--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1677398
Title:
Apparmor prevents using storage pools and hostdev networks
To manage notifications about this
Hi Martin,
First of all, sorry, and I totally understand that this can be annoying if you
face it and wonder why it fails. I think you bring a nice thought to the case
that wasn't very present so far.
> I don't understand why after 8 years this still fails in a way ...
The short and honest answer
I just pulled my hair over this issue, trying to use a pool volume on
Debian 12.
I gather from the gitlab issue that there's still no solution on the
horizon. I also gather that a general solution is hard to find. I don't
understand that exactly but I can see that there are lots of different
type
** Changed in: libvirt
Status: Unknown => New
Also check bug 1573192 if it might be resolved by this as well.
This now has a related upstream issue
https://gitlab.com/libvirt/libvirt/-/issues/135
** Bug watch added: gitlab.com/libvirt/libvirt/-/issues #135
https://gitlab.com/libvirt/libvirt/-/issues/135
** Also affects: libvirt via
https://gitlab.com/libvirt/libvirt/-/issues/135
Importance: Unkn
Hi Yury,
until implemented for real, adding apparmor rules for the uncommon paths is the
way to go.
The difference I'd suggest to your solution is to use local overrides since
they will neither prompt you nor be overwritten on updates.
This can be done in:
# allow virt-aa-helper to generate per-
I hit this issue today when trying `terraform-provider-libvirt`. So I
spent some time debugging it. Below are my findings.
1. Dir-based pools are affected. I didn't try with the default one as I
created custom storage pool in terraform (`/srv/libvirt/images`). Then I
was able to catch `/etc/apparmor
I found the quick "fix"...
"Double check that `security_driver = "none"` is uncommented in
`/etc/libvirt/qemu.conf` and issue `sudo systemctl restart libvirt-bin`
to restart the daemon."
https://github.com/dmacvicar/terraform-provider-libvirt/commit/22f096d9
Doesn't sound good. But it worked! l
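Two approaches appear in the comments above: adding AppArmor rules for the pool path in the local override files, and the terraform-provider-libvirt workaround of setting `security_driver = "none"`, which switches confinement off for every guest. The shell functions below are an added example, not code from this bug thread or from libvirt. They generate and install the override rules for one pool directory and report whether a qemu.conf currently carries the "none" setting. The two override file paths are assumptions based on Ubuntu's libvirt packaging (the shipped profiles include them); confirm they exist on your host before relying on them.

```shell
# Added example, not code from the bug thread or from libvirt: helper
# functions for keeping AppArmor enabled while allowing a custom pool path,
# plus a check for the security_driver = "none" workaround quoted above.
# ASSUMPTION: Ubuntu's libvirt packaging includes these local override files
# from the shipped profiles; confirm the paths exist on your host.
AA_HELPER_LOCAL="${AA_HELPER_LOCAL:-/etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper}"
AA_QEMU_LOCAL="${AA_QEMU_LOCAL:-/etc/apparmor.d/local/abstractions/libvirt-qemu}"

# Rules letting virt-aa-helper inspect images under a pool directory; these
# mirror the /var/lib/libvirt/images entries in the shipped profile.
aa_helper_rules() {
    pool="${1%/}"
    printf '%s/ r,\n%s/** r,\n' "$pool" "$pool"
}

# Rules letting confined guests open and lock images under that directory.
aa_qemu_rules() {
    pool="${1%/}"
    printf '%s/** rwk,\n' "$pool"
}

# Append each rule line to TARGET unless it is already present, so the
# function can be re-run safely.
aa_append_rules() {
    target="$1"; shift
    mkdir -p "$(dirname "$target")"
    [ -e "$target" ] || : > "$target"
    printf '%s\n' "$@" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        grep -qxF -- "$line" "$target" || printf '%s\n' "$line" >> "$target"
    done
}

# Write the override rules for one pool path (needs root for the real files).
aa_allow_pool() {
    aa_append_rules "$AA_HELPER_LOCAL" "$(aa_helper_rules "$1")"
    aa_append_rules "$AA_QEMU_LOCAL" "$(aa_qemu_rules "$1")"
}

# Reload the helper profile; per-guest profiles pick up the abstraction
# when the guest is next started.
aa_reload_helper_profile() {
    apparmor_parser -r /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper
}

# Print the last uncommented security_driver value in a qemu.conf, or
# "unset" when there is none (libvirt then probes for an available driver).
# Only the simple quoted-string form is handled, not the list form.
qemu_conf_security_driver() {
    value=$(grep -E '^[[:space:]]*security_driver[[:space:]]*=' "$1" | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/^"//' -e 's/"[[:space:]]*$//')
    printf '%s\n' "${value:-unset}"
}

# True when the quoted workaround is active, i.e. no guest is confined at all.
qemu_confinement_disabled() {
    [ "$(qemu_conf_security_driver "$1")" = "none" ]
}
```

As root, `aa_allow_pool /srv/libvirt/images` followed by `aa_reload_helper_profile` is the whole procedure; setting `AA_HELPER_LOCAL` and `AA_QEMU_LOCAL` to scratch files first lets you inspect the generated rules without touching /etc. `qemu_confinement_disabled /etc/libvirt/qemu.conf` is the check to run on hosts where the "none" workaround may have been applied and forgotten.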
Hey guys,
I'm trying to play with Terraform and it's failing too! Ubuntu 20.04.1.
Guide:
https://fabianlee.org/2020/02/22/kvm-terraform-and-cloud-init-to-create-
local-kvm-resources/
NOTE: I'm using the latest "terraform-provider-libvirt-0.6.3" binary for
Ubuntu 20.04.
The "terraform apply" fa
> There is a comment in this bug that says that dir based pools aren't
> affected, but it seems they are.
Should probably be more like:
Dir based with a full path works; dir based with just a filename needs the path
from the pool and fails.
> Here's the disk definition in XML using
> a "default" named poo
There is a comment in this bug that says that dir based pools aren't
affected, but it seems they are. Here's the disk definition in XML using
a "default" named pool that resides in /var/lib/libvirt/images.
Starting the VM with virsh start yields the following error in dmesg:
[10757
> I stumbled upon the same issue but with dir based pools. I have all
> relevant information posted on a SO question, do you want me to paste
> them here too?
Thanks George,
yeah this is another case where it would need to "talk back to the
storage subsystem" of libvirt to get info from the pools
I stumbled upon the same issue but with dir based pools. I have all
relevant information posted on a SO question, do you want me to paste
them here too? The question is here:
https://stackoverflow.com/questions/63767647/virt-aa-helper-doesnt-add-
path-for-storage-pool-in-apparmor-generated-rules
-
I finally had time to revisit this. It appears that not only did my
patch not connect to the remote libvirtd storage driver (as Christian
pointed out), but that the storage driver does not establish remote
connections at all. As such, I agree with Christian that my patch is a
dead-end and would als
Hi Garry,
thanks for your reply.
Q: what do you mean by "setting up a new storage context" in your last comment?
A: the code was not only trying to connect to libvirtd, by tracking in gdb I
found that it was also trying to itself do some actions that would make
virt-aa-helper behave like the bac
Thanks for subscribing me; I'm a launchpad newbie and didn't realize
that wasn't automatic when I posted here. I'll try to answer your
questions to the best of my recollection.
#1
I can't remember exactly why I needed to drop the storage driver load; I think
the local storage driver it started di
FYI after some debugging I was chatting with libvirt upstream and
setting up a new storage context inside virt-aa-helper really won't work
architecturally.
But I've found as part of the same discussion that there is a chance we
can move the profile load a bit back until after
qemuProcessPrepareDom
Iterating over the usual disks into the pools.
(gdb) p *disk->src->srcpool
$9 = {pool = 0x565040c0a590 "internal", volume = 0x565040c09ad0 "foo", voltype
= 0, pooltype = 0, actualtype = 0, mode = 0}
(gdb) p *disk->src->srcpool
$11 = {pool = 0x565040c093d0 "testvg", volume = 0x565040c09650 "guest1"
I was giving this a try
PPA:
https://launchpad.net/~paelzer/+archive/ubuntu/lp-1677398-pool-experiment-groovy
Changes:
- Add a silly sleep to catch it in flight more easily
- add the core element of the patch around virDomainDiskTranslateSourcePool
- build without optimization
- install related de
Indeed the read to /etc/libvirt/libvirt.conf is from the call to
virDomainDiskTranslateSourcePool as I have assumed above.
[ 628.266012] audit: type=1400 audit(1590487555.258:74):
apparmor="DENIED" operation="open" profile="virt-aa-helper"
name="/etc/libvirt/libvirt.conf" pid=3683 comm="virt-aa-h
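Several comments in this thread ask for or quote the DENIED lines from dmesg or auditd, and the path in each record is exactly what the generated profiles are missing. The functions below are an added example, not code from the thread or from libvirt: they pull the profile, operation, path and requested mask out of such records and reduce them to the distinct profile/path pairs for virt-aa-helper and the per-guest libvirt-<uuid> profiles. The sample lines in the usage note and test are constructed to match the shape of the record quoted above.

```shell
# Added example, not from the bug thread: triage AppArmor DENIED records from
# dmesg or auditd for the libvirt profiles.

# Read audit/dmesg text on stdin; emit one tab-separated record per DENIED
# line: profile, operation, path, requested_mask. Records without a name=
# field (signal or network denials, for instance) are skipped.
aa_denied_records() {
    awk '
        function field(line, key,   re) {
            re = " " key "=\"[^\"]*\""
            if (match(line, re))
                return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
            return ""
        }
        /apparmor="DENIED"/ {
            path = field($0, "name")
            if (path == "") next
            print field($0, "profile") "\t" field($0, "operation") "\t" path "\t" field($0, "requested_mask")
        }'
}

# Keep only the helper and per-guest profiles, one line per distinct
# profile/path pair, so the output reads as the list of missing paths.
aa_libvirt_denials() {
    aa_denied_records | awk -F "$(printf '\t')" '$1 == "virt-aa-helper" || $1 ~ /^libvirt-/' | sort -u
}
```

Typical use is `dmesg | aa_libvirt_denials` (or `journalctl -k | aa_libvirt_denials`) right after a failed `virsh start`. A path reported for `virt-aa-helper` needs read access in that profile's override; a path reported for a `libvirt-<uuid>` profile with mask `wr` is an image the guest itself cannot open, which is the pool-translation gap this bug is about. The mask column uses AppArmor's own letters, so it maps directly onto the permissions of the rule you would add.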
** Description changed:
Apparmor prevents qemu-kvm guests from using ZFS volumes.
[Impact]
* storage pools are not usable.
- Examples with zfs and LVM pools
+ Examples with zfs and LVM pools
[Test Case 1]
# Prep ZFS
1) Create a zpool
- $ for i in $(seq 1 3); do dd if=/dev/ze
FYI - dir based pools already work if they are in a common and expected path
like seen in
/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper
@{HOME}/ r,
@{HOME}/** r,
/var/lib/libvirt/images/ r,
/var/lib/libvirt/images/** r,
# nova base images (LP: #907269)
/var/lib/nova/images/** r,
/v
Hi Garry,
why thanks for the patch - I was missing that update earlier in the year and
beg your pardon.
#1
Why did you drop the "load the storage driver so that backing store can be
accessed" section - that will continue to be needed at least for other storage
types so I wonder why this was dro
I have subscribed Garry to increase the chance that he sees and replies
to my questions.
The attachment "virt-aa-helper-support-pools.patch" seems to be a patch.
If it isn't, please remove the "patch" flag from the attachment, remove
the "patch" tag, and if you are a member of the ~ubuntu-reviewers,
unsubscribe the team.
[This is an automated message performed by a Launchpad user owne
I've written a quick patch that seems to fix the storage pool side of
this issue, at least for dir/fs like pool types. It does connect to the
libvirtd socket; I saw that there was some concern with that approach
earlier, but this solution didn't require any changes to virt-aa-
helper's calling conv
Hi Nicolas,
yeah that isn't easy to fix and at least I didn't find the time to develop
something completely new to cover this yet.
I challenge the statement "Even the default storage pool
/var/lib/libvirt/images is not working", it does and it does well.
And for things that are under the control
The linked/original bug is quite old. It doesn't look like there is a quick
solution.
Looks like many people have that issue now with the terraform libvirt provider.
Even the default storage pool /var/lib/libvirt/images is not working.
audit: type=1400 audit(1553443109.481:44): apparmor="DENIED"
opera
Up, causing issues with terraform libvirt provider :/
Hi Ultrabit, can you please include the DENIED lines from your dmesg or
auditd logs?
Thanks
I have the same problem using raw lvm logical volumes as disk on Ubuntu 18.04.
When I try to start a VM with virt-manager, qemu says Permission denied on
device.
The LVM uses device mapper to map the logical volumes, so I need to
handle devices like
brw-rw 1 libvirt-qemu kvm 253, 4 mar 17 1
** Tags added: libvirt-apparmor-dev
TODO: retest these with the domain label callbacks implemented, maybe
some of the devices/images might trigger that
Cases of vfio devices for hostdevs fall into the same scope of required "out of
context information".
Those work fine if defined in the guest or added to the guest.
But if only referred by an interface like:
And the definition being external like:
pf-et0p0
I found that bug 1343245 is about the same general issue.
The descriptions in there were great, but since I started to document the debug
and potential coding and more here I dupp'ed it onto here.
The thoughts there also already were around "how to get the translation done".
I changed title and d
** Changed in: libvirt (Ubuntu)
Importance: Undecided => Medium
** Summary changed:
- Apparmor prevents using ZFS storage pools
+ Apparmor prevents using storage pools