
AppArmor profile blocks vnic attach

Open gbonfiglio opened this issue 1 year ago • 0 comments

Description

virtio vnic attachments are failing on Debian 12 with the following:

Fri Aug 16 06:35:11 2024 [Z0][VM][I]: New LCM state is HOTPLUG_NIC
Fri Aug 16 06:35:11 2024 [Z0][VMM][I]: ExitCode: 0
Fri Aug 16 06:35:11 2024 [Z0][VMM][I]: Successfully execute network driver operation: pre.
Fri Aug 16 06:35:12 2024 [Z0][VMM][I]: Command execution fail (exit code: 1): cat << 'EOT' | /var/tmp/one/vmm/kvm/attach_nic '43700f75-1667-4985-9fc4-5ad2499f2196' '02:00:5e:8e:f1:eb' 'vmain' '-' 'fw' 'one-177-0' 177 za
Fri Aug 16 06:35:12 2024 [Z0][VMM][I]: Could not attach NIC to 43700f75-1667-4985-9fc4-5ad2499f2196: error: Failed to attach device from /dev/fd/63
Fri Aug 16 06:35:12 2024 [Z0][VMM][I]: error: internal error: unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS
Fri Aug 16 06:35:12 2024 [Z0][VMM][I]: ExitCode: 1
Fri Aug 16 06:35:12 2024 [Z0][VMM][I]: Failed to execute virtualization driver operation: attach_nic.
Fri Aug 16 06:35:12 2024 [Z0][VMM][E]: ATTACHNIC: Could not attach NIC to 43700f75-1667-4985-9fc4-5ad2499f2196: error: Failed to attach device from /dev/fd/63 error: internal error: unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS ExitCode: 1

To Reproduce

Just attach a vnic on 6.8.0-1 on Debian 11.

Expected behavior

The vnic attaches without issues.

Details

  • Affected Component: one
  • Hypervisor: kvm
  • Version: 6.8.0-1

Additional context

This seems to be due to OpenNebula not correctly adding "/dev/vhost-net" rw to the VM's AppArmor profile.

This is an old VM where attachments work:

root@za:/var/log# grep net /etc/apparmor.d/libvirt/libvirt-028c4cb7-0f90-4c20-b6e0-59e039a0718b.files
  "/dev/vhost-net" rw,
  "/dev/net/tun" rwk,

This is a newly created VM where they don't:

root@za:/var/log# grep net /etc/apparmor.d/libvirt/libvirt-43700f75-1667-4985-9fc4-5ad2499f2196.files
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,

Progress Status

  • [ ] Code committed
  • [ ] Testing - QA
  • [ ] Documentation (Release notes - resolved issues, compatibility, known issues)

gbonfiglio, Aug 16 '24 06:08
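A quick way to audit a libvirt-generated AppArmor profile for the missing rule the report describes, as an added example that is not part of the issue or of OpenNebula's own code. It assumes the per-domain `.files` profiles use the `"<path>" <perms>,` line format shown in the grep output above; the two sample profiles are constructed from that output.

```python
import re
from pathlib import Path

# Constructed samples mirroring the two profiles quoted in the issue (not real files).
OLD_VM_PROFILE = '''  "/dev/vhost-net" rw,
  "/dev/net/tun" rwk,
'''
NEW_VM_PROFILE = '''  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
'''

# One AppArmor file rule per line: a quoted path, a permission string, a trailing comma.
RULE_RE = re.compile(r'^\s*"(?P<path>[^"]+)"\s+(?P<perms>[a-zA-Z]+)\s*,\s*$')


def parse_rules(text):
    """Return a list of (path, perms) tuples from a libvirt .files profile body."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group("path"), m.group("perms")))
    return rules


def has_perms(rules, path, needed):
    """True if some rule for `path` grants every permission letter in `needed`."""
    return any(p == path and set(needed) <= set(perms) for p, perms in rules)


def check_vhost_net(text):
    """Report whether the profile lets QEMU open the devices a virtio NIC hotplug needs."""
    rules = parse_rules(text)
    missing = []
    if not has_perms(rules, "/dev/vhost-net", "rw"):
        missing.append("/dev/vhost-net rw")
    if not has_perms(rules, "/dev/net/tun", "rw"):
        missing.append("/dev/net/tun rw")
    return {"ok": not missing, "missing": missing, "rules": len(rules)}


def check_domain(uuid, profile_dir="/etc/apparmor.d/libvirt"):
    """Check the on-disk profile for a domain UUID, using the path layout from the issue."""
    return check_vhost_net(Path(profile_dir, f"libvirt-{uuid}.files").read_text())
```

Running `check_domain()` against the UUID from the failing log before a hotplug turns the opaque `getfd` QEMU error into a direct "rule missing" finding.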