7:07 a.m.
Hello,
I'm running libvirt 3.1.0 on a Debian 8 server. I installed apparmor and configured
libvirt to use apparmor as security driver.
After booting a VM, virsh dumpxml shows an apparmor seclabel.
As soon as I try to attach a second disk to the VM, apparmor blocks this.
virsh attach-device test-vps /tmp/virshXmlDefinition
error: Failed to attach device from /tmp/virshXmlDefinition
error: operation failed: Could not open '/mnt/images/disk2.raw': Permission
denied
Syslogs shows me the following:
Mar 22 17:45:20 vps0 kernel: [1136647.318314] audit: type=1400 audit(1490201120.577:30):
apparmor="DENIED" operation="open"
profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859"
name="/mnt/images/disk2.raw" pid=13453 comm="kvm"
requested_mask="r" denied_mask="r" fsuid=996 ouid=33
Mar 22 17:45:20 vps0 kernel: [1136647.325155] audit: type=1400 audit(1490201120.577:31):
apparmor="DENIED" operation="open"
profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859"
name="/mnt/images/disk2.raw" pid=13453 comm="kvm"
requested_mask="rw" denied_mask="rw" fsuid=996 ouid=33
Mar 22 17:45:20 vps0 libvirtd[10282]: 2017-03-22 16:45:20.596+0000: 10283: error :
qemuMonitorTextAddDrive:1968 : operation failed: Could not open
'/mnt/images/disk2.raw': Permission denied
In the VM specific apparmor file
/etc/apparmor.d/libvirt/libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859.files I see:
"/mnt/images/disk1.raw" rw,
Which is my primary VM disk, I expected a virsh attach-device to append
/mnt/images/disk2.raw to this file and reload/refresh the apparmor profile?
I'm not able to attach a live disk to a running VM with apparmor. Am I missing
something? Or is this a bug/missing feature in libvirt?
Thanks,
Frank
7:28 a.m.
Hello Frank,
I'm currently investigating some apparmor-related bug with namespaces. This one
is surely related. I'll look into it when I'm done with the one I'm working
on.
--
Cedric
On Thu, 2017-03-23 at 12:07 +0000, Frank Schreuder wrote:
Hello,
I'm running libvirt 3.1.0 on a Debian 8 server. I installed apparmor and configured
libvirt to use apparmor as
security driver.
After booting a VM, virsh dumpxml shows an apparmor seclabel.
As soon as I try to attach a second disk to the VM, apparmor blocks this.
virsh attach-device test-vps /tmp/virshXmlDefinition
error: Failed to attach device from /tmp/virshXmlDefinition
error: operation failed: Could not open '/mnt/images/disk2.raw': Permission
denied
Syslogs shows me the following:
Mar 22 17:45:20 vps0 kernel: [1136647.318314] audit: type=1400 audit(1490201120.577:30):
apparmor="DENIED"
operation="open"
profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859"
name="/mnt/images/disk2.raw" pid=13453
comm="kvm" requested_mask="r" denied_mask="r" fsuid=996
ouid=33
Mar 22 17:45:20 vps0 kernel: [1136647.325155] audit: type=1400 audit(1490201120.577:31):
apparmor="DENIED"
operation="open"
profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859"
name="/mnt/images/disk2.raw" pid=13453
comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=996
ouid=33
Mar 22 17:45:20 vps0 libvirtd[10282]: 2017-03-22 16:45:20.596+0000: 10283: error :
qemuMonitorTextAddDrive:1968 :
operation failed: Could not open '/mnt/images/disk2.raw': Permission denied
In the VM specific apparmor file
/etc/apparmor.d/libvirt/libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859.files I see:
"/mnt/images/disk1.raw" rw,
Which is my primary VM disk, I expected a virsh attach-device to append
/mnt/images/disk2.raw to this file and
reload/refresh the apparmor profile?
I'm not able to attach a live disk to a running VM with apparmor. Am I missing
something? Or is this a bug/missing
feature in libvirt?
Thanks,
Frank
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
7:36 a.m.
Hello Cedric,
Please let me know if you need any additional information. I would also be able to help
you test patches regarding this issue.
I'm looking forward to your findings.
