New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using disk type file instead of type volume would fix apparmor permissions #126
Comments
Using file type definition for disks allows virt-aa-helper to identify the backing file correctly from the generated XML and add the necessary permissions to permit qemu to be able to access the storage disk provided it is located within a storage pool. Ensure that reading of existing tfstate using pool/volume definition remains working for upgrade compatibility by checking first if `File` is a non-zero string. Fixes dmacvicar#126
Using file type definition for disks allows virt-aa-helper to identify the backing file correctly from the generated XML and add the necessary permissions to permit qemu to be able to access the storage disk provided it is located within a storage pool. Ensure that reading of existing tfstate using pool/volume definition remains working for upgrade compatibility by checking first if `File` is a non-zero string. Fixes dmacvicar#126
Please re-open as this has re-appeared after 77982e7 |
In my case, contrary to https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1343245, an app-armor rule seems to be created:
However the volumes are created as root:
With the following config:
|
I tried with: service apparmor stop
service apparmor teardown but got the same:
|
@blaggacao I think it might be more useful to see the domain XML from |
Indeed: <domain type='kvm'>
<name>k8s0</name>
<uuid>86b4d04b-d060-4ebd-aec2-a2fba32116f5</uuid>
<memory unit='KiB'>4194304</memory>
<currentMemory unit='KiB'>4194304</currentMemory>
<vcpu placement='static'>1</vcpu>
<os>
<type arch='x86_64' machine='pc-i440fx-bionic'>hvm</type>
<boot dev='hd'/>
</os>
<features>
<acpi/>
<apic/>
<pae/>
</features>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<emulator>/usr/bin/kvm-spice</emulator>
<disk type='volume' device='disk'>
<driver name='qemu' type='qcow2'/>
<source pool='default' volume='k8s0.qcow2'/>
<target dev='vda' bus='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
</disk>
<disk type='file' device='cdrom'>
<driver name='qemu' type='raw'/>
<source file='/var/lib/libvirt/images/commoninit.iso'/>
<target dev='hda' bus='ide'/>
<readonly/>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
<controller type='usb' index='0' model='piix3-uhci'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
</controller>
<controller type='pci' index='0' model='pci-root'/>
<controller type='ide' index='0'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
</controller>
<controller type='virtio-serial' index='0'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
</controller>
<interface type='network'>
<mac address='52:54:00:82:59:16'/>
<source network='vm_network'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
<serial type='pty'>
<target type='isa-serial' port='0'>
<model name='isa-serial'/>
</target>
</serial>
<console type='pty'>
<target type='serial' port='0'/>
</console>
<console type='pty'>
<target type='virtio' port='1'/>
</console>
<channel type='pty'>
<target type='virtio' name='org.qemu.guest_agent.0'/>
<address type='virtio-serial' controller='0' bus='0' port='1'/>
</channel>
<input type='mouse' bus='ps2'/>
<input type='keyboard' bus='ps2'/>
<graphics type='spice' autoport='yes' listen='127.0.0.1'>
<listen type='address' address='127.0.0.1'/>
</graphics>
<video>
<model type='cirrus' vram='16384' heads='1' primary='yes'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</video>
<memballoon model='virtio'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
</memballoon>
<rng model='virtio'>
<backend model='random'>/dev/urandom</backend>
<address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
</rng>
</devices>
</domain> |
I'm going to have to look through the code, but I was sure this was supposed to add disks using the file type rather than the volume type which would result in the additional helper utils around libvirt doing the right thing |
So looks like the regression is from #380, specifically commit accb12b switched back to using volumes in preference to files which does not work with apparmor, then subsequently #489 simply moves the code around around between files. @dmacvicar looks like you changed the code around to switch back to prefering volumes rather than files? Should this be switched back as I don't see the libvirt helper utils for apparmor supporting? One solution might be to leave everything else using volume id's but change terraform-provider-libvirt/libvirt/domain.go Lines 426 to 476 in ee4094d
|
I explained in #567
accb12b is not a regression. We want our users to be able to attach disks present in different types of volume pools. Using filenames makes the assumption that the file is a qcow2 backed by a directory pool, which is not the case. If the user creates a volume using whatever backing storage, we want the terraform provider to be independent of that choice, and refer to the volume by its top abstraction, which is the (pool, name) pair. You are asking to remove that abstraction, because a very specific tool was implemented incorrectly, making assumptions about implementation. For example, if you create a pool of type "Physical disk", the volume xml would look like this: <volume type='block'>
