Merge ~lvoytek/ubuntu/+source/swtpm:aa-allow-libvirt-pid-access into ubuntu/+source/swtpm:ubuntu/devel
Proposed by: Lena Voytek

Status | Merged
---|---
Approved by | git-ubuntu bot
Approved revision | not available
Merged at revision | aca173688bf8445b1713ed75486dbbb170234fb9
Proposed branch | ~lvoytek/ubuntu/+source/swtpm:aa-allow-libvirt-pid-access
Merge into | ubuntu/+source/swtpm:ubuntu/devel
Diff against target | 28 lines (+8/-1), 2 files modified: debian/changelog (+7/-0), debian/usr.bin.swtpm (+1/-1)
Related bugs |

Reviewer | Review Type | Date Requested | Status
---|---|---|---
git-ubuntu bot | Approve | |
Andreas Hasenack | Approve | |
Canonical Server Reporter | Pending | |

Review via email: mp+432149@code.launchpad.net
Description of the change
PPA: https:/
Testing
# sudo apt update && sudo apt dist-upgrade -y
# sudo apt install virt-manager swtpm
Add PPA here to fix -> sudo add-apt-repository ppa:lvoytek/
Create a vm in virt-manager and on the last page
> Select "Customize configuration before install"
> Click Finish
> Click Add Hardware
> Select TPM with Model "TIS" and version 2.0
> Click "Begin Installation"
We don't need a windows vm to reproduce the problem, any linux vm with tpm 2.0 added will work. Without the apparmor change, the same DENIED will appear in the logs and virt-manager will fail to start the VM, so I think the test case can be simplified to something like "launch ubuntu vm, add tpm 2.0 device".
While checking this, I noticed that it looks like swtpm (or libvirt) is leaking pid files in /run/libvirt/qemu/swtpm:
# ls -la /run/libvirt/qemu/swtpm/
total 24
drwxrwx--- 2 libvirt-qemu swtpm 160 Oct 24 19:20 .
drwxr-xr-x 5 root root 180 Oct 24 19:28 ..
-rw-r--r-- 1 root root 7 Oct 24 18:45 2-win11_22H2-swtpm.pid
-rw-r--r-- 1 root root 7 Oct 24 18:56 3-win11_22H2-swtpm.pid
-rw-r--r-- 1 root root 7 Oct 24 18:59 4-win11_22H2-swtpm.pid
-rw-r--r-- 1 root root 7 Oct 24 19:01 5-win11_22H2-swtpm.pid
-rw-r--r-- 1 root root 7 Oct 24 19:18 6-win11_22H2-swtpm.pid
-rw-r--r-- 1 root root 7 Oct 24 19:20 7-win11_22H2-swtpm.pid
Every time I stop and start a VM with a tpm 2.0 device, a new pid file gets created, and when that vm is stopped, the pid file is not removed. I'm ready to file a separate bug for this, but maybe we could take a quick look to see why this is happening. I wanted to try some strace/opensnoop to see if someone is even trying to remove those pid files (and perhaps failing due to "reasons").
Note that the directory permissions libvirt-qemu:swtpm 775 would allow the swtpm user to remove the pid file, even though it's owned by root.
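As an added check for the test plan above and for the DENIED entries Andreas mentions, here is a small Python helper (not part of the merge proposal or the swtpm package) that picks out AppArmor denials raised by the swtpm profile against paths under /run/libvirt/. The sample audit lines are constructed; the profile name "swtpm" and the key="value" field layout are assumed to match what the kernel's apparmor audit records use.

```python
"""Find AppArmor denials from the swtpm profile in kernel audit output.

The lines in SAMPLE_LOG are constructed for this example; feed real
lines from `journalctl -k` or /var/log/kern.log to swtpm_denials().
"""
import re

# apparmor audit records are a run of key="quoted value" or key=bare pairs
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor(line):
    """Return the key/value fields of one apparmor audit line, or None
    when the line is not an apparmor record at all."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def swtpm_denials(lines, path_prefix="/run/libvirt/"):
    """Return (path, denied_mask, pid) for every DENIED record emitted by
    the swtpm profile whose target path starts with path_prefix."""
    hits = []
    for line in lines:
        f = parse_apparmor(line)
        if not f or f.get("apparmor") != "DENIED" or f.get("profile") != "swtpm":
            continue
        name = f.get("name", "")
        if name.startswith(path_prefix):
            hits.append((name, f.get("denied_mask", ""), int(f.get("pid", 0))))
    return hits


# Constructed sample: one profile load, one swtpm denial on the libvirt pid
# file directory, one unrelated swtpm denial that the prefix filter skips.
SAMPLE_LOG = [
    'audit: type=1400 audit(1666640000.101:301): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="swtpm" pid=4100 comm="apparmor_parser"',
    'audit: type=1400 audit(1666640000.102:302): apparmor="DENIED" operation="open" profile="swtpm" name="/run/libvirt/qemu/swtpm/7-win11_22H2-swtpm.pid" pid=4200 comm="swtpm" requested_mask="wc" denied_mask="wc" fsuid=64055 ouid=0',
    'audit: type=1400 audit(1666640000.103:303): apparmor="DENIED" operation="open" profile="swtpm" name="/etc/hostname" pid=4300 comm="swtpm" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
]

if __name__ == "__main__":
    for path, mask, pid in swtpm_denials(SAMPLE_LOG):
        print(f"swtpm pid {pid} denied {mask} on {path}")
```

After applying the PPA build, the same filter run over the live kernel log should return nothing while the VM with the TPM 2.0 device starts.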