apparmor is preventing access to user copied files in /var/lib/libvirt/images/ thus resulting in failure to start vm

Bug #1970940 reported by mai ling
Affects: qemu (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

jammy minimal install using desktop iso, at installer choose root on zfs

once installed, at gui disable the buggy wayland since teamviewer doesn't work well with it

then install virt-manager & friends

in virt-manager start the wizard for new machine, select windows 10, create zfs volume for it

virsh edit the vm to add SLIC & friends from /sys/firmware/acpi/tables and <sysinfo> stuff from dmidecode to virtualize the previously backed up oem bare metal install that came with the machine

power on the vm

result:

apr 29 16:01:31 cglinux audit[543570]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-4c4c4544-0050-5210-8044-b3c04f563533" pid=543570 comm="apparmor_parser"
apr 29 16:01:31 cglinux kernel: audit: type=1400 audit(1651237291.689:137): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-4c4c4544-0050-5210-8044-b3c04f563533" pid=543570 comm="apparmor_parser"
apr 29 16:01:31 cglinux systemd-machined[1678]: New machine qemu-9-win11oem-uefi1.
apr 29 16:01:31 cglinux systemd[1]: Started Virtual Machine qemu-9-win11oem-uefi1.
apr 29 16:01:31 cglinux audit[543597]: AVC apparmor="DENIED" operation="open" profile="libvirt-4c4c4544-0050-5210-8044-b3c04f563533" name="/var/lib/libvirt/images/SLIC" pid=543597 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055
apr 29 16:01:31 cglinux kernel: audit: type=1400 audit(1651237291.781:138): apparmor="DENIED" operation="open" profile="libvirt-4c4c4544-0050-5210-8044-b3c04f563533" name="/var/lib/libvirt/images/SLIC" pid=543597 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055
apr 29 16:01:31 cglinux kernel: virbr0: port 1(vnet7) entered disabled state
apr 29 16:01:31 cglinux kernel: device vnet7 left promiscuous mode
apr 29 16:01:31 cglinux kernel: virbr0: port 1(vnet7) entered disabled state
apr 29 16:01:31 cglinux NetworkManager[1646]: <info> [1651237291.8225] device (vnet7): state change: activated -> unmanaged (reason 'unmanaged', sys-iface-state: 'removed')
apr 29 16:01:31 cglinux NetworkManager[1646]: <info> [1651237291.8226] device (vnet7): released from master device virbr0
apr 29 16:01:31 cglinux gnome-shell[3733]: Removing a network device that was not added
apr 29 16:01:31 cglinux gnome-shell[3733]: JS ERROR: TypeError: this._devices[section] is undefined
                                           _connectionRemoved@resource:///org/gnome/shell/ui/status/network.js:1996:27
apr 29 16:01:31 cglinux libvirtd[1932]: Unable to read from monitor: Connection reset by peer
apr 29 16:01:31 cglinux systemd[1]: machine-qemu\x2d9\x2dwin11oem\x2duefi1.scope: Deactivated successfully.
apr 29 16:01:31 cglinux libvirtd[1932]: internal error: qemu unexpectedly closed the monitor: qemu-system-x86_64: -acpitable file=/var/lib/libvirt/images/SLIC: can't open file /var/lib/libvirt/images/SLIC: Permission denied
apr 29 16:01:31 cglinux libvirtd[1932]: internal error: process exited while connecting to monitor: qemu-system-x86_64: -acpitable file=/var/lib/libvirt/images/SLIC: can't open file /var/lib/libvirt/images/SLIC: Permission denied
apr 29 16:01:31 cglinux systemd-machined[1678]: Machine qemu-9-win11oem-uefi1 terminated.
apr 29 16:01:31 cglinux audit[543615]: AVC apparmor="STATUS" operation="profile_remove" profile="unconfined" name="libvirt-4c4c4544-0050-5210-8044-b3c04f563533" pid=543615 comm="apparmor_parser"
apr 29 16:01:31 cglinux kernel: audit: type=1400 audit(1651237291.977:139): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="libvirt-4c4c4544-0050-5210-8044-b3c04f563533" pid=543615 comm="apparmor_parser"

tried various chown of the files copied into /var/lib/libvirt/images, from root to my username to libvirt-qemu, no success, until I realized from the logs that it's apparmor's fault, not the file owner.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: qemu-system-x86 1:6.2+dfsg-2ubuntu6
ProcVersionSignature: Ubuntu 5.15.0-27.28-generic 5.15.30
Uname: Linux 5.15.0-27-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu82
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Fri Apr 29 16:10:20 2022
InstallationDate: Installed on 2022-04-28 (1 days ago)
InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220419)
KvmCmdLine: COMMAND STAT EUID RUID PID PPID %CPU COMMAND
Lsusb:
 Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
 Bus 001 Device 003: ID 413c:2113 Dell Computer Corp. KB216 Wired Keyboard
 Bus 001 Device 002: ID 413c:301a Dell Computer Corp. Dell MS116 Optical Mouse
 Bus 001 Device 004: ID 0b05:17d1 ASUSTek Computer, Inc. AC51 802.11a/b/g/n/ac Wireless Adapter [Mediatek MT7610U]
 Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
MachineType: Dell Inc. OptiPlex 3070
ProcKernelCmdLine: BOOT_IMAGE=/BOOT/ubuntu_706ywm@/vmlinuz-5.15.0-27-generic root=ZFS=rpool/ROOT/ubuntu_706ywm ro quiet splash vt.handoff=1
SourcePackage: qemu
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 09/27/2021
dmi.bios.release: 1.10
dmi.bios.vendor: Dell Inc.
dmi.bios.version: 1.10.0
dmi.board.name: 07WP95
dmi.board.vendor: Dell Inc.
dmi.board.version: A02
dmi.chassis.type: 3
dmi.chassis.vendor: Dell Inc.
dmi.modalias: dmi:bvnDellInc.:bvr1.10.0:bd09/27/2021:br1.10:svnDellInc.:pnOptiPlex3070:pvr:rvnDellInc.:rn07WP95:rvrA02:cvnDellInc.:ct3:cvr:sku0930:
dmi.product.family: OptiPlex
dmi.product.name: OptiPlex 3070
dmi.product.sku: 0930
dmi.sys.vendor: Dell Inc.
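The audit lines in the report are the key evidence: the open() of /var/lib/libvirt/images/SLIC was refused by the per-guest AppArmor profile libvirt-<uuid>, with fsuid equal to ouid, which is why chown made no difference. The following script is an added example (not the reporter's, Ubuntu's or libvirt's code) that parses such journal lines, deduplicates the audit[] and kernel copies of one event, flags denials that ownership cannot fix, and names the narrowest rule an operator could add. It assumes libvirt's AppArmor driver layout, where /etc/apparmor.d/libvirt/libvirt-<uuid> is the hand-editable per-guest profile and libvirt-<uuid>.files is regenerated by virt-aa-helper on every start; verify that layout on your own host. The sample input is constructed from the three audit lines quoted above.

```python
"""Triage AppArmor DENIED audit lines for a libvirt-confined guest.

Added example, not part of the bug report, of qemu or of libvirt.
Assumption: per-guest override profile lives at
/etc/apparmor.d/libvirt/libvirt-<uuid> (libvirt AppArmor driver layout).
"""
import re
from dataclasses import dataclass

# Constructed sample: three lines copied from the journal excerpt in the
# report. The first is a STATUS line that must be skipped; the other two
# are the same open() denial, once via audit[] and once via the kernel.
SAMPLE_JOURNAL = """\
apr 29 16:01:31 cglinux audit[543570]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-4c4c4544-0050-5210-8044-b3c04f563533" pid=543570 comm="apparmor_parser"
apr 29 16:01:31 cglinux audit[543597]: AVC apparmor="DENIED" operation="open" profile="libvirt-4c4c4544-0050-5210-8044-b3c04f563533" name="/var/lib/libvirt/images/SLIC" pid=543597 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055
apr 29 16:01:31 cglinux kernel: audit: type=1400 audit(1651237291.781:138): apparmor="DENIED" operation="open" profile="libvirt-4c4c4544-0050-5210-8044-b3c04f563533" name="/var/lib/libvirt/images/SLIC" pid=543597 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055
"""

# key="quoted value" or key=bareword, as the AppArmor audit format emits them
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Denial:
    profile: str         # confining profile, e.g. libvirt-<domain uuid>
    operation: str       # open, exec, mknod, ...
    path: str            # object the profile refused
    pid: int
    comm: str
    requested_mask: str  # what the process asked for
    denied_mask: str     # the part of it the profile refused
    fsuid: int           # uid of the calling process
    ouid: int            # uid owning the object


def parse_denials(journal_text):
    """Return unique Denial records from journal/dmesg text.

    The same event usually appears twice (auditd line and kernel line), so
    records are keyed on (profile, operation, path, pid).
    """
    seen, denials = set(), []
    for line in journal_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        # findall yields (key, quoted, bare); the unused alternative is ''
        f = {k: q or b for k, q, b in KV_RE.findall(line)}
        d = Denial(
            profile=f["profile"],
            operation=f["operation"],
            path=f.get("name", ""),
            pid=int(f["pid"]),
            comm=f.get("comm", ""),
            requested_mask=f.get("requested_mask", ""),
            denied_mask=f.get("denied_mask", ""),
            fsuid=int(f.get("fsuid", -1)),
            ouid=int(f.get("ouid", -1)),
        )
        key = (d.profile, d.operation, d.path, d.pid)
        if key not in seen:
            seen.add(key)
            denials.append(d)
    return denials


def is_mac_only_denial(d):
    """True when chown/chmod cannot fix it: the kernel evaluates the
    discretionary (DAC) permissions before the LSM hook, so a DENIED line
    with matching owner uid means only the profile stands in the way."""
    return d.fsuid == d.ouid and d.denied_mask != ""


def override_rule(d):
    """Narrowest AppArmor file rule that permits exactly this access."""
    return f'"{d.path}" {d.denied_mask},'


def override_file(d):
    """Per-guest override profile (assumed libvirt AppArmor layout)."""
    if not d.profile.startswith("libvirt-"):
        raise ValueError(f"not a libvirt guest profile: {d.profile}")
    return f"/etc/apparmor.d/libvirt/{d.profile}"


def triage(journal_text):
    """One human-readable line per unique denial."""
    report = []
    for d in parse_denials(journal_text):
        verdict = ("owner matches, AppArmor is the blocker"
                   if is_mac_only_denial(d) else "check DAC first")
        report.append(
            f"{d.comm} (pid {d.pid}) under {d.profile}: {d.operation} "
            f"{d.path} denied {d.denied_mask!r}; {verdict}; "
            f"candidate rule {override_rule(d)} in {override_file(d)}")
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_JOURNAL):
        print(entry)
```

Keep the added rule to the single file and the single mask that was denied rather than opening the whole images directory or setting security_driver to "none" in qemu.conf: the per-guest profile exists precisely so that a compromised qemu process cannot read other guests' disks. Before editing profiles at all, it is worth checking whether the table can be declared through libvirt's own <os><acpi><table> element, since paths libvirt knows about are what virt-aa-helper puts into the generated profile; the dumpxml in this thread declares the qemu command-line namespace and has no such element, which is consistent with the file being invisible to the profile generator, though that reading is mine, not the reporter's.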

mai ling (ml35) wrote :

virsh dumpxml win11oem-uefi1

<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <name>win11oem-uefi1</name>
  <uuid>4c4c4544-0050-5210-8044-b3c04f563533</uuid>
  <metadata>
    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
      <libosinfo:os id="http://microsoft.com/win/10"/>
    </libosinfo:libosinfo>
  </metadata>
  <memory unit='KiB'>12582912</memory>
  <currentMemory unit='KiB'>8388608</currentMemory>
  <memoryBacking>
    <source type='memfd'/>
    <access mode='shared'/>
  </memoryBacking>
  <vcpu placement='static'>4</vcpu>
  <sysinfo type='smbios'>
    <bios>
      <entry name='vendor'>Dell Inc.</entry>
      <entry name='version'>1.10.0</entry>
      <entry name='date'>09/27/2021</entry>
      <entry name='release'>1.10.0</entry>
    </bios>
    <system>
      <entry name='manufacturer'>Dell Inc.</entry>
      <entry name='product'>OptiPlex 3070</entry>
      <entry name='serial'>xxxxxx</entry>
      <entry name='uuid'>xxxxxxxxxxxxxxxxxxx</entry>
      <entry name='sku'>xxxx</entry>
      <entry name='family'>OptiPlex</entry>
    </system>
    <baseBoard>
      <entry name='manufacturer'>Dell Inc.</entry>
      <entry name='product'>xxxxx</entry>
      <entry name='version'>xxxx</entry>
      <entry name='serial'>xxxxxxxxxxx/</entry>
    </baseBoard>
    <chassis>
      <entry name='manufacturer'>Dell Inc.</entry>
      <entry name='serial'>xxxxxx</entry>
      <entry name='sku'>Desktop</entry>
    </chassis>
  </sysinfo>
  <os>
    <type arch='x86_64' machine='pc-q35-6.2'>hvm</type>
    <loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE_4M.ms.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/win11oem-uefi_VARS.fd</nvram>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <hyperv mode='custom'>
      <relaxed state='on'/>
      <vapic state='on'/>
      <spinlocks state='on' retries='8191'/>
    </hyperv>
    <vmport state='off'/>
  </features>
  <cpu mode='host-passthrough' check='none' migratable='on'>
    <topology sockets='1' dies='1' cores='4' threads='1'/>
  </cpu>
  <clock offset='localtime'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
    <timer name='hypervclock' present='yes'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw' cache='none' io='native' discard='unmap'/>
      <source dev='/dev/zvol/rpool/win11oem'/>
      <target dev='sda' bus='scsi'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <controller type='usb' index='0' model='qemu-xhci' ports='15'>
      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
    </controller>
    <controller type='pci' index='0' model='pcie-root'/>
    <controller type='pci' index='1' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <targ...


mai ling (ml35) wrote :

your ubuntu-bug tool is broken, doesn't upload full dmesg.
it should use journalctl -kb, not dmesg.

full journal -kb attached, that's probably what you wanted instead of https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1970940/+attachment/5585109/+files/CurrentDmesg.txt

mai ling (ml35) wrote :

manually launching qemu DOES work... but not through libvirt. please identify the correct package this bug should belong to. not sure if it is qemu-system-x86

$ ps axfww|grep SLIC
 566799 pts/0 Sl+ 0:04 | | \_ qemu-system-x86_64 -acpitable file=/var/lib/libvirt/images/SLIC

mai ling (ml35) wrote :

moving the files to a newly defined storage doesn't work either, getting the same apparmor DENIED. the var-lib-libvirt-images is just the default pool but renamed

$ virsh pool-list
 Name State Autostart
----------------------------------------------
 pool active yes
 pool-1 active yes
 var-lib-libvirt-images active yes

$ virsh pool-dumpxml pool-1
<pool type='dir'>
  <name>pool-1</name>
  <uuid>5f8c0ccb-0603-4d13-925b-6e864ede72d9</uuid>
  <capacity unit='bytes'>206982873088</capacity>
  <allocation unit='bytes'>1356070912</allocation>
  <available unit='bytes'>205626802176</available>
  <source>
  </source>
  <target>
    <path>/home/user/Desktop</path>
    <permissions>
      <mode>0755</mode>
      <owner>1000</owner>
      <group>1000</group>
    </permissions>
  </target>
</pool>

$ ls -la ~/Desktop/SLIC
-rw-r--r-- 1 root root 374 apr 29 16:54 /home/user/Desktop/SLIC

Sergio Durigan Junior (sergiodj) wrote :

Thanks for taking the time to report a bug and help improving Ubuntu.

I will try to reproduce it locally first, and will get back when I have more info.

Thanks.

tags: added: server-triage-discuss
tags: removed: server-triage-discuss