Merge ~paelzer/ubuntu/+source/libvirt:bug-1847361-miss-old-so-on-upgrade-SRU-EOAN into ubuntu/+source/libvirt:ubuntu/eoan-devel

Proposed by Christian Ehrhardt 
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: 142018f19cb5157306c8c928639d81f7ee4a87c7
Merge reported by: Christian Ehrhardt 
Merged at revision: 142018f19cb5157306c8c928639d81f7ee4a87c7
Proposed branch: ~paelzer/ubuntu/+source/libvirt:bug-1847361-miss-old-so-on-upgrade-SRU-EOAN
Merge into: ubuntu/+source/libvirt:ubuntu/eoan-devel
Diff against target: 74 lines (+52/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu-aa/lp-1847361-load-versioned-module.patch (+44/-0)
Reviewers (reviewer: status):
Rafael David Tinoco (community): Approve
Canonical Server: Pending
Review via email: mp+381999@code.launchpad.net
Christian Ehrhardt  (paelzer) wrote :

Marking these WIP until bug 1871830 is finished

Christian Ehrhardt  (paelzer) wrote :

Bug 1871830 fixed and the required change is in the SRUs as well.
I uploaded a new build to the PPA and force pushed these branches.

Christian Ehrhardt  (paelzer) wrote :

SRU Template added, ready for review.

Rafael David Tinoco (rafaeldtinoco) wrote :

+1. Everything looks good.

review: Approve
Christian Ehrhardt  (paelzer) wrote :

Thanks, tags pushed and uploaded for SRU review

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index b5e2076..9c57097 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+libvirt (5.4.0-0ubuntu5.3) eoan; urgency=medium
7+
8+ * d/p/ubuntu-aa/lp-1847361-load-versioned-module.patch: allow loading
9+ versioned modules after qemu package upgrades (LP: #1847361)
10+
11+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 09 Apr 2020 08:28:33 +0200
12+
13 libvirt (5.4.0-0ubuntu5.2) eoan; urgency=medium
14
15 * d/p/u/lp-1655111-apparmor-fix-qemu_bridge_helper-for-named-profile.patch:
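Review bot: The new changelog bullet names the patch file and the bug but not what is being relaxed. It should say that the libvirt-qemu AppArmor profile now grants `mr` on `/{var/,}run/qemu/*/*.so` and adds an `audit deny` for writes there, so that someone reading only debian/changelog during SRU review sees that a confinement rule changed. Wording such as "apparmor: allow qemu to read and map versioned modules under /run/qemu, deny writes with auditing" in the bullet would cover it.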
16diff --git a/debian/patches/series b/debian/patches/series
17index 964fb3c..0534883 100644
18--- a/debian/patches/series
19+++ b/debian/patches/series
20@@ -61,3 +61,4 @@ ubuntu/lp-1828495-qemu-Drop-MSR-features-from-host-model-with-old-QEMU.patch
21 ubuntu/lp-1828495-qemu-Probe-host-CPU-after-capabilities.patch
22 ubuntu/lp-1844455-node_device_conf-Don-t-leak-physical_function.patch
23 ubuntu/lp-1655111-apparmor-fix-qemu_bridge_helper-for-named-profile.patch
24+ubuntu-aa/lp-1847361-load-versioned-module.patch
25diff --git a/debian/patches/ubuntu-aa/lp-1847361-load-versioned-module.patch b/debian/patches/ubuntu-aa/lp-1847361-load-versioned-module.patch
26new file mode 100644
27index 0000000..b1efec9
28--- /dev/null
29+++ b/debian/patches/ubuntu-aa/lp-1847361-load-versioned-module.patch
30@@ -0,0 +1,44 @@
31+Description: allow loading modules from /var/run
32+ apparmor: qemu load old shared objects
33+
34+ On qemu upgrades the old .so files usually are replaced. But on the other
35+ hand since a qemu process represents a guest instance it is usually kept
36+ around.
37+
38+ That makes late addition of dynamic features e.g. 'hot-attach of a ceph
39+ disk' fail by trying to load a new version of e.f. block-rbd.so into an
40+ old still running qemu binary.
41+
42+ Qemu adds a fallback to also load modules from a versioned directory in the
43+ temporary /var/run path. That way qemu is providing a way for packaging
44+ to store modules of an upgraded qemu package as needed until the next reboot.
45+
46+ This change is allowing the qemu process access to these paths.
47+
48+ Background:
49+ This is a continuation of a discussion at KVM Forum 2019 eventually
50+ becoming [1] and recently this change is queued to get into qemu properly [2].
51+
52+ [1]: https://lists.gnu.org/archive/html/qemu-devel/2019-11/msg00005.html
53+ [2]: https://lists.nongnu.org/archive/html/qemu-devel/2020-03/msg03313.html
54+
55+ Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
56+
57+Forwarded: yes, https://www.redhat.com/archives/libvir-list/2020-March/msg00486.html
58+Author: Christian Ehrhardt <christian.ehrhardt@canonical.com>
59+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1847361
60+Last-Update: 2020-03-13
61+--- a/src/security/apparmor/libvirt-qemu
62++++ b/src/security/apparmor/libvirt-qemu
63+@@ -164,6 +164,11 @@
64+ /usr/{lib,lib64}/qemu/*.so mr,
65+ /usr/lib/@{multiarch}/qemu/*.so mr,
66+
67++ # let qemu load old shared objects after upgrades (LP: #1847361)
68++ /{var/,}run/qemu/*/*.so mr,
69++ # but explicitly deny with auditing writing to these files
70++ audit deny /{var/,}run/qemu/*/*.so w,
71++
72+ # swtpm
73+ /{usr/,}bin/swtpm rmix,
74+ /usr/{lib,lib64}/libswtpm_libtpms.so mr,
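Review bot: In the libvirt-qemu hunk, the added `/{var/,}run/qemu/*/*.so mr,` rule lets the confined qemu map code from a runtime directory, and the `audit deny /{var/,}run/qemu/*/*.so w,` line after it only constrains the qemu process itself; the profile cannot stop any other process from placing a .so file there. The in-profile comment should state the assumption the rule depends on: that the versioned directory under /run/qemu is created and filled by packaging, as the Description says, and is not writable by the user the guests run as. Two smaller points in the patch header: the short Description says "/var/run" while the rule also covers "/run", and "e.f. block-rbd.so" should read "e.g.".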
