
Past (2.5)
1. add backingStore info to guest representation
2. virt-aa-helper parses guest representation and creates rules
3. guest starts fine
changed to now (3.5):
1. virt-aa-helper parses guest representation and creates rules
2. add backingStore info to guest representation
3. guest fails to start as the apparmor rule to allow it access to its backing file is missing.
I've verified that recent libvirt properly adds the backingStore eventually (by disabling the apparmor profile and then starting the guest). Once fully started the live xml representation has the backing store info added.
But as outlined above, at the point virt-aa-helper runs now the necessary backingStore data seems to be missing.
I couldn't find the related change or a way to fix it so far, so any hints are welcome.
--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
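As an added illustration of the ordering problem described in the mail (not code from the mail, from virt-aa-helper, or from libvirt), the Python below mimics the two steps involved: walking a disk's <backingStore> chain from the domain XML the way virDomainDiskDefForeachPath would, and emitting one apparmor path rule per element of the chain. It then shows the fallback the 3.5 ordering lacks: when the XML still has no backingStore, the backing file name can be discovered from the qcow2 header itself. The sample XML is the disk from the mail, the qcow2 header is constructed in-memory, and the rule format ("rwk" for the top image, "rk" for backing files) is an assumption modelled on what virt-aa-helper writes, not taken from the mail.

```python
import os
import struct
import xml.etree.ElementTree as ET

TOP = "/var/lib/uvtool/libvirt/images/kvmguest-artful-normal.qcow"
BACKING = ("/var/lib/uvtool/libvirt/images/"
           "x-uvt-b64-Y29tLnVidW50dS5jbG91ZC5kYWlseTpzZXJ2ZXI6MTcuMTA6cHBjNjRlbCAyMDE3MDcxMw==")

# Constructed sample 1: the disk as defined in the guest XML (what virt-aa-helper
# sees in the 3.5 ordering, before libvirt has probed the backing chain).
DISK_XML_BARE = f"""<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source file='{TOP}'/>
  <target dev='vda' bus='virtio'/>
</disk>"""

# Constructed sample 2: the same disk after libvirt added the backingStore element.
DISK_XML_WITH_CHAIN = f"""<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source file='{TOP}'/>
  <backingStore type='file' index='1'>
    <format type='qcow2'/>
    <source file='{BACKING}'/>
    <backingStore/>
  </backingStore>
  <target dev='vda' bus='virtio'/>
</disk>"""


def chain_from_xml(disk_xml):
    """Return the <source file=...> paths along the disk's backing chain, top image
    first. An empty <backingStore/> marks the end of the chain."""
    node = ET.fromstring(disk_xml)
    paths = []
    while node is not None:
        src = node.find("source")
        if src is not None and src.get("file"):
            paths.append(src.get("file"))
        node = node.find("backingStore")
        if node is not None and not node.attrib and len(node) == 0:
            break  # terminating <backingStore/>
    return paths


QCOW2_MAGIC = b"QFI\xfb"  # 'Q' 'F' 'I' 0xfb, first four bytes of every qcow2 image


def qcow2_backing_file(header):
    """Extract the backing file name from the first cluster of a qcow2 image.
    The header is untrusted input, so the offset/size pair is bounds-checked."""
    if len(header) < 20 or header[:4] != QCOW2_MAGIC:
        return None
    version, bf_offset, bf_size = struct.unpack(">IQI", header[4:20])
    if version not in (2, 3) or bf_size == 0:
        return None
    if bf_size > 1023 or bf_offset + bf_size > len(header):
        raise ValueError("implausible backing file reference in qcow2 header")
    return header[bf_offset:bf_offset + bf_size].decode("utf-8")


def make_qcow2_header(backing_path, cluster=512):
    """Build a minimal constructed qcow2 v3 header carrying a backing file name."""
    name = backing_path.encode("utf-8")
    hdr = bytearray(cluster)
    hdr[0:4] = QCOW2_MAGIC
    struct.pack_into(">IQI", hdr, 4, 3, 104, len(name))  # version 3, name at 104
    hdr[104:104 + len(name)] = name
    return bytes(hdr)


def apparmor_rules(paths):
    """One rule per path: top image read-write, backing files read-only
    (assumed format, modelled on what virt-aa-helper emits)."""
    return [f'  "{p}" {"rwk" if i == 0 else "rk"},' for i, p in enumerate(paths)]


def rules_for_disk(disk_xml, header_bytes=None):
    """Rules for one disk. If the XML lacks backingStore info and the image header
    is available, discover one level of backing file from the header instead."""
    paths = chain_from_xml(disk_xml)
    if len(paths) == 1 and header_bytes is not None:
        backing = qcow2_backing_file(header_bytes)
        if backing:
            if not os.path.isabs(backing):  # relative names resolve beside the image
                backing = os.path.normpath(os.path.join(os.path.dirname(paths[0]), backing))
            paths.append(backing)
    return apparmor_rules(paths)


if __name__ == "__main__":
    print("3.5 ordering, XML only:", *rules_for_disk(DISK_XML_BARE), sep="\n")
    print("2.5 ordering, chain in XML:", *rules_for_disk(DISK_XML_WITH_CHAIN), sep="\n")
    print("XML only + header probe:",
          *rules_for_disk(DISK_XML_BARE, make_qcow2_header(BACKING)), sep="\n")
```

Running it prints a single rule for the bare XML (the guest would then fail exactly as the mail describes), two rules once the backingStore element is present, and two rules again when the header probe supplies the missing backing file. Only one level is probed here; a real chain walk would repeat the probe on each discovered file and bound the depth.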