Created attachment 1609257
Domain file

Description of problem:
Creating a domain with multiple disks and trying to take a disk-only snapshot with external disk overlay fails with the error "Could not create file: Permission denied"

Version-Release number of selected component (if applicable):
Tested on 4.0.0, 5.0.0 and master (648c11c04cf1d45f37f4662ffb7952611ddb458c)

How reproducible:
Create a new domain for qemu with 2 disks connected. (dumpxml of my domain as attachment)

Steps to Reproduce:
1. snapshot-create-as --domain ubuntu18.04 --disk-only --atomic --diskspec vda,file=/var/lib/libvirt/images/ubuntu18.04-overlay.qcow2,snapshot=external --diskspec vdb,file=/var/lib/libvirt/images/ubuntu18.04-1-overlay.qcow2,snapshot=external

Actual results:
error: internal error: unable to execute QEMU command 'transaction': Could not create file: Permission denied

Expected results:
Domain snapshot 1567058757 created

Additional info:
When manually adding the path to the vda overlay file in /etc/apparmor.d/libvirt/libvirt-a955728a-ac8f-4fcb-8bea-3e12fca826a7 as:
"/var/lib/libvirt/images/ubuntu18.04-overlay.qcow2" rwk,
It works to take a snapshot for both disks. So it looks like the apparmor profile is only updated with the last disk
FYI - I was debugging this in the context of Ubuntu bug https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1845506
I think I found the root cause (see recent updates there).
The summary for now is:
- one of the labeling calls does not use append=true
- thereby the apparmor rules get re-rendered from XML, throwing away former appended paths
- the snapshot case here represents two calls, and the second throws away the content of the former one
If all goes well from here I will submit patches sometime this week.
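The report above shows the symptom (only the last disk's overlay ends up in the per-domain profile) and the comment above the cause (a labeling call that re-renders the rules instead of appending). As an added check that is not part of the bug report or of libvirt, the script below verifies that a per-domain AppArmor profile carries a writable rule for every overlay passed to a snapshot; it assumes the rule format quoted in the report (`"/path" rwk,`) and drives the check on constructed profile fragments rather than real files under /etc/apparmor.d/libvirt/.

```shell
#!/bin/sh
# Added example, not part of the bug report or of libvirt.
# check_overlay_rules PROFILE OVERLAY...
#   prints every overlay path that has no "rwk" rule in PROFILE;
#   returns 0 when all overlays are permitted, 1 when any rule is missing.
check_overlay_rules() {
    profile=$1
    shift
    missing=0
    for overlay in "$@"; do
        # Fixed-string match (-F) so dots in the path are not regex wildcards.
        # A read-only rule ("rk,") does not count: the overlay must be writable.
        if ! grep -Fq -- "\"$overlay\" rwk," "$profile"; then
            echo "missing rwk rule: $overlay"
            missing=1
        fi
    done
    return $missing
}

# Demo on constructed profile fragments (real profiles live under
# /etc/apparmor.d/libvirt/); overlay paths are the ones from the report.
demo() {
    dir=$(mktemp -d)
    vda=/var/lib/libvirt/images/ubuntu18.04-overlay.qcow2
    vdb=/var/lib/libvirt/images/ubuntu18.04-1-overlay.qcow2
    # Profile re-rendered without append: only the last disk's overlay survives.
    printf '%s\n' "\"$vdb\" rwk," > "$dir/without-append"
    # Profile with the rules appended: both overlays present.
    printf '%s\n' "\"$vda\" rwk," "\"$vdb\" rwk," > "$dir/with-append"
    echo "--- profile rendered without append:"
    check_overlay_rules "$dir/without-append" "$vda" "$vdb" \
        || echo "QEMU would hit 'Permission denied' on the missing overlay"
    echo "--- profile with appended rules:"
    check_overlay_rules "$dir/with-append" "$vda" "$vdb" \
        && echo "all overlays permitted"
    rm -rf "$dir"
}
demo
```

Run it against the real profile with `check_overlay_rules /etc/apparmor.d/libvirt/libvirt-<uuid> <overlay>...` after a snapshot to confirm every overlay was kept.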
FYI a fix to this has been on the mailing list for a few days with no response yet: https://www.redhat.com/archives/libvir-list/2019-October/msg01002.html
Worth an FYI ping here anyway, and maybe it gets seen that way.
P.S. With the massive glib changes ongoing we might need slight adaptations depending on the order they land, but that seems to be search/replace and should be ok.
FYI - changes in upstream git now

commit d53f4d02d032ec14391b5052ec165105dfc338b5
Author: Christian Ehrhardt <christian.ehrhardt>
Date:   Wed Oct 16 09:35:27 2019 +0200

    apparmor: let AppArmorSetSecurityImageLabel append rules

(and some related cleanups before that)