------- Comment From balamuruh...@in.ibm.com 2018-02-19 03:35 EDT-------
> Get me right I use virsh save/restore on a regular base and it works in the
> paths that are open by default,
> which are the places the images usually are
> from like /var/lib/libvirt/images/.
> If that does not work that might be a modified apparmor rule, but for that
> I'd need to know way more
> about the case and see if it is actually a bug or really just using an
> uncommon dir.

Even with uncommon dir, the denial should be consistent if the path used by the user is not permitted then apparmor should block/deny when virsh save is performed and not during the virsh restore.

Observation in Ubuntu 16.04.3,

# virsh save virt-tests-vm1 /var/tmp/virt-tests-vm1.save

Domain virt-tests-vm1 saved to /var/tmp/virt-tests-vm1.save

By default virsh restore fails with same error,

# virsh restore /var/tmp/virt-tests-vm1.save
error: Failed to restore domain from /var/tmp/virt-tests-vm1.save
error: operation failed: job: unexpectedly failed

But as suggested by paelzer,
> If you want to look into potential config issues, remove the silent denies to
> /var and /var temp
> at the end of "/etc/apparmor.d/abstractions/libvirt-qemu".
> Then run your case again, report back

with commenting denials,

# silence spurious denials (see lp#1403648)
deny /tmp/{,**} r,
# deny /var/tmp/{,**} r,

restart libvirtd

# virsh restore /var/tmp/virt-tests-vm1.save
error: Failed to restore domain from /var/tmp/virt-tests-vm1.save
error: internal error: Process exited prior to exec: libvirt: error : unable to set AppArmor profile 'libvirt-81b387d9-1dfc-4f55-8b98-0318f1f94442' for '/usr/bin/kvm': No such file or directory

But file exists,

# file /var/tmp/virt-tests-vm1.save
/var/tmp/virt-tests-vm1.save: Libvirt QEMU Suspend Image, version 2, XML length 1970, running

dmesg:
[Mon Feb 19 03:19:16 2018] virbr0: port 2(vnet0) entered blocking state
[Mon Feb 19 03:19:16 2018] virbr0: port 2(vnet0) entered disabled state
[Mon Feb 19 03:19:16 2018] device vnet0 entered promiscuous mode
[Mon Feb 19 03:19:16 2018] virbr0: port 2(vnet0) entered blocking state
[Mon Feb 19 03:19:16 2018] virbr0: port 2(vnet0) entered listening state
[Mon Feb 19 03:19:16 2018] audit: type=1400 audit(1519028363.683:12417): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/sbin/libvirtd" name="libvirt-81b387d9-1dfc-4f55-8b98-0318f1f94442" pid=12949 comm="libvirtd"
[Mon Feb 19 03:19:16 2018] virbr0: port 2(vnet0) entered disabled state
[Mon Feb 19 03:19:16 2018] device vnet0 left promiscuous mode
[Mon Feb 19 03:19:16 2018] virbr0: port 2(vnet0) entered disabled state

Attaching full dmesg with this bugzilla

Environment:

Kernel
# uname -a
Linux ltc-test-ci1 4.13.0-35-generic #39~16.04.1-Ubuntu SMP Mon Feb 12 15:01:58 UTC 2018 ppc64le ppc64le ppc64le GNU/Linux

Libvirt
# dpkg -l | grep libvirt
ii  libvirt-bin          1.3.1-1ubuntu10.18  ppc64el  programs for the libvirt library
ii  libvirt-dev:ppc64el  1.3.1-1ubuntu10.18  ppc64el  development files for the libvirt library
ii  libvirt0:ppc64el     1.3.1-1ubuntu10.18  ppc64el  library for interfacing with different virtualization systems
ii  python-libvirt       1.3.1-1ubuntu1.1    ppc64el  libvirt Python bindings

Qemu
# dpkg -l | grep qemu
ii  ipxe-qemu                 1.0.0+git-20150424.a25a16d-1ubuntu1.2  all      PXE boot firmware - ROM images for qemu
ii  qemu-block-extra:ppc64el  1:2.5+dfsg-5ubuntu10.21                ppc64el  extra block backend modules for qemu-system and qemu-utils
ii  qemu-kvm                  1:2.5+dfsg-5ubuntu10.21                ppc64el  QEMU Full virtualization
ii  qemu-slof                 20151103+dfsg-1ubuntu1.1               all      Slimline Open Firmware -- QEMU PowerPC version
ii  qemu-system-common        1:2.5+dfsg-5ubuntu10.21                ppc64el  QEMU full system emulation binaries (common files)
ii  qemu-system-ppc           1:2.5+dfsg-5ubuntu10.21                ppc64el  QEMU full system emulation binaries (ppc)
ii  qemu-utils                1:2.5+dfsg-5ubuntu10.21                ppc64el  QEMU utilities

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1719579

Title:
  [Ubuntu 18.04] [libvirt] virsh restore fails from state file saved in /var/tmp folder using virsh save

Status in The Ubuntu-power-systems project:
  Fix Released
Status in apparmor package in Ubuntu:
  Invalid
Status in libvirt package in Ubuntu:
  Fix Released

Bug description:
  == Comment: #1 - SEETEENA THOUFEEK <sthou...@in.ibm.com> - 2017-01-17 00:09:16 ==
  Bala,

  Please mail me the machine information.

  == Comment: #3 - SEETEENA THOUFEEK <sthou...@in.ibm.com> - 2017-01-17 02:14:06 ==
  2017-01-16 12:09:37.707+0000: 7024: info : virSecurityDACRestoreFileLabelInternal:388 : Restoring DAC user and group on '/var/tmp/bala'
  2017-01-16 12:09:37.707+0000: 7024: info : virSecurityDACSetOwnershipInternal:290 : Setting DAC user and group on '/var/tmp/bala' to '0:0'
  2017-01-16 12:09:37.707+0000: 7024: warning : qemuDomainSaveImageStartVM:6750 : failed to restore save state label on /var/tmp/bala
  2017-01-16 12:09:37.707+0000: 7024: info : virObjectUnref:259 : OBJECT_UNREF: obj=0x3fff4ca62b00
  2017-01-16 12:09:37.707+0000: 7024: debug : qemuDomainObjEndAsyncJob:1848 : Stopping async job: start (vm=0x3fff4ca535c0 name=virt-tests-vm1-bala)
  2017-01-16 12:09:37.707+0000: 7024: info : virObjectRef:296 : OBJECT_REF: obj=0x3fff4ca62b00
  2017-01-16 12:09:37.707+0000: 7024: info : virObjectUnref:259 : OBJECT_UNREF: obj=0x3fff4ca62b00
  2017-01-16 12:09:37.707+0000: 7024: info : virObjectUnref:259 : OBJECT_UNREF: obj=0x3fff4ca535c0
  2017-01-16 12:09:37.707+0000: 7024: debug : virThreadJobClear:121 : Thread 7024 (virNetServerHandleJob) finished job remoteDispatchDomainRestore with ret=-1
  2017-01-16 12:09:37.707+0000: 7024: info : virObjectUnref:259 : OBJECT_UNREF: obj=0x3fff7c002c10
  2017-01-16 12:09:37.707+0000: 7024: debug : virNetServerProgramSendError:153 : prog=536903814 ver=1 proc=54 type=1 serial=4 msg=0x100133d2590 rerr=0x3fffa59be3c0
  2017-01-16 12:09:37.707+0000: 7024: debug : virNetMessageEncodePayload:376 : Encode length as 172
  2017-01-16 12:09:37.707+0000: 7024: debug : virNetServerClientSendMessageLocked:1399 : msg=0x100133d2590 proc=54 len=172 offset=0
  2017-01-16 12:09:37.707+0000: 7024: info : virNetServerClientSendMessageLocked:1407 : RPC_SERVER_CLIENT_MSG_TX_QUEUE: client=0x100133d23c0 len=172 prog=536903814 vers=1 proc=54 type=1 status=1 serial=4
  2017-01-16 12:09:37.707+0000: 7024: debug : virNetServerClientCalculateHandleMode:157 : tls=(nil) hs=-1, rx=0x100133d0670 tx=0x100133d2590
  2017-01-16 12:09:37.707+0000: 7024: debug : virNetServerClientCalculateHandleMode:192 : mode=3
  2017-01-16 12:09:37.707+0000: 7024: info : virEventPollUpdateHandle:152 : EVENT_POLL_UPDATE_HANDLE: watch=417 events=3
  2017-01-16 12:09:37.707+0000: 7024: debug : virEventPollInterruptLocked:727 : Interrupting
  2017-01-16 12:09:37.707+0000: 7024: info : virObjectUnref:259 : OBJECT_UNREF: obj=0x3fff7c002c10
  2017-01-16 12:09:37.707+0000: 7024: info : virObjectUnref:259 : OBJECT_UNREF: obj=0x100133caea0
  2017-01-16 12:09:37.707+0000: 7024: info : virObjectUnref:259 : OBJECT_UNREF: obj=0x100133d23c0
  .
  2017-01-16 12:14:28.445+0000: 7019: info : qemuMonitorJSONIOProcessLine:201 : QEMU_MONITOR_RECV_EVENT: mon=0x3fff94004d90 event={"timestamp": {"seconds": 1484568868, "microseconds": 444620}, "event": "MIGRATION", "data": {"status": "failed"}}
  2017-01-16 12:14:28.445+0000: 7019: debug : qemuMonitorJSONIOProcessEvent:147 : mon=0x3fff94004d90 obj=0x100133b5670
  2017-01-16 12:14:28.445+0000: 7019: debug : virJSONValueToString:1762 : object=0x100133a8000
  2017-01-16 12:14:28.445+0000: 7019: debug : virJSONValueToStringOne:1691 : object=0x100133a8000 type=0 gen=0x100133d1160
  2017-01-16 12:14:28.445+0000: 7019: debug : virJSONValueToStringOne:1691 : object=0x100133d2a80 type=2 gen=0x100133d1160
  2017-01-16 12:14:28.445+0000: 7019: debug : virJSONValueToString:1795 : result={"status":"failed"}
  2017-01-16 12:14:28.445+0000: 7019: debug : qemuMonitorEmitEvent:1218 : mon=0x3fff94004d90 event=MIGRATION
  2017-01-16 12:14:28.445+0000: 7019: info : virObjectRef:296 : OBJECT_REF: obj=0x3fff94004d90
  2017-01-16 12:14:28.445+0000: 7019: debug : qemuProcessHandleEvent:629 : vm=0x3fff4ca535c0
  2017-01-16 12:14:28.445+0000: 7019: info : virObjectNew:202 : OBJECT_NEW: obj=0x100133d2870 classname=virDomainQemuMonitorEvent
  2017-01-16 12:14:28.445+0000: 7019: debug : virObjectEventNew:645 : obj=0x100133d2870
  2017-01-16 12:14:28.445+0000: 7019: info : virObjectUnref:259 : OBJECT_UNREF: obj=0x100133d2870
  2017-01-16 12:14:28.445+0000: 7019: info : virObjectUnref:261 : OBJECT_DISPOSE: obj=0x100133d2870
  2017-01-16 12:14:28.445+0000: 7019: debug : virDomainQemuMonitorEventDispose:477 : obj=0x100133d2870
  2017-01-16 12:14:28.445+0000: 7019: debug : virObjectEventDispose:121 : obj=0x100133d2870
  2017-01-16 12:14:28.445+0000: 7019: info : virObjectUnref:259 : OBJECT_UNREF: obj=0x3fff94004d90
  2017-01-16 12:14:28.445+0000: 7019: debug : qemuMonitorJSONIOProcessEvent:172 : handle MIGRATION handler=0x3fff9d7247e0 data=0x100133a8000
  2017-01-16 12:14:28.445+0000: 7019: debug : qemuMonitorEmitMigrationStatus:1488 : mon=0x3fff94004d90, status=failed
  2017-01-16 12:14:28.445+0000: 7019: info : virObjectRef:296 : OBJECT_REF: obj=0x3fff94004d90
  2017-01-16 12:14:28.445+0000: 7019: debug : qemuProcessHandleMigrationStatus:1502 : Migration of domain 0x3fff4ca535c0 virt-tests-vm1-bala changed state to failed
  2017-01-16 12:14:28.445+0000: 7019: info : virObjectUnref:259 : OBJECT_UNREF: obj=0x3fff94004d90
  2017-01-16 12:14:28.445+0000: 7019: debug : qemuMonitorJSONIOProcess:255 : Total used 232 bytes out of 232 available in buffer
  2017-01-16 12:14:28.445+0000: 7019: info : virEventPollUpdateHandle:152 : EVENT_POLL_UPDATE_HANDLE: watch=430 events=13
  2017-01-16 12:14:28.445+0000: 7023: error : qemuMigrationCheckJobStatus:2641 : operation failed: job: unexpectedly failed

  this is an apparmor issue and there is no libvirt bug here.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1719579/+subscriptions
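
An added triage example (not part of the original report, nor libvirt or AppArmor code): it parses AppArmor audit records like the one in the dmesg output above and separates a `change_profile` failure with `error=-2` (ENOENT: the target profile is not loaded in the kernel, which libvirt surfaces as "No such file or directory") from an ordinary file-access denial. The sample log embeds the record from the report plus one constructed file denial for contrast; the function names are hypothetical.

```python
import re

# Sample input: line 2 is the audit record quoted in the report; line 3 is a
# CONSTRUCTED file-access denial (profile, path and pid are made up).
SAMPLE_DMESG = '''\
[Mon Feb 19 03:19:16 2018] virbr0: port 2(vnet0) entered listening state
[Mon Feb 19 03:19:16 2018] audit: type=1400 audit(1519028363.683:12417): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/sbin/libvirtd" name="libvirt-81b387d9-1dfc-4f55-8b98-0318f1f94442" pid=12949 comm="libvirtd"
[Mon Feb 19 03:20:01 2018] audit: type=1400 audit(1519028401.100:12420): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" name="/var/tmp/example.save" pid=13000 comm="qemu-system-ppc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_apparmor(line):
    """Return the key/value fields of an AppArmor audit line, else None."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def classify(fields):
    """Name the failure mode so the right component gets investigated."""
    if fields.get("apparmor") != "DENIED":
        return "not-a-denial"
    # -2 is -ENOENT: the profile named in name= could not be found/loaded.
    if fields.get("operation") == "change_profile" and fields.get("error") == "-2":
        return "target-profile-not-loaded"
    # File rules carry requested_mask/denied_mask; name= is the path.
    if "denied_mask" in fields:
        return "file-access-denied"
    return "other-denial"


def triage(text):
    """Yield (verdict, confining profile, object name) per AppArmor record."""
    results = []
    for line in text.splitlines():
        fields = parse_apparmor(line)
        if fields is not None:
            results.append((classify(fields), fields.get("profile"), fields.get("name")))
    return results


if __name__ == "__main__":
    for verdict, profile, name in triage(SAMPLE_DMESG):
        print(f"{verdict:28} profile={profile} name={name}")
```

Explicit `deny` rules such as the ones in `abstractions/libvirt-qemu` produce no audit record at all, so an empty result from this triage does not rule out a denial.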