apparmor denies save and restore

Bug #457716 reported by Jamie Strandboge
30
This bug affects 3 people
Affects Status Importance Assigned to Milestone
libvirt (Fedora)
Fix Released
High
libvirt (Ubuntu)
Fix Released
High
Jamie Strandboge
Karmic
Fix Released
High
Jamie Strandboge
Lucid
Won't Fix
High
Jamie Strandboge
Maverick
Fix Released
High
Jamie Strandboge

Bug Description

The following no longer work:
$ virsh save <vm name> <state file>
$ virsh restart <state file>

The following fixes the problem, at least for saving somewhere in $HOME:
  # for save and resume
  #include <abstractions/private-files-strict>
  /bin/dash rmix,
  /bin/dd rmix,
  /bin/cat rmix,
  # 'owner' makes sure we don't overwrite the user's files (ie, if the file
  # exists, it must be owned by 'root')
  owner @{HOME}/ r,
  owner @{HOME}/** rw,

ProblemType: Bug
Architecture: amd64
Date: Wed Oct 21 18:00:31 2009
DistroRelease: Ubuntu 9.10
Package: libvirt-bin 0.7.0-1ubuntu12
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-14.48-generic
SourcePackage: libvirt
Uname: Linux 2.6.31-14-generic x86_64

Related branches

Revision history for this message
Jamie Strandboge (jdstrand) wrote :
Changed in libvirt (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
milestone: none → karmic-updates
status: New → Triaged
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This may be better:

  # for save and resume
  #include <abstractions/private-files-strict>
  /bin/dash rmix,
  /bin/dd rmix,
  /bin/cat rmix,
  # 'owner' makes sure we don't overwrite the user's files (ie, if the file
  # exists, it must be owned by 'root')
  owner @{HOME}/ r,
  owner @{HOME}/** rw,
  owner /var/tmp/** rw,
  owner /var/tmp/ rw,
  owner /tmp/** rw,
  owner /tmp/ rw,

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Err:
  # for save and resume
  #include <abstractions/private-files-strict>
  /bin/dash rmix,
  /bin/dd rmix,
  /bin/cat rmix,
  # 'owner' makes sure we don't overwrite the user's files (ie, if the file
  # exists, it must be owned by 'root')
  owner @{HOME}/ r,
  owner @{HOME}/** rw,
  owner /var/tmp/** rw,
  owner /var/tmp/ r,
  owner /tmp/** rw,
  owner /tmp/ r,

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This also affects the selinux svirt driver. According to upstream, the svirt driver needs to be modified to 'relabel' the specified state file. Until this is fixed upstream, we can temporarily work around this with documentation and profiling.

Changed in libvirt (Fedora):
status: Unknown → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I'll provide a workaround in an SRU after 9.10 release.

Changed in libvirt (Ubuntu):
status: Triaged → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

In retrospect, this loss of functionality is likely important to users and it would be best to get it in before release if possible. Subscribing ubuntu-release. The final workaround is a simple profile adjustment:
  # for save and resume
  /bin/dash rmix,
  /bin/dd rmix,
  /bin/cat rmix,

  # workaround https://launchpad.net/bugs/457716. The svirt driver does not
  # relabel the state file (https://bugzilla.redhat.com/show_bug.cgi?id=529363)
  # resulting in denied messages. The below works around this somewhat by
  # allowing users to save state files in their home directories. We use
  # 'owner' to make sure we don't overwrite the user's files. This will be
  # removed when the upstream bug is fixed.
  #include <abstractions/private-files-strict>
  owner @{HOME}/ r,
  owner @{HOME}/** rw,

Changed in libvirt (Ubuntu):
milestone: karmic-updates → ubuntu-9.10
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.7.0-1ubuntu13

---------------
libvirt (0.7.0-1ubuntu13) karmic; urgency=low

  * allow save/restore to work in $HOME. This is a workaround until upstream
    https://bugzilla.redhat.com/show_bug.cgi?id=529363 is fixed. (LP: #457716)
  * debian/libvirt-bin.cron.daily: don't comlain if no domain XML definitions
    or domain AppArmor profiles. Based on work by Loïc Minier. (LP: #457607)

 -- Jamie Strandboge <email address hidden> Fri, 23 Oct 2009 03:52:33 -0500

Changed in libvirt (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
In , IBM (ibm-redhat-bugs) wrote :

=Comment: #0=================================================
SANTWANA SAMANTRAY <email address hidden> -

virsh save of the kvm guest hangs in Fedora12 rawhide.
After this, virsh doesn't respond properly, and even restarting libvirtd doesn't help.

Attachment: dmesg and strace of virsh save

[root@mx3550 ~]# strace -o virsh_save -f virsh save rhel6 /home/latest_save
-------HANGS HERE-----------

uname -a :Linux mx3550.in.ibm.com 2.6.31.5-96.fc12.x86_64 #1 SMP Fri Oct 23 19:30:30 EDT 2009 x86_64
x86_64 x86_64 GNU/Linux

Below are the versions installed:
[root@mx3550 ~]# rpm -qa|grep libvirt
libvirt-client-0.7.1-13.fc12.x86_64
libvirt-debuginfo-0.7.1-13.fc12.x86_64
libvirt-devel-0.7.1-13.fc12.x86_64
libvirt-python-0.7.1-13.fc12.x86_64
libvirt-0.7.1-13.fc12.x86_64

[root@mx3550 ~]# rpm -qa|grep kvm
qemu-kvm-0.11.0-9.fc12.x86_64

=Comment: #1=================================================
ANOOP C. VIJAYAN <email address hidden> -
The save hangs because the qemu process is not able to write to the file which libvirtd created.
This happens because qemu-kvm runs with uid of qemu user whereas libvirtd runs as a root user.
Moreover libvirtd creates the save file with only owner (root) read & write permissions.

[root@mx3550 ~]# tail /var/log/libvirt/qemu/rhel6.log
LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin HOME=/root USER=root LOGNAME=root QEMU_AUDIO_DRV=none
/usr/bin/qemu-kvm -S -M pc-0.11 -m 500 -smp 1 -name rhel6 -uuid 47b90387-e42a-d493-f037-0425f580cb9d
-monitor unix:/var/lib/libvirt/qemu/rhel6.monitor,server,nowait -boot c -drive
file=/var/lib/libvirt/images/rhel6.raw,if=ide,index=0,boot=on,format=raw -drive
file=,if=ide,media=cdrom,index=2 -net nic,macaddr=52:54:00:39:3f:5c,vlan=0,name=nic.0 -net
tap,fd=17,vlan=0,name=tap.0 -serial pty -parallel none -usb -vnc 127.0.0.1:0 -vga cirrus
char device redirected to /dev/pts/1
sh: /home/newguest: Permission denied <=======

[root@mx3550 ~]# ls -l /home/newguest
-rw------- 1 root root 1468 2009-11-03 15:59 /home/newguest

[root@mx3550 ~]# ps -eaf|grep qemu
qemu 4616 1 71 15:56 ? 00:00:28 /usr/bin/qemu-kvm -S -M pc-0.11 -m 500 -smp 1 -name
rhel6 -uuid 47b90387-e42a-d493-f037-0425f580cb9d -monitor
unix:/var/lib/libvirt/qemu/rhel6.monitor,server,nowait -boot c -drive
file=/var/lib/libvirt/images/rhel6.raw,if=ide,index=0,boot=on,format=raw -drive
file=,if=ide,media=cdrom,index=2 -net nic,macaddr=52:54:00:39:3f:5c,vlan=0,name=nic.0 -net
tap,fd=17,vlan=0,name=tap.0 -serial pty -parallel none -usb -vnc 127.0.0.1:0 -vga cirrus

[root@mx3550 ~]# ps -eaf|grep libvirtd
root 3800 1 0 15:32 ? 00:00:02 libvirtd --daemon

file: libvirt-0.7.1/src/qemu_driver.c
3803 static int qemudDomainSave(virDomainPtr dom,
3804 const char *path)
3805 {
------cut-----------
3874 /* Write header to file, followed by XML */
3875 if ((fd = open(path, O_CREAT|O_TRUNC|O_WRONLY, S_IRUSR|S_IWUSR)) < 0) {
3876 qemudReportError(dom->conn, dom, NULL, VIR_ERR_OPERATION_FAILED,
3877 _("failed to create '%s'"), path);

Revision history for this message
In , IBM (ibm-redhat-bugs) wrote :

Created attachment 367283
dmesg and strace of virsh save

Revision history for this message
In , IBM (ibm-redhat-bugs) wrote :

Created attachment 367606
fix_virsh_save.patch

------- Comment on attachment From <email address hidden> 2009-11-05 07:47 EDT-------

Attaching a patch which gives write permission for the qemu user on the save file. Santwana, please test it and update with the results.

Revision history for this message
Norio Suzuki (nosuz) wrote :

I might be affected this problem though I installed released version of Ubuntu 9.10.

Phenomenon:
I executed next command in "sudo su -".

# virsh save VM_NAME STATE_FILE

This command never finish and make block other libvirt related programs like virt-top or virt-manager, and virsh, of course. I must enter ^C to get back command prompt.

Reproduction:
This problem is reproduced on newly installed and upgraded from 9.04 machines.

Enviroment:
I am using newly installed and upgraded Ubuntu 9.10 (64 bit Server ed.)
"uname -r" is 2.6.31-14-server
libvirt(libvirt-bin, libvirt0, python-libvirt) version is 0.7.0-1ubuntu13. This version number was get from "dpkg -l | grep libvirt".

Thank you.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

The apparmor profile in Ubuntu works around the upstream bug, which lacks the proper functionality. Look in your /var/log/kern.log, you are probably trying to save the file outside of the allowed location. See /etc/apparmor.d/abstractions/libvirt-qemu for details.

Basically, you can write state files in your home directory if you own them. If this does not fit your workflow, please update /etc/apparmor.d/abstractions/libvirt-qemu for the location(s) you want to give write access until this functionality is properly implemented in libvirt itself.

Revision history for this message
Norio Suzuki (nosuz) wrote :

Thank you for your advice.

I was able to save VM's state file under my own HOME directory.

I also tried to modify the apparmor configuration file(/etc/apparmor.d/abstractions/libvirt-qemu) and was able to make state files in where specified by the configuration file.

Revision history for this message
In , IBM (ibm-redhat-bugs) wrote :

------- Comment From <email address hidden> 2009-11-06 06:51 EDT-------
Hello Anoop,

I verified the issue, after the patch was applied. This patch solves the write permission for the qemu user while saving the guest, and the guest saves properly. The issue is now resolved.

Thanks for the patch.
Santwana

Revision history for this message
In , Andrew (andrew-redhat-bugs) wrote :

I have seen this problem, too. Are there any plans for when this patch will be included in the RPMs for Fedora 12? Thanks.

Revision history for this message
In , Daniel (daniel-redhat-bugs) wrote :

Created attachment 369012
Fix save & restore with unprivileged guests, and SELinux

When running qemu:///system instance, libvirtd runs as root, but QEMU may optionally be configured to run non-root. When then saving a guest to a state file, the file is initially created as root, and thus QEMU cannot write to it. It is also missing labelling required to allow access via SELinux. This patch fixes those issues.

http://www.redhat.com/archives/libvir-list/2009-November/msg00376.html

Revision history for this message
In , Daniel (daniel-redhat-bugs) wrote :

*** Bug 529363 has been marked as a duplicate of this bug. ***

Changed in libvirt (Fedora):
status: In Progress → Invalid
Changed in libvirt (Fedora):
status: Invalid → Unknown
Revision history for this message
In , Bug (bug-redhat-bugs) wrote :

This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Revision history for this message
In , Mark (mark-redhat-bugs) wrote :
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I have developed a proper fix for this for Lucid as part of the security-lucid-libvirt-apparmor-devel blueprint. As such, I added a Lucid task and marked In Progress.

Changed in libvirt (Ubuntu Karmic):
importance: Undecided → High
status: New → Fix Released
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in libvirt (Ubuntu Lucid):
status: Fix Released → In Progress
milestone: ubuntu-9.10 → ubuntu-10.04-beta-2
Revision history for this message
Chris Bainbridge (chris-bainbridge) wrote :

Is bug #523148 related to apparmor?

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Seems unrelated. Check kern.log for denials to be sure.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I'm going to unmilestone this since it mostly depends on bug #553737. If that bug is fixed, I can add my upstream work to it, otherwise this may have to wait until lucid+1.

Changed in libvirt (Ubuntu Lucid):
milestone: ubuntu-10.04-beta-2 → none
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Changes are too big for Lucid. This will be fixed in Maverick and upstream libvirt 0.7.8.

Changed in libvirt (Ubuntu Lucid):
status: In Progress → Won't Fix
Changed in libvirt (Ubuntu):
status: In Progress → Triaged
milestone: none → later
Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

libvirt-0.7.1-16.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/libvirt-0.7.1-16.fc12

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

libvirt-0.7.1-16.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update libvirt'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/libvirt-0.7.1-16.fc12

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

libvirt-0.7.1-16.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.

