I found that bug 1343245 is about the same general issue.
The descriptions in there were great, but since I started to document the
debugging, potential coding and more here, I duped it onto this bug.
The thoughts there also already were around "how to get the translation done".

I changed title and description here - especially of the testcase - to now 
cover both.
This shall show that it is a more general issue.

On the bug itself, I am still waiting for upstream feedback to my mail linked
in c#16.

** Description changed:

  Apparmor prevents qemu-kvm guests from using ZFS volumes.
  
  [Impact]
- * ZFS storage pools are not usable.
+ * storage pools are not usable.
+   Examples with zfs and LVM pools
  
- [Test Case]
- 0) Create a zpool (system specific so not documented here)
- 1) Create a ZFS storage pool (named like your zpool, "internal" here)
-   virsh pool-define-as internal zfs
-   virsh pool-start internal
- 2) Create a volume
-   virsh vol-create-as internal foo 2G
- 2) Create a KVM guest
- 4) Edit the guest's XML profile to use the ZFS volume (zvol)
+ [Test Case 1]
+ # Prep ZFS
+ 1) Create a zpool
+  $ for i in $(seq 1 3); do dd if=/dev/zero of=/tmp/fdisk${i} bs=1M 
count=1024; done
+  $ sudo zpool create internal /tmp/fdisk*
+ 2) Create a ZFS storage pool and volume (named like your zpool, "internal" 
here)
+   $ virsh pool-define-as internal zfs
+   $ virsh pool-start internal
+   $ virsh vol-create-as internal foo 2G
+ 
+ # prep LVM
+ 4) prepare a (fake) LVM
+   $ for i in $(seq 1 3); do dd if=/dev/zero of=/tmp/lvdisk${i} bs=1M 
count=1024; done
+   $ sync
+   $ DISKS=$(for i in $(seq 1 3); do sudo losetup -f show /tmp/lvdisk${i}; 
done)
+   $ sudo pvcreate --verbose $DISKS
+   $ sudo vgcreate --verbose testvg $DISKS
+ 5) Create LVM Pool and volume
+  $ virsh pool-define-as testvg logical
+  $ virsh pool-start testvg
+  $ virsh vol-create-as testvg guest1 2G
+ 
+ # Prep Guest and use Pools
+ 6) Create a KVM guest e.g. via uvtool
+  $ uvt-simplestreams-libvirt --verbose sync --source 
http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=xenial
+  $ ssh-keygen
+  $ uvt-kvm create --password=ubuntu testguest release=xenial arch=amd64 
label=daily
+ 7) Edit the guest's XML profile to use the ZFS and LVM volumes (zvol)
+     <disk type='volume' device='disk'>
+       <driver name='qemu' type='raw' cache='none'/>
+       <source pool='internal' volume='foo'/>
+       <target dev='vda' bus='virtio'/>
+     </disk>
      <disk type='volume' device='disk'>
-       <driver name='qemu' type='raw' cache='none'/>
-       <source pool='internal' volume='foo'/>
+       <driver name='qemu' type='raw'/>
+       <source pool='testvg' volume='guest1'/>
        <target dev='vda' bus='virtio'/>
      </disk>
- 5) Start the guest
+ 8) Start the guest
  
  The guest refuses to start:
  
-   # virsh start nms
-   error: Failed to start domain foo
-   error: internal error: process exited while connecting to monitor: 
2017-03-29T22:07:31.507017Z qemu-system-x86_64: -drive 
file=/dev/zvol/internal/foo,format=raw,if=none,id=drive-virtio-disk0,cache=none:
 Could not open '/dev/zvol/internal/foo': Permission denied
+   # virsh start nms
+   error: Failed to start domain foo
+   error: internal error: process exited while connecting to monitor: 
2017-03-29T22:07:31.507017Z qemu-system-x86_64: -drive 
file=/dev/zvol/internal/foo,format=raw,if=none,id=drive-virtio-disk0,cache=none:
 Could not open '/dev/zvol/internal/foo': Permission denied
  
  dmesg reveals the culprit:
  
  apparmor="DENIED" operation="open" 
profile="libvirt-988a8c25-5190-4762-8170-55dc75fc66ca" name="/dev/zd224" 
pid=23052 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=109 
ouid=109
  apparmor="DENIED" operation="open" 
profile="libvirt-988a8c25-5190-4762-8170-55dc75fc66ca" name="/dev/zd224" 
pid=23052 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=109 
ouid=109
  
  Checking /etc/apparmor.d/libvirt/libvirt-$UUID.files shows that no
  "/dev/zdXX" has been added.
  
- 
  [Additional info]
  
  # lsb_release -rd
  Description:  Ubuntu 16.04.2 LTS
  Release:      16.04
  
  # apt-cache policy libvirt-bin apparmor linux-image-generic
  libvirt-bin:
-   Installed: 1.3.1-1ubuntu10.8
-   Candidate: 1.3.1-1ubuntu10.8
-   Version table:
-  *** 1.3.1-1ubuntu10.8 500
-         500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 
Packages
-         100 /var/lib/dpkg/status
-      1.3.1-1ubuntu10 500
-         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
+   Installed: 1.3.1-1ubuntu10.8
+   Candidate: 1.3.1-1ubuntu10.8
+   Version table:
+  *** 1.3.1-1ubuntu10.8 500
+         500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 
Packages
+         100 /var/lib/dpkg/status
+      1.3.1-1ubuntu10 500
+         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  apparmor:
-   Installed: 2.10.95-0ubuntu2.5
-   Candidate: 2.10.95-0ubuntu2.5
-   Version table:
-  *** 2.10.95-0ubuntu2.5 500
-         500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 
Packages
-         100 /var/lib/dpkg/status
-      2.10.95-0ubuntu2 500
-         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
+   Installed: 2.10.95-0ubuntu2.5
+   Candidate: 2.10.95-0ubuntu2.5
+   Version table:
+  *** 2.10.95-0ubuntu2.5 500
+         500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 
Packages
+         100 /var/lib/dpkg/status
+      2.10.95-0ubuntu2 500
+         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  linux-image-generic:
-   Installed: 4.4.0.70.76
-   Candidate: 4.4.0.70.76
-   Version table:
-  *** 4.4.0.70.76 500
-         500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 
Packages
-         500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 
Packages
-         100 /var/lib/dpkg/status
-      4.4.0.21.22 500
-         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
+   Installed: 4.4.0.70.76
+   Candidate: 4.4.0.70.76
+   Version table:
+  *** 4.4.0.70.76 500
+         500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 
Packages
+         500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 
Packages
+         100 /var/lib/dpkg/status
+      4.4.0.21.22 500
+         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  
  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: libvirt-bin 1.3.1-1ubuntu10.8
  ProcVersionSignature: Ubuntu 4.4.0-70.91-generic 4.4.49
  Uname: Linux 4.4.0-70-generic x86_64
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  ApportVersion: 2.20.1-0ubuntu2.5
  Architecture: amd64
  Date: Wed Mar 29 17:48:06 2017
  SourcePackage: libvirt
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.default.libvirt-guests: [modified]
  modified.conffile..etc.libvirt.qemu.conf: [modified]
  modified.conffile..etc.libvirt.qemu.networks.default.xml: [modified]
  mtime.conffile..etc.default.libvirt-guests: 2016-08-29T21:09:57.632048
  mtime.conffile..etc.libvirt.qemu.conf: 2017-03-29T17:26:03.924234
  mtime.conffile..etc.libvirt.qemu.networks.default.xml: 
2016-04-23T19:24:13.505208
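
Review bot: In step 7 of the new test case both disk elements carry <target dev='vda' bus='virtio'/>, so a guest that attaches the ZFS volume and the LVM volume together has two disks claiming the same target; the testvg/guest1 disk should get its own target, for example vdb. In step 4 the loop device setup reads "losetup -f show /tmp/lvdisk${i}", but the option is spelled --show, and DISKS is what pvcreate and vgcreate depend on. The step numbers also jump from 2 to 4, and the expected failure output still only shows the ZFS path (/dev/zvol/internal/foo, /dev/zd224) under a "virsh start nms" command that reports "domain foo", so a matching denial for the LVM volume and a consistent guest name (the test case creates "testguest") would make the reworked description reproducible as written.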

https://bugs.launchpad.net/bugs/1677398

Title:
  Apparmor prevents using storage pools
