Bug 1746684 - Creating disk-only snapshot on domain with more than one disk fails with permission denied
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Libvirt Maintainers
Reported: 2019-08-29 06:22 UTC by Lars Dunemark
Modified: 2019-11-21 08:09 UTC

Fixed In Version: libvirt-5.10.0
Last Closed: 2019-11-21 08:09:28 UTC

Description Lars Dunemark 2019-08-29 06:22:52 UTC
Created attachment 1609257
Domain file

Description of problem:
Creating a domain with multiple disks and trying to take a disk-only snapshot with external disk overlay fails with the error "Could not create file: Permission denied"

Version-Release number of selected component (if applicable):
Tested on 4.0.0, 5.0.0 and master (648c11c04cf1d45f37f4662ffb7952611ddb458c)

How reproducible:
Create a new domain for qemu with 2 disks connected. (dumpxml of my domain as attachment)

Steps to Reproduce:
1. snapshot-create-as --domain ubuntu18.04 --disk-only --atomic --diskspec vda,file=/var/lib/libvirt/images/ubuntu18.04-overlay.qcow2,snapshot=external --diskspec vdb,file=/var/lib/libvirt/images/ubuntu18.04-1-overlay.qcow2,snapshot=external

Actual results:
error: internal error: unable to execute QEMU command 'transaction': Could not create file: Permission denied

Expected results:
Domain snapshot 1567058757 created

Additional info:
When manually adding the path to vda overlay file in /etc/apparmor.d/libvirt/libvirt-a955728a-ac8f-4fcb-8bea-3e12fca826a7 as:
  "/var/lib/libvirt/images/ubuntu18.04-overlay.qcow2" rwk,

It works to take a snapshot for both disks. So it looks like the apparmor is only updated with the last disk.

Comment 1 Christian Ehrhardt 2019-10-15 14:34:39 UTC
FYI - I was debugging this in the context of Ubuntu bug https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1845506
I think I found the root cause (see recent updates there)

The summary for now is:
- one of the labeling calls does not use append=true
- thereby the apparmor rules get re-rendered from XML throwing away former appended paths
- the snapshot case here represents two calls and the second throws away the content of the former one

If all goes well from here, I will submit patches sometime this week.
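
The symptom described in the report and in Comment 1 (only the last disk's overlay path survives in the per-domain AppArmor rules) can be checked before taking the snapshot. The script below is an added example, not part of this bug thread or of libvirt; it assumes the rules file uses the `"path" perms,` line format quoted in the description, and the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not libvirt code): list overlay paths that have no write
# rule in a per-domain AppArmor rules file generated by libvirt.

# missing_overlay_rules RULES_FILE PATH...
# Prints every PATH lacking a rule of the form   "PATH" <perms>,   where
# <perms> contains 'w'. Returns 1 if any path is missing, else 0.
missing_overlay_rules() {
    rules_file=$1; shift
    rc=0
    for path in "$@"; do
        # ENVIRON avoids awk -v backslash processing of the path.
        if ! WANT="$path" awk '
            /^[ \t]*"[^"]+"[ \t]+[a-zA-Z]+,/ {
                split($0, q, "\"")            # q[2] = path, q[3] = perms
                perms = q[3]; gsub(/[ \t,]/, "", perms)
                if (q[2] == ENVIRON["WANT"] && index(perms, "w")) found = 1
            }
            END { exit found ? 0 : 1 }
        ' "$rules_file"; then
            printf "%s\n" "$path"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: rules file as it looks after the second labeling call
# re-rendered it, so only the vdb overlay was appended (base image names
# are made up).
write_sample_rules() {
    cat > "$1" <<'EOF'
  # constructed sample, not copied from a real host
  "/var/lib/libvirt/images/ubuntu18.04.qcow2" rwk,
  "/var/lib/libvirt/images/ubuntu18.04-1.qcow2" rwk,
  "/var/lib/libvirt/images/ubuntu18.04-1-overlay.qcow2" rwk,
EOF
}

sample=$(mktemp)
write_sample_rules "$sample"
# Paths taken from the two --diskspec arguments in the report.
missing_overlay_rules "$sample" \
    /var/lib/libvirt/images/ubuntu18.04-overlay.qcow2 \
    /var/lib/libvirt/images/ubuntu18.04-1-overlay.qcow2 || true
rm -f "$sample"
```

On an affected host, point `missing_overlay_rules` at the domain's rules file under /etc/apparmor.d/libvirt/ right after the failed snapshot attempt; any path it prints is one QEMU was not allowed to create.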

Comment 2 Christian Ehrhardt 2019-10-24 07:38:04 UTC
FYI a fix for this has been on the mailing list for a few days with no response yet:

Worth a FYI ping here anyway, and maybe it is seen by that.

P.S. With the massive glib changes ongoing we might need slight adaptions depending on the order they land, but that seems to be search/replace and should be ok.

Comment 3 Christian Ehrhardt 2019-11-21 07:38:25 UTC
FYI - changes in upstream git now

commit d53f4d02d032ec14391b5052ec165105dfc338b5
Author: Christian Ehrhardt <christian.ehrhardt>
Date:   Wed Oct 16 09:35:27 2019 +0200

    apparmor: let AppArmorSetSecurityImageLabel append rules

(and some related cleanups before that)