VM constantly tries to access /run/shm/lttng-ust-wait-5

Bug #1529319 reported by Mohammed Naser
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
libvirt (Ubuntu) | Fix Released | High | Unassigned |
Wily | Won't Fix | High | Unassigned |

Bug Description

=============================
SRU Justification
Impact: log is flooded by apparmor access denials
Fix: silence the denials using an explicit 'deny' rule in apparmor policy
Test case: XXX
Regression potential: we already had an explicit deny rule for this, but the path at which shm is mounted has changed.
=============================

This seems like a regression of the following bug

https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1432644

It seems that the path is now /run/shm/lttng-ust-wait-5 which results in a flood of the following

Dec 26 04:47:44 compute-4-ca-ymq-2 kernel: [1751079.003742] audit: type=1400 audit(1451105264.249:80133): apparmor="DENIED" operation="open" profile="libvirt-5923eded-8cbd-4257-a4c6-a8f4c2cf06cb" name="/run/shm/lttng-ust-wait-5" pid=5018 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=107

The fix would be similar

Serge Hallyn (serge-hallyn) wrote :

Hi,

Looking through the history of bug 1432644, AFAICS it was never "fixed", it was worked around.

Ceph was built without support for lttng. The libvirt patch was only to *silence* the denial for attempted access to lttng, not to grant the access.

Are you asking only to update the explicit denial to keep your logs cleaner? If so that's trivial as you say.

@sage-newdream, @jamespage, @jdstrand - is there any news on properly supporting lttng support built into ceph for libvirt?

Mohammed Naser (mnaser) wrote :

Serge,

Yes, because it creates a *tremendous* amount of messages in the system log which causes other issues to go unnoticed (or forces us to implement filtering to drop this -- both of which are not ideal).

In a loaded system of 40 VMs, the syslog is bombarded with these messages non-stop. Ideally fixing lttng would be nice but if that's going to take a long time, addressing this for now would be good.

Thanks,
Mohammed
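
Added example, not part of the original thread or of libvirt: a triage script for the situation described in the comment above, where one repeated denial across many VMs buries other AppArmor denials. It groups denials by profile, operation, path and mask, collapsing the per-VM `libvirt-<uuid>` profiles; the helper names, the `flood_at` threshold and every sample line except the first are constructed for illustration.

```python
import re
from collections import Counter

# The denial quoted in this bug report, verbatim.
PAGE_LINE = (
    'Dec 26 04:47:44 compute-4-ca-ymq-2 kernel: [1751079.003742] audit: type=1400 '
    'audit(1451105264.249:80133): apparmor="DENIED" operation="open" '
    'profile="libvirt-5923eded-8cbd-4257-a4c6-a8f4c2cf06cb" '
    'name="/run/shm/lttng-ust-wait-5" pid=5018 comm="qemu-system-x86" '
    'requested_mask="r" denied_mask="r" fsuid=108 ouid=107')

def constructed(n, name, mask):
    """Build a constructed (not real) denial for a made-up per-VM profile."""
    return ('Dec 26 04:47:45 host kernel: audit: type=1400 audit(1451105265.0:1): '
            'apparmor="DENIED" operation="open" '
            f'profile="libvirt-00000000-0000-4000-8000-{n:012x}" name="{name}" '
            f'pid=1 comm="qemu-system-x86" requested_mask="{mask}" denied_mask="{mask}"')

SAMPLE = [PAGE_LINE,
          *(constructed(n, "/run/shm/lttng-ust-wait-5", "r") for n in (1, 2, 3)),
          constructed(1, "/constructed/other/path", "w"),
          "Dec 26 04:47:46 host kernel: constructed unrelated message"]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
PER_VM = re.compile(r"^libvirt-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def parse_denial(line):
    """Return (profile, operation, name, denied_mask), or None if not a denial."""
    fields = {k: q if q else bare for k, q, bare in KV.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    profile = fields.get("profile", "?")
    if PER_VM.match(profile):      # one profile per VM: count all VMs as one source
        profile = "libvirt-<uuid>"
    return (profile, fields.get("operation", "?"),
            fields.get("name", "?"), fields.get("denied_mask", "?"))

def triage(lines, flood_at=3):
    """Split grouped denials into flooding ones and rare ones worth reading."""
    counts = Counter(filter(None, map(parse_denial, lines)))
    flood = {k: n for k, n in counts.items() if n >= flood_at}
    rare = {k: n for k, n in counts.items() if n < flood_at}
    return flood, rare

if __name__ == "__main__":
    flood, rare = triage(SAMPLE)
    for label, group in (("FLOOD", flood), ("RARE", rare)):
        for key, n in group.items():
            print(label, n, *key)
```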

Serge Hallyn (serge-hallyn) wrote :

Thanks - I'll push that fix to xenial and SRU to wily.

Where else do you need it?

Changed in libvirt (Ubuntu):
importance: Undecided → High
status: New → In Progress
Mohammed Naser (mnaser) wrote :

Thank you Serge. We would appreciate it if it can make it to the OpenStack cloud archive. We're running Liberty on Trusty at the moment.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.2.21-2ubuntu7

---------------
libvirt (1.2.21-2ubuntu7) xenial; urgency=medium

  * d/apparmor/libvirt-qemu: silence denial to shm/lttng file since shm
    mountpoint has moved (LP: #1529319)

 -- Serge Hallyn <email address hidden> Mon, 11 Jan 2016 11:55:28 -0800

Changed in libvirt (Ubuntu):
status: In Progress → Fix Released
Serge Hallyn (serge-hallyn) wrote :

@mnaser,

We need a simple testcase in the Description for SRU. Do you know the minimal set of things needed to make this happen? Are you running an unmodified ceph, or ceph from a particular ppa which re-enables lttng?

description: updated
Changed in libvirt (Ubuntu Wily):
importance: Undecided → High
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Mohammed, or anyone else affected,

Accepted libvirt into wily-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libvirt/1.2.16-2ubuntu11.15.10.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in libvirt (Ubuntu Wily):
status: New → Fix Committed
tags: added: verification-needed
Ubuntu Foundations Team Bug Bot (crichton) wrote : [libvirt/wily] verification still needed

The fix for this bug has been awaiting testing feedback in the -proposed repository for wily for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now, the package will be removed from the -proposed repository.

tags: added: removal-candidate
Mathew Hodson (mhodson) wrote :

The package was removed due to its SRU bug(s) not being verified in a timely fashion.

Changed in libvirt (Ubuntu Wily):
status: Fix Committed → Won't Fix
tags: removed: removal-candidate verification-needed