Merge ~paelzer/ubuntu/+source/libvirt:lp-1890858-fix-connectivity-FOCAL into ubuntu/+source/libvirt:ubuntu/focal-devel

Proposed by Christian Ehrhardt 
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: dc34361772c316d8c94c3cb9de94011eaf9f5491
Merge reported by: Christian Ehrhardt 
Merged at revision: dc34361772c316d8c94c3cb9de94011eaf9f5491
Proposed branch: ~paelzer/ubuntu/+source/libvirt:lp-1890858-fix-connectivity-FOCAL
Merge into: ubuntu/+source/libvirt:ubuntu/focal-devel
Diff against target: 52 lines (+30/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu-aa/lp-1890858-unix-socket.patch (+22/-0)
Reviewer Review Type Date Requested Status
Robie Basak sru Approve
Canonical Server Pending
git-ubuntu developers Pending
Review via email: mp+404124@code.launchpad.net
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Held back for the new insights into systemd's involvement in this.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Ok, new input resolved - I update this MP to contain the new better rule.

P.S. the central rule might later (independently) be added in abstractions/nameservices, but this is independent of this fix, as e.g. libvirt would not immediately benefit from the abstraction fix anyway (and it would open up much more than wanted).

Revision history for this message
Robie Basak (racb) wrote :

Perfect, and great job in working the bug as well as finding the solution!

review: Approve (sru)
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Thank you!

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/libvirt
 * [new tag] upload/6.0.0-0ubuntu8.10 -> upload/6.0.0-0ubuntu8.10

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading libvirt_6.0.0-0ubuntu8.10.dsc: done.
  Uploading libvirt_6.0.0-0ubuntu8.10.debian.tar.xz: done.
  Uploading libvirt_6.0.0-0ubuntu8.10_source.buildinfo: done.
  Uploading libvirt_6.0.0-0ubuntu8.10_source.changes: done.
Successfully uploaded packages.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

This migrated

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index fa7efba..d201ca8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
1libvirt (6.0.0-0ubuntu8.10) focal; urgency=medium
2
3 * d/p/ubuntu-aa/lp-1890858-unix-socket.patch: avoid issues of some users
4 to connect to libvirtd (LP: #1890858)
5
6 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 14 Jun 2021 14:36:04 +0200
7
1libvirt (6.0.0-0ubuntu8.9) focal; urgency=medium8libvirt (6.0.0-0ubuntu8.9) focal; urgency=medium
29
3 * d/p/u/lp-1921754*: add EPYC-Rome-v2 as v1 missed IBRS and thereby fails10 * d/p/u/lp-1921754*: add EPYC-Rome-v2 as v1 missed IBRS and thereby fails
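Review bot: The new changelog entry "avoid issues of some users to connect to libvirtd" is ungrammatical and does not record what the patch actually changes, which matters for an SRU record that people will read on its own. State the mechanism, e.g. "d/p/ubuntu-aa/lp-1890858-unix-socket.patch: allow libvirtd to bind the unix dgram @userdb-* socket used for NSS UID resolution; the AppArmor denial could crash libvirtd or prevent some (non-local) users from connecting (LP: #1890858)".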
diff --git a/debian/patches/series b/debian/patches/series
index 33f754c..d4e8461 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -155,3 +155,4 @@ ubuntu/lp-1922907-cputest-Add-data-for-Intel-R-Xeon-R-Platinum-9242-CP.patch
155ubuntu/lp-1922907-cputest-Add-data-for-Intel-R-Xeon-R-Gold-6130-CPU.patch155ubuntu/lp-1922907-cputest-Add-data-for-Intel-R-Xeon-R-Gold-6130-CPU.patch
156ubuntu/lp-1922907-cpu_map-Distinguish-Cascadelake-Server-from-Skylake-.patch156ubuntu/lp-1922907-cpu_map-Distinguish-Cascadelake-Server-from-Skylake-.patch
157ubuntu/lp-1922907-cleanup-test-data.patch157ubuntu/lp-1922907-cleanup-test-data.patch
158ubuntu-aa/lp-1890858-unix-socket.patch
diff --git a/debian/patches/ubuntu-aa/lp-1890858-unix-socket.patch b/debian/patches/ubuntu-aa/lp-1890858-unix-socket.patch
158new file mode 100644159new file mode 100644
index 0000000..6622e34
--- /dev/null
+++ b/debian/patches/ubuntu-aa/lp-1890858-unix-socket.patch
@@ -0,0 +1,22 @@
1Description: allow network unix dgram for NSS UID resolution
2 Certain conditions - aong others non local users - can in Focal
3 trigger libvirt to call for NSS resolving usernames.
4 That is done through a unix socket bind/call which is denied
5 by apparmor. In some cases that is crashing libvirtd and in others
6 it "only" denies the user from using libvirtd.
7Forwarded: no
8X-Not-Forwarded-Reason: not a problem for latter libvirt versions - Ubuntu Focal only
9Author: Christian Ehrhardt <christian.ehrhardt@canonical.com>
10Bug-Ubuntu: https://bugs.launchpad.net/bugs/1890858
11Last-Update: 2021-06-14
12--- a/src/security/apparmor/usr.sbin.libvirtd
13+++ b/src/security/apparmor/usr.sbin.libvirtd
14@@ -46,6 +46,8 @@ profile libvirtd /usr/sbin/libvirtd flag
15 network netlink raw,
16 network packet dgram,
17 network packet raw,
18+ # For UID resolution in Focal (LP: #1890858)
19+ unix (bind) type=dgram addr=@userdb-*,
20
21 # for --p2p migrations
22 unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
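Review bot: Two wording fixes are needed in the DEP-3 header: "aong others" in the Description should read "among others", and "latter libvirt versions" in X-Not-Forwarded-Reason should read "later libvirt versions". More substantively, the Description says the denied operation is a "unix socket bind/call", but the added rule grants only `bind` on `type=dgram addr=@userdb-*`; please quote the exact AppArmor DENIED audit line (operation, socket type, addr) that this rule was derived from in the Description, so that anyone later seeing a related denial on send or receive can tell whether this rule was meant to cover it or whether a follow-up is required.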