Thanks,
Frank
________________________________
Van: Cedric Bosdonnat <cbosdonnat(a)suse.com>
Verzonden: donderdag 23 maart 2017 13:28:57
Aan: Frank Schreuder; libvir-list(a)redhat.com
Onderwerp: Re: [libvirt] Live attaching a disk to a VM fails with apparmor enabled
Hello Frank,
I'm currently investigating some apparmor-related bug with namespaces. This one
is surely related. I'll look into it when I'm done with the one I'm working
on.
--
Cedric
On Thu, 2017-03-23 at 12:07 +0000, Frank Schreuder wrote:
Hello,
I'm running libvirt 3.1.0 on a Debian 8 server. I installed apparmor and configured
libvirt to use apparmor as
security driver.
After booting a VM, virsh dumpxml shows an apparmor seclabel.
As soon as I try to attach a second disk to the VM, apparmor blocks this.
virsh attach-device test-vps /tmp/virshXmlDefinition
error: Failed to attach device from /tmp/virshXmlDefinition
error: operation failed: Could not open '/mnt/images/disk2.raw': Permission
denied
Syslogs shows me the following:
Mar 22 17:45:20 vps0 kernel: [1136647.318314] audit: type=1400 audit(1490201120.577:30):
apparmor="DENIED"
operation="open"
profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859"
name="/mnt/images/disk2.raw" pid=13453
comm="kvm" requested_mask="r" denied_mask="r" fsuid=996
ouid=33
Mar 22 17:45:20 vps0 kernel: [1136647.325155] audit: type=1400 audit(1490201120.577:31):
apparmor="DENIED"
operation="open"
profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859"
name="/mnt/images/disk2.raw" pid=13453
comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=996
ouid=33
Mar 22 17:45:20 vps0 libvirtd[10282]: 2017-03-22 16:45:20.596+0000: 10283: error :
qemuMonitorTextAddDrive:1968 :
operation failed: Could not open '/mnt/images/disk2.raw': Permission denied
In the VM specific apparmor file
/etc/apparmor.d/libvirt/libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859.files I see:
"/mnt/images/disk1.raw" rw,
Which is my primary VM disk, I expected a virsh attach-device to append
/mnt/images/disk2.raw to this file and
reload/refresh the apparmor profile?
I'm not able to attach a live disk to a running VM with apparmor. Am I missing
something? Or is this a bug/missing
feature in libvirt?
Thanks,
Frank
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
3:17 a.m.
On Thu, Mar 23, 2017 at 01:28:57PM +0100, Cedric Bosdonnat wrote:
Hello Frank,
I'm currently investigating some apparmor-related bug with namespaces. This one
is surely related. I'll look into it when I'm done with the one I'm working
on.
Assuming you're running the Jessie Kernel its likely:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002
To make sure it's the kernel and not libvirt have a look at:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002#51
Cheers,
-- Guido
--
Cedric
On Thu, 2017-03-23 at 12:07 +0000, Frank Schreuder wrote:
> Hello,
>
> I'm running libvirt 3.1.0 on a Debian 8 server. I installed apparmor and
configured libvirt to use apparmor as
> security driver.
> After booting a VM, virsh dumpxml shows an apparmor seclabel.
>
> As soon as I try to attach a second disk to the VM, apparmor blocks this.
>
> virsh attach-device test-vps /tmp/virshXmlDefinition
> error: Failed to attach device from /tmp/virshXmlDefinition
> error: operation failed: Could not open '/mnt/images/disk2.raw': Permission
denied
>
> Syslogs shows me the following:
> Mar 22 17:45:20 vps0 kernel: [1136647.318314] audit: type=1400
audit(1490201120.577:30): apparmor="DENIED"
> operation="open"
profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859"
name="/mnt/images/disk2.raw" pid=13453
> comm="kvm" requested_mask="r" denied_mask="r"
fsuid=996 ouid=33
> Mar 22 17:45:20 vps0 kernel: [1136647.325155] audit: type=1400
audit(1490201120.577:31): apparmor="DENIED"
> operation="open"
profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859"
name="/mnt/images/disk2.raw" pid=13453
> comm="kvm" requested_mask="rw" denied_mask="rw"
fsuid=996 ouid=33
> Mar 22 17:45:20 vps0 libvirtd[10282]: 2017-03-22 16:45:20.596+0000: 10283: error :
qemuMonitorTextAddDrive:1968 :
> operation failed: Could not open '/mnt/images/disk2.raw': Permission denied
>
> In the VM specific apparmor file
/etc/apparmor.d/libvirt/libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859.files I see:
> "/mnt/images/disk1.raw" rw,
>
> Which is my primary VM disk, I expected a virsh attach-device to append
/mnt/images/disk2.raw to this file and
> reload/refresh the apparmor profile?
