
Incremental snapshot backups don't work on Debian 12

Open xorel opened this issue 1 year ago • 1 comments

Description

When creating the 3rd VM backup (incremental, snapshot) on a hypervisor running Debian12, libvirt 9.0.0-4, it fails with an error:

error: internal error: unable to execute QEMU command 'block-commit': Could not open '/var/lib/one//datastores/0/43/disk.0.snap/0': Permission denied 

The problem is caused by AppArmor. After creating the 3rd backup (snapshot), the 0 and 1 are supposed to be merged back into a single one using virsh blockcommit, which fails with the error above.

The reason for the failure seems to be those lines below in the VM profile:

/etc/apparmor.d/libvirt# cat libvirt-4b295e9b-169e-4a8c-aa1a-3e5a22891d0c.files 
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/one-43.log" w,
  "/var/lib/libvirt/qemu/domain-one-43/monitor.sock" rw,
  "/var/lib/libvirt/qemu/domain-11-one-43/*" rw,
  "/run/libvirt/**/one-43.pid" rwk,
  "/run/libvirt/**/*.tunnelmigrate.dest.one-43" rw,
  "/var/lib/one/datastores/0/43/disk.0.snap/2" rwk,
  "/var/lib/one/datastores/0/43/disk.0.snap/0" rk,                     <<<<<<<<< 
  # don't audit writes to readonly files
  deny "/var/lib/one/datastores/0/43/disk.0.snap/0" w,                 <<<<<<<<<
  "/var/lib/one/datastores/0/43/disk.1" rk,
  # don't audit writes to readonly files
  deny "/var/lib/one/datastores/0/43/disk.1" w,
  "/var/lib/libvirt/qemu/channel/target/domain-11-one-43/org.qemu.guest_agent.0" rw,
  "/dev/vhost-net" rw,
  "/var/lib/one/datastores/0/43/disk.0.snap/3" rwk,
  "/var/lib/one/datastores/0/43/disk.0.snap/0" rwk,
  "/var/lib/one/datastores/0/43/disk.0.snap/0" rwk,

It's not clear why the disk /0 only has read access, but this effectively breaks the blockcommit.

The rw is explicitly defined:

/etc/apparmor.d/abstractions/libvirt-qemu
... 
  /srv/** rwk,
  /var/lib/one/datastores/** rwk,

Details

  • Affected Component: qcow2 snapshot incremental backups
  • Hypervisor: kvm/qemu
  • Version: Debian12, libvirt 9.0.0-4

Progress Status

  • [ ] Code committed
  • [ ] Testing - QA
  • [ ] Documentation (Release notes - resolved issues, compatibility, known issues)

xorel avatar Apr 16 '24 12:04 xorel

Libvirt bug https://gitlab.com/libvirt/libvirt/-/issues/622

xorel avatar Apr 22 '24 12:04 xorel
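
Added example (not part of the original issue, nor libvirt or OpenNebula code): in AppArmor a deny rule takes precedence over any allow rule for the same path, so the later rwk lines for disk.0.snap/0 do not restore write access. This Python script reads rule lines excerpted from the profile quoted in the issue and reports paths where a deny cancels a granted permission; it assumes exact path strings and does not expand globs.

```python
import re
from collections import defaultdict

# Rule lines excerpted from the profile quoted in the issue (highlight markers removed).
PROFILE = """\
  "/var/lib/one/datastores/0/43/disk.0.snap/2" rwk,
  "/var/lib/one/datastores/0/43/disk.0.snap/0" rk,
  # don't audit writes to readonly files
  deny "/var/lib/one/datastores/0/43/disk.0.snap/0" w,
  "/var/lib/one/datastores/0/43/disk.1" rk,
  # don't audit writes to readonly files
  deny "/var/lib/one/datastores/0/43/disk.1" w,
  "/var/lib/one/datastores/0/43/disk.0.snap/3" rwk,
  "/var/lib/one/datastores/0/43/disk.0.snap/0" rwk,
"""

# Optional "deny", a quoted path, permission letters, trailing comma.
RULE = re.compile(r'^\s*(deny\s+)?"([^"]+)"\s+([a-z]+),')


def effective_perms(profile_text):
    """Map each path to (allowed, denied, effective) permission sets.

    Assumption: exact path strings only; globs such as /** are not expanded.
    """
    allowed, denied = defaultdict(set), defaultdict(set)
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # comment or blank line
        (denied if m.group(1) else allowed)[m.group(2)] |= set(m.group(3))
    paths = set(allowed) | set(denied)
    # deny wins over allow, regardless of rule order or repetition
    return {p: (allowed[p], denied[p], allowed[p] - denied[p]) for p in paths}


def conflicts(profile_text):
    """Paths where a deny rule removes a permission another rule grants."""
    perms = effective_perms(profile_text)
    return sorted(p for p, (a, d, _) in perms.items() if a & d)


if __name__ == "__main__":
    perms = effective_perms(PROFILE)
    for path in conflicts(PROFILE):
        a, d, e = perms[path]
        print(f"{path}: allowed={''.join(sorted(a))} denied={''.join(sorted(d))} "
              f"effective={''.join(sorted(e))}")
```

On a hypervisor, the same functions can be pointed at the text of a `libvirt-<uuid>.files` profile before a blockcommit to see which backing images QEMU will be unable to open for writing.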