Broken in Jammy until we can depend on swtpm-tools

Bug #1951975 reported by Christian Ehrhardt 
This bug affects 1 person
Affects: libvirt (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Christian Ehrhardt

Bug Description

While fixing bug 1948880 this created a harder dependency on swtpm than intended.
We can't yet depend on swtpm-tools (waiting for the MIR in 1948748).
But due to that, on a Jammy install without swtpm, libvirt will end up not starting.

That is due to the user swtpm being missing without the package swtpm-tools.
And without that the service fails like:

$ systemctl status libvirtd
× libvirtd.service - Virtualization daemon
     Loaded: loaded (/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
     Active: failed (Result: start-limit-hit) since Tue 2021-11-23 14:21:58 UTC; 21min ago
TriggeredBy: × libvirtd-ro.socket
             × libvirtd.socket
             × libvirtd-admin.socket
       Docs: man:libvirtd(8)
             https://libvirt.org
    Process: 25147 ExecStart=/usr/sbin/libvirtd $libvirtd_opts (code=exited, status=0/SUCCESS)
   Main PID: 25147 (code=exited, status=0/SUCCESS)
      Tasks: 2 (limit: 32768)
     Memory: 7.4M
        CPU: 319ms
     CGroup: /system.slice/libvirtd.service
             ├─24164 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
             └─24165 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper

Nov 23 14:21:58 testkvm-jammy-from libvirtd[25147]: Initialization of QEMU state driver failed: invalid argument: Failed to parse user 'swtpm'
Nov 23 14:21:58 testkvm-jammy-from libvirtd[25147]: Driver state initialization failed
Nov 23 14:21:58 testkvm-jammy-from systemd[1]: libvirtd.service: Deactivated successfully.
Nov 23 14:21:58 testkvm-jammy-from systemd[1]: libvirtd.service: Unit process 24164 (dnsmasq) remains running after unit stopped.
Nov 23 14:21:58 testkvm-jammy-from systemd[1]: libvirtd.service: Unit process 24165 (dnsmasq) remains running after unit stopped.
Nov 23 14:21:58 testkvm-jammy-from systemd[1]: libvirtd.service: Start request repeated too quickly.
Nov 23 14:21:58 testkvm-jammy-from systemd[1]: libvirtd.service: Failed with result 'start-limit-hit'.
Nov 23 14:21:58 testkvm-jammy-from systemd[1]: libvirtd.service: Unit process 24164 (dnsmasq) remains running after unit stopped.
Nov 23 14:21:58 testkvm-jammy-from systemd[1]: libvirtd.service: Unit process 24165 (dnsmasq) remains running after unit stopped.
Nov 23 14:21:58 testkvm-jammy-from systemd[1]: Failed to start Virtualization daemon.

That breaks usage until swtpm-tools (or actually that user) is ready.
Then it would restart and/or install/upgrade fine.

The right solution options are:
- correctly express a Depends (not even a Recommends) as we depend on that user to be present
- create the user swtpm if not created by swtpm or anything else

The former would prevent removing swtpm for anyone that does not want to use it.

The latter would kind of mess with a user from two packages.
But the latter would have the benefit of not entangling the packages too hard and of having a chance to complete before the swtpm MIR is done (which can take a while).

The option of changing the default depending on swtpm being around on install is even worse and not worth considering further IMHO.

None seems perfect; I need to get a few opinions on this to avoid reverting/changing this a few more times.

Tags: server-next

Christian Ehrhardt  (paelzer) wrote :

@vorlon - I subscribed you as you have worked on swtpm, would you be ok that I create the user in libvirt if it is missing? Are there better options I miss like moving the user to another package completely?

Christian Ehrhardt  (paelzer) wrote :

Gladly this is broken "only" in -proposed which might explain why there have been no complaints.
That is the one reason why it was good that so many entangled transitions have held it back.

Steve Langasek (vorlon) wrote : Re: [Bug 1951975] Re: Broken in Jammy until we can depend on swtpm-tools

On Tue, Nov 23, 2021 at 02:52:54PM -0000, Christian Ehrhardt  wrote:
> @vorlon - I subscribed you as you have worked on swtpm, would you be ok
> that I create the user in libvirt if it is missing? Are there better
> options I miss like moving the user to another package completely?

Having both packages create the user as needed is IMHO completely
reasonable.

Christian Ehrhardt  (paelzer) wrote :

Thank you Steve, uploaded that to Jammy now to un-break the version in -proposed.

Changed in libvirt (Ubuntu):
status: New → Fix Committed
tags: added: server-next

Changed in libvirt (Ubuntu):
assignee: nobody → Christian Ehrhardt (paelzer)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 7.6.0-0ubuntu3

---------------
libvirt (7.6.0-0ubuntu3) jammy; urgency=medium

  * d/libvirt-daemon-system.postinst: create user/group swtpm if not present
    due to swtpm-tools (LP: #1951975)

 -- Christian Ehrhardt <email address hidden> Wed, 24 Nov 2021 07:50:53 +0100

Changed in libvirt (Ubuntu):
status: Fix Committed → Fix Released
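
The approach agreed on in this thread (each package creates the swtpm user/group only if it is missing) can be sketched as follows. This is an added example, not the code from d/libvirt-daemon-system.postinst; the function names, the DRY_RUN switch and the default home directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: idempotent creation of a service account that two
# packages may both need. Not the libvirt packaging code.
set -eu

# Look the account up through NSS so entries from any source are seen.
# $1 = database (passwd or group), $2 = name
account_exists() {
    getent "$1" "$2" >/dev/null 2>&1
}

# With DRY_RUN=1 the command is printed instead of executed, so the logic
# can be checked without root.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create system group and user $1 only where missing. An account already
# created by the other package is left untouched, so ownership of existing
# files and the account's UID/GID never change underneath a running service.
# $2 = home directory (assumption; the page does not state one).
ensure_system_account() {
    name=$1
    home=${2:-/nonexistent}

    if ! account_exists group "$name"; then
        run addgroup --system --quiet "$name"
    fi
    if ! account_exists passwd "$name"; then
        run adduser --system --quiet --ingroup "$name" \
            --no-create-home --home "$home" "$name"
    fi
}

# In a postinst this would be called from the "configure" branch, e.g.:
#   case "$1" in configure) ensure_system_account swtpm ;; esac
```

Running it with DRY_RUN=1 on a host shows which commands a real run would issue; on a host where swtpm-tools already created the account it prints nothing.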