>
> I'm not able to attach a live disk to a running VM with apparmor. Am I missing
something? Or is this a bug/missing
> feature in libvirt?
>
> Thanks,
> Frank
> --
> libvir-list mailing list
> libvir-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
10 a.m.
Hello Guido,
I have great news. I'm able to successfully live attach a disk to a running VM with a
loaded apparmor profile.
My setup:
Debian 8
Kernel 4.9.11
Libvirt 3.1.0
Apparmor 2.10 from Debian backports
With same software and apparmor 2.9 from the stable Debian repo it fails. So apparently
2.10 has upstream fixes/patches which solve the reload profile bug? Hope this new insight
helps you find the commit and backport it to apparmor 2.9 stable?
Thanks,
Frank
Sent from my iPhone
On 24 Mar 2017, at 09:17, Guido Günther <agx(a)sigxcpu.org>
wrote:
> On Thu, Mar 23, 2017 at 01:28:57PM +0100, Cedric Bosdonnat wrote:
> Hello Frank,
>
> I'm currently investigating some apparmor-related bug with namespaces. This one
> is surely related. I'll look into it when I'm done with the one I'm
working on.
Assuming you're running the Jessie Kernel its likely:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002
To make sure it's the kernel and not libvirt have a look at:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002#51
Cheers,
-- Guido
>
> --
> Cedric
>
>> On Thu, 2017-03-23 at 12:07 +0000, Frank Schreuder wrote:
>> Hello,
>>
>> I'm running libvirt 3.1.0 on a Debian 8 server. I installed apparmor and
configured libvirt to use apparmor as
>> security driver.
>> After booting a VM, virsh dumpxml shows an apparmor seclabel.
>>
>> As soon as I try to attach a second disk to the VM, apparmor blocks this.
>>
>> virsh attach-device test-vps /tmp/virshXmlDefinition
>> error: Failed to attach device from /tmp/virshXmlDefinition
>> error: operation failed: Could not open '/mnt/images/disk2.raw':
Permission denied
>>
>> Syslogs shows me the following:
>> Mar 22 17:45:20 vps0 kernel: [1136647.318314] audit: type=1400
audit(1490201120.577:30): apparmor="DENIED"
>> operation="open"
profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859"
name="/mnt/images/disk2.raw" pid=13453
>> comm="kvm" requested_mask="r" denied_mask="r"
fsuid=996 ouid=33
>> Mar 22 17:45:20 vps0 kernel: [1136647.325155] audit: type=1400
audit(1490201120.577:31): apparmor="DENIED"
>> operation="open"
profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859"
name="/mnt/images/disk2.raw" pid=13453
>> comm="kvm" requested_mask="rw" denied_mask="rw"
fsuid=996 ouid=33
>> Mar 22 17:45:20 vps0 libvirtd[10282]: 2017-03-22 16:45:20.596+0000: 10283: error
: qemuMonitorTextAddDrive:1968 :
>> operation failed: Could not open '/mnt/images/disk2.raw': Permission
denied
>>
>> In the VM specific apparmor file
/etc/apparmor.d/libvirt/libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859.files I see:
>> "/mnt/images/disk1.raw" rw,
>>
>> Which is my primary VM disk, I expected a virsh attach-device to append
/mnt/images/disk2.raw to this file and
>> reload/refresh the apparmor profile?
>>
>> I'm not able to attach a live disk to a running VM with apparmor. Am I
missing something? Or is this a bug/missing
>> feature in libvirt?
>>
>> Thanks,
>> Frank
>> --
>> libvir-list mailing list
>> libvir-list(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/libvir-list
>
> --
> libvir-list mailing list
> libvir-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
>
1:15 a.m.
