[Pkg-libvirt-maintainers] Bug#932456: libvirt-daemon-system: blockcommit => permission denied

gskm gskm08 at gmail.com
Fri Mar 27 05:48:28 GMT 2020


Hello

Before blockcommit I do

aa-disable /etc/apparmor.d/libvirt/libvirt-`sudo virsh domuuid $activevm`

then

virsh blockcommit $activevm $disk --active --verbose --pivot

From: Kaulkwappe <kaulkwappe.debian at prvy.eu> 
Sent: Monday, March 23, 2020 9:55 PM
To: 932456 at bugs.debian.org
Cc: pkg-libvirt-maintainers at lists.alioth.debian.org
Subject: Bug#932456: libvirt-daemon-system: blockcommit => permission denied

Dear Maintainer!

I can confirm that this bug (#932456) unfortunately still exists in Debian 10.3 (Buster) while using only default configurations, no custom paths (so all images are placed in /var/lib/libvirt/images):

> root@root:~# virsh blockcommit {vm-name} vda --active --wait --pivot
> error: internal error: unable to execute QEMU command 'block-commit': Could not reopen file: Permission denied

> qemu-img version 3.1.0 (Debian 1:3.1+dfsg-8+deb10u4)
> libvirtd (libvirt) 5.0.0

After some research I suspected the AppArmor configs to be the reason for the permission error which corresponds to the research Robert Niederreiter has already done on 13th October 2019 (Message #25):

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932456#25

However, the behaviour does *not* disappear when AppArmor is disabled using complain mode:

> apt install apparmor-utils
> aa-complain /usr/sbin/libvirtd
> aa-complain /etc/apparmor.d/libvirt/libvirt-{id}

But what I noticed is that the owner and rights of the guest XML files (/run/libvirt/qemu/{vm-name}.xml) always change back to root:root and 0600 even if "dynamic_ownership" is set to 0 in /etc/libvirt/qemu.conf. Since the other file permissions look good I suspect this to have something to do with that issue.

Setting "security_driver" in /etc/libvirt/qemu.conf to "none" or changing "user" and "group" to root:root or to unprivileged:unprivileged did not solve the issue.

This bug is critical because one is not able to create backups of the guests without shutting them down.

Is there any workaround available?

Kind Regards,
Kaulkwappe
