On Thu, Mar 30, 2017 at 03:00:06PM +0000, Frank Schreuder wrote:
> Hello Guido,
>
> I have great news. I'm able to successfully live attach a disk to a running VM with a
> loaded apparmor profile.
>
> My setup:
> Debian 8
> Kernel 4.9.11
> Libvirt 3.1.0
> Apparmor 2.10 from Debian backports
>
> With the same software and apparmor 2.9 from the stable Debian repo it fails. So apparently
> 2.10 has upstream fixes/patches which solve the reload profile bug? Hope this new insight
> helps you find the commit and backport it to apparmor 2.9 stable?

Thanks for reporting, I added a note to #805002. It's unlikely we'll
have a backport of both the kernel changes and apparmor for Jessie but we
can make things work for stretch (which currently shows a different
error I'll have to look into).

Cheers,
 -- Guido

> Thanks,
> Frank
>
> Sent from my iPhone
>> On 24 Mar 2017, at 09:17, Guido Günther <agx(a)sigxcpu.org> wrote:
>>
>>> On Thu, Mar 23, 2017 at 01:28:57PM +0100, Cedric Bosdonnat wrote:
>>> Hello Frank,
>>>
>>> I'm currently investigating some apparmor-related bug with namespaces. This one
>>> is surely related. I'll look into it when I'm done with the one I'm working on.
>>
>> Assuming you're running the Jessie kernel it's likely:
>>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002
>>
>> To make sure it's the kernel and not libvirt have a look at:
>>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002#51
>>
>> Cheers,
>> -- Guido
>>
>>>
>>> --
>>> Cedric
>>>
>>>> On Thu, 2017-03-23 at 12:07 +0000, Frank Schreuder wrote:
>>>> Hello,
>>>>
>>>> I'm running libvirt 3.1.0 on a Debian 8 server. I installed apparmor and configured libvirt to use apparmor as
>>>> security driver.
>>>> After booting a VM, virsh dumpxml shows an apparmor seclabel.
>>>>
>>>> As soon as I try to attach a second disk to the VM, apparmor blocks this.
>>>>
>>>> virsh attach-device test-vps /tmp/virshXmlDefinition
>>>> error: Failed to attach device from /tmp/virshXmlDefinition
>>>> error: operation failed: Could not open '/mnt/images/disk2.raw': Permission denied
>>>>
>>>> Syslog shows me the following:
>>>> Mar 22 17:45:20 vps0 kernel: [1136647.318314] audit: type=1400 audit(1490201120.577:30): apparmor="DENIED" operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453 comm="kvm" requested_mask="r" denied_mask="r" fsuid=996 ouid=33
>>>> Mar 22 17:45:20 vps0 kernel: [1136647.325155] audit: type=1400 audit(1490201120.577:31): apparmor="DENIED" operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453 comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=996 ouid=33
>>>> Mar 22 17:45:20 vps0 libvirtd[10282]: 2017-03-22 16:45:20.596+0000: 10283: error : qemuMonitorTextAddDrive:1968 : operation failed: Could not open '/mnt/images/disk2.raw': Permission denied
>>>>
>>>> In the VM specific apparmor file /etc/apparmor.d/libvirt/libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859.files I see:
>>>> "/mnt/images/disk1.raw" rw,
>>>>
>>>> which is my primary VM disk. I expected a virsh attach-device to append /mnt/images/disk2.raw to this file and
>>>> reload/refresh the apparmor profile?
>>>>
>>>> I'm not able to attach a live disk to a running VM with apparmor. Am I missing something? Or is this a bug/missing
>>>> feature in libvirt?
>>>>
>>>> Thanks,
>>>> Frank
>>>> --
>>>> libvir-list mailing list
>>>> libvir-list(a)redhat.com
>>>> https://www.redhat.com/mailman/listinfo/libvir-list
>>>
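A small triage script for the symptom described in this thread, added here as an example (it is not code from libvirt, AppArmor or any of the posters). It parses the kernel audit lines of the kind Frank quoted, reads the per-VM libvirt-<uuid>.files rule list, and reports every denied path/mask that no rule in that file covers. If the hot-plugged disk shows up in the output, the profile was not regenerated and reloaded for the attach, which is exactly the situation in the report. The two kernel lines are the ones quoted above; the third audit line and the profile excerpt are constructed for the example. Globbing is approximated with fnmatch, which is an assumption: AppArmor's own glob semantics (for instance `**` versus `*`) are not reproduced exactly.

```python
"""Check AppArmor DENIED audit lines against a libvirt per-VM .files rule list.

Added example, not code from libvirt or AppArmor. fnmatch is used as an
approximation of AppArmor path globbing (assumption, see lead-in).
"""
import fnmatch
import re
from typing import Dict, List

# key="quoted value" or key=bare-value pairs as emitted by the AppArmor audit subsystem
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# rule lines in a libvirt .files file look like:   "/path/to/disk.raw" rw,
_RULE_RE = re.compile(r'^\s*"?([^"\s]+)"?\s+([a-zA-Z]+),\s*$')

PROFILE = "libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859"

# First two lines are the kernel messages quoted in the thread; the third is
# constructed to show that denials for other profiles are ignored.
SAMPLE_AUDIT = [
    'Mar 22 17:45:20 vps0 kernel: [1136647.318314] audit: type=1400 audit(1490201120.577:30): '
    'apparmor="DENIED" operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" '
    'name="/mnt/images/disk2.raw" pid=13453 comm="kvm" requested_mask="r" denied_mask="r" fsuid=996 ouid=33',
    'Mar 22 17:45:20 vps0 kernel: [1136647.325155] audit: type=1400 audit(1490201120.577:31): '
    'apparmor="DENIED" operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" '
    'name="/mnt/images/disk2.raw" pid=13453 comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=996 ouid=33',
    'Mar 22 17:46:01 vps0 kernel: [1136688.000000] audit: type=1400 audit(1490201161.000:32): '
    'apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" '
    'name="/srv/other.raw" pid=14000 comm="kvm" requested_mask="r" denied_mask="r" fsuid=996 ouid=33',
]

# Constructed excerpt of /etc/apparmor.d/libvirt/libvirt-<uuid>.files, matching the report.
SAMPLE_PROFILE = '''# constructed excerpt, only the primary disk is listed
  "/mnt/images/disk1.raw" rw,
'''


def parse_audit_line(line: str) -> Dict[str, str]:
    """Extract key=value fields (quoted or bare) from one AppArmor audit line."""
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def parse_profile_rules(text: str) -> Dict[str, str]:
    """Map each path or glob in a .files rule list to its permission letters."""
    rules: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip().startswith("#"):
            continue
        m = _RULE_RE.match(line)
        if m:
            rules[m.group(1)] = m.group(2)
    return rules


def path_permitted(path: str, mask: str, rules: Dict[str, str]) -> bool:
    """True if some rule matches the path and grants every letter of the denied mask."""
    for pattern, perms in rules.items():
        if fnmatch.fnmatchcase(path, pattern) and all(c in perms for c in mask):
            return True
    return False


def uncovered_denials(audit_lines: List[str], profile_text: str, profile_name: str) -> List[str]:
    """Return 'path:mask' entries denied under profile_name that no rule in the file covers."""
    rules = parse_profile_rules(profile_text)
    result: List[str] = []
    for line in audit_lines:
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile_name:
            continue
        entry = f"{f.get('name', '')}:{f.get('denied_mask', '')}"
        if entry not in result and not path_permitted(f.get("name", ""), f.get("denied_mask", ""), rules):
            result.append(entry)
    return result


if __name__ == "__main__":
    for entry in uncovered_denials(SAMPLE_AUDIT, SAMPLE_PROFILE, PROFILE):
        print("not covered by profile:", entry)
```

In a real triage you would feed it `journalctl -k` output (or `/var/log/syslog`) and the actual `.files` file for the VM's UUID; a denial that is still reported after libvirt claims the attach succeeded points at the profile-reload problem rather than at ordinary file permissions.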