Now the abstraction used in this case via:
#include <abstractions/libvirt-qemu>
Held the following statement like for ages just for this use:
/dev/ptmx rw,
Please note the difference since the Deny is on:
/dev/pts/ptmx
That is especially notworthy since the former is just a link to the latter:
$ ll /dev/ptmx
lrwxrwxrwx 1 root root 13 Apr 20 17:19 /dev/ptmx -> /dev/pts/ptmx
So now inside the container apparmor resolves the path to be checked to
"/dev/pts/ptmx".
Maybe it did all the time, but before profile stacking it didn't matter, but
now it does.
Eventually we might just add /dev/pts/ptmx to the profile, but understanding
why it detects the path. It could after all be an LXD issue (not saying that it
has to be fixed there). It seems LXD binds these as:
'/dev/pts/ptmx'->'/dev/ptmx
At least that is what most search hits on the two paths showed me like in bug
1507959
That said this could be the reason why in this kvm-in-lxd case the path
is no more resolved and checked by apparmor on /dev/ptmx which is
allowed, but on /dev/pts/ptmx instead.
Is this something to be adressed in LXD or in apparmor or just a line to the
libvirt profile - I'm not sure.
Setting LXD to new again to get Stephanes expertise again on that ptmx mapping.
** Changed in: lxd (Ubuntu)
Status: Invalid => New
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1684481
Title:
KVM guest execution start apparmor blocks on /dev/ptmx now
(regression?)
Status in apparmor package in Ubuntu:
New
Status in linux package in Ubuntu:
Confirmed
Status in lxd package in Ubuntu:
New
Bug description:
Setup:
- Xenial host
- lxd guests with Trusty, Xenial, ...
- add a LXD profile to allow kvm [3] (inspired by stgraber)
- spawn KVM guests in the LXD guests using the different distro release
versions
- guests are based on the uvtool default template which has a serial console
[4]
Issue:
- guest starting with serial device gets blocked by apparmor and killed on
creation
- This affects at least ppc64el and x86 (s390x has no serial concept that
would match)
- This appeared in our usual checks on -proposed releases so maybe we
can/should stop something?
Last good was "Apr 5, 2017 10:40:50 AM" first bad one "Apr 8, 2017 5:11:22
AM"
Background:
We use this setup for a while and it was working without a change on our end.
Also the fact that it still works in the Trusty LXD makes it somewhat
suspicious.
Therefore I'd assume an SRUed change in LXD/Kernel/Apparmor might be the
reason and open this bug to get your opinion on it.
You can look into [1] and search for uvt-kvm create in it.
Deny in dmesg:
[652759.606218] audit: type=1400 audit(1492671353.134:4520):
apparmor="DENIED" operation="open"
namespace="root//lxd-testkvm-xenial-from_<var-lib-lxd>"
profile="libvirt-668e21f1-fa55-4a30-b325-0ed5cfd55e5b" name="/dev/pts/ptmx"
pid=27162 comm="qemu-system-ppc" requested_mask="wr" denied_mask="wr" fsuid=0
ouid=0
Qemu-log:
2017-04-20T06:55:53.139450Z qemu-system-ppc64: -chardev pty,id=charserial0:
Failed to create PTY: No such file or directory
There was a similar issue on qmeu namespacing (which we don't use on any of
these releases) [2].
While we surely don't have the "same" issue the debugging on the namespacing
might be worth as it could be related.
