Ubuntu
libvirt package

proper code for virt-aa-helper to allow blockcommit rw as needed

Bug #1692441 reported by Christian Ehrhardt 
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libvirt (Ubuntu)
Confirmed
Low
Unassigned

Bug Description

From the ML:
virsh blockcommit is invoked this leads to:

1.) qemuDomainBlockCommit ->
2.) qemuDomainDiskChainElementPrepare ->
3.) qemuSecuritySetImageLabel ->
4.) AppArmorSetSecurityImageLabel (triggers profile reload only) ->
5.) virt-aa-helper does the profile reload ->
6.) failure since the image has an explicit deny rule

The path in question tries to fix this at 5.) by not adding a deny write
rule at all but the place to fix this is 4.) since
AppArmorSetSecurityImageLabel does not take the virStorageSourcePtr src
element into account to create a virDomainDefPtr based on def that marks
the image in question as 'rw' but "only" reloads the profile.

Full discussion:
https://www.redhat.com/archives/libvir-list/2017-May/msg00442.html

For now we will keep the delta as-is, but mid term a proper extension to virt-aa-helper would be the right way

Christian Ehrhardt  (paelzer)
Changed in libvirt (Ubuntu):
status: New → Confirmed
tags: added: virt-aa-helper
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Some docs on the gereral use case:
- http://wiki.libvirt.org/page/Live-disk-backup-with-active-blockcommit
- http://wiki.libvirt.org/page/Live-merge-an-entire-disk-image-chain-including-current-active-disk

Steps to reproduce:
# create basic guest
$ apt install uvtool-libvirt
$ uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=xenial
$ uvt-kvm create --password=ubuntu xenial-testblockcommit release=xenial arch=amd64 label=daily

# By default there is (intentionally) not much a qemu process can read/write to
# To make external snapshots you have to either:
# - define some dir for the guest to snapshot to and add it to its apparmor rules
# - create the snapshot upfront qemu-img -c which will generate the rules for the backing chain
# But fortunately uvtool already sets things up just the way we need it.
# By default the root disk is a snapshot to the base cloud-image
# You can check the chain:
$ qemu-img info --backing-chain /var/lib/uvtool/libvirt/images/xenial-testblockcommit.qcow
# The guest lists the snapshot as it's disk
$ virsh domblklist xenial-testblockcommit
Target Source
------------------------------------------------
vda /var/lib/uvtool/libvirt/images/xenial-testblockcommit.qcow

# in /etc/apparmor.d/libvirt/libvirt-<uuid>.files we can see the related rules
# r/w to the current snapshot
"/var/lib/uvtool/libvirt/images/xenial-testblockcommit.qcow" rwk
# but only r to the base image
"/var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZC5kYWlseTpzZXJ2ZXI6MTYuMDQ6YW1kNjQgMjAxNzA5MTk=" rk,
$ virsh blockcommit xenial-testblockcommit vda --active --pivot --verbose
Block commit: [100 %]
Successfully pivoted
root@artful-test:~# virsh domblklist xenial-testblockcommit
Target Source
------------------------------------------------
vda /var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZC5kYWlseTpzZXJ2ZXI6MTYuMDQ6YW1kNjQgMjAxNzA5MTk=

The action added another rule:
"/var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZC5kYWlseTpzZXJ2ZXI6MTYuMDQ6YW1kNjQgMjAxNzA5MTk=" rw,

Since today we have [1] applied this needs to be unapplied to check if this is still an issue to be fixed or if the actual addition of the second rule is new and fixes the issue completely.

Unfortunately something made libvirt an FTBFS that I have to fix first.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

TODO:
1. retry with the related Delta dropped, if it works good, if not we need to find the fix to reload the profile as suggested in the mail thead
2. once that is complete consider creating a separate issue for blkcommits/snapshots like
   virsh snapshot-create-as --domain xenial-testblockcommit snap1 --diskspec vdc,snapshot=external,file=/tmp/xenial-testblockcommit-testdevice-snap1.qcow --disk-only --atomic --no-metadata

Christian Ehrhardt  (paelzer)
tags: added: libvirt-apparmor-dev
Christian Ehrhardt  (paelzer)
Changed in libvirt (Ubuntu):
importance: Undecided → Low
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.