[Pkg-libvirt-maintainers] Bug#933385: Bug#933385: libvirt-daemon: encrypted qemu virtual machines do not start after upgrade to buster: permission denied

Dominik Reusser dr896543 at gmail.com
Wed Jul 31 06:41:50 BST 2019


Hi Guido,
thanks for your support.

I can confirm that changes to /etc/apparmor.d/libvirt/TEMPLATE.qemu are
taking effect. Besides the secret file, also the location of my
vm-image-files needs to be configured in the template file.

I added the following to get the VM running:

  /etc/libvirt/secret/** r,
  /var/lib/libvirt/images/** rwk,

Greetings
Dominik


On Tue, 30 Jul 2019 at 11:50, Guido Günther <agx at sigxcpu.org> wrote:

> control: -1 retitle qemu domain with encryption via qemu:commandline
> denied by apparmor
> control: -1 tag wontfix
>
> Hi Dominik,
> On Tue, Jul 30, 2019 at 11:29:49AM +0200, Dominik Reusser wrote:
> >   <qemu:commandline>
> >     <qemu:arg value='--object'/>
> >     <qemu:arg value='secret,id=sec0,file=/etc/libvirt/secrets/Feigenbaum.secret'/>
> >     <qemu:arg value='-drive'/>
> >     <qemu:arg value='driver=qcow2,file.filename=/var/lib/libvirt/images/Feigenbaum.qcow2,encrypt.key-secret=sec0'/>
> >   </qemu:commandline>
>
> So you're using custom command line arguments, which is not supported:
>
>     https://libvirt.org/drvqemu.html#qemucommand
>
> since there's no way for libvirt's apparmor helper to figure out what
> you want.
>
> You should use libvirt's volume encryption:
>
>     https://libvirt.org/formatstorageencryption.html#StorageEncryption
>
> If that fails we need to fix it, but that's something we can
> support since we have the information in a structured form and can make
> virt-aa-helper know about it.
>
> If you want to keep using apparmor and your current configuration modify
>
>     /etc/apparmor.d/libvirt/TEMPLATE.qemu
>
> to allow access to that file. Something like
>
>     /etc/libvirt/secrets/** r,
>
> might already do the trick.
>
> Note that this will allow all domains to access that file but it might
> be better than turning off apparmor completely.
>
> In case you work something out please add this to the bug since others
> might be hitting issues with custom command lines too.
>
> Cheers,
>  -- Guido
>
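Added example, not part of the bug report or of libvirt itself: the rule Guido suggests for TEMPLATE.qemu (`/etc/libvirt/secrets/** r,`) ends up in every domain's profile, so every guest gets read access to every secret file under that directory. A narrower way to get the same VM running is to collect the actual AppArmor denials from the audit log and allow only the paths that were denied, with only the permission bits that were denied. The script below does that over constructed audit lines (the domain UUID, pid, timestamps and the `Feigenbaum` paths from the thread are sample data, not anything taken from a real host), and includes a small AppArmor-style glob matcher to make the difference between `**`, `*` and an exact path visible. Everything here is assumed behaviour of the audit message format and AppArmor globbing as I know it; it is not libvirt's or virt-aa-helper's code.

```python
"""
Turn AppArmor DENIED audit lines for a libvirt qemu profile into the
minimal file rules needed, and show how broad a '**' rule really is.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the shape follows the kernel's apparmor audit messages
# (key="value" pairs).  UUID, pid, timestamps and fsuid are made up.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1564555310.123:456): apparmor="DENIED" operation="open" profile="libvirt-2f0b7e3c-5d6a-4c1e-9b8f-0a1b2c3d4e5f" name="/etc/libvirt/secrets/Feigenbaum.secret" pid=4321 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
type=AVC msg=audit(1564555310.124:457): apparmor="DENIED" operation="open" profile="libvirt-2f0b7e3c-5d6a-4c1e-9b8f-0a1b2c3d4e5f" name="/var/lib/libvirt/images/Feigenbaum.qcow2" pid=4321 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0
type=AVC msg=audit(1564555310.125:458): apparmor="DENIED" operation="file_lock" profile="libvirt-2f0b7e3c-5d6a-4c1e-9b8f-0a1b2c3d4e5f" name="/var/lib/libvirt/images/Feigenbaum.qcow2" pid=4321 comm="qemu-system-x86" requested_mask="k" denied_mask="k" fsuid=64055 ouid=0
type=AVC msg=audit(1564555310.200:459): apparmor="ALLOWED" operation="open" profile="libvirt-2f0b7e3c-5d6a-4c1e-9b8f-0a1b2c3d4e5f" name="/dev/null" pid=4321 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
"""

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_denials(text: str) -> List[Tuple[str, str, str]]:
    """Return (profile, path, denied_mask) for every apparmor="DENIED" line
    that names a file; ALLOWED/complain-mode lines and non-file events are skipped."""
    found = []
    for line in text.splitlines():
        kv = dict(_KV.findall(line))
        if kv.get("apparmor") != "DENIED" or "name" not in kv:
            continue
        found.append((kv["profile"], kv["name"], kv.get("denied_mask", "")))
    return found


def minimal_rules(denials: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Merge the denied permission letters per (profile, path) and render one
    exact-path AppArmor file rule per path, grouped by profile name."""
    masks: Dict[Tuple[str, str], Set[str]] = {}
    for profile, path, mask in denials:
        masks.setdefault((profile, path), set()).update(mask)
    rules: Dict[str, List[str]] = {}
    for (profile, path), letters in sorted(masks.items()):
        # keep AppArmor's usual ordering of permission letters
        perms = "".join(c for c in "rwalkmix" if c in letters)
        rules.setdefault(profile, []).append(f'"{path}" {perms},')
    return rules


def apparmor_glob_to_regex(glob: str) -> "re.Pattern[str]":
    """AppArmor path globbing (assumed semantics): '*' and '?' never cross a
    '/', while '**' matches any run of characters including '/'."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out += ".*"
            i += 2
        elif glob[i] == "*":
            out += "[^/]*"
            i += 1
        elif glob[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(glob[i])
            i += 1
    return re.compile("^" + out + "$")


def rule_matches(glob: str, path: str) -> bool:
    """True if an AppArmor file rule with path pattern `glob` covers `path`."""
    return apparmor_glob_to_regex(glob).match(path) is not None


if __name__ == "__main__":
    for profile, lines in minimal_rules(parse_denials(SAMPLE_AUDIT)).items():
        print(f"# rules needed by {profile}:")
        for rule in lines:
            print("  " + rule)
    # What the broad template rule from the thread also lets every domain read:
    for p in ("/etc/libvirt/secrets/Feigenbaum.secret",
              "/etc/libvirt/secrets/some-other-domain.secret"):
        print(f"/etc/libvirt/secrets/** covers {p}: {rule_matches('/etc/libvirt/secrets/**', p)}")
```

In practice the input comes from `/var/log/audit/audit.log` or `journalctl -k` after the failed `virsh start`. Two caveats: the per-domain `libvirt-<uuid>` profile is written by virt-aa-helper, so as Guido says the place for hand-written rules is TEMPLATE.qemu, where they still apply to every domain; naming the exact secret file instead of `/etc/libvirt/secrets/**` at least limits what other guests can read. And if the image is described with libvirt's own `<encryption>` element rather than `<qemu:commandline>`, virt-aa-helper has the path in structured form and can put the rule into that one domain's profile itself, which is the route Guido recommends.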