Workaround for now:
- drop serial section from guest xml
[1]:
https://jenkins.ubuntu.com/server/view/Virt/job/virt-migration-cross-release-amd64/78/consoleFull
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1421036
[3]:
https://git.launchpad.net/~ubuntu-server/ubuntu/+source/qemu-migration-test/tree/kvm_profile.yaml
[4]: https://libvirt.org/formatdomain.html#elementsCharPTY
---
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: ppc64el
DistroRelease: Ubuntu 16.04
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
Package: lxd
PackageArchitecture: ppc64el
ProcKernelCmdline: root=UUID=902eaad1-2164-4f9a-bec4-7ff3abc15804 ro
console=hvc0
ProcLoadAvg: 3.15 3.02 3.83 1/3056 79993
ProcSwaps:
Filename Type Size Used Priority
/swap.img file 8388544 0 -1
ProcVersion: Linux version 4.4.0-72-generic (buildd@bos01-ppc64el-022) (gcc
version 5.4.0 20160609 (Ubuntu/IBM 5.4.0-6ubuntu1~16.04.4) ) #93-Ubuntu SMP Fri
Mar 31 14:05:15 UTC 2017
ProcVersionSignature: Ubuntu 4.4.0-72.93-generic 4.4.49
Syslog:
Tags: xenial uec-images
Uname: Linux 4.4.0-72-generic ppc64le
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: utah
_MarkForUpload: True
cpu_cores: Number of cores present = 20
cpu_coreson: Number of cores online = 20
cpu_smt: SMT is off
---
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: ppc64el
DistroRelease: Ubuntu 16.04
NonfreeKernelModules: cfg80211 ebtable_broute ebtable_nat binfmt_misc veth
nbd openvswitch vhost_net vhost macvtap macvlan xt_conntrack ipt_REJECT
nf_reject_ipv4 ebtable_filter ebtables ip6t_MASQUERADE nf_nat_masquerade_ipv6
ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_filter
ip6_tables xt_comment xt_CHECKSUM iptable_mangle ipt_MASQUERADE
nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4
nf_nat nf_conntrack xt_tcpudp bridge stp llc iptable_filter ip_tables x_tables
zfs zunicode zcommon znvpair spl zavl kvm_hv kvm ipmi_powernv ipmi_msghandler
uio_pdrv_genirq vmx_crypto powernv_rng ibmpowernv leds_powernv uio ib_iser
rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp
libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov
async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0
multipath linear ses enclosure mlx4_en vxlan ip6_udp_tunnel udp_tunnel
mlx4_core ipr
Package: lxd
PackageArchitecture: ppc64el
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
LANG=C.UTF-8
SHELL=/bin/bash
ProcKernelCmdline: root=UUID=902eaad1-2164-4f9a-bec4-7ff3abc15804 ro
console=hvc0
ProcLoadAvg: 5.56 5.25 4.60 1/3057 3526
ProcSwaps:
Filename Type Size Used Priority
none virtual 8388544 8388544 0
ProcVersion: Linux version 4.4.0-72-generic (buildd@bos01-ppc64el-022) (gcc
version 5.4.0 20160609 (Ubuntu/IBM 5.4.0-6ubuntu1~16.04.4) ) #93-Ubuntu SMP Fri
Mar 31 14:05:15 UTC 2017
ProcVersionSignature: Ubuntu 4.4.0-72.93-generic 4.4.49
Syslog:
Tags: xenial uec-images
Uname: Linux 4.4.0-72-generic ppc64le
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:
_MarkForUpload: True
cpu_cores: Number of cores present = 20
cpu_coreson: Number of cores online = 20
cpu_smt: SMT is off
---
AlsaDevices:
total 0
crw-rw---- 1 root audio 116, 1 Apr 12 17:37 seq
crw-rw---- 1 root audio 116, 33 Apr 12 17:37 timer
AplayDevices: Error: [Errno 2] No such file or directory
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: ppc64el
ArecordDevices: Error: [Errno 2] No such file or directory
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq',
'/dev/snd/timer'] failed with exit code 1:
DistroRelease: Ubuntu 16.04
IwConfig: Error: [Errno 2] No such file or directory
Lsusb:
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
Package: linux (not installed)
PciMultimedia:
ProcFB:
ProcKernelCmdLine: root=UUID=902eaad1-2164-4f9a-bec4-7ff3abc15804 ro
console=hvc0
ProcLoadAvg: 6.01 5.68 4.92 1/3060 83740
ProcSwaps:
Filename Type Size Used Priority
/swap.img file 8388544 0 -1
ProcVersion: Linux version 4.4.0-72-generic (buildd@bos01-ppc64el-022) (gcc
version 5.4.0 20160609 (Ubuntu/IBM 5.4.0-6ubuntu1~16.04.4) ) #93-Ubuntu SMP Fri
Mar 31 14:05:15 UTC 2017
ProcVersionSignature: Ubuntu 4.4.0-72.93-generic 4.4.49
RelatedPackageVersions:
linux-restricted-modules-4.4.0-72-generic N/A
linux-backports-modules-4.4.0-72-generic N/A
linux-firmware 1.157.8
RfKill: Error: [Errno 2] No such file or directory
Tags: xenial uec-images
Uname: Linux 4.4.0-72-generic ppc64le
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: utah
_MarkForUpload: True
cpu_cores: Number of cores present = 20
cpu_coreson: Number of cores online = 20
cpu_dscr: DSCR is 0
cpu_freq:
min: 3.691 GHz (cpu 120)
max: 3.691 GHz (cpu 8)
avg: 3.691 GHz
cpu_runmode:
Could not retrieve current diagnostics mode,
No kernel interface to firmware
cpu_smt: SMT is off
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1684481/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
