[SRU] virt-aa-helper denied access to qcow2 backing file running nova in a snap

Bug #1644507 reported by James Page
Affects                  Status        Importance  Assigned to   Milestone
libvirt (Ubuntu)         Fix Released  Medium      Corey Bryant
libvirt (Ubuntu Xenial)  Fix Released  Medium      Corey Bryant
libvirt (Ubuntu Zesty)   Fix Released  Medium      Corey Bryant
libvirt (Ubuntu Artful)  Fix Released  Medium      Corey Bryant

Bug Description

[Impact]
The apparmor profile for virt-aa-helper allows access to qcow2 backing images in some well-known locations for OpenStack Nova:

  /var/lib/nova/images/** r,
  /var/lib/nova/instances/_base/** r,
  /var/lib/nova/instances/snapshots/** r,

which is great when openstack is installed using debs from the archive; I'm working on a snap for a Nova hypervisor, and the base images are stored in:

  /var/snap/nova-hypervisor/common/instances/_base

so instances fail to boot as the generated profile for the instance does not contain access to the backing file as virt-aa-helper is DENIED access to it:

[ 5144.554120] audit: type=1400 audit(1479983132.426:49771): apparmor="DENIED" operation="open" profile="libvirt-d140e3d0-071d-453f-99f2-a777fd1a1c3d" name="/var/snap/nova-hypervisor/common/instances/_base/a9dd2a42f4d46f9d8a628643d9aede38924668e6" pid=663 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=115 ouid=115

switched virt-aa-helper into complain mode:

[ 5531.325617] audit: type=1400 audit(1479983519.193:49776): apparmor="ALLOWED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/var/snap/nova-hypervisor/common/instances/_base/a9dd2a42f4d46f9d8a628643d9aede38924668e6" pid=5509 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=115

and the instance booted successfully.

The actual disk for the instance is covered by:

  /**/disk{,.*} r,

unfortunately the base image does not have a nice generalizable path in the same way.

We could do:

  /var/**/images/** r,
  /var/**/_base/** r,
  /var/**/snapshots/** r,

which would capture other locations for the openstack instances path in the event that it's not the default path for nova.

[Testcase]

Run snap-test from the following to deploy openstack from snaps:
github.com/openstack-snaps/snap-test

[Regression Potential]
Minimal regression potential, as this augments the existing virt-aa-helper to allow a new path to be accessed.
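
The reasoning in the report (the shipped virt-aa-helper rules do not match the snap's _base path, the proposed "/var/**/_base/**" rule does, and the instance disk is already covered by "/**/disk{,.*}") can be checked mechanically. The following is an added example, not code from this bug report, from Nova or from libvirt: it parses AppArmor type=1400 audit records like the kernel-log lines above, converts the quoted file rules to regular expressions using AppArmor's glob semantics ("*" stops at "/", "**" does not, "{a,b}" alternates; character classes are treated literally, which is enough for the rules quoted here), and reports which denials no rule covers together with the narrowest directory rule that would. The rule snippets are the ones quoted in the report; the audit lines are constructed in the format of the log above, and the second one, a write denial under /var/lib/nova/instances/_base/, is invented purely to show that the permission mask is checked as well as the path.

```python
"""Check AppArmor file denials against virt-aa-helper style rules (added
example, not code from the bug report or libvirt; globs limited to *, **, {a,b})."""
import re

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_line(line):
    """Return the key=value fields of a type=1400 audit record as a dict."""
    fields = {}
    for key, raw in _FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields

def apparmor_glob_to_regex(pattern):
    """Compile an AppArmor path glob: * stops at '/', ** does not, {a,b} alternates."""
    out, depth, i = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if pattern[i:i + 2] == '**':
            out.append('.*')
            i += 2
            continue
        if c == '*':
            out.append('[^/]*')
        elif c == '{':
            out.append('(?:')
            depth += 1
        elif c == '}' and depth:
            out.append(')')
            depth -= 1
        elif c == ',' and depth:
            out.append('|')
        else:
            out.append(re.escape(c))  # anything else, incl. [..], is literal here
        i += 1
    return re.compile('^' + ''.join(out) + '$')

def parse_rules(profile_text):
    """Parse simple 'path perms,' file rules; every other line is skipped."""
    rules = []
    for line in profile_text.splitlines():
        line = line.strip()
        if line.startswith('/'):
            path, perms = line.rstrip(',').rsplit(None, 1)
            rules.append((apparmor_glob_to_regex(path), set(perms), line))
    return rules

def rule_allowing(rules, path, mask):
    """Return the text of the first rule granting all of mask on path, or None."""
    for regex, perms, text in rules:
        if regex.match(path) and set(mask) <= perms:
            return text
    return None

def unmatched_denials(audit_lines, profile_text):
    """Return (path, mask) for each DENIED record that no rule covers."""
    rules = parse_rules(profile_text)
    missing = []
    for line in audit_lines:
        f = parse_audit_line(line)
        if f.get('apparmor') != 'DENIED' or 'name' not in f:
            continue
        mask = f.get('denied_mask') or f.get('requested_mask', '')
        if rule_allowing(rules, f['name'], mask) is None:
            missing.append((f['name'], mask))
    return missing

def suggest_rule(path, mask):
    """Narrowest rule covering the denied file's directory, e.g. '/a/b/** r,'."""
    return path.rsplit('/', 1)[0] + '/** ' + mask + ','

SNAP_BASE = '/var/snap/nova-hypervisor/common/instances/_base/a9dd2a42f4d46f9d8a628643d9aede38924668e6'

# Rules quoted in the report: the shipped profile, then the reporter's proposal.
CURRENT_RULES = """
  /var/lib/nova/images/** r,
  /var/lib/nova/instances/_base/** r,
  /var/lib/nova/instances/snapshots/** r,
  /**/disk{,.*} r,
"""
PROPOSED_RULES = """
  /var/**/images/** r,
  /var/**/_base/** r,
  /var/**/snapshots/** r,
  /**/disk{,.*} r,
"""

# Constructed audit records in the report's kernel-log format: the denial
# from the report, then an invented write denial to exercise the mask check.
AUDIT_LINES = [
    '[ 5144.554120] audit: type=1400 audit(1479983132.426:49771): apparmor="DENIED" operation="open" '
    'profile="libvirt-d140e3d0-071d-453f-99f2-a777fd1a1c3d" name="' + SNAP_BASE + '" pid=663 '
    'comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=115 ouid=115',
    '[ 5150.000000] audit: type=1400 audit(1479983138.000:49772): apparmor="DENIED" operation="open" '
    'profile="libvirt-d140e3d0-071d-453f-99f2-a777fd1a1c3d" name="/var/lib/nova/instances/_base/deadbeef" '
    'pid=663 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=115 ouid=115',
]

if __name__ == '__main__':
    for label, rules in (('current', CURRENT_RULES), ('proposed', PROPOSED_RULES)):
        for path, mask in unmatched_denials(AUDIT_LINES, rules):
            print(label, 'rules miss', path, mask, '->', suggest_rule(path, mask))
```

Run against the shipped rules the script reports the snap _base path as uncovered and proposes "/var/snap/nova-hypervisor/common/instances/_base/** r," (the narrow rule later suggested in this thread); against the proposed "/var/**" rules only the invented write denial remains, because the rules grant read access only. Note that the DENIED record in the report is logged against the per-domain libvirt-<uuid> profile, not against virt-aa-helper: the helper is what failed to read the backing file, so it never added that path to the generated domain profile, and it is the helper's own profile that needs the extra rule.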

Changed in libvirt (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Tyler Hicks (tyhicks) wrote :

libvirt already has the ability to inject AppArmor rules into the profile that it generates for a domain when you set/modify the path to a disk image. You can test this manually by running `virsh edit DOMAIN`, adjusting one of the paths in the xml, and then looking at the corresponding change in /etc/apparmor.d/libvirt/libvirt-*.files.

I'm confused about why this isn't working for you. Maybe you're going through libvirt to set/update the paths to your images?

Can you post a sample XML file and the AppArmor denials that you're seeing when using the XML file?

Changed in libvirt (Ubuntu):
status: Triaged → Incomplete
Jamie Strandboge (jdstrand) wrote :

If you are wanting to use the deb libvirt from the archive with the snapped nova from Canonical then you are going to need to adjust the profile for virt-aa-helper to account for that, just like we adjusted the profile when moving from eucalyptus to nova. I suggest just adding:

  /var/snap/nova-hypervisor/common/instances/_base/** r,

Changed in libvirt (Ubuntu):
status: Incomplete → Triaged
tags: added: virt-aa-helper
Changed in libvirt (Ubuntu):
assignee: nobody → Corey Bryant (corey.bryant)
Changed in libvirt (Ubuntu Xenial):
status: New → Triaged
Changed in libvirt (Ubuntu Zesty):
status: New → Triaged
importance: Undecided → Medium
Changed in libvirt (Ubuntu Xenial):
importance: Undecided → Medium
Changed in libvirt (Ubuntu Zesty):
assignee: nobody → Corey Bryant (corey.bryant)
Changed in libvirt (Ubuntu Xenial):
assignee: nobody → Corey Bryant (corey.bryant)
Changed in libvirt (Ubuntu Artful):
status: Triaged → Fix Released
summary: - virt-aa-helper denied access to qcow2 backing file running nova in a
- snap
+ [SRU] virt-aa-helper denied access to qcow2 backing file running nova in
+ a snap
description: updated
Andy Whitcroft (apw) wrote : Please test proposed package

Hello James, or anyone else affected,

Accepted libvirt into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libvirt/2.5.0-3ubuntu5.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in libvirt (Ubuntu Zesty):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-zesty
Changed in libvirt (Ubuntu Xenial):
status: Triaged → Fix Committed
tags: added: verification-needed-xenial
Andy Whitcroft (apw) wrote :

Hello James, or anyone else affected,

Accepted libvirt into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libvirt/1.3.1-1ubuntu10.11 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Corey Bryant (corey.bryant) wrote :

Hi Andy,

I've verified this on both xenial-proposed [1] and zesty-proposed [2].

I tested using https://github.com/openstack-snaps/snap-test to deploy a minimal OpenStack cloud, deployed an instance on top of it, and created a snapshot from that instance.

Thanks,
Corey

[1] xenial-proposed
libvirt-bin:
  Installed: 1.3.1-1ubuntu10.11

[2] zesty-proposed
libvirt-bin:
  Installed: 2.5.0-3ubuntu5.3

tags: added: verification-done verification-done-xenial verification-done-zesty
removed: verification-needed verification-needed-xenial verification-needed-zesty
Christian Ehrhardt (paelzer) wrote :

Note to SRU Team: we want this to go to -updates (probably next week, all pre-reqs except time in proposed are complete) before accepting 1705132 which is in -unapproved waiting for this one here to complete.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 2.5.0-3ubuntu5.3

---------------
libvirt (2.5.0-3ubuntu5.3) zesty; urgency=medium

  * d/p/ubuntu/0004-apparmor-apply-ubuntu-delta.patch: Allow access to base
    images and snapshots stored in nova-hypervisor snap's $SNAP_COMMON
    directory, enabling use of the libvirt deb from the nova-hypervisor
    snap (LP: #1644507).

 -- Corey Bryant <email address hidden> Thu, 22 Jun 2017 14:39:39 -0400

Changed in libvirt (Ubuntu Zesty):
status: Fix Committed → Fix Released
Chris J Arges (arges) wrote : Update Released

The verification of the Stable Release Update for libvirt has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.3.1-1ubuntu10.11

---------------
libvirt (1.3.1-1ubuntu10.11) xenial; urgency=medium

  * d/apparmor/usr.lib.libvirt.virt-aa-helper: Allow access to base
    images and snapshots stored in nova-hypervisor snap's $SNAP_COMMON
    directory, enabling use of the libvirt deb from the nova-hypervisor
    snap (LP: #1644507).

 -- Corey Bryant <email address hidden> Thu, 22 Jun 2017 14:43:11 -0400

Changed in libvirt (Ubuntu Xenial):
status: Fix Committed → Fix Released