[Pkg-libvirt-maintainers] Bug#932456: libvirt-daemon-system: blockcommit => permission denied
Sebastian Kiesel
sebastian-bug-deb-e3a68 at skiesel.de
Sun Jul 21 21:21:20 BST 2019
Hi,
I'm having the same problem and indeed it seems to be related to apparmor.
My system is using the same library version numbers as Benoit's system.
As a workaround I set security_driver = "none"
in /etc/libvirt/qemu.conf and rebooted:
--- /etc/libvirt/qemu.conf 2019/07/21 19:33:30 1.1
+++ /etc/libvirt/qemu.conf 2019/07/21 19:35:54 1.3
@@ -414,6 +414,7 @@
# isolation, but it cannot appear in a list of drivers.
#
#security_driver = "selinux"
+security_driver = "none"
# If set to non-zero, then the default security labeling
# will make guests confined. If set to zero, then guests
This seems to work for me but I suspect that this is not how it is
supposed to be from a security perspective. When explicitly setting
security_driver = "apparmor" I had the same problems as in the
default configuration, when security_driver is completely commented out.
-----
Here are the results of some experiments I did *before* changing anything in
/etc/libvirt/qemu.conf - maybe this is helpful for finding the bug
or for giving advice on how to properly configure our systems:
After host boot, before any VM is started:
$ ls -l /etc/apparmor.d/libvirt
total 8
-rw-r--r-- 1 root root 342 Jun 17 19:05 TEMPLATE.lxc
-rw-r--r-- 1 root root 192 Jun 17 19:05 TEMPLATE.qemu
Start a VM:
virsh # start buster5
Domain buster5 started
$ ls -l /etc/apparmor.d/libvirt
total 16
-rw-r--r-- 1 root root 342 Jun 17 19:05 TEMPLATE.lxc
-rw-r--r-- 1 root root 192 Jun 17 19:05 TEMPLATE.qemu
-rw-r--r-- 1 root root 293 Jul 21 21:07 libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5
-rw-r--r-- 1 root root 649 Jul 21 21:07 libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files
$ cat /etc/apparmor.d/libvirt/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/log/libvirt/**/buster5.log" w,
"/var/lib/libvirt/qemu/domain-buster5/monitor.sock" rw,
"/var/lib/libvirt/qemu/domain-1-buster5/*" rw,
"/var/run/libvirt/**/buster5.pid" rwk,
"/run/libvirt/**/buster5.pid" rwk,
"/var/run/libvirt/**/*.tunnelmigrate.dest.buster5" rw,
"/run/libvirt/**/*.tunnelmigrate.dest.buster5" rw,
"/var/lib/libvirt/images/buster5.qcow2" rwk,
"/var/lib/libvirt/qemu/domain-1-buster5/{,**}" rwk,
"/var/lib/libvirt/qemu/channel/target/domain-1-buster5/{,**}" rwk,
"/var/lib/libvirt/qemu/domain-1-buster5/master-key.aes" rwk,
"/dev/net/tun" rwk,
$ cp /etc/apparmor.d/libvirt/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files /tmp/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files.1
create a snapshot
virsh # domblklist buster5 --details
Type Device Target Source
-----------------------------------------------------------------
file disk hda /var/lib/libvirt/images/buster5.qcow2
file cdrom hdb -
virsh # snapshot-create-as --domain buster5 --name backup_overlay --disk-only --atomic --no-metadata
Domain snapshot backup_overlay created
virsh # domblklist buster5 --details
Type Device Target Source
--------------------------------------------------------------------------
file disk hda /var/lib/libvirt/images/buster5.backup_overlay
file cdrom hdb -
$ ls -l /etc/apparmor.d/libvirt
total 16
-rw-r--r-- 1 root root 342 Jun 17 19:05 TEMPLATE.lxc
-rw-r--r-- 1 root root 192 Jun 17 19:05 TEMPLATE.qemu
-rw-r--r-- 1 root root 293 Jul 21 21:07 libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5
-rw-r--r-- 1 root root 535 Jul 21 21:13 libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files
$ cat /etc/apparmor.d/libvirt/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/log/libvirt/**/buster5.log" w,
"/var/lib/libvirt/qemu/domain-buster5/monitor.sock" rw,
"/var/lib/libvirt/qemu/domain-1-buster5/*" rw,
"/var/run/libvirt/**/buster5.pid" rwk,
"/run/libvirt/**/buster5.pid" rwk,
"/var/run/libvirt/**/*.tunnelmigrate.dest.buster5" rw,
"/run/libvirt/**/*.tunnelmigrate.dest.buster5" rw,
"/var/lib/libvirt/images/buster5.qcow2" rwk,
"/dev/pts/5" rw,
"/dev/pts/5" rw,
"/var/lib/libvirt/images/buster5.backup_overlay" rwk,
$ cp /etc/apparmor.d/libvirt/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files /tmp/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files.2
$ diff -u /tmp/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files.{1,2}
--- /tmp/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files.1 2019-07-21 21:11:55.637296657 +0200
+++ /tmp/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files.2 2019-07-21 21:14:59.759204162 +0200
@@ -7,7 +7,6 @@
"/var/run/libvirt/**/*.tunnelmigrate.dest.buster5" rw,
"/run/libvirt/**/*.tunnelmigrate.dest.buster5" rw,
"/var/lib/libvirt/images/buster5.qcow2" rwk,
- "/var/lib/libvirt/qemu/domain-1-buster5/{,**}" rwk,
- "/var/lib/libvirt/qemu/channel/target/domain-1-buster5/{,**}" rwk,
- "/var/lib/libvirt/qemu/domain-1-buster5/master-key.aes" rwk,
- "/dev/net/tun" rwk,
+ "/dev/pts/5" rw,
+ "/dev/pts/5" rw,
+ "/var/lib/libvirt/images/buster5.backup_overlay" rwk,
cp /var/lib/libvirt/images/buster5.qcow2 /backups/buster5-20190721.qcow2
try blockcommit
virsh # blockcommit --domain buster5 --path hda --pivot
error: internal error: unable to execute QEMU command 'block-commit': Could not reopen file: Permission denied
syslog says:
Jul 21 21:16:13 virthost kernel: [20738.344485] audit: type=1400 audit(1563736573.754:28): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5" pid=12452 comm="apparmor_parser"
Jul 21 21:16:13 virthost kernel: [20738.472223] audit: type=1400 audit(1563736573.882:29): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5" pid=12456 comm="apparmor_parser"
$ ls -l /etc/apparmor.d/libvirt
total 16
-rw-r--r-- 1 root root 342 Jun 17 19:05 TEMPLATE.lxc
-rw-r--r-- 1 root root 192 Jun 17 19:05 TEMPLATE.qemu
-rw-r--r-- 1 root root 293 Jul 21 21:07 libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5
-rw-r--r-- 1 root root 672 Jul 21 21:16 libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files
$ cat /etc/apparmor.d/libvirt/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/log/libvirt/**/buster5.log" w,
"/var/lib/libvirt/qemu/domain-buster5/monitor.sock" rw,
"/var/lib/libvirt/qemu/domain-1-buster5/*" rw,
"/var/run/libvirt/**/buster5.pid" rwk,
"/run/libvirt/**/buster5.pid" rwk,
"/var/run/libvirt/**/*.tunnelmigrate.dest.buster5" rw,
"/run/libvirt/**/*.tunnelmigrate.dest.buster5" rw,
"/var/lib/libvirt/images/buster5.backup_overlay" rwk,
"/var/lib/libvirt/images/buster5.qcow2" rk,
# don't audit writes to readonly files
deny "/var/lib/libvirt/images/buster5.qcow2" w,
"/dev/pts/5" rw,
"/dev/pts/5" rw,
"/var/lib/libvirt/images/buster5.qcow2" rwk,
$ cp /etc/apparmor.d/libvirt/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files /tmp/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files.3
$ diff -u /tmp/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files.{2,3}
--- /tmp/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files.2 2019-07-21 21:14:59.759204162 +0200
+++ /tmp/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files.3 2019-07-21 21:17:51.601252623 +0200
@@ -6,7 +6,10 @@
"/run/libvirt/**/buster5.pid" rwk,
"/var/run/libvirt/**/*.tunnelmigrate.dest.buster5" rw,
"/run/libvirt/**/*.tunnelmigrate.dest.buster5" rw,
- "/var/lib/libvirt/images/buster5.qcow2" rwk,
+ "/var/lib/libvirt/images/buster5.backup_overlay" rwk,
+ "/var/lib/libvirt/images/buster5.qcow2" rk,
+ # don't audit writes to readonly files
+ deny "/var/lib/libvirt/images/buster5.qcow2" w,
"/dev/pts/5" rw,
"/dev/pts/5" rw,
- "/var/lib/libvirt/images/buster5.backup_overlay" rwk,
+ "/var/lib/libvirt/images/buster5.qcow2" rwk,
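Review bot: The regenerated profile grants `rk` on buster5.qcow2, adds `deny "/var/lib/libvirt/images/buster5.qcow2" w,` on the same path two lines later, and then appends `"/var/lib/libvirt/images/buster5.qcow2" rwk,` at the last added line; in AppArmor an explicit deny takes precedence over allow rules regardless of their order, so the trailing `rwk` cannot restore write access and this appears to be what produces the `Could not reopen file: Permission denied` on the block-commit. The comment `# don't audit writes to readonly files` suggests the deny is only meant to quiet audit noise while the base image is read-only behind the overlay, but once the commit needs the base image writable it should be removed together with the `rk` rule rather than left in place with a new `rwk` appended. The `aa-teardown` result later in the message, where the same command succeeds with no profiles loaded, is consistent with the deny being the blocker, though whether the responsible code is virt-aa-helper or its caller is not visible here.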
stopping apparmor allows me to do the blockcommit
$ sudo aa-teardown
Unloading AppArmor profiles
virsh # blockcommit --domain buster5 --path hda --pivot
Successfully pivoted
$ sudo rm /var/lib/libvirt/images/buster5.backup_overlay
$ cp /etc/apparmor.d/libvirt/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files /tmp/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files.4
$ diff -u /tmp/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files.{3,4}
(unchanged)
Maybe the "deny ..." line causes the problems?
$ sudo grep -r 'DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.' /etc /usr
/etc/apparmor.d/libvirt/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files:# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
Binary file /usr/lib/libvirt/virt-aa-helper matches
So /usr/lib/libvirt/virt-aa-helper or its configuration will probably
need further examination.
Thanks
Sebastian