Hi Chris nice to hear from you again,
very interesting but not related to bug 1546674 IMHO (other than being a 
virt-aa-helper AA violation as well).

I checked the logs and found that ALL Denies follow this pattern
 operation="open"
 profile="virt-aa-helper"
 name="/var/lib/virt/images/<Guest-UUID>"
 comm="virt-aa-helper"
 requested_mask="r"

It is normal (and correct) that virt-aa-helper tries to read the disks 
specified in a guest definition. This is needed to read the full backing chain 
e.g. if a qcow2 image refers to a backing image in just another path. The guest 
might work with that failing, but it really is recommended to either
a) stick to the recommended default paths
or
b) add local overrides to support the custom paths
See [1] for more on that.

So much for what it looks like and some general background.
Now let's check if that holds true for this case.
You are running on Bionic as it seems in the logs, there 
/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper expects images to be in one of 
those paths:
  @{HOME}/ r,
  @{HOME}/** r,
  /var/lib/libvirt/images/ r,
  /var/lib/libvirt/images/** r,
  # nova base images (LP: #907269)
  /var/lib/nova/images/** r,
  /var/lib/nova/instances/_base/** r,
  # nova snapshots (LP: #1244694)
  /var/lib/nova/instances/snapshots/** r,
  # nova base/snapshot files in snapped nova (LP: #1644507)
  /var/snap/nova-hypervisor/common/instances/_base/** r,
  /var/snap/nova-hypervisor/common/instances/snapshots/** r,
  # eucalyptus (LP: #564914)
  /var/lib/eucalyptus/instances/**/disk* r,
  # eucalyptus loader (LP: #637544)
  /var/lib/eucalyptus/instances/**/loader* r,
  # for uvtool
  /var/lib/uvtool/libvirt/images/** r,
  # for multipass
  /var/snap/multipass/common/data/multipassd/vault/instances/** r,
  /{media,mnt,opt,srv}/** r,
  # For virt-sandbox
  /{,var/}run/libvirt/**/[sv]d[a-z] r,

Yep, your configuration (for whatever reason) uses an uncommon path being
  /var/lib/virt/images/

So you either have to:
a) fix who-/whatever is driving the setup to that path to use one of the common 
paths
or
b) make these paths be allowed in the local override:
  printf "/var/lib/virt/images/ r,\n/var/lib/virt/images/** r,\n" | sudo tee -a /etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper

As it seems to me atm this is not a bug in the packages in Ubuntu but in the 
setup.
I hope this helped you to track where to fix it for real, but for libvirt as a 
package I'll mark the bug invalid.

cu in CPT I guess :-)

[1]: https://wiki.ubuntu.com/LibvirtApparmor#Using_uncommon_paths

** Changed in: libvirt (Ubuntu)
       Status: New => Invalid

https://bugs.launchpad.net/bugs/1803742

Title:
  [Bionic] apparmor="DENIED" operation="open" profile="virt-aa-helper"
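
The triage done by hand in the comment above (collect the virt-aa-helper read denials, compare the paths with the stock profile, derive local override rules) can be scripted. The following is an added example, not part of the original message or of libvirt; the log lines are constructed, only a subset of the quoted profile rules is included, and the glob matcher is a simplified approximation of AppArmor's matching.

```python
import posixpath
import re

# Subset of the read rules quoted from the Bionic virt-aa-helper profile
# (@{HOME} and character-class rules are left out to keep the matcher small).
STOCK_RULES = [
    "/var/lib/libvirt/images/**",
    "/var/lib/nova/images/**",
    "/var/lib/uvtool/libvirt/images/**",
    "/{media,mnt,opt,srv}/**",
]

# Constructed sample log lines modelled on the denial pattern in the report.
SAMPLE_LOG = '''\
audit: type=1400 apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/var/lib/virt/images/guest-a.qcow2" comm="virt-aa-helper" requested_mask="r"
audit: type=1400 apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/var/lib/virt/images/guest-b.qcow2" comm="virt-aa-helper" requested_mask="r"
audit: type=1400 apparmor="DENIED" operation="open" profile="libvirtd" name="/etc/foo" comm="libvirtd" requested_mask="r"
audit: type=1400 apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/srv/vm/disk.img" comm="virt-aa-helper" requested_mask="r"
'''

def glob_to_regex(glob):
    """Approximate AppArmor globbing: '**' crosses '/', '*' does not, {a,b} alternates."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif glob[i] == "{":
            end = glob.index("}", i)
            alts = glob[i + 1:end].split(",")
            out, i = out + "(?:" + "|".join(map(re.escape, alts)) + ")", end + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out + r"\Z")

DENIAL = re.compile(r'apparmor="DENIED".*? profile="virt-aa-helper".*? name="([^"]+)".*? requested_mask="r"')

def suggest_overrides(log_text, allowed=STOCK_RULES):
    """Return local-override read rules for denied directories the profile does not cover."""
    matchers = [glob_to_regex(g) for g in allowed]
    dirs = set()
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if m and not any(rx.match(m.group(1)) for rx in matchers):
            dirs.add(posixpath.dirname(m.group(1)))
    return [rule for d in sorted(dirs) for rule in (f"{d}/ r,", f"{d}/** r,")]

if __name__ == "__main__":
    print("\n".join(suggest_overrides(SAMPLE_LOG)))
```

Review the suggested directories before appending them to the local override file, since every rule widens what virt-aa-helper is allowed to read.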