<name>loop0p1</name>
<key>/dev/loop0p1</key>
<source>
<device path='/dev/loop0'>
<extent start='32256' end='542868480'/>
</device>
</source>
<capacity unit='bytes'>542836224</capacity>
<allocation unit='bytes'>542836224</allocation>
<physical unit='bytes'>542836224</physical>
<target>
<path>/dev/loop0p1</path>
<format type='none'/>
<permissions>
<mode>0660</mode>
<owner>0</owner>
<group>486</group>
</permissions>
<timestamps>
<atime>1554648074.662222336</atime>
<mtime>1554648074.662222336</mtime>
<ctime>1554648074.662222336</ctime>
</timestamps>
</target>
</volume> So I believe Applying the workaround you suggest, would prevent people from using a eg. physical disk based pool. |
Given how linux works in representing everything as I file, I was expecting that ultimately all volumes would represetable as files so it would be good to be clear on exactly where this breaks down as opposed to what doesn't work with this first pass. It would seem given that the current behaviour forces a requirement to use root for anyone using ubuntu, resulting in a non trivial security impact, if there is no way to translate all volume representations to a file representation, then it seems like a user controlled option to enable this behaviour where needed with a warning message about the limitations and to highlight it is a requirement due to how virt-aa-helper works, would be a reasonable compromise to help as many users as possible. Thoughts? |
Most volumes are indeed mapped to a file/path. It is just that The current behavior does not force anything. I believe My suspicion would be https://gitlab.com/libvirt/libvirt/blob/52970dec5b4d0fd1a9baa593b46a33bd7eeaf6b8/src/security/virt-aa-helper.c#L965 for (i = 0; i < ctl->def->ndisks; i++) {
virDomainDiskDefPtr disk = ctl->def->disks[i];
if (!virDomainDiskGetSource(disk))
continue;
/* XXX - if we knew the qemu user:group here we could send it in
* so that the open could be re-tried as that user:group.
*/
if (!disk->src->backingStore) {
bool probe = ctl->allowDiskFormatProbing;
virStorageFileGetMetadata(disk->src, -1, -1, probe, false);
}
/* XXX passing ignoreOpenFailure = true to get back to the behavior
* from before using virDomainDiskDefForeachPath. actually we should
* be passing ignoreOpenFailure = false and handle open errors more
* careful than just ignoring them.
*/
if (virDomainDiskDefForeachPath(disk, true, add_file_path, &buf) < 0)
goto cleanup;
} It basically reads the source element of each disk and assumes (probably from the early libvirt days) that there is a path element. I'd guess that function is designed in the times disk was directly tied to files. @cbosdo may have some wisdom for us. |
This seems to be stale. I'm guessing it's not relevant anymore or not affecting enough people? If so, please do close it. |
This is unfortunately still relevant :/ I'm having this problem on Debian bullseye. |
Version Reports:
Distro version of host:
Ubuntu 16.04
Terraform Version Report
Terraform v0.8.8
Libvirt version
1.3.1
terraform-provider-libvirt plugin version (git-hash)
Description of Issue/Question
Use of disk type volume in the domain XML definition prevents virt-aa-helper from being able to determine the correct file path that should be added to the auto generated apparmor profile. This leads to the requirement to disable apparmor for libvirt which is not always possible in every environment (e.g. no sudo access).
Consequently you'll receive the following message when trying to boot without first setting
security = "none"
in /etc/libvirt/qemu.conf:Looking at the domain XML generated and comparing it to a known working vagrant VM that was working with apparmour enabled highlighted the following differences about the disk definition:
terraform libvirt provider generated disk XML from domain
vagrant libvirt provider generated disk XML from domain
Using this information then lead to the following issue:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1343245
While it might be possible for future releases on ubuntu to include a version of virt-aa-helper that will know to look at the volume and pool information in order to resolve the disk image path and add that to the apparmor rules, it seems like it might be useful for this provider to switch the XML generated for the disks used to use a format that is better understood by virt-aa-helper and thus remove the need to disable security on qemu when using.
Additional Infos:
Apparmor was enabled in order to debug why the provider didn't work with it, when the vagrant-libvirt provider works.
The text was updated successfully, but these errors were encountered: