[Pkg-libvirt-maintainers] Bug#933385: Bug#933385: libvirt-daemon: encrypted qemu virtual machines do not start after upgrade to buster: permission denied

Dominik Reusser dr896543 at gmail.com
Tue Jul 30 10:29:49 BST 2019


Thanks for the hint with the security_driver option.
However, the error still appears after adding the following line to the
configuration file

security_driver = "none"


and restarting the services

sudo service libvirtd restart
sudo service libvirt-guests restart



On a side note:

/etc/libvirt/qemu.conf states that "The default security driver is SELinux"

So could SELinux cause the blocking of the secret file? How would I enable
access to the file in SELinux?


The domain XML is attached...

On Tue, 30 July 2019 at 11:06, Guido Günther <agx at sigxcpu.org> wrote:

> Hi,
> On Tue, Jul 30, 2019 at 10:43:25AM +0200, Dominik Reusser wrote:
> > Thanks for your reply
> >
> > On 30.07.19 09:00, Guido Günther wrote:
> > > Hi,
> > > On Tue, Jul 30, 2019 at 07:36:18AM +0200, Dominik wrote:
> > >> Package: libvirt-daemon
> > >> Version: 5.0.0-4
> > >> Severity: normal
> > >>
> > >> Dear Maintainer,
> > >>
> > >> after upgrading to buster, the encrypted kvm-guests stop working. An
> > >> error is thrown about missing rights to the file containing the
> > >> encryption secret, which I placed under /etc/libvirt/secret/.
> > >>
> > >> I opened a question with more details on serverfault a while ago:
> > >> https://serverfault.com/questions/974689/encrypted-qemu-virtual-machines-do-not-start-after-upgrade-to-buster-permission
> > > As a workaround you can disable apparmor
> > Do I need to disable apparmor completely through grub as described here:
> > https://wiki.debian.org/AppArmor/HowToUse or would it be possible to
> > disable the profiles for libvirt with aa-disable?
>
>
> Try
>
> security_driver = "none"
>
> in /etc/libvirt/qemu.conf.
>
> instead of disabling apparmor overall.
>
> Attaching the domain xml might help reproducing the bug.
> Cheers,
>  -- Guido
>
> >
> >
> > > but can you attach the dmesg
> > > output after trying to start a domain?
> > $ virsh --connect qemu:///system start Feigenbaum
> > error: Failed to start domain Feigenbaum
> > error: internal error: process exited while connecting to monitor:
> > 2019-07-30T08:15:39.975264Z qemu-system-x86_64: --object
> > secret,id=sec0,file=/etc/libvirt/secrets/Feigenbaum.secret: Unable to read
> > /etc/libvirt/secrets/Feigenbaum.secret: Failed to open file
> > “/etc/libvirt/secrets/Feigenbaum.secret”: Permission denied
> >
> > $ sudo dmesg
> >
> > [585353.519853] virbr0: port 2(vnet0) entered blocking state
> > [585353.519854] virbr0: port 2(vnet0) entered disabled state
> > [585353.519887] device vnet0 entered promiscuous mode
> > [585353.519982] virbr0: port 2(vnet0) entered blocking state
> > [585353.519983] virbr0: port 2(vnet0) entered listening state
> > [585353.706058] virbr0: port 2(vnet0) entered disabled state
> > [585353.707387] device vnet0 left promiscuous mode
> > [585353.707395] virbr0: port 2(vnet0) entered disabled state
> >
> > (I removed a bunch of UFW BLOCK messages)
> >
> > Extract from syslog:
> >
> > Jul 30 10:15:39 www kernel: [585353.519853] virbr0: port 2(vnet0) entered
> > blocking state
> > Jul 30 10:15:39 www kernel: [585353.519854] virbr0: port 2(vnet0) entered
> > disabled state
> > Jul 30 10:15:39 www kernel: [585353.519887] device vnet0 entered
> > promiscuous mode
> > Jul 30 10:15:39 www kernel: [585353.519982] virbr0: port 2(vnet0) entered
> > blocking state
> > Jul 30 10:15:39 www kernel: [585353.519983] virbr0: port 2(vnet0) entered
> > listening state
> > Jul 30 10:15:39 www libvirtd[775]: Domain id=5 name='Feigenbaum'
> > uuid=2734b78b-2dc6-4fed-a47b-9bb2534db76e is tainted: custom-argv
> > Jul 30 10:15:40 www kernel: [585353.706058] virbr0: port 2(vnet0) entered
> > disabled state
> > Jul 30 10:15:40 www kernel: [585353.707387] device vnet0 left promiscuous
> > mode
> > Jul 30 10:15:40 www kernel: [585353.707395] virbr0: port 2(vnet0) entered
> > disabled state
> > Jul 30 10:15:40 www libvirtd[775]: Unable to read from monitor: Connection
> > reset by peer
> > Jul 30 10:15:40 www libvirtd[775]: internal error: qemu unexpectedly closed
> > the monitor: 2019-07-30T08:15:39.975264Z qemu-system-x86_64: --object
> > secret,id=sec0,file=/etc/libvirt/secrets/Feigenbaum.secret: Unable to read
> > /etc/libvirt/secrets/Feigenbaum.secret: Failed to open file
> > “/etc/libvirt/secrets/Feigenbaum.secret”: Permission denied
> > Jul 30 10:15:40 www libvirtd[775]: internal error: process exited while
> > connecting to monitor: 2019-07-30T08:15:39.975264Z qemu-system-x86_64:
> > --object secret,id=sec0,file=/etc/libvirt/secrets/Feigenbaum.secret: Unable
> > to read /etc/libvirt/secrets/Feigenbaum.secret: Failed to open file
> > “/etc/libvirt/secrets/Feigenbaum.secret”: Permission denied
> >
> >
> > > That should have details what
> > > fails exactly.
> > Let me know if I can provide additional information to get more details on
> > what fails.
> >
> > Greetings
> >
> > Dominik
> >
-------------- next part --------------
A non-text attachment was scrubbed...
Name: feigenbaum.xml
Type: text/xml
Size: 3532 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-libvirt-maintainers/attachments/20190730/b911086b/attachment.xml>
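An added triage script for the failure discussed in this thread; it is not code from the bug report, from Debian or from libvirt, and its conclusions come from what it measures on the host, not from the thread. The libvirtd log above marks the domain "tainted: custom-argv", i.e. the secret file is handed to qemu on the command line rather than declared in the domain XML, and libvirt only labels and chowns files it knows from the XML. Such a file therefore has to pass two independent gates: the MAC driver (AppArmor on Debian, which logs an apparmor="DENIED" kernel record naming the file) and plain DAC (qemu runs as the user/group configured in qemu.conf, not as root), and security_driver = "none" only switches off the first. The sample log lines, the uid 64055, the fallback user/group name libvirt-qemu and the qemu.conf path are constructed or assumed values, not facts from the thread.

```shell
#!/bin/sh
# Added example for this thread; not code from the bug report, Debian or libvirt.
# Triage "Permission denied" on a file that qemu opens itself because it was
# handed over on the command line (libvirtd logged "tainted: custom-argv").
# libvirt labels and chowns only files it knows from the domain XML, so such a
# file has to pass two independent gates, and security_driver = "none" in
# qemu.conf only turns off the first:
#   1. the MAC driver (AppArmor on Debian): a denial is logged by the kernel as
#      an apparmor="DENIED" record that names the file;
#   2. DAC: qemu runs as the user/group from qemu.conf, not as root.
# The helpers are pure so they can be exercised on constructed input;
# triage_live runs the same checks against a real host.
set -e

# Classify one kernel-log line: prints "apparmor" if it is an AppArmor DENIED
# record for exactly the path in $2, "other" otherwise.
classify_log_line() {
  case $1 in
    *'apparmor="DENIED"'*"name=\"$2\""*) echo apparmor ;;
    *) echo other ;;
  esac
}

# Count AppArmor denials for path $1 in the log text on stdin
# (typical use on a host: dmesg | count_aa_denials /path/to/file).
count_aa_denials() {
  n=0
  while IFS= read -r line; do
    if [ "$(classify_log_line "$line" "$1")" = apparmor ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# DAC check: may a process with uid $4 / gid $5 read a file owned by uid $1,
# gid $2 with octal mode $3?  Prints yes/no (or unknown for a malformed mode).
# Simplifications: supplementary groups and ACLs are ignored; root always reads.
dac_can_read() {
  case $3 in ???|????) ;; *) echo unknown; return 0 ;; esac
  m=${3#"${3%???}"}                    # last three octal digits: owner/group/other
  o=${m%??}; g=${m#?}; g=${g%?}; w=${m#??}
  if [ "$4" -eq 0 ]; then bit=7
  elif [ "$4" -eq "$1" ]; then bit=$o  # owner class applies even if group bits would allow
  elif [ "$5" -eq "$2" ]; then bit=$g
  else bit=$w; fi
  if [ $((bit & 4)) -ne 0 ]; then echo yes; else echo no; fi
}

# Run both checks on a real host for file $1 (qemu.conf path in $2 optional).
# Assumed about the host: Debian's qemu.conf location and its libvirt-qemu
# user/group as the fallback when user= / group= are commented out.
triage_live() {
  f=$1; conf=${2:-/etc/libvirt/qemu.conf}
  qu=$(sed -n 's/^user *= *"\([^"]*\)".*/\1/p' "$conf" | tail -n 1)
  qg=$(sed -n 's/^group *= *"\([^"]*\)".*/\1/p' "$conf" | tail -n 1)
  qu=${qu:-libvirt-qemu}; qg=${qg:-libvirt-qemu}
  echo "security_driver in $conf: $(sed -n 's/^security_driver *= *//p' "$conf" | tail -n 1)"
  echo "qemu runs as $qu:$qg"
  owner=$(stat -c '%u %g %a' "$f")
  set -- $owner                        # owner uid, gid, octal mode
  echo "$f: owner uid $1, gid $2, mode $3"
  echo "DAC read as $qu:$qg -> $(dac_can_read "$1" "$2" "$3" "$(id -u "$qu")" "$(getent group "$qg" | cut -d: -f3)")"
  echo "AppArmor denials naming $f in dmesg -> $(dmesg | count_aa_denials "$f")"
  echo "loaded libvirt-<uuid> profiles -> $(aa-status 2>/dev/null | grep -c '^ *libvirt-' || true)"
}

# Constructed sample log (the dmesg posted in this thread contains no DENIED
# line at all): one bridge message as seen above plus two denials, only one
# of them naming the secret file in question.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[585353.519853] virbr0: port 2(vnet0) entered blocking state
[585353.600001] audit: type=1400 audit(1564474539.975:601): apparmor="DENIED" operation="open" profile="libvirt-2734b78b-2dc6-4fed-a47b-9bb2534db76e" name="/etc/libvirt/secrets/Feigenbaum.secret" pid=21873 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[585353.600002] audit: type=1400 audit(1564474539.976:602): apparmor="DENIED" operation="open" profile="libvirt-2734b78b-2dc6-4fed-a47b-9bb2534db76e" name="/etc/libvirt/secrets/other.secret" pid=21873 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
EOF
SECRET=/etc/libvirt/secrets/Feigenbaum.secret
echo "denials naming $SECRET in the sample log: $(count_aa_denials "$SECRET" < "$SAMPLE_LOG")"
# A root:root 0600 file read by qemu as uid/gid 64055 (assumed libvirt-qemu)
# fails on DAC alone, which no security_driver setting can change.
echo "root:root 0600 read by 64055:64055 -> $(dac_can_read 0 0 0600 64055 64055)"
echo "root:64055 0640 read by 64055:64055 -> $(dac_can_read 0 64055 0640 64055 64055)"
if [ -n "${SECRET_FILE:-}" ]; then triage_live "$SECRET_FILE"; fi
```

On the affected host, run it as root with SECRET_FILE=/etc/libvirt/secrets/Feigenbaum.secret set so that triage_live is invoked. Whichever gate reports the denial is the one to fix: an AppArmor denial belongs in a local override under /etc/apparmor.d/local/ (the exact file depends on the profile layout the package ships) rather than in security_driver, while a DAC denial needs ownership or mode that the configured qemu user can read, something libvirt does itself for files declared in the domain XML but not for a file passed through the qemu command line.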