Issues with AppArmor on Ubuntu 16.04. Permission denied
r7vme opened this issue · 2 comments
Hello, thanks for your work.
I'm trying to create a VM with a volume and a network, but I'm getting the following error:
libvirt_domain.domain: Error creating libvirt domain: [Code-1] [Domain-10] internal error: process exited while connecting to monitor: 2017-02-14T00:37:50.691878Z qemu-system-x86_64: -drive file=/var/lib/libvirt/images/rs-vol-0,format=qcow2,if=none,id=drive-virtio-disk0: Could not open '/var/lib/libvirt/images/rs-vol-0': Permission denied
Root cause was in AppArmor:
Feb 14 01:37:50 cz7825 audit[14624]: AVC apparmor="DENIED" operation="open" profile="libvirt-ac2850aa-7938-4e68-bb81-57cfeeba458b" name="/var/libvirt/images/rs-vol-0" pid=14624 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=111 ouid=111
Feb 14 01:37:50 cz7825 audit[14624]: AVC apparmor="DENIED" operation="open" profile="libvirt-ac2850aa-7938-4e68-bb81-57cfeeba458b" name="/var/libvirt/images/rs-vol-0" pid=14624 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
Libvirt for some reason didn't mention the disk files in the AppArmor configuration for this VM (the same happens with the qemu-monitor device also). Other VMs (not managed by Terraform) work fine and have the appropriate permissions in AppArmor. Checked on multiple hosts with 16.04.
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/log/libvirt/**/rs-0.log" w,
"/var/lib/libvirt/qemu/domain-rs-0/monitor.sock" rw,
"/var/run/libvirt/**/rs-0.pid" rwk,
"/run/libvirt/**/rs-0.pid" rwk,
"/var/run/libvirt/**/*.tunnelmigrate.dest.rs-0" rw,
"/run/libvirt/**/*.tunnelmigrate.dest.rs-0" rw,
# for qemu guest agent channel
owner "/var/lib/libvirt/qemu/channel/target/domain-rs-0/**" rw,
The template is the following:
provider "libvirt" {
  uri = "qemu+ssh://root@pdt1/system"
}

variable "num_nodes" {
  default = 1
}

variable "prefix" {
  default = "rs"
}

resource "libvirt_network" "network" {
  name   = "${var.prefix}-net"
  domain = "lab"
  mode   = "none"
}

resource "libvirt_volume" "volume" {
  name  = "${var.prefix}-vol-${count.index}"
  size  = "${100 * 1024 * 1024 * 1024}"
  count = "${var.num_nodes}"
}

resource "libvirt_domain" "domain" {
  name   = "${var.prefix}-${count.index}"
  vcpu   = 1
  memory = 3072

  disk {
    volume_id = "${element(libvirt_volume.volume.*.id, count.index)}"
  }

  network_interface {
    network_id = "${libvirt_network.network.id}"
  }

  count = "${var.num_nodes}"
}
Version:
- Ubuntu 16.04.1
- libvirt-bin 1.3.1-1ubuntu10.6
- apparmor 2.10.95-0ubuntu2.5
- Terraform v0.8.6
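The two `AVC apparmor="DENIED"` lines above are the only direct evidence of the root cause, and on a host running many guests they are easy to miss among other audit records. The following is an added example (not code from the issue or from the provider it discusses) that parses such audit lines, keeps only denials raised by a per-domain `libvirt-<uuid>` profile, and merges the denied permission bits per profile and path into the rule that is absent from the generated profile. The log lines embedded in it are constructed: the first two reproduce the denials quoted in the report, the others are filler to show that non-matching records are ignored.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log. Lines 1-2 mirror the denials quoted in the issue;
# line 3 is a complain-mode ("ALLOWED") record for another guest and line 4
# is an unrelated sshd record, both of which must be ignored.
SAMPLE_LOG = """\
Feb 14 01:37:50 cz7825 audit[14624]: AVC apparmor="DENIED" operation="open" profile="libvirt-ac2850aa-7938-4e68-bb81-57cfeeba458b" name="/var/libvirt/images/rs-vol-0" pid=14624 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=111 ouid=111
Feb 14 01:37:50 cz7825 audit[14624]: AVC apparmor="DENIED" operation="open" profile="libvirt-ac2850aa-7938-4e68-bb81-57cfeeba458b" name="/var/libvirt/images/rs-vol-0" pid=14624 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
Feb 14 01:38:02 cz7825 audit[14700]: AVC apparmor="ALLOWED" operation="open" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/var/lib/libvirt/images/other.qcow2" pid=14700 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=111 ouid=111
Feb 14 01:38:10 cz7825 sshd[14800]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2
"""

# Everything after the "AVC " token is a sequence of key=value or key="value" pairs.
AVC_RE = re.compile(r'\bAVC\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Denial:
    profile: str
    path: str
    operation: str
    denied_mask: str
    comm: str
    pid: int


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Return the AVC fields of one audit line as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    for fm in FIELD_RE.finditer(m.group('fields')):
        key, quoted, bare = fm.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def find_libvirt_denials(log_text: str) -> List[Denial]:
    """Keep only DENIED records whose profile is a libvirt per-domain profile (libvirt-<uuid>)."""
    out: List[Denial] = []
    for line in log_text.splitlines():
        f = parse_avc(line)
        if not f or f.get('apparmor') != 'DENIED':
            continue
        if not f.get('profile', '').startswith('libvirt-'):
            continue
        out.append(Denial(
            profile=f['profile'],
            path=f.get('name', ''),
            operation=f.get('operation', ''),
            denied_mask=f.get('denied_mask', ''),
            comm=f.get('comm', ''),
            pid=int(f.get('pid', '0')),
        ))
    return out


def missing_rules(denials: List[Denial]) -> Dict[Tuple[str, str], str]:
    """Group denials by (profile, path) and merge the denied permission bits.

    The merged mask is the access the per-domain profile would have to grant for
    that path; 'r' and 'wr' for the same file collapse into 'rw'.
    """
    merged: Dict[Tuple[str, str], set] = {}
    for d in denials:
        key = (d.profile, d.path)
        merged.setdefault(key, set()).update(d.denied_mask)
    # Present permission letters in the order AppArmor profiles usually use them.
    return {key: ''.join(p for p in 'rwklmx' if p in bits) for key, bits in merged.items()}


def as_profile_lines(rules: Dict[Tuple[str, str], str]) -> List[str]:
    """Render merged rules in the syntax of the libvirt-generated profile quoted in the issue."""
    return [f'# profile {profile}: "{path}" {mask},' for (profile, path), mask in sorted(rules.items())]


if __name__ == '__main__':
    for line in as_profile_lines(missing_rules(find_libvirt_denials(SAMPLE_LOG))):
        print(line)
```

The output is a diagnostic, not something to paste into the `DO NOT EDIT` file: the per-domain profile is regenerated by libvirt, so the fix belongs in whatever produces the domain definition. The parser is deliberately tolerant of extra fields so it works equally on `journalctl` and `/var/log/audit/audit.log` output.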
@MalloZup, I noticed that creating a VM with virt-manager works and creating the same VM with terraform fails with the error described here.
virt-manager generates xml like this:
<disk type="file">
  <source file="/var/lib/libvirt/images/img.qcow2"/>
  <target dev="vda" bus="virtio"/>
</disk>
and terraform like this:
<disk type="volume">
  <source pool="poolname" volume="volumename.qcow2"/>
  <target dev="vda" bus="virtio"/>
</disk>
There seems to be a bug in libvirt where it does not generate the correct apparmor profile when using volume, but it's ok when using file.