[Pkg-libvirt-maintainers] Bug#876071: Bug#876071: libvirt-daemon-system: Mount namespace and AppArmor confinement are incompatible => breaks networking

Guido Günther agx at sigxcpu.org
Mon Sep 18 07:45:41 UTC 2017


control: forwarded -1 https://www.redhat.com/archives/libvir-list/2017-September/msg00457.html

Hi,
On Mon, Sep 18, 2017 at 09:33:45AM +0200, intrigeri at debian.org wrote:
> Package: libvirt-daemon-system
> Version: 3.7.0-2
> Severity: normal
> 
> Hi,
> 
> since some fairly recent sid upgrade, my VMs don't get network
> anymore and my logs contain lots of:
> 
>   kernel: audit: type=1400 audit(1505719435.761:27425226): apparmor="DENIED" operation="file_perm" info="Failed name lookup - disconnected path" error=-13 profile="libvirt-213ff882-ce4b-035d-e2b1-9059d66cd67d" name="dev/net/tun" pid=25947 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
> 
> I've tried passing flags=(attach_disconnected) in
> /etc/apparmor.d/libvirt/TEMPLATE.qemu but that did not fix the bug for
> some reason, so I've reverted this change.

I saw the same on Friday and used the patch referenced above (which
basically does the same, you were on cc: ;)…

> 
> My current workaround is to disable private mount namespaces in
> /etc/libvirt/qemu.conf:
> 
>   namespaces = [ ]
> 
> FWIW the network these VMs are connected to looks like:
> 
> <network connections='1'>
>   <name>routed</name>
>   <uuid>054fadcc-23da-4014-94e7-cdde77924045</uuid>
>   <forward mode='route'/>
>   <bridge name='vmz0' stp='on' delay='0'/>
> […]
> </network>

… however I'm using

    <interface type='network'>
      <mac address='52:54:00:75:44:c0'/>
      <source network='default'/>
      <model type='rtl8139'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>

Should that make a difference? Did you check if the VM profile did get
recreated correctly?
Cheers,
 -- Guido

> 
> Cheers!
> 
> -- System Information:
> Debian Release: buster/sid
>   APT prefers unstable
>   APT policy: (990, 'unstable'), (500, 'stable-updates'), (500, 'oldstable-updates'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.12.0-2-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages libvirt-daemon-system depends on:
> ii  adduser              3.116
> ii  debconf              1.5.63
> ii  gettext-base         0.19.8.1-4
> ii  init-system-helpers  1.49
> ii  iptables             1.6.1-2
> ii  libacl1              2.2.52-3+b1
> ii  libapparmor1         2.11.0-10
> ii  libaudit1            1:2.7.7-1+b2
> ii  libblkid1            2.29.2-5
> ii  libc6                2.24-17
> ii  libcap-ng0           0.7.7-3+b1
> ii  libdbus-1-3          1.11.16+really1.10.22-1
> ii  libdevmapper1.02.1   2:1.02.142-1
> ii  libnl-3-200          3.2.27-2
> ii  libnl-route-3-200    3.2.27-2
> ii  libnuma1             2.0.11-2.1
> ii  libselinux1          2.7-2
> ii  libvirt-clients      3.7.0-2
> ii  libvirt-daemon       3.7.0-2
> ii  libvirt0             3.7.0-2
> ii  libxml2              2.9.4+dfsg1-4
> ii  libyajl2             2.1.0-2+b3
> ii  logrotate            3.11.0-0.1
> ii  lsb-base             9.20170808
> ii  policykit-1          0.105-18
> 
> Versions of packages libvirt-daemon-system recommends:
> ii  bridge-utils  1.5-14
> ii  dmidecode     3.1-1
> ii  dnsmasq-base  2.77-2
> ii  ebtables      2.0.10.4-3.5+b1
> ii  iproute2      4.9.0-2
> ii  parted        3.2-17
> 
> Versions of packages libvirt-daemon-system suggests:
> ii  apparmor    2.11.0-10
> pn  auditd      <none>
> ii  nfs-common  1:1.3.4-2.1+b1
> ii  pm-utils    1.4.1-17
> ii  radvd       1:2.16-3
> ii  systemd     234-3
> pn  systemtap   <none>
> pn  zfsutils    <none>
> 
> -- debconf information:
>   libvirt-daemon-system/id_warning: true
> 
> -- 
> intrigeri
> 
> _______________________________________________
> Pkg-libvirt-maintainers mailing list
> Pkg-libvirt-maintainers at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-libvirt-maintainers
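
A triage helper for the denial quoted in the report, as an added example that is not part of the original thread: it picks out AppArmor denials against per-VM libvirt profiles whose `info` field reports a disconnected path, and counts them per profile and path. The function names are hypothetical, and the second and third sample lines are constructed for contrast.

```python
import re
from collections import Counter

# Sample input: the first line is the denial quoted in the bug report;
# the other two are constructed for contrast (ordinary denial, allowed access).
SAMPLE_LOG = '''\
kernel: audit: type=1400 audit(1505719435.761:27425226): apparmor="DENIED" operation="file_perm" info="Failed name lookup - disconnected path" error=-13 profile="libvirt-213ff882-ce4b-035d-e2b1-9059d66cd67d" name="dev/net/tun" pid=25947 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
kernel: audit: type=1400 audit(1505719436.100:27425227): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000001" name="/etc/shadow" pid=100 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
kernel: audit: type=1400 audit(1505719437.200:27425228): apparmor="ALLOWED" operation="open" profile="/usr/sbin/libvirtd" name="/dev/net/tun" pid=101 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Per-VM profiles are named libvirt-<domain UUID>, as in the reported line.
VM_PROFILE_RE = re.compile(r'^libvirt-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$')


def parse_audit_line(line):
    """Return the key=value fields of one audit record as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def disconnected_denials(log_text):
    """Denials on per-VM libvirt profiles caused by a disconnected path."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if (rec.get("apparmor") == "DENIED"
                and "disconnected path" in rec.get("info", "")
                and VM_PROFILE_RE.match(rec.get("profile", ""))):
            hits.append(rec)
    return hits


def summarize(log_text):
    """Count disconnected-path denials per (profile, name) pair."""
    # As in the reported line, the name has no leading slash: the kernel
    # could not resolve the object back to the root of the namespace.
    return Counter((r["profile"], r["name"]) for r in disconnected_denials(log_text))


if __name__ == "__main__":
    for (profile, name), count in summarize(SAMPLE_LOG).items():
        print(f"{count:4d}  {profile}  {name}")
```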


