禁用 KVM 的 AppArmor

禁用 KVM 的 AppArmor

我正在尝试使用以下脚本来获取我的 KVM 客户机的外部快照:

DOMAIN=