control: -1 retitle qemu domain with encryption via qemu:commandline denied by apparmor
control: -1 tag wontfix

Hi Dominik,

On Tue, Jul 30, 2019 at 11:29:49AM +0200, Dominik Reusser wrote:
> <qemu:commandline>
>   <qemu:arg value='--object'/>
>   <qemu:arg value='secret,id=sec0,file=/etc/libvirt/secrets/Feigenbaum.secret'/>
>   <qemu:arg value='-drive'/>
>   <qemu:arg value='driver=qcow2,file.filename=/var/lib/libvirt/images/Feigenbaum.qcow2,encrypt.key-secret=sec0'/>
> </qemu:commandline>

So you're using custom command line arguments. Which is not supported:

    https://libvirt.org/drvqemu.html#qemucommand

since there's no way for libvirt's apparmor helper to figure out what
you want. You should use libvirt's volume encryption:

    https://libvirt.org/formatstorageencryption.html#StorageEncryption

if that fails either we need to fix that but that's something we can
support since we have the information in a structured form and can make
virt-aa-helper know about it.

If you want to keep using apparmor and your current configuration modify

    /etc/apparmor.d/libvirt/TEMPLATE.qemu

to allow access to that file. Something like

    /etc/libvirt/secrets/** r,

might already do the trick. Note that this will allow all domains to
access that file but it might be better than turning off apparmor
completely.

In case you work something out please add this to the bug since others
might be hitting issues with custom command lines too.

Cheers,
 -- Guido
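
Added example, not part of the message above or of libvirt's own code: a small audit helper that lists the host paths a domain names only inside `<qemu:arg>` passthrough values, which are the paths the reply says libvirt's AppArmor helper cannot see. The function name, the set of option keys treated as paths, and the sample domain (built around the quoted block) are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

QEMU_NS = "http://libvirt.org/schemas/domain/qemu/1.0"
# Assumption: option keys whose value is a host path (file=, file.filename=, path=).
PATH_KEY = re.compile(r"(?:^|\.)(?:file|filename|path)$")

# Constructed sample: the passthrough block from the report in a minimal domain.
SAMPLE_DOMAIN = """<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <name>Feigenbaum</name>
  <qemu:commandline>
    <qemu:arg value='--object'/>
    <qemu:arg value='secret,id=sec0,file=/etc/libvirt/secrets/Feigenbaum.secret'/>
    <qemu:arg value='-drive'/>
    <qemu:arg value='driver=qcow2,file.filename=/var/lib/libvirt/images/Feigenbaum.qcow2,encrypt.key-secret=sec0'/>
  </qemu:commandline>
</domain>"""


def passthrough_paths(domain_xml):
    """Return sorted host paths that appear only in <qemu:arg> values."""
    root = ET.fromstring(domain_xml)
    # Paths libvirt holds in structured form (e.g. <disk><source file=.../>).
    structured = {el.get("file") for el in root.iter("source") if el.get("file")}
    found = set()
    for arg in root.iter("{%s}arg" % QEMU_NS):
        # QEMU escapes a literal comma as ",,", so split on single commas only.
        for field in re.split(r"(?<!,),(?!,)", arg.get("value", "")):
            key, sep, val = field.partition("=")
            val = val.replace(",,", ",")
            if sep and PATH_KEY.search(key) and val.startswith("/"):
                found.add(val)
    return sorted(found - structured)


if __name__ == "__main__":
    for path in passthrough_paths(SAMPLE_DOMAIN):
        print("not visible to the generated profile:", path)
```

Each path it reports either needs a manual rule in the AppArmor template or should move into the structured domain XML.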