/etc/apparmor.d/abstractions/libvirt-qemu is shipped by
libvirt-daemon-system, reassigning. I can reproduce this, and I'll attempt
to work on a fix. I'll update the Debian bug as well.

Complete copy&paste-able reproducer:

virt-install --connect qemu:///system --quiet --os-variant fedora28 --memory 128 --name test --wait -1 --disk size=0.125,format=qcow2 --graphics vnc,listen=127.0.0.1 --graphics spice,listen=127.0.0.1 --print-xml 1 | sed "s/<os/& firmware='efi'/" > /tmp/test1.xml
virsh define /tmp/test1.xml
touch /var/lib/libvirt/novell.iso
virt-install --connect qemu:///system --reinstall test --wait -1 --noautoconsole --cdrom /var/lib/libvirt/novell.iso --autostart


** Package changed: apparmor (Ubuntu) => libvirt (Ubuntu)

** Changed in: libvirt (Ubuntu)
       Status: New => Triaged

** Changed in: libvirt (Ubuntu)
     Assignee: (unassigned) => Martin Pitt (pitti)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1962035

Title:
  apparmor blocks VM installation when automatic UEFI firmware is set

Status in libvirt package in Ubuntu:
  Triaged
Status in apparmor package in Debian:
  New

Bug description:
  # lsb_release -rd
  Description:  Ubuntu 21.10
  Release:      21.10

  Package: apparmor
  Version: 3.0.3-0ubuntu1

  Package: virtinst
  Version: 1:3.2.0-3

  When trying to re-install an existing VM with uefi boot set up using the
  recently introduced `--reinstall` option apparmor makes the installation
  fail with the following error:

  Could not open '/var/lib/libvirt/qemu/nvram/test_VARS.fd': Permission denied

  Steps to reproduce:

  Create a VM:

  root@ubuntu:~# virt-install --connect qemu:///system --quiet --os-variant fedora28 --memory 1024 --name test --wait -1 --disk size=1,format=qcow2 --print-xml 1 > /tmp/test1.xml

  Edit the VM configuration to enable automatic UEFI boot by changing the
  <os> element as follows:

  - <os>

  + <os firmware='efi'>

  
  Define the VM:

  root@ubuntu:~# virsh define /tmp/test1.xml

  Start VM installation:

  root@ubuntu:~# virt-install --connect qemu:///system --reinstall test --wait -1 --noautoconsole --cdrom /var/lib/libvirt/novell.iso --autostart
  WARNING  No operating system detected, VM performance may suffer. Specify an OS with --os-variant for optimal results.

  Starting install...
  ERROR    internal error: process exited while connecting to monitor: 2022-02-23T18:56:54.738510Z qemu-system-x86_64: -blockdev {"driver":"file","filename":"/var/lib/libvirt/qemu/nvram/test_VARS.fd","node-name":"libvirt-pflash1-storage","auto-read-only":true,"discard":"unmap"}: Could not open '/var/lib/libvirt/qemu/nvram/test_VARS.fd': Permission denied
  Domain installation does not appear to have been successful.
  If it was, you can restart your domain by running:
    virsh --connect qemu:///system start test
  otherwise, please restart your installation.

  
  Expected behavior:

  VM installation will start without apparmor error.

  Actual behavior:

  The above denial happens:

  Feb 23 18:56:54 ubuntu audit[4420]: AVC apparmor="DENIED" operation="open" profile="libvirt-bdd92fa6-6030-4980-951c-2a52ec7e406c" name="/var/lib/libvirt/qemu/nvram/test_VARS.fd" pid=4420 comm="qemu-system-x86" requested_mask="r" denied_m>

  and stops the installation.
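
A triage helper for denial records like the one quoted above, as an added example that is not part of the bug report and not libvirt or AppArmor code: it parses AppArmor `DENIED` audit lines, tolerates a record cut off mid-field (the `denied_m>` above), and groups denied paths and access masks per profile. The second and third sample lines, the function names, and treating a trailing `>` as a cut-off marker are assumptions.

```python
import re
from collections import defaultdict

# Sample input: line 1 is the denial quoted in the report, still cut off at
# "denied_m>"; lines 2 and 3 are constructed for comparison (a complete
# record and an unrelated message).
SAMPLE = '''\
Feb 23 18:56:54 ubuntu audit[4420]: AVC apparmor="DENIED" operation="open" profile="libvirt-bdd92fa6-6030-4980-951c-2a52ec7e406c" name="/var/lib/libvirt/qemu/nvram/test_VARS.fd" pid=4420 comm="qemu-system-x86" requested_mask="r" denied_m>
Feb 23 18:57:10 ubuntu audit[4500]: AVC apparmor="DENIED" operation="open" profile="libvirt-bdd92fa6-6030-4980-951c-2a52ec7e406c" name="/var/lib/libvirt/qemu/nvram/test_VARS.fd" pid=4500 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr"
Feb 23 18:57:11 ubuntu kernel: unrelated message
'''

# key="quoted value" or key=bare. A value must be complete to match, so a
# field cut short by truncation is dropped instead of being half-parsed.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s">]+))(?=\s|$)')

def parse_denial(line):
    """Return the fields of one AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {m[1]: m[2] if m[2] is not None else m[3] for m in FIELD.finditer(line)}
    # Assumption: a trailing ">" means the log viewer chopped the line.
    fields["truncated"] = line.rstrip().endswith(">")
    return fields

def summarize(text):
    """Map (profile, path) -> {'mask': str, 'incomplete': bool}."""
    out = defaultdict(lambda: {"mask": set(), "incomplete": False})
    for line in text.splitlines():
        d = parse_denial(line)
        if d is None or "profile" not in d or "name" not in d:
            continue
        entry = out[(d["profile"], d["name"])]
        # denied_mask is what the kernel refused; fall back to
        # requested_mask when the record was cut before that field.
        entry["mask"].update(d.get("denied_mask") or d.get("requested_mask", ""))
        entry["incomplete"] |= d["truncated"]
    return {k: {"mask": "".join(sorted(v["mask"])), "incomplete": v["incomplete"]} for k, v in out.items()}

if __name__ == "__main__":
    for (profile, path), info in summarize(SAMPLE).items():
        print(profile, path, info)
```

An `incomplete` result means at least one record was truncated, so the full line should be re-read from the journal before drawing conclusions about the denied mask.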