On Thu, Mar 30, 2017 at 03:00:06PM +0000, Frank Schreuder wrote:
Hello Guido,
I have great news. I'm able to successfully live attach a disk to a running VM with a
loaded apparmor profile.
My setup:
Debian 8
Kernel 4.9.11
Libvirt 3.1.0
Apparmor 2.10 from Debian backports
With same software and apparmor 2.9 from the stable Debian repo it fails. So apparently
2.10 has upstream fixes/patches which solve the reload profile bug? Hope this new insight
helps you find the commit and backport it to apparmor 2.9 stable?
Thanks for reporting, I added a note to #805002. It's unlikely we'll
have a backport of both the kernel changes and appamor for Jessie but we
can make things work for stretch (which currently shows a different
error I'll have to look into).
Cheers,
-- Guido
Thanks,
Frank
Sent from my iPhone
> On 24 Mar 2017, at 09:17, Guido Günther <agx(a)sigxcpu.org> wrote:
>
>> On Thu, Mar 23, 2017 at 01:28:57PM +0100, Cedric Bosdonnat wrote:
>> Hello Frank,
>>
>> I'm currently investigating some apparmor-related bug with namespaces. This
one
>> is surely related. I'll look into it when I'm done with the one I'm
working on.
>
> Assuming you're running the Jessie Kernel its likely:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002
>
> To make sure it's the kernel and not libvirt have a look at:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002#51
>
> Cheers,
> -- Guido
>
>>
>> --
>> Cedric
>>
>>> On Thu, 2017-03-23 at 12:07 +0000, Frank Schreuder wrote:
>>> Hello,
>>>
>>> I'm running libvirt 3.1.0 on a Debian 8 server. I installed apparmor and
configured libvirt to use apparmor as
>>> security driver.
>>> After booting a VM, virsh dumpxml shows an apparmor seclabel.
>>>
>>> As soon as I try to attach a second disk to the VM, apparmor blocks this.
>>>
>>> virsh attach-device test-vps /tmp/virshXmlDefinition
>>> error: Failed to attach device from /tmp/virshXmlDefinition
>>> error: operation failed: Could not open '/mnt/images/disk2.raw':
Permission denied
>>>
>>> Syslogs shows me the following:
>>> Mar 22 17:45:20 vps0 kernel: [1136647.318314] audit: type=1400
audit(1490201120.577:30): apparmor="DENIED"
>>> operation="open"
profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859"
name="/mnt/images/disk2.raw" pid=13453
>>> comm="kvm" requested_mask="r" denied_mask="r"
fsuid=996 ouid=33
>>> Mar 22 17:45:20 vps0 kernel: [1136647.325155] audit: type=1400
audit(1490201120.577:31): apparmor="DENIED"
>>> operation="open"
profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859"
name="/mnt/images/disk2.raw" pid=13453
>>> comm="kvm" requested_mask="rw"
denied_mask="rw" fsuid=996 ouid=33
>>> Mar 22 17:45:20 vps0 libvirtd[10282]: 2017-03-22 16:45:20.596+0000: 10283:
error : qemuMonitorTextAddDrive:1968 :
>>> operation failed: Could not open '/mnt/images/disk2.raw': Permission
denied
>>>
>>> In the VM specific apparmor file
/etc/apparmor.d/libvirt/libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859.files I see:
>>> "/mnt/images/disk1.raw" rw,
>>>
>>> Which is my primary VM disk, I expected a virsh attach-device to append
/mnt/images/disk2.raw to this file and
>>> reload/refresh the apparmor profile?
>>>
>>> I'm not able to attach a live disk to a running VM with apparmor. Am I
missing something? Or is this a bug/missing
>>> feature in libvirt?
>>>
>>> Thanks,
>>> Frank
>>> --
>>> libvir-list mailing list
>>> libvir-list(a)redhat.com
>>> https://www.redhat.com/mailman/listinfo/libvir-list
>>
>> --
>> libvir-list mailing list
>> libvir-list(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/libvir-list
>>
2789
days inactive
2800
days old
5 comments
3 participants
participants (3)
-
Cedric Bosdonnat -
Frank Schreuder -
Guido Günther