Ubuntu
libvirt package

libvirt doesn't include *.vnc files with apparmor profiles

Bug #1069534 reported by Theo Cabrerizo Diem on 2012-10-21

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	libvirt (Ubuntu)	Fix Released	Medium	Serge Hallyn

Bug Description

When creating machines using virt-install using the --vnc option, it misses the following line into the /etc/apparmor.d/libvirt/libvirt-xxxmachineuuid.files :

"/var/lib/libvirt/**/vm-fqdn.vnc" rw,

The files are auto-generated from a template, but adding the mentioned line manually solved the issue.

Not sure why but the VM did start without any manual intervention when I've created it for the first time with virt-install, but did not start after a reboot (exiting with permission denied in a bind call to the mentioned vnc socket file).

Thanks

root@Homeserver:/etc/libvirt# lsb_release -rd
Description: Ubuntu 12.04.1 LTS
Release: 12.04

root@Homeserver:/etc/libvirt# apt-cache policy libvirt-bin
libvirt-bin:
  Installed: 0.9.8-2ubuntu17.4
  Candidate: 0.9.8-2ubuntu17.4
  Version table:
*** 0.9.8-2ubuntu17.4 0
        500 http://de.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     0.9.8-2ubuntu17 0
        500 http://de.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

Related branches

lp:ubuntu/raring-proposed/libvirt

lp:ubuntu/raring/libvirt

Revision history for this message

Serge Hallyn (serge-hallyn) wrote on 2012-10-22:

Thanks for reproring this bug.

Could you please give the full exact vmbuildder command you are using? I'll try to reproduce.

Changed in libvirt (Ubuntu):
importance:	Undecided → Medium
status:	New → Incomplete

Revision history for this message

Theo Cabrerizo Diem (tcdiem) wrote on 2012-10-23:

virsh dumpxml Edit (2.1 KiB, text/xml)

The command line used was :

virt-install -n laranja.fritz.box -r 512 --os-variant=ubuntuprecise --disk /home/vms/disk_laranja_root.img,device=disk,bus=virtio,size=8,sparse=true,format=raw -w bridge=vms,model=virtio --graphics vnc,listen=0.0.0.0,password=qwerty --location=http://de.archive.ubuntu.com/ubuntu/dists/precise/main/installer-amd64/

Attached also the result of 'virsh dumpxml laranja.fritz.box'

Serge Hallyn (serge-hallyn) on 2012-10-23

Changed in libvirt (Ubuntu):
status:	Incomplete → New

Revision history for this message

Serge Hallyn (serge-hallyn) wrote on 2012-10-23:

Thanks for that info.

Your dumpxml output shows

but when I reproduce your command exactly I get the normal

Do you know how you ended up with the vnc socket defined?

If it was done by hand, then I'd prefer to say that you should also add the socket file to the apparmor profile by hand. If it was done automatically, then either the new rule should be added as you suggested, or the external tool (if one was used) should perhaps add it to the domain's /etc/apparmor.d/libvirt/libvirt-<uuid>.files file.

Changed in libvirt (Ubuntu):
status:	New → Incomplete

Revision history for this message

Theo Cabrerizo Diem (tcdiem) wrote on 2012-10-23:

I will try to investigate what happened that the socket path was used instead of listen (maybe in one of the debugging attempts, I did not supply the listen parameter ?). I'm sorry to not be able to provide an immediate answer on this one since I can't reach my test system at the moment since I'm currently on a different network.

But AFAIK the /etc/apparmor.d/libvirt/libvirt-<uuid>.files is autogenerated. IMHO if its possible to have a socket option it should parse and add the file to the appropriate profile. Adding it by hand gets overwritten once you stop and start the VM.

Revision history for this message

Theo Cabrerizo Diem (tcdiem) wrote on 2012-11-01:

After checking again, the XML file (/etc/libvirt/qemu/laranja.fritz.box.xml) contains (snipped):
    <graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0' passwd='qwerty'>
      <listen type='address' address='0.0.0.0'/>
    </graphics>

a virsh dumpxml produces after the vm is started (snipped):
    <graphics type='vnc' socket='/var/lib/libvirt/qemu/laranja.fritz.box.vnc'>
      <listen type='address' address='0.0.0.0'/>
    </graphics>

Serge Hallyn (serge-hallyn) on 2012-11-14

Changed in libvirt (Ubuntu):
status:	Incomplete → Triaged

Revision history for this message

Serge Hallyn (serge-hallyn) wrote on 2012-11-14:

Per irc discussion, this should be done with a domain-specific rule added through virt-aa-helper.

Serge Hallyn (serge-hallyn) on 2012-11-30

Changed in libvirt (Ubuntu):
assignee:	nobody → Serge Hallyn (serge-hallyn)
status:	Triaged → In Progress

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-12-13:

This bug was fixed in the package libvirt - 1.0.0-0ubuntu4

---------------
libvirt (1.0.0-0ubuntu4) raring; urgency=low

  * debian/patches/apparmor-allow-hugepages: update apparmor policies to
    allow use of hugepages. (LP: #646468)
  * debian/patches/vnc-socket.patch: If a vnc socket is in use, add it's
    path to the apparmor policy. (LP: #1069534)
-- Serge Hallyn <email address hidden> Wed, 05 Dec 2012 16:43:04 -0600