On Thu, Mar 30, 2017 at 03:00:06PM +0000, Frank Schreuder wrote:
Hello Guido,
I have great news. I'm able to successfully live attach a disk to a running VM with a loaded apparmor profile.
My setup: Debian 8 Kernel 4.9.11 Libvirt 3.1.0 Apparmor 2.10 from Debian backports
With same software and apparmor 2.9 from the stable Debian repo it fails. So apparently 2.10 has upstream fixes/patches which solve the reload profile bug? Hope this new insight helps you find the commit and backport it to apparmor 2.9 stable?
Thanks for reporting, I added a note to #805002. It's unlikely we'll have a backport of both the kernel changes and appamor for Jessie but we can make things work for stretch (which currently shows a different error I'll have to look into). Cheers, -- Guido
Thanks, Frank
Sent from my iPhone
On 24 Mar 2017, at 09:17, Guido Günther <agx@sigxcpu.org> wrote:
On Thu, Mar 23, 2017 at 01:28:57PM +0100, Cedric Bosdonnat wrote: Hello Frank,
I'm currently investigating some apparmor-related bug with namespaces. This one is surely related. I'll look into it when I'm done with the one I'm working on.
Assuming you're running the Jessie Kernel its likely:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002
To make sure it's the kernel and not libvirt have a look at:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002#51
Cheers, -- Guido
-- Cedric
On Thu, 2017-03-23 at 12:07 +0000, Frank Schreuder wrote: Hello,
I'm running libvirt 3.1.0 on a Debian 8 server. I installed apparmor and configured libvirt to use apparmor as security driver. After booting a VM, virsh dumpxml shows an apparmor seclabel.
As soon as I try to attach a second disk to the VM, apparmor blocks this.
virsh attach-device test-vps /tmp/virshXmlDefinition error: Failed to attach device from /tmp/virshXmlDefinition error: operation failed: Could not open '/mnt/images/disk2.raw': Permission denied
Syslogs shows me the following: Mar 22 17:45:20 vps0 kernel: [1136647.318314] audit: type=1400 audit(1490201120.577:30): apparmor="DENIED" operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453 comm="kvm" requested_mask="r" denied_mask="r" fsuid=996 ouid=33 Mar 22 17:45:20 vps0 kernel: [1136647.325155] audit: type=1400 audit(1490201120.577:31): apparmor="DENIED" operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453 comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=996 ouid=33 Mar 22 17:45:20 vps0 libvirtd[10282]: 2017-03-22 16:45:20.596+0000: 10283: error : qemuMonitorTextAddDrive:1968 : operation failed: Could not open '/mnt/images/disk2.raw': Permission denied
In the VM specific apparmor file /etc/apparmor.d/libvirt/libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859.files I see: "/mnt/images/disk1.raw" rw,
Which is my primary VM disk, I expected a virsh attach-device to append /mnt/images/disk2.raw to this file and reload/refresh the apparmor profile?
I'm not able to attach a live disk to a running VM with apparmor. Am I missing something? Or is this a bug/missing feature in libvirt?
Thanks, Frank -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list