vhost-scsi triggers virt-aa-helper error

Bug #1829223 reported by Christian Ehrhardt 
Affects: libvirt (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Forked from bug 1815910 as it is a different kind of problem and also a different fix.

FYI: this works just fine when defined at the time the guest starts.
libvirt mediates the access and passes an FD that at the time qemu can open and use.
Only later on when hot-plugging this occurs.

#1 prepare a scsi device to pass
$ sudo modprobe vhost-scsi
$ sudo targetcli backstores/block create name=disk1 dev=/dev/disk/by-path/ccw-0.0.e000-fc-0x50050763060b16b6-lun-0x4024400a00000000
$ sudo targetcli vhost/ create 50014059de6fba4f
$ sudo targetcli vhost/naa.50014059de6fba4f/tpg1/luns create /backstores/block/disk1

#2 describe the device to attach for libvirt
$ cat vhost-scsi.xml
    <hostdev mode='subsystem' type='scsi_host' managed='no'>
      <source protocol='vhost' wwpn='naa.50014059de6fba4f'/>
    </hostdev>

#3 do the hotplug
$ virsh attach-device disco-vhost vhost-scsi.xml
error: Failed to attach device from vhost-scsi.xml
error: internal error: cannot update AppArmor profile 'libvirt-9518e35c-c5ab-4d14-9204-003923544936'

When debugging this we see that, as expected, it triggers an error in virt-aa-helper:
/usr/lib/libvirt/virt-aa-helper -r -u libvirt-9518e35c-c5ab-4d14-9204-003923544936 -F /sys/kernel/config/target/vhost//naa.50014059de6fba4f
unexpected exit status 1
  virt-aa-helper: error: /sys/kernel/config/target/vhost//naa.50014059de6fba4f
  virt-aa-helper: error: skipped restricted file
  virt-aa-helper: error: invalid VM definition

Changed in libvirt (Ubuntu):
status: New → Triaged
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Since "the dawn of ages" a.k.a. commit 51a4814f "Imported Upstream version 0.7.2" virt-aa-helper filters some paths [1].

/sys is one of them.

There is the feature to override certain sub-paths which is almost as old [2]:

We will have to register "/sys/kernel/config/target/vhost" there as well.

[1]: https://libvirt.org/git/?p=libvirt.git;a=blob;f=src/security/virt-aa-helper.c;hb=bbaecd6a8f15345bc822ab4b79eb0955986bb2fd#l467
[2]: https://libvirt.org/git/?p=libvirt.git;a=commit;h=1efb6236744632c579049ee610dc1c8a42b3ee3d
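
A constructed model of the filter and override-list behaviour described in this comment, added here as an example; it is not libvirt's or virt-aa-helper's own code, and the restricted list, the empty pre-fix override list and the function names are assumptions:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: a path under a restricted prefix is refused
 * ("skipped restricted file") unless it also sits under an explicitly
 * registered override sub-path. Only "/sys" is confirmed by the bug;
 * "/proc" is an illustrative entry. */
static const char *const restricted[] = { "/sys", "/proc" };

/* Override list after registering the vhost target directory. */
static const char *const overrides_after[] = {
    "/sys/kernel/config/target/vhost"
};

/* Prefix match on whole path components, so "/sysfs" does not match "/sys".
 * The doubled slash in ".../vhost//naa..." still matches, because the
 * character right after the prefix is '/'. */
static bool under(const char *path, const char *prefix)
{
    size_t n = strlen(prefix);
    return strncmp(path, prefix, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

static bool allowed(const char *path, const char *const *ov, size_t n_ov)
{
    bool hit = false;
    for (size_t i = 0; i < sizeof restricted / sizeof restricted[0]; i++)
        if (under(path, restricted[i])) hit = true;
    if (!hit)
        return true;                    /* not a restricted location */
    for (size_t i = 0; i < n_ov; i++)
        if (under(path, ov[i])) return true;   /* registered exception */
    return false;                       /* "skipped restricted file" */
}

/* Before the fix no override covers the vhost directory (existing entries omitted). */
bool allowed_before_fix(const char *path) { return allowed(path, NULL, 0); }
bool allowed_after_fix(const char *path)  { return allowed(path, overrides_after, 1); }

int main(void)
{
    const char *p = "/sys/kernel/config/target/vhost//naa.50014059de6fba4f";
    printf("before: %s\n", allowed_before_fix(p) ? "allowed" : "skipped restricted file");
    printf("after:  %s\n", allowed_after_fix(p)  ? "allowed" : "skipped restricted file");
    return 0;
}
```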

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

I have a preliminary patch to test building in PPA:
https://launchpad.net/~paelzer/+archive/ubuntu/bug-1829223-vhost-scsi

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

I have a fix that allows the /sys path to be added.
But then we face (the expected bug) that follows bug 1815910:

  error: internal error: unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS

Due to:
  /dev/vhost-scsi

I'll add vhost-scsi to the 1815910 fix and submit this patch here upstream.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Patch upstream accepted, bundling with the coming libvirt upload which was focused on these vhost fixes anyway.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Tested with 5.0.0-1ubuntu4~ppa1 from PPA now all three vhost hotplug types work.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 5.0.0-1ubuntu4

---------------
libvirt (5.0.0-1ubuntu4) eoan; urgency=medium

  * d/p/ubuntu/lp-1825195-*.patch: fix issues with old guests that defined
    the never functional osxsave and ospke features (LP: #1825195).
  * d/p/series: reorder ubuntu Delta
  * d/p/ubuntu-aa/lp-1815910-allow-vhost-net.patch: avoid apparmor issues
    with vhost-net/vhost-vsock/vhost-scsi hotplug (LP: #1815910)
  * d/p/ubuntu-aa/lp-1829223-virt-aa-helper-allow-vhost-scsi.patch fix
    vhost-scsi hotplug in virt-aa-helper (LP: #1829223)

libvirt (5.0.0-1ubuntu3) eoan; urgency=medium

  * SECURITY UPDATE: Add support for md-clear functionality
    - debian/patches/ubuntu/md-clear.patch: Define md-clear CPUID bit in
      src/cpu_map/x86_features.xml.
    - CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

 -- Christian Ehrhardt <email address hidden> Thu, 16 May 2019 10:42:09 +0200

Changed in libvirt (Ubuntu):
status: Triaged → Fix Released