Merge ~paelzer/ubuntu/+source/libvirt:lp-1871354-libpmem-1869796-systemd into ubuntu/+source/libvirt:ubuntu/focal-devel

Proposed by Christian Ehrhardt 
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: 03e01bea8ec61786ac1eef3cd827d12b1e06ef59
Merge reported by: Christian Ehrhardt 
Merged at revision: 03e01bea8ec61786ac1eef3cd827d12b1e06ef59
Proposed branch: ~paelzer/ubuntu/+source/libvirt:lp-1871354-libpmem-1869796-systemd
Merge into: ubuntu/+source/libvirt:ubuntu/focal-devel
Diff against target: 125 lines (+97/-0)
4 files modified
debian/changelog (+10/-0)
debian/patches/series (+2/-0)
debian/patches/ubuntu-aa/lp-1871354-apparmor-avoid-denials-on-libpmem-initialization.patch (+47/-0)
debian/patches/ubuntu/CVE-CVE-2020-10701-api-disallow-virDomainAgentSetResponseTimeout-on-rea.patch (+38/-0)
Reviewer Review Type Date Requested Status
Rafael David Tinoco (community) Approve
Canonical Server packageset reviewers Pending
Canonical Server Pending
Review via email: mp+382309@code.launchpad.net
Christian Ehrhardt  (paelzer) wrote :

All tests are good except one:

    4.3.6 (12:45:18): Check guest that stayed up during upgrade
    4.3.7 (12:45:19): Check if guest kvm-testguest-focal-2 on testkvm-focal-noupd is alive => Failed detail=guest that stayed no more alive after upgrade

Maybe the service fixes are not working the same way in Ubuntu as they did in Debian.
Checking in detail tomorrow.

Rafael David Tinoco (rafaeldtinoco) wrote :

# checklist for fixes
----------------------------

 [.] changelog entry correct, targeted to correct codename
 [.] update-maintainer has been run previously
 ----
 [.] changes forwarded upstream/debian (if appropriate)
 [.] patches match what was proposed upstream
 ----
 [.] patches correctly included in debian/patches/series?
 [.] patches have correct DEP3 metadata
 ----
 [-] verified dpkg-buildpackage -S and -b
 [-] autopkgtest against PPA or built package passes
 ----
 [-] testcase provided
 [-] was able to reproduce
 [-] fix solved provided testcase

----------------------------
 [.] = ok
 [x] = not ok
 [?] = question
 [!] = note
 [-] = n/a

I'm +1 with all the patches.

The stabilization looks good to me (related to services and sockets restart).

CVEs are always good... and apparmor fixes make sense.

Good to go.

review: Approve
Christian Ehrhardt  (paelzer) wrote :

The test that failed is the one that checks if guests stay up during upgrade.
Chances are that the changes to libvirt-guests service trigger this.

Upgrade the following one by one:
libvirt-clients/focal 6.0.0-0ubuntu7~ppa1 s390x [upgradable from: 6.0.0-0ubuntu6]
libvirt-daemon-driver-qemu/focal 6.0.0-0ubuntu7~ppa1 s390x [upgradable from: 6.0.0-0ubuntu6]
libvirt-daemon-driver-storage-rbd/focal 6.0.0-0ubuntu7~ppa1 s390x [upgradable from: 6.0.0-0ubuntu6]
libvirt-daemon-system-systemd/focal 6.0.0-0ubuntu7~ppa1 s390x [upgradable from: 6.0.0-0ubuntu6]
libvirt-daemon-system/focal 6.0.0-0ubuntu7~ppa1 s390x [upgradable from: 6.0.0-0ubuntu6]
libvirt-daemon/focal 6.0.0-0ubuntu7~ppa1 s390x [upgradable from: 6.0.0-0ubuntu6]
libvirt0/focal 6.0.0-0ubuntu7~ppa1 s390x [upgradable from: 6.0.0-0ubuntu6]
qemu-block-extra/focal 1:4.2-3ubuntu5~ppa1 s390x [upgradable from: 1:4.2-3ubuntu4]
qemu-kvm/focal 1:4.2-3ubuntu5~ppa1 s390x [upgradable from: 1:4.2-3ubuntu4]
qemu-system-common/focal 1:4.2-3ubuntu5~ppa1 s390x [upgradable from: 1:4.2-3ubuntu4]
qemu-system-data/focal 1:4.2-3ubuntu5~ppa1 all [upgradable from: 1:4.2-3ubuntu4]
qemu-system-s390x/focal 1:4.2-3ubuntu5~ppa1 s390x [upgradable from: 1:4.2-3ubuntu4]
qemu-utils/focal 1:4.2-3ubuntu5~ppa1 s390x [upgradable from: 1:4.2-3ubuntu4]

I: # apt install qemu-kvm qemu-block-extra qemu-system-common qemu-system-data qemu-system-s390x qemu-utils
=> no change (as expected)

II: libvirt-clients libvirt-daemon libvirt-daemon-driver-qemu libvirt-daemon-driver-storage-rbd libvirt-daemon-system libvirt0

up until this step nothing happened:
Setting up libvirt0:s390x (6.0.0-0ubuntu7~ppa1) ...
Setting up libvirt-clients (6.0.0-0ubuntu7~ppa1) ...
Setting up libvirt-daemon-driver-qemu (6.0.0-0ubuntu7~ppa1) ...
Setting up libvirt-daemon (6.0.0-0ubuntu7~ppa1) ...
Setting up libvirt-daemon-driver-storage-rbd (6.0.0-0ubuntu7~ppa1) ...
Setting up libvirt-daemon-system (6.0.0-0ubuntu7~ppa1) ...

And then as assumed the services restart in a bad way.
Plenty of socket restart related errors (more than before).
Restarting libvirt-guests.sh brings down the guests.

Ok, assumption confirmed.
Let's remove that from the proposed change.
bug 1869796 is non critical and low prio anyway.
Better do this slowly and thoroughly in 20.10 then.

Will retest with the rest of the changes once rebuilt.

Christian Ehrhardt  (paelzer) wrote :

Tests good now:
prep (x86_64) : Pass 20 F/S/N 0/0/0 - RC 0 (14 min 52815 lin)
migrate (x86_64) : Pass 288 F/S/N 0/0/0 - RC 0 (61 min 214364 lin)
cross (x86_64) : Pass 24 F/S/N 0/1/3 - RC 0 (50 min 47742 lin)
misc (x86_64) : Pass 73 F/S/N 0/0/0 - RC 0 (31 min 41276 lin)

prep (s390x) : Pass 20 F/S/N 0/0/0 - RC 0 (11 min 44238 lin)
migrate (s390x) : Pass 268 F/S/N 0/5/0 - RC 0 (86 min 160565 lin)
cross (s390x) : Pass 30 F/S/N 0/1/2 - RC 0 (60 min 47716 lin)
misc (s390x) : Pass 67 F/S/N 0/0/0 - RC 0 (38 min 32915 lin)

Although one last-minute fix slipped in for bug 1872107 and I'll retest.

Christian Ehrhardt  (paelzer) wrote :

accepted in focal

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 2be6236..8aae264 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,13 @@
6+libvirt (6.0.0-0ubuntu7) focal; urgency=medium
7+
8+ * d/p/ubuntu-aa/lp-1871354*: fix apparmor denials on libpmem init
9+ (LP: #1871354)
10+ * d/p/ubuntu/CVE-CVE-2020-10701-api-disallow-virDomainAgentSetResponseTimeout
11+ -on-rea.patch: avoid DOS through read only connections
12+ CVE-2020-10701
13+
14+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 15 Apr 2020 12:29:12 +0200
15+
16 libvirt (6.0.0-0ubuntu6) focal; urgency=medium
17
18 * d/p/ubuntu/lp-1867460-*: fix domcapabilities before capabilities
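Review bot: the patch name in the second bullet carries a doubled prefix, `d/p/ubuntu/CVE-CVE-2020-10701-...`; it matches the file added under debian/patches and the series entry, so the build is consistent, but renaming all three to a single `CVE-2020-10701-` prefix before upload would keep the changelog greppable by CVE id in its usual form. The bullet text would also read better as "DoS" rather than "DOS", since the issue is denial of service via a read-only connection.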
19diff --git a/debian/patches/series b/debian/patches/series
20index 867b899..3f54079 100644
21--- a/debian/patches/series
22+++ b/debian/patches/series
23@@ -78,3 +78,5 @@ ubuntu/lp-1853200-cpu_map-Add-decode-element-to-x86-CPU-model-definiti.patch
24 ubuntu/lp-1853200-cpu_x86-Honor-CPU-models-decode-element.patch
25 ubuntu/lp-1853200-cpu_map-Don-t-use-new-noTSX-models-for-host-model-CP.patch
26 ubuntu/lp-1868528-util-virhostcpu-Fail-when-fetching-CPU-Stats-for-inv.patch
27+ubuntu-aa/lp-1871354-apparmor-avoid-denials-on-libpmem-initialization.patch
28+ubuntu/CVE-CVE-2020-10701-api-disallow-virDomainAgentSetResponseTimeout-on-rea.patch
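Review bot: both new entries are appended after the last `ubuntu/` patch, which is fine since they touch disjoint files (src/security/apparmor/libvirt-qemu and src/libvirt-domain.c) and cannot conflict whatever the order; if the doubled `CVE-CVE-` prefix in the second entry is corrected, this line and the file name under debian/patches/ubuntu/ must change together or quilt will fail to find the patch.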
29diff --git a/debian/patches/ubuntu-aa/lp-1871354-apparmor-avoid-denials-on-libpmem-initialization.patch b/debian/patches/ubuntu-aa/lp-1871354-apparmor-avoid-denials-on-libpmem-initialization.patch
30new file mode 100644
31index 0000000..0ebeb8e
32--- /dev/null
33+++ b/debian/patches/ubuntu-aa/lp-1871354-apparmor-avoid-denials-on-libpmem-initialization.patch
34@@ -0,0 +1,47 @@
35+From 8f61fd6bf2dc7e1107e010fdc14bab9ecfde43af Mon Sep 17 00:00:00 2001
36+From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
37+Date: Wed, 8 Apr 2020 16:47:58 +0200
38+Subject: [PATCH] apparmor: avoid denials on libpmem initialization
39+
40+With libpmem support compiled into qemu it will trigger the following
41+denials on every startup.
42+ apparmor="DENIED" operation="open" name="/"
43+ apparmor="DENIED" operation="open" name="/sys/bus/nd/devices/"
44+
45+This is due to [1] that tries to auto-detect if the platform supports
46+auto flush for all region.
47+
48+Once we know all the paths that are potentially needed if this feature
49+is really used we can add them conditionally in virt-aa-helper and labelling
50+calls in case </pmem> is enabled.
51+
52+But until then the change here silences the denial warnings seen above.
53+
54+[1]: https://github.com/pmem/pmdk/blob/master/src/libpmem2/auto_flush_linux.c#L131
55+
56+Bug: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1871354
57+
58+Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
59+Acked-by: Jamie Strandboge <jamie@canonical.com>
60+
61+Origin: backport, https://libvirt.org/git/?p=libvirt.git;a=commit;h=8f61fd6b
62+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1871354
63+Last-Update: 2020-04-15
64+
65+---
66+ src/security/apparmor/libvirt-qemu | 5 +++++
67+ 1 file changed, 5 insertions(+)
68+
69+--- a/src/security/apparmor/libvirt-qemu
70++++ b/src/security/apparmor/libvirt-qemu
71+@@ -259,5 +259,10 @@
72+ /etc/gss/mech.d/ r,
73+ /etc/gss/mech.d/* r,
74+
75++ # required by libpmem init to fts_open()/fts_read() the symlinks in
76++ # /sys/bus/nd/devices
77++ / r, # harmless on any lsb compliant system
78++ /sys/bus/nd/devices/{,**/} r,
79++
80+ # Site-specific additions and overrides. See local/README for details.
81+ #include <local/abstractions/libvirt-qemu>
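Review bot: the added `/ r,` rule matches only the path `/` itself (an AppArmor path rule without a glob does not cover children), so it permits listing the root directory entries and nothing below it; saying that in the comment, instead of only "harmless on any lsb compliant system", would save the next reader from assuming root-wide read access was granted. `/sys/bus/nd/devices/{,**/} r,` likewise matches directories only, since both alternatives end in `/`, which is all the fts_open()/fts_read() walk described in the commit message needs. On the DEP3 header, `Bug:` and `Bug-Ubuntu:` both point at the same Launchpad bug; `Bug:` is meant for the upstream tracker, so dropping the duplicate `Bug:` line or pointing it upstream would be tidier.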
82diff --git a/debian/patches/ubuntu/CVE-CVE-2020-10701-api-disallow-virDomainAgentSetResponseTimeout-on-rea.patch b/debian/patches/ubuntu/CVE-CVE-2020-10701-api-disallow-virDomainAgentSetResponseTimeout-on-rea.patch
83new file mode 100644
84index 0000000..39b2024
85--- /dev/null
86+++ b/debian/patches/ubuntu/CVE-CVE-2020-10701-api-disallow-virDomainAgentSetResponseTimeout-on-rea.patch
87@@ -0,0 +1,38 @@
88+From 4cc90c2e62df653e909ad31fd810224bf8bcf913 Mon Sep 17 00:00:00 2001
89+From: Jonathon Jongsma <jjongsma@redhat.com>
90+Date: Fri, 20 Mar 2020 09:43:13 -0500
91+Subject: [PATCH] api: disallow virDomainAgentSetResponseTimeout() on read-only
92+ connections
93+
94+This function changes the amount of time that libvirt waits for a
95+response from the guest agent for all guest agent commands. Since this
96+is a configuration change, it should not be allowed on read-only
97+connections.
98+
99+Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
100+Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
101+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
102+
103+Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=4cc90c2e62df653e909ad31fd810224bf8bcf913
104+Last-Update: 2020-04-15
105+
106+---
107+ src/libvirt-domain.c | 2 ++
108+ 1 file changed, 2 insertions(+)
109+
110+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
111+index 65813b68cc..a12809c2d5 100644
112+--- a/src/libvirt-domain.c
113++++ b/src/libvirt-domain.c
114+@@ -12576,6 +12576,8 @@ virDomainAgentSetResponseTimeout(virDomainPtr domain,
115+ virCheckDomainReturn(domain, -1);
116+ conn = domain->conn;
117+
118++ virCheckReadOnlyGoto(conn->flags, error);
119++
120+ if (conn->driver->domainAgentSetResponseTimeout) {
121+ if (conn->driver->domainAgentSetResponseTimeout(domain, timeout, flags) < 0)
122+ goto error;
123+--
124+2.26.0
125+
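Review bot: `virCheckReadOnlyGoto(conn->flags, error);` sits after `virCheckDomainReturn(domain, -1);` and before the driver dispatch, and the `error` label already exists in this function (the existing `goto error;` in context uses it), so the check is in the right place and a read-only client is rejected before any driver code runs. The DEP3 header has `Origin:` and `Last-Update:` but no `Bug:`/`Bug-Ubuntu:` line and no mention of the CVE id in the description; adding a `CVE-2020-10701` reference to the header makes the patch self-describing once it is read apart from the changelog.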
