From the description of Dominque this seemed a common case, so I tried
with just qcow files and got it confirmed.

# Create basic guest (already has two disks)
uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=eoan
uvt-kvm create --password ubuntu eoan arch=amd64 release=eoan label=daily

# Add further disks for the test:
sudo qemu-img create -f qcow2 /var/lib/uvtool/libvirt/images/eoan-disk1.qcow 1G
sudo qemu-img create -f qcow2 /var/lib/uvtool/libvirt/images/eoan-disk2.qcow 1G
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/uvtool/libvirt/images/eoan-disk1.qcow'/>
      <target dev='vdc' bus='virtio'/>
    </disk>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/uvtool/libvirt/images/eoan-disk2.qcow'/>
      <target dev='vdd' bus='virtio'/>
    </disk>

The guest now looks like:
$ virsh domblklist eoan --details
 Type   Device   Target   Source
--------------------------------------------------------------------------
 file   disk     vda      /var/lib/uvtool/libvirt/images/eoan.qcow
 file   disk     vdb      /var/lib/uvtool/libvirt/images/eoan-ds.qcow
 file   disk     vdc      /var/lib/uvtool/libvirt/images/eoan-disk1.qcow
 file   disk     vdd      /var/lib/uvtool/libvirt/images/eoan-disk2.qcow

Snapshot of single disk works:
$ virsh snapshot-create-as --domain eoan --disk-only --atomic \
    --diskspec vda,snapshot=no \
    --diskspec vdb,snapshot=no \
    --diskspec vdc,file=/var/lib/libvirt/images/eoan-disk1.snapshot1.qcow,snapshot=external \
    --diskspec vdd,snapshot=no

The apparmor profile got the snapshot added as expected:
cat /etc/apparmor.d/libvirt/libvirt-72b929d2-389d-4c60-9f3b-4c3a8a98b4b0.files
...
  "/var/lib/libvirt/images/eoan-disk1.snapshot1.qcow" rwk,


Snapshot of multiple disks fails:
$ virsh snapshot-create-as --domain eoan --disk-only --atomic \
    --diskspec vda,snapshot=no \
    --diskspec vdb,snapshot=no \
    --diskspec vdc,file=/var/lib/libvirt/images/eoan-disk1.snapshot1.qcow,snapshot=external \
    --diskspec vdd,file=/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow,snapshot=external
error: internal error: unable to execute QEMU command 'transaction': Could not create file: Permission denied

Neither of the two paths got added to the apparmor profile.

Alongside that we see the expected apparmor denials.
 apparmor="DENIED" operation="open" profile="libvirt-72b929d2-389d-4c60-9f3b-4c3a8a98b4b0" name="/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow" pid=23603 comm="qemu-system-x86" requested_mask="wrc" denied_mask="wrc" fsuid=64055 ouid=64055

This proves the report.
I'll be out for a while after today, but I agree that we need to sort out what
is missing in this case.
In the single snapshot case I've seen virt-aa-helper called to add a line; it
needs debugging where this fails with more than one snapshot target.

Until then one might, as a workaround, try to snapshot each of the disks one
by one (therefore only medium).

** Changed in: libvirt (Ubuntu)
       Status: Incomplete => Triaged

** Changed in: libvirt (Ubuntu)
   Importance: Undecided => Medium

https://bugs.launchpad.net/bugs/1845506

Title:
  Libvirt snapshot doesn't update apparmor profile
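
Added example, not part of the original bug comment and not libvirt's own code: a small Python check that cross-references AppArmor denials for a guest's libvirt profile against the rules in its .files fragment and lists the denied paths that have no rule. The sample log lines and rules are constructed in the format quoted in the comment; only literal quoted paths are matched (no glob handling), which is an assumption of this sketch.

```python
import re

PROFILE = "libvirt-72b929d2-389d-4c60-9f3b-4c3a8a98b4b0"
IMG = "/var/lib/libvirt/images"

def _denial(profile, name):
    """Build a constructed log line in the format quoted in the comment."""
    return (f'apparmor="DENIED" operation="open" profile="{profile}" '
            f'name="{name}" pid=23603 comm="qemu-system-x86" '
            f'requested_mask="wrc" denied_mask="wrc" fsuid=64055 ouid=64055')

# Constructed sample input (not captured from a real host).
SAMPLE_LOG = "\n".join([
    _denial(PROFILE, f"{IMG}/eoan-disk1.snapshot1.qcow"),
    _denial(PROFILE, f"{IMG}/eoan-disk2.snapshot1.qcow"),
    _denial("some-other-profile", "/tmp/unrelated"),
])
SAMPLE_FILES = '''
  "/var/lib/uvtool/libvirt/images/eoan.qcow" rwk,
  "/var/lib/uvtool/libvirt/images/eoan-disk1.qcow" rwk,
  "/var/lib/uvtool/libvirt/images/eoan-disk2.qcow" rwk,
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')      # key="quoted" or key=bare
RULE = re.compile(r'^[ \t]*"([^"]+)"[ \t]+\w+,[ \t]*$', re.M)

def parse_denials(log_text, profile):
    """Return (path, denied_mask) for each DENIED event of the given profile."""
    events = []
    for line in log_text.splitlines():
        f = {k: q or b for k, q, b in KV.findall(line)}
        if f.get("apparmor") == "DENIED" and f.get("profile") == profile and "name" in f:
            events.append((f["name"], f.get("denied_mask", "")))
    return events

def profile_paths(files_text):
    """Literal paths that have a rule in the per-guest .files fragment."""
    return set(RULE.findall(files_text))

def missing_rules(log_text, files_text, profile):
    """Denied paths with no rule at all: candidates virt-aa-helper did not add."""
    allowed = profile_paths(files_text)
    return sorted({p for p, _ in parse_denials(log_text, profile)} - allowed)

if __name__ == "__main__":
    for path in missing_rules(SAMPLE_LOG, SAMPLE_FILES, PROFILE):
        print("no rule for", path)
```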
