Qemu virt-aa-helper doesn't add the storage pool path to the AppArmor rules it generates


I have a new VM on a fresh Ubuntu 20.04 host (libvirtd (libvirt) 6.0.0) that fails to start because AppArmor denies read access to the VM disk. The disk is defined as follows:

<disk type='volume' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source pool='default' volume='awesome.qcow2'/>
  <target dev='vda' bus='virtio'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
</disk>
<disk type='file' device='cdrom'>
  <driver name='qemu' type='raw'/>
  <source file='/var/lib/libvirt/images/ubuntu-20.04.1-live-server-amd64.iso'/>
  <target dev='hda' bus='sata'/>
  <readonly/>
  <address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
The permissions are correct; I verified this by disabling AppArmor, and the kernel log also prints the following:

[10757.098291] audit: type=1400 audit(1599423932.042:131): apparmor="DENIED" operation="open" profile="libvirt-b68582b8-0f35-4298-afd8-45c89ff3cbaa" name="/var/lib/libvirt/images/awesome.qcow2" pid=8654 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055
Looking at the profile generated by virt-aa-helper in /etc/apparmor.d/libvirt/ (when the VM starts), I can see the following:

# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/playground.log" w,
  "/var/lib/libvirt/qemu/domain-playground/monitor.sock" rw,
  "/var/lib/libvirt/qemu/domain-17-playground/*" rw,
  "/run/libvirt/**/playground.pid" rwk,
  "/run/libvirt/**/*.tunnelmigrate.dest.playground" rw,
  "/var/lib/libvirt/images/ubuntu-20.04.1-live-server-amd64.iso" rk,
  "/dev/vhost-net" rw,
  "/var/lib/libvirt/qemu/domain-17-playground/{,**}" rwk,
  "/var/lib/libvirt/qemu/channel/target/domain-17-playground/{,**}" rwk,
  "/var/lib/libvirt/qemu/domain-17-playground/master-key.aes" rwk,
  "/dev/net/tun" rwk,
For some reason the disk path is missing, while the ISO is added correctly. I can see the path of the default pool in /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper:

[...]
@{HOME}/ r,
@{HOME}/** r,
/var/lib/libvirt/images/ r,
/var/lib/libvirt/images/** r,
# nova base images (LP: #907269)
/var/lib/nova/images/** r,
[...]

I suspect there should be an entry for the volume's disk file. Why isn't it being added?
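A diagnostic check for the situation described above, added here as example code (not libvirt's code and not from the original post): it resolves each <disk> of the domain XML to the host path qemu will open, mapping volume-backed disks through their pool's target path as found in virsh pool-dumpxml output, and reports the paths the generated profile never grants. The domain, pool and profile fragments are constructed from the snippets in the question; the pool XML follows libvirt's standard dir-pool layout.

```python
import re
import xml.etree.ElementTree as ET
# Constructed inputs copied from the question above (not live virsh output).
POOL_XML = """<pool type='dir'><name>default</name>
  <target><path>/var/lib/libvirt/images</path></target></pool>"""
DOMAIN_XML = """<domain type='kvm'><devices>
  <disk type='volume' device='disk'>
    <source pool='default' volume='awesome.qcow2'/>
    <target dev='vda' bus='virtio'/>
  </disk>
  <disk type='file' device='cdrom'>
    <source file='/var/lib/libvirt/images/ubuntu-20.04.1-live-server-amd64.iso'/>
    <target dev='hda' bus='sata'/>
  </disk>
</devices></domain>"""
PROFILE = """# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/playground.log" w,
  "/var/lib/libvirt/images/ubuntu-20.04.1-live-server-amd64.iso" rk,
  "/dev/net/tun" rwk,"""

def pool_paths(pool_xmls):
    """Map pool name -> target directory, from <pool> XML (virsh pool-dumpxml)."""
    pools = [ET.fromstring(x) for x in pool_xmls]
    return {p.findtext('name'): p.findtext('target/path') for p in pools}

def disk_paths(domain_xml, pools):
    """Resolve each <disk> to the host path qemu will open; volumes via their pool."""
    paths = []
    for disk in ET.fromstring(domain_xml).iter('disk'):
        src = disk.find('source')
        if src is None:           # empty cdrom tray: nothing to open
            continue
        if disk.get('type') == 'file':
            paths.append(src.get('file'))
        elif disk.get('type') == 'volume':
            paths.append(pools[src.get('pool')] + '/' + src.get('volume'))
    return paths

def profile_paths(profile_text):
    """Quoted path literals granted by a generated libvirt-<uuid>.files profile."""
    return set(re.findall(r'^\s*"([^"]+)"\s+[a-z]+,\s*$', profile_text, re.M))

def missing_rules(domain_xml, pool_xmls, profile_text):
    """Disk paths the domain needs but the generated profile does not grant."""
    granted = profile_paths(profile_text)
    return [p for p in disk_paths(domain_xml, pool_paths(pool_xmls)) if p not in granted]

if __name__ == '__main__':
    for path in missing_rules(DOMAIN_XML, [POOL_XML], PROFILE):
        print('no AppArmor rule for', path)
```

On a real host, feed it `virsh dumpxml <domain>`, `virsh pool-dumpxml <pool>` for each pool the domain references, and the matching /etc/apparmor.d/libvirt/libvirt-<uuid>.files; any path it reports will show up as an AppArmor DENIED line like the one in the kernel log above.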

This seems to be a confirmed bug in the libvirt package in Ubuntu:
