Ubuntu
libvirt package

Apparmor denies qemu access to a number of important directories.

Bug #1403648 reported by Dave Chiluk
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libvirt (Ubuntu)
Fix Released
High
Dave Chiluk
Trusty
Fix Released
High
Dave Chiluk
Utopic
Fix Released
High
Dave Chiluk

Bug Description

[Impact]
* Log files become overloaded with apparmor denials when launching large numbers of qemu virtual machines such as the case in an openstack cloud.

[Test Case]
* Launch a qemu instance using libvirt.
* See logged apparmor error in /var/log/syslog

[Regression Potential]
* Current defaults are to deny access to these files, but users may have modified apparmor to permit access to silence these warnings. Since we don't want to break these users and permitting access to /tmp and /var/tmp is not considered to be a great increase in security risk we will proceed with permissive for the SRU, and restrictive policies going forward for development.

__________________________________________________________________________
Apparmor denise libvirt access to a number of important directories.

syslog.4:Dec 12 17:18:08 nuc2 kernel: [54334.001494] type=1400 audit(1418404688.659:48): apparmor="DENIED" operation="open" profile="libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660" name="/var/lib/charm/ceph/ceph.conf" pid=23594 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.537222] type=1400 audit(1418404689.195:49): apparmor="DENIED" operation="open" profile="libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660" name="/var/lib/charm/ceph/ceph.conf" pid=23594 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.745412] type=1400 audit(1418404689.403:50): apparmor="DENIED" operation="open" profile="libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660" name="/var/lib/charm/ceph/ceph.conf" pid=23594 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.808978] type=1400 audit(1418404689.467:51): apparmor="DENIED" operation="open" profile="libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660" name="/var/lib/charm/ceph/ceph.conf" pid=23594 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.858862] type=1400 audit(1418404689.515:52): apparmor="DENIED" operation="open" profile="libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660" name="/var/lib/charm/ceph/ceph.conf" pid=23594 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.909608] type=1400 audit(1418404689.567:53): apparmor="DENIED" operation="open" profile="libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660" name="/var/lib/charm/ceph/ceph.conf" pid=23594 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.976979] type=1400 audit(1418404689.635:54): apparmor="DENIED" operation="open" profile="libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660" name="/var/lib/charm/ceph/ceph.conf" pid=23594 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 18:25:25 nuc2 kernel: [58368.978163] type=1400 audit(1418408725.790:56): apparmor="DENIED" operation="open" profile="libvirt-c2f29087-8453-4441-a27d-716666fcd7a5" name="/var/lib/charm/ceph/ceph.conf" pid=19293 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 18:25:25 nuc2 kernel: [58368.979670] type=1400 audit(1418408725.790:57): apparmor="DENIED" operation="open" profile="libvirt-c2f29087-8453-4441-a27d-716666fcd7a5" name="/tmp/" pid=19293 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 18:25:25 nuc2 kernel: [58368.979680] type=1400 audit(1418408725.790:58): apparmor="DENIED" operation="open" profile="libvirt-c2f29087-8453-4441-a27d-716666fcd7a5" name="/var/tmp/" pid=19293 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0

In this case the machine was installed using juju and maas. Specific charms in play on this machine are ceph, and nova-compute.

I'm not sure if the juju charms need to be updated or if the libvirt template needs to be updated or something else altogether.

It's important to not that without ceph apparmor still denies access to /tmp and /var/tmp

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: libvirt-bin 1.2.2-0ubuntu13.1.7
ProcVersionSignature: User Name 3.13.0-35.62-generic 3.13.11.6
Uname: Linux 3.13.0-35-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.6
Architecture: amd64
Date: Wed Dec 17 21:15:20 2014
KernLog:

ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.default.libvirt.bin: [modified]
modified.conffile..etc.libvirt.libvirtd.conf: [modified]
modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf']
mtime.conffile..etc.default.libvirt.bin: 2014-12-12T02:21:56.792085
mtime.conffile..etc.libvirt.libvirtd.conf: 2014-12-12T02:21:49.403764

See original description
Revision history for this message
Dave Chiluk (chiluk) wrote :
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

We should not allow access to /tmp and /var/tmp as that breaks application isolation. As for /var/lib/charm/ceph/ceph.conf, this sounds like something virt-aa-helper should be adding. Can you attach the domain xml for the affected VM?

Changed in libvirt (Ubuntu):
status: New → Incomplete
Revision history for this message
Dave Chiluk (chiluk) wrote :

I just realized there's another bug opened that's similar to this
bug 1365261.

