我正在尝试使用以下脚本来获取我的 KVM 客户机的外部快照:
DOMAIN=test-snapshots.programster.org
SNAPSHOT_NAME=snap3
STATE_FILE="/media/kvm/test-snapshots/mem-snap.qcow2"
DISK_FILE="/media/kvm/test-snapshots/disk-snap.qcow2"
sudo virsh snapshot-create-as \
--domain $DOMAIN $SNAPSHOT_NAME \
--diskspec vda,file=$DISK_FILE,snapshot=external \
--memspec file=$STATE_FILE,snapshot=external \
--atomic
不幸的是,无论何时执行,它都会产生以下错误输出
错误:内部错误:无法执行 QEMU 命令‘transaction’:无法打开‘/media/kvm/KVM-Command-Generator/vms/test-snapshots.programster.org.img’:无法打开‘/media/kvm/KVM-Command-Generator/vms/test-snapshots.programster.org.img’:权限被拒绝:权限被拒绝
我读过可以使用 aa-complain 解决此问题。我按照步骤获取了 VM 的 ID,即5e1df6be-2cdd-8d7a-a45b-01097c7f44c6。
但是,当我运行时:
sudo aa-complain libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6
我收到以下错误:
Can't find libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6 in the system path list. If the name of the application
is correct, please run 'which libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6' as a user with correct PATH
environment set up in order to find the fully-qualified path and
use the full path as parameter.
在尝试执行快照时,我通过检查具有以下条目的系统日志,确保这仍然是一个 apparmor 问题。
Mar 2 02:58:22 kvm kernel: [542687.670005] audit: type=1400 audit(1456887502.702:140): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6" pid=6824 comm="apparmor_parser"
Mar 2 02:58:22 kvm kernel: [542687.675951] audit: type=1400 audit(1456887502.706:141): apparmor="DENIED" operation="open" profile="libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6" name="/media/kvm/KVM-Command-Generator/vms/test-snapshots.programster.org.img" pid=8107 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
Mar 2 02:58:22 kvm kernel: [542687.675989] audit: type=1400 audit(1456887502.710:142): apparmor="DENIED" operation="open" profile="libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6" name="/media/kvm/KVM-Command-Generator/vms/test-snapshots.programster.org.img" pid=8107 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
Mar 2 02:58:22 kvm kernel: [542687.676034] audit: type=1400 audit(1456887502.710:143): apparmor="DENIED" operation="open" profile="libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6" name="/media/kvm/KVM-Command-Generator/vms/test-snapshots.programster.org.img" pid=8107 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
Mar 2 02:58:23 kvm kernel: [542687.969561] audit: type=1400 audit(1456887503.002:144): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6" pid=6841 comm="apparmor_parser"
为了允许 KVM 客户机的外部快照,我需要做什么?这可能类似于调整/禁用 apparmor,或者也许有更好的解决方案?
更多详细信息
操作系统:Ubuntu 14.04
输出uname -a
Linux kvm.programster.org 4.2.0-30-generic #35~14.04.1-Ubuntu SMP Fri Feb 19 14:48:13 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
的输出aa-status为:
apparmor module is loaded.
35 profiles are loaded.
34 profiles are in enforce mode.
/sbin/dhclient
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince-thumbnailer//sanitized_helper
/usr/bin/evince//sanitized_helper
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/libvirt/virt-aa-helper
/usr/lib/lightdm/lightdm-guest-session
/usr/lib/lightdm/lightdm-guest-session//chromium
/usr/lib/telepathy/mission-control-5
/usr/lib/telepathy/telepathy-*
/usr/lib/telepathy/telepathy-*//pxgsettings
/usr/lib/telepathy/telepathy-*//sanitized_helper
/usr/lib/telepathy/telepathy-ofono
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/tcpdump
libvirt-0146f0b4-3117-bfae-8142-7fd2680f0e02
libvirt-1418991d-64ec-9a1f-f9b0-f4c95285c0fa
libvirt-1ce386c6-c44a-054c-199a-0c44726fe973
libvirt-271e5909-afe4-57e2-6013-587071919685
libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6
libvirt-701ad939-e103-d41d-e7f1-71f368218604
libvirt-8a05e9ca-1918-7ec7-37b7-48b7c7e03a6d
libvirt-a0a8fa52-f59e-2d7f-06d3-7e5080369f1b
libvirt-be861e30-baf5-9c34-75d6-0142e10cf000
libvirt-bef3d687-5f3b-217f-29d7-795aaed8a865
libvirt-c2c962ef-4864-fd32-37d0-3ec0fa773a30
libvirt-e299551e-d503-7a47-5696-8f28f5c0754d
libvirt-f8ed2b66-c957-d104-262b-ac3aa63b237f
1 profiles are in complain mode.
/usr/sbin/libvirtd
17 processes have profiles defined.
16 processes are in enforce mode.
/usr/lib/telepathy/mission-control-5 (3368)
/usr/sbin/cups-browsed (1179)
/usr/sbin/cupsd (18585)
/usr/sbin/cupsd (18588)
libvirt-0146f0b4-3117-bfae-8142-7fd2680f0e02 (2741)
libvirt-1418991d-64ec-9a1f-f9b0-f4c95285c0fa (2803)
libvirt-1ce386c6-c44a-054c-199a-0c44726fe973 (2867)
libvirt-271e5909-afe4-57e2-6013-587071919685 (2470)
libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6 (8107)
libvirt-701ad939-e103-d41d-e7f1-71f368218604 (2564)
libvirt-8a05e9ca-1918-7ec7-37b7-48b7c7e03a6d (2666)
libvirt-a0a8fa52-f59e-2d7f-06d3-7e5080369f1b (2705)
libvirt-be861e30-baf5-9c34-75d6-0142e10cf000 (2607)
libvirt-bef3d687-5f3b-217f-29d7-795aaed8a865 (2834)
libvirt-c2c962ef-4864-fd32-37d0-3ec0fa773a30 (2095)
libvirt-f8ed2b66-c957-d104-262b-ac3aa63b237f (2772)
1 processes are in complain mode.
/usr/sbin/libvirtd (1562)
0 processes are unconfined but have a profile defined.
答案1
libvirt 客户端的 apparmor 配置文件是动态创建的。如果要将额外文件添加到允许列表中,请将所需文件添加到以下文件的末尾:
/etc/apparmor.d/abstractions/libvirt-qemu
/var/lib/libvirt/images/*.ign r,
答案2
回顾所有信息后,你似乎走在正确的道路上。问题是投诉命令需要完整路径。
解决方案是运行以下命令,指定虚拟机的完整路径:
sudo aa-complain /etc/apparmor.d/libvirt/libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6
答案3
看来,对于你的情况,AppArmor 对 libvirtd 的限制太多了。如果你有一个配置文件/etc/apparmor.d/usr.sbin.libvirtd,你可以禁用按照以下方式:
sudo ln -s /etc/apparmor.d/usr.sbin.libvirtd /etc/apparmor.d/disable/usr.sbin.libvirtd
您需要重新启动才能使该设置生效。
答案4
在将一个正常运行的 kvm 主机从 stretch 升级到 buster 后,我遇到了这种情况。映像文件本身是可读的,投诉是关于 qcow2-backing 文件的。我将“文件”添加到 /etc/apparmor.d/libvirt/TEMPLATE.qemu(就像在 lxc 模板中一样)。之后一切似乎都运行正常。