[libvirt] Live attaching a disk to a VM fails with apparmor enabled

Hello,

I'm running libvirt 3.1.0 on a Debian 8 server. I installed apparmor and configured libvirt to use apparmor as security driver. After booting a VM, virsh dumpxml shows an apparmor seclabel.

As soon as I try to attach a second disk to the VM, apparmor blocks this.

virsh attach-device test-vps /tmp/virshXmlDefinition
error: Failed to attach device from /tmp/virshXmlDefinition
error: operation failed: Could not open '/mnt/images/disk2.raw': Permission denied

Syslog shows me the following:

Mar 22 17:45:20 vps0 kernel: [1136647.318314] audit: type=1400 audit(1490201120.577:30): apparmor="DENIED" operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453 comm="kvm" requested_mask="r" denied_mask="r" fsuid=996 ouid=33
Mar 22 17:45:20 vps0 kernel: [1136647.325155] audit: type=1400 audit(1490201120.577:31): apparmor="DENIED" operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453 comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=996 ouid=33
Mar 22 17:45:20 vps0 libvirtd[10282]: 2017-03-22 16:45:20.596+0000: 10283: error : qemuMonitorTextAddDrive:1968 : operation failed: Could not open '/mnt/images/disk2.raw': Permission denied

In the VM-specific apparmor file /etc/apparmor.d/libvirt/libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859.files I see:

"/mnt/images/disk1.raw" rw,

which is my primary VM disk. I expected a virsh attach-device to append /mnt/images/disk2.raw to this file and reload/refresh the apparmor profile?

I'm not able to attach a live disk to a running VM with apparmor. Am I missing something? Or is this a bug/missing feature in libvirt?

Thanks,
Frank
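As an added example (not part of this thread, and not libvirt's or AppArmor's own code), here is a small triage script for the situation described in the report above: it parses apparmor="DENIED" audit records such as the two kernel lines quoted, unions the denied permission letters per profile and path, and checks whether the domain's .files profile already carries a rule granting them. The two denial lines are taken from the report; the third log line and the profile content are constructed stand-ins. The /etc/apparmor.d/libvirt/<profile>.files location, the rule letter ordering and the restriction to literal (non-glob) paths are assumptions made for the example.

```python
"""Triage AppArmor "DENIED" audit records from a libvirt/QEMU host.

Added example for this thread; it is not code from libvirt or AppArmor.
Assumptions not stated in the thread: the key="value" layout of the
type=1400 audit lines as seen in the post, libvirt naming each domain's
profile libvirt-<uuid>, and the rule file living at
/etc/apparmor.d/libvirt/<profile>.files with one quoted path per rule.
"""
import re
from collections import defaultdict

# Matches key=value and key="quoted value" pairs in an audit record.
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Lines 1-2 are the denials quoted in the thread; line 3 is a constructed
# unrelated kernel line to show that non-AppArmor records are ignored.
SAMPLE_LOG = """\
Mar 22 17:45:20 vps0 kernel: [1136647.318314] audit: type=1400 audit(1490201120.577:30): apparmor="DENIED" operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453 comm="kvm" requested_mask="r" denied_mask="r" fsuid=996 ouid=33
Mar 22 17:45:20 vps0 kernel: [1136647.325155] audit: type=1400 audit(1490201120.577:31): apparmor="DENIED" operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453 comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=996 ouid=33
Mar 22 17:45:21 vps0 kernel: [1136647.400000] usb 1-1: new high-speed USB device number 4 (constructed)
"""

# Constructed stand-in for the per-domain .files content quoted in the post.
SAMPLE_PROFILE_FILES = '"/mnt/images/disk1.raw" rw,\n'

PROFILE_DIR = "/etc/apparmor.d/libvirt"  # assumption: Debian layout from the post


def parse_denials(log_text):
    """Return one {field: value} dict per apparmor="DENIED" record."""
    records = []
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for m in _FIELD_RE.finditer(line):
            key, quoted, bare = m.group(1), m.group(3), m.group(4)
            fields[key] = quoted if quoted is not None else bare
        records.append(fields)
    return records


def summarize(records):
    """Union the denied permission letters per (profile, path)."""
    needed = defaultdict(set)
    for r in records:
        if "profile" in r and "name" in r and "denied_mask" in r:
            needed[(r["profile"], r["name"])].update(r["denied_mask"])
    return dict(needed)


def profile_rule(path, mask):
    """Render a rule line in the form the .files file uses: "path" perms,"""
    order = "rwalkmx"  # assumption: conventional AppArmor letter order
    letters = "".join(c for c in order if c in mask)
    letters += "".join(sorted(set(mask) - set(order)))
    return f'"{path}" {letters},'


def rule_present(profile_text, path, mask):
    """True if a rule names exactly `path` and grants every letter in `mask`.

    Only literal quoted paths are checked; AppArmor globs are not expanded.
    """
    rule_re = re.compile(r'^\s*"([^"]+)"\s+([A-Za-z]+),\s*$', re.M)
    for m in rule_re.finditer(profile_text):
        if m.group(1) == path and set(mask) <= set(m.group(2)):
            return True
    return False


def profile_files_path(profile):
    return f"{PROFILE_DIR}/{profile}.files"


def read_profile_files(profile):
    """Load a profile's .files from disk; empty text if it cannot be read."""
    try:
        with open(profile_files_path(profile)) as fh:
            return fh.read()
    except OSError:
        return ""


def triage(log_text, load_profile=read_profile_files):
    """Return [(profile_files_path, missing_rule)] for uncovered denials."""
    findings = []
    for (profile, path), mask in summarize(parse_denials(log_text)).items():
        if not rule_present(load_profile(profile), path, mask):
            findings.append((profile_files_path(profile), profile_rule(path, mask)))
    return findings


if __name__ == "__main__":
    # Runs against the embedded samples; on a real host pass sys.stdin.read()
    # and keep the default loader so the real .files profile is consulted.
    for files_path, rule in triage(SAMPLE_LOG, lambda _p: SAMPLE_PROFILE_FILES):
        print(f"{files_path} lacks: {rule}")
```

The output confirms the diagnosis in the report (the per-domain profile grants disk1.raw but has no rule for disk2.raw); it is not a fix. libvirt is expected to regenerate the .files file and reload the profile on attach (which the thread later confirms works with apparmor 2.10), so hand-appending the printed rule only masks the reload problem, and widening the rule to a directory glob such as /mnt/images/** would let every guest on the host open every other guest's disk, which is exactly the isolation the per-domain profile exists to provide.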

Hello Frank,

I'm currently investigating some apparmor-related bug with namespaces. This one is surely related. I'll look into it when I'm done with the one I'm working on.

--
Cedric

On Thu, 2017-03-23 at 12:07 +0000, Frank Schreuder wrote:
> I'm running libvirt 3.1.0 on a Debian 8 server. I installed apparmor and configured libvirt to use apparmor as security driver. After booting a VM, virsh dumpxml shows an apparmor seclabel.
> As soon as I try to attach a second disk to the VM, apparmor blocks this.
> [...]
> I'm not able to attach a live disk to a running VM with apparmor. Am I missing something? Or is this a bug/missing feature in libvirt?

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Hello Cedric,

Please let me know if you need any additional information. I would also be able to help you test patches regarding this issue. I'm looking forward to your findings.

Thanks,
Frank

________________________________
From: Cedric Bosdonnat <cbosdonnat@suse.com>
Sent: Thursday, 23 March 2017 13:28:57
To: Frank Schreuder; libvir-list@redhat.com
Subject: Re: [libvirt] Live attaching a disk to a VM fails with apparmor enabled

Hello Frank,

I'm currently investigating some apparmor-related bug with namespaces. This one is surely related. I'll look into it when I'm done with the one I'm working on.

--
Cedric

On Thu, 2017-03-23 at 12:07 +0000, Frank Schreuder wrote:
> [...]

On Thu, Mar 23, 2017 at 01:28:57PM +0100, Cedric Bosdonnat wrote:
> Hello Frank,
> I'm currently investigating some apparmor-related bug with namespaces. This one is surely related. I'll look into it when I'm done with the one I'm working on.

Assuming you're running the Jessie kernel it's likely:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002

To make sure it's the kernel and not libvirt have a look at:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002#51

Cheers,
--
Guido

> --
> Cedric
> On Thu, 2017-03-23 at 12:07 +0000, Frank Schreuder wrote:
> > [...]

Hello Guido,

I have great news. I'm able to successfully live attach a disk to a running VM with a loaded apparmor profile.

My setup:
Debian 8
Kernel 4.9.11
Libvirt 3.1.0
Apparmor 2.10 from Debian backports

With the same software and apparmor 2.9 from the stable Debian repo it fails. So apparently 2.10 has upstream fixes/patches which solve the reload profile bug? Hope this new insight helps you find the commit and backport it to apparmor 2.9 stable?

Thanks,
Frank

Sent from my iPhone

On 24 Mar 2017, at 09:17, Guido Günther <agx@sigxcpu.org> wrote:
> Assuming you're running the Jessie kernel it's likely:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002
> To make sure it's the kernel and not libvirt have a look at:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002#51
> [...]

On Thu, Mar 30, 2017 at 03:00:06PM +0000, Frank Schreuder wrote:
> Hello Guido,
> I have great news. I'm able to successfully live attach a disk to a running VM with a loaded apparmor profile.
> My setup:
> Debian 8
> Kernel 4.9.11
> Libvirt 3.1.0
> Apparmor 2.10 from Debian backports
> With the same software and apparmor 2.9 from the stable Debian repo it fails. So apparently 2.10 has upstream fixes/patches which solve the reload profile bug? Hope this new insight helps you find the commit and backport it to apparmor 2.9 stable?

Thanks for reporting, I added a note to #805002. It's unlikely we'll have a backport of both the kernel changes and apparmor for Jessie but we can make things work for stretch (which currently shows a different error I'll have to look into).

Cheers,
--
Guido

> Thanks,
> Frank
> Sent from my iPhone
> On 24 Mar 2017, at 09:17, Guido Günther <agx@sigxcpu.org> wrote:
> > [...]
Participants (3): Cedric Bosdonnat, Frank Schreuder, Guido Günther