However, the resolution for the /tmp/ errors and the resolution for /var/lib/charm/ceph errors may be different, so I'll leave this one open.

summary: - Apparmor denies libvirt access to a number of important directories.
+ Apparmor denies qemu access to a number of important directories.
Revision history for this message
Dave Chiluk (chiluk) wrote :

Is there any way to get rid of the messages? Perhaps we should patch qemu to not attempt to access /tmp or /var/tmp?

Basically these messages are now filling up logs on openstack compute nodes.

Revision history for this message
Dave Chiluk (chiluk) wrote :

xml for the created vm.

This applies to all vm's created via openstack through libvirt.

Dave Chiluk (chiluk)
tags: added: cts
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

qemu doesn't normally need /tmp and /var/tmp. Something is making it use it (ie, VMs launched under local libvirt (ie, not OpenStack) don't have this problem). One could add an explicit deny rule to /etc/apparmor.d/abstractions/libvirt-qemu to deny /tmp and /var/tmp, but I think it would be better to understand the problem (and that might break testing environment that legitimately put the disk in /tmp).

The attached xml isn't what I was looking for. When an affected VM is running, can you do:
$ virsh dumpxml <domain>

where '<domain>' can be found from 'virsh list'.

Revision history for this message
Dave Chiluk (chiluk) wrote :

Somehow the earlier xml upload was corrupted trying again.

Revision history for this message
Dave Chiluk (chiluk) wrote :

Launchpad fail... One more time.

Revision history for this message
Dave Chiluk (chiluk) wrote :

Launchpad fail... One more time.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This is in the domain xml:
      <auth username='nova-compute'>
        <secret type='ceph' uuid='514c9fca-8cbe-11e2-9c52-3bc8c7819472'/>
      </auth>

there is nothing else in it regarding ceph. I looked at https://libvirt.org/storage.html and don't see where you would tell qemu to look at /var/lib/charm/ceph/ceph.conf. The way forward:
1. adjust the charm to not have qemu need to access ceph.conf
2. add the following to /etc/apparmor.d/abstractions/libvirt-qemu (assuming there is nothing sensitive in there):
  /var/lib/charm/ceph/ceph.conf r,
3. if /var/lib/charm/ceph/ceph.conf is set via some libvirt directive, adjust virt-aa-helper and/or libvirt to add this setting to the VM-specific .files file in /etc/apparmor.d/libvirt

I'm not well-versed with ceph and how OpenStack is using it to make a recommendation on which is best (but am happy to discuss the correct path forward if someone can discuss how /var/lib/charm/ceph/ceph.conf is being set).

Changed in libvirt (Ubuntu):
status: Incomplete → New
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Dave and I spoke on irc. Here is a summary:
 * qemu uses librbd which under the hood looks at ceph.conf, etc
 * /etc/ceph/ceph.conf -> /etc/alternatives/ceph.conf -> /var/lib/charm/ceph/ceph.conf
 * we already allow access to /etc/ceph/ceph.conf in /etc/apparmor.d/abstraction/libvirt-qemu
 * /var/lib/charm/ceph/ceph.conf does not contain anything particularly sensitive
 * /var/lib/charm/ceph/ceph.conf does tell qemu (via librbd) where to find the keyring and other options

Therefore, adding this to /etc/apparmor.d/abstraction/libvirt-qemu is ok:
  /var/lib/charm/ceph/ceph.conf r,

but note that /var/lib/charm/ceph/ceph.conf seems rather charm-specific. If we add more of these, we'll want to consider a way to clean this up (eg, via a glob).

If qemu then goes to look at the keyring files, then libvirt/aa-virt-helper needs to be updated to add the VM-specific keyring files to the VM-specific .files file in /etc/apparmor.d/libvirt such that only VMs specifiying ceph have access to the keyring files, and the VMs should be limited to accessing only the keyring file it should have access to. Based on Dave's feedback, the VM doesn't seem to need access to the keyring files and the readonly access to /var/lib/charm/ceph/ceph.conf is sufficient.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

As for the /tmp and /var/tmp denials, Dave mentioned that adding the following rules silenced the denials:
  /tmp/ r,
  /var/tmp/ r,

I'm not a fan of those rules in general, because it gives the VMs read access to the directory and they can see what is in there. However I also don't want to break existing setups by adding an explicit deny rule that would block all access to /tmp and /var/tmp if the user updated policy for that or is putting disks in /tmp for testing environments.

As such I suggest the following:
1. for stable releases, add the following to /etc/apparmor.d/abstractions/libvirt-qemu:
  /tmp/ r,
  /var/tmp/ r,
2. for vivid, add the following to /etc/apparmor.d/abstractions/libvirt-qemu:
  deny /tmp/{,**} r,
  deny /var/tmp/{,**} r,

'1' is suitable for SRU since it only allows access where it wasn't allowed before. If we get bug reports in 15.04+ for '2', the proper solution is to have libvirt setup a vm-specific tmp dir, and have aa-virt-helper add this directory to the .files file for that VM.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

We should implement (2) right after the holiday break (in case there are actually breakages).

Changed in libvirt (Ubuntu):
importance: Undecided → High
status: New → Confirmed
Serge Hallyn (serge-hallyn)
Changed in libvirt (Ubuntu Trusty):
importance: Undecided → High
Changed in libvirt (Ubuntu Utopic):
importance: Undecided → High
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.2.8-0ubuntu19

---------------
libvirt (1.2.8-0ubuntu19) vivid; urgency=medium

  * apparmor libvirt-qemu template: allow reading charm-specific ceph config
    and silence denials for /tmp/**. (LP: #1403648)
 -- Serge Hallyn <email address hidden> Tue, 06 Jan 2015 10:27:33 -0600

Changed in libvirt (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

@Dave,

could you please update the description with a concise test case for the SRU process?

Dave Chiluk (chiluk)
description: updated
description: updated
description: updated
Revision history for this message
Chris J Arges (arges) wrote : Please test proposed package

Hello Dave, or anyone else affected,

Accepted libvirt into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/libvirt/1.2.2-0ubuntu13.1.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in libvirt (Ubuntu Trusty):
status: New → Fix Committed
tags: added: verification-needed
Changed in libvirt (Ubuntu Utopic):
status: New → Fix Committed
Revision history for this message
Chris J Arges (arges) wrote :

Hello Dave, or anyone else affected,

Accepted libvirt into utopic-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/libvirt/1.2.8-0ubuntu11.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Dave Chiluk (chiluk)
tags: added: verification-done-trusty verification-needed-utopic
removed: verification-needed
tags: added: verification-needed
removed: verification-needed-utopic
Dave Chiluk (chiluk)
tags: added: verification-done-utopic
tags: added: verification-done
removed: verification-needed
Dave Chiluk (chiluk)
Changed in libvirt (Ubuntu Trusty):
assignee: nobody → Dave Chiluk (chiluk)
Changed in libvirt (Ubuntu Utopic):
assignee: nobody → Dave Chiluk (chiluk)
Changed in libvirt (Ubuntu):
assignee: nobody → Dave Chiluk (chiluk)
Changed in ceph (Juju Charms Collection):
status: New → Incomplete
status: Incomplete → Invalid
no longer affects: ceph (Juju Charms Collection)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.2.2-0ubuntu13.1.9

---------------
libvirt (1.2.2-0ubuntu13.1.9) trusty-proposed; urgency=medium

  * apparmor libvirt-qemu template: allow reading charm-specific ceph config
    and allow reading under /tmp and /var/tmp (for SRU only) (LP: #1403648)
  * numa-cgroups-fix-cpuset-mems-init.patch - cherrypicked, refreshed patch
    (by Richard Laager) to fix failure to start on numa node 1 (LP: #1404388)
  * libvirt-qemu: add r to sgabios.bin (LP: #1393548)
 -- Serge Hallyn <email address hidden> Tue, 06 Jan 2015 10:39:15 -0600

Changed in libvirt (Ubuntu Trusty):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for libvirt has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Ante Karamatić (ivoks) wrote :

Ideally, this would've been:

/var/lib/charm/*/ceph.conf r,

service name can be different. For example:

[534614.823259] type=1400 audit(1422553522.478:143): apparmor="DENIED" operation="open" profile="libvirt-a7605ca2-0b10-4afa-b25e-3b6a83ae5552" name="/var/lib/charm/az1-compute/ceph.conf" pid=43088 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=110 ouid=0

Changed in libvirt (Ubuntu Trusty):
status: Fix Released → Confirmed
Changed in libvirt (Ubuntu):
status: Fix Released → Confirmed
Changed in libvirt (Ubuntu Utopic):
status: Fix Committed → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.2.8-0ubuntu21

---------------
libvirt (1.2.8-0ubuntu21) vivid; urgency=medium

  * d/apparmor/libvirt-qemu: Update the ceph.conf allow rule (LP: #1403648)
 -- Serge Hallyn <email address hidden> Fri, 30 Jan 2015 10:02:20 +0100

Changed in libvirt (Ubuntu):
status: Confirmed → Fix Released
Dave Chiluk (chiluk)
Changed in libvirt (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in libvirt (Ubuntu Utopic):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.