apparmor disallows qemu+tcp:// connections
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| libvirt (Ubuntu) |
Fix Released
|
Low
|
Jamie Strandboge | ||
| Karmic |
Fix Released
|
Low
|
Jamie Strandboge | ||
| Lucid |
Fix Released
|
Low
|
Jamie Strandboge | ||
Bug Description
TEST CASE;
1. adjust /etc/libvirt/
listen_tls = 0
listen_tcp = 1
2. Restart libvirt in listen mode:
$ sudo /etc/init.
$ sudo libvirtd -d --listen
3. see if it worked:
$ virsh -c qemu+tcp:
Please enter your authentication name:
If you are prompted for authentication in step #3, then everything is fine (can't authenticate because we haven't setup sasl).
Currently get the following output from libvirtd in step #2:
14:48:14.916: warning : qemudStartup:521 : Unable to create cgroup for driver: No such device or address
14:48:15.005: warning : lxcStartup:1460 : Unable to create cgroup for driver: No such device or address
14:48:15.017: error : remoteMakeSocke
And in dmesg:
Oct 27 14:48:15 sec-karmic-amd64 kernel: [60424.438021] type=1503 audit(125665489
Oct 27 14:48:15 sec-karmic-amd64 kernel: [60424.438093] type=1503 audit(125665489
Need to add the following to the profile:
network inet6 stream,
network inet6 dgram,
SRU
Impact: qemu+tcp:// connections no longer work
Bug is addressed in Lucid by adding 'inet dgram6' and 'inet6 stream' to the usr.sbin.libvirtd profile
See description
The regression potential is considered extremely low. It only allows additional access the the profile previously denied.
This bug was fixed in the package libvirt - 0.7.0-1ubuntu14
---------------
libvirt (0.7.0-1ubuntu14) lucid; urgency=low
* debian/
added files (LP: #460271)
* debian/
apparmor denied message when kvm/qemu tries to open a libvirt specified
readonly file (such as a cdrom) with write permissions. libvirt uses the
readonly attribute for the security driver only, and has no way of telling
kvm/qemu that the device should be opened readonly. (LP: #453335)
* debian/
work (LP: #461528)
* debian/
allowing 'inet6 stream' and 'inet6 dgram' (LP: #462000)
-- Jamie Strandboge <email address hidden> 2009年11月09日 17:11:05 -0600
Accepted libvirt into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https:/
This now works in 0.7.0-1ubuntu13.1.
- output of my upgrade session Edit (6.5 KiB, text/plain)
I had to run '/etc/init.
removed: verification-needed
Bryan, your issue is due to bug #466315, which will be fixed in a future update.
This bug was fixed in the package libvirt - 0.7.0-1ubuntu13.1
---------------
libvirt (0.7.0-1ubuntu13.1) karmic-proposed; urgency=low
* debian/
added files (LP: #460271)
* debian/
apparmor denied message when kvm/qemu tries to open a libvirt specified
readonly file (such as a cdrom) with write permissions. libvirt uses the
readonly attribute for the security driver only, and has no way of telling
kvm/qemu that the device should be opened readonly. (LP: #453335)
* debian/
work (LP: #461528)
* debian/
allowing 'inet6 stream' and 'inet6 dgram' (LP: #462000)
-- Jamie Strandboge <email address hidden> 2009年11月09日 17:12:32 -0600