Changed in libvirt (Ubuntu Maverick):
status: Triaged → In Progress
milestone: later → maverick-alpha-2
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (8.5 KiB)

This bug was fixed in the package libvirt - 0.8.1-2ubuntu1

---------------
libvirt (0.8.1-2ubuntu1) maverick; urgency=low

  * Merge from debian unstable. Remaining changes:
    - Fixes:
      LP: #522845
      LP: #553737
      LP: #520386
    - debian/control:
      + Build-Depends on qemu-kvm, not qemu
      + Build-Depends on open-iscsi-utils, not open-iscsi
      + Build-Depends on libxml2-utils
      + Build-Depends on libapparmor-dev and Suggests apparmor
      + Bump bridge-utils, dnsmasq-base, netcat-openbsd, and iptables
        to Depends of libvirt-bin
      + Drop qemu-kvm and qemu to Suggests
      + We call libxen-dev libxen3-dev, so change all references
      + Rename Vcs-* to XS-Debian-Vcs-*
    - debian/libvirt-bin.postinst:
      + rename the libvirt group to libvirtd
      + add each admin user to the libvirtd group
      + reload apparmor profiles
    - debian/libvirt-bin.postrm:
      + rename the libvirt group to libvirtd
      + remove apparmor symlinks on purge
    - debian/README.Debian: add AppArmor section based on the upstream
      documentation
    - debian/rules:
      + update DEB_DH_INSTALLINIT_ARGS for upstart
      + add DEB_MAKE_CHECK_TARGET := check
      + use --with-apparmor
      + copy apparmor and apport hook to debian/tmp
    - add debian/libvirt-bin.upstart
    - debian/libvirt-bin.dirs: add /etc/apparmor.d/abstractions,
      /etc/apparmor.d/disable, /etc/apparmor.d/force-complain,
      /etc/apparmor.d/libvirt, /etc/cron.daily and
      /usr/share/apport/package-hooks
    - add debian/libvirt-bin.cron.daily
    - add debian/libvirt-bin.apport
    - debian/libvirt-bin.install: install apparmor profiles, abstractions
      and apport hook
    - debian/apparmor:
      - add TEMPLATE
      - add libvirt-qemu abstraction
      - add usr.lib.libvirt.virt-aa-helper
      - add usr.sbin.libvirtd
    - debian/patches/series:
      + don't apply 0002-qemu-disable-network.diff.patch
      + don't apply 0005-Terminate-nc-on-EOF.patch. Use
        9010-autodetect-nc-params.patch instead
      + 9000-delayed_iff_up_bridge.patch (refreshed)
      + 9001-dont_clobber_existing_bridges.patch
      + 9002-better_default_uri_virsh.patch (updated)
      + 9004-better-default-arch.patch
      + 9005-libvirtd-group-name.patch
      + 9006-increase-unix-socket-timeout.patch (refreshed)
      + 9007-default-config-test-case.patch (updated)
      + 9008-fix-daemon-conf-ftbfs.patch (rewritten)
      + 9009-run-as-root-by-default.patch (refreshed)
      + 9010-autodetect-nc-params.patch (refreshed, formerly 9015)
      + 9011-dont-disable-ipv6.patch (updated)
  * Dropped following packaging changes, no longer required with upgrades
    from Lucid:
    - debian/control:
      + versioned Conflicts/Replaces to libvirt0 for libvirt0-dbg
      + remove Build-Depends on libcap-ng-dev
    - debian/libvirt-bin.postinst: virt-aa-helper profile migration to
      /usr/lib/libvirt
    - debian/libvirt-bin.preinst: added to force complain on certain
      upgrades
  * Dropped the following patches, included upstream:
    - 0010-Use-base-16-for-product-vendor.patch
    - 9003-increase-logoutput-timeout.patch
    - 9010-apparmor-ftbfs...

Read more...

Changed in libvirt (Ubuntu Maverick):
status: In Progress → Fix Released
Revision history for this message
In , IBM (ibm-redhat-bugs) wrote :

Created attachment 451893
strace o/p

------- Comment (attachment only) From <email address hidden> 2010-10-06 09:20 EDT-------

Changed in libvirt (Fedora):
importance: Unknown → High
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.