Hi,
Currently virt-aa-helper has no support for pools, so if you use a volume from a pool like:
<disk type='volume' device='disk'>
<driver name='qemu' type='raw' cache='none'/>
<source pool='internal' volume='foo'/>
<target dev='vdc' bus='virtio'/>
</disk>
Then there is no matching apparmor rule generated to allow qemu to access the related devices.
That goes along a simple pool like:
# create a zpool to use
$ for i in $(seq 1 3); do dd if=/dev/zero of=/tmp/fdisk${i} bs=1M count=1024; done
$ sudo zpool create internal /tmp/fdisk*
# make pool in libvirt and guest disk foo
$ virsh pool-define-as internal zfs
$ virsh pool-start internal
$ virsh vol-create-as internal foo 2G
When libvirt actually builds up the command for qemu what to use based on the pools information it uses the function "virStorageTranslateDiskSourcePool" to learn about the actual path of the disk.
Usually virt-aa-helper tries to stay close to what libvirt does to spawn the guest, because only then the generated rules match what will be used. But in this case this isn't as easy.
The lookup by "virStorageTranslateDiskSourcePool" is done on a virConnectPtr via:
conn->storageDriver->storagePoolLookupByName
That is fine from the code that sets up the guest, but virt-aa-helper has no virConnectPtr context.
Surely virt-aa-helper could connect via e.g. "virConnectOpenReadOnly" but the lifecycle of virt-aa-helper doesn't match that. It is invoked as external program by libvirtd local to the execution of the guest e.g. the qemu. So adding a connection via a socket makes not much sense. Also in this environment the connect URI is not set and also not passed to virt-aa-helper so we can't be sure we have "the same".
I found that while trying to implement that, but I don't like the preliminary change [1] for the reasons I identified and outlined above. It initializes the storage drivers correctly, but then fails to look up [2] and since I doubt it is the right way for the environment and lifecycle of virt-aa-helper I don't want to go down that way before having a discussion about it.
Therefore I wanted to ask for some guidance:
1. is there a reasonable way to be able to call virStorageTranslateDiskSourcePool from virt-aa-helper
2. maybe I overlook a path to get to a valid virConnectPtr from the virDomainDefPtr or any other in [3] that virt-aa-helper aready has.
3. what would be an alternative to be able to translate pool/volume info to real paths from virt-aa-helper
[3]: http://paste.ubuntu.com/25570720/
--
Christian EhrhardtSoftware Engineer, Ubuntu Server
Canonical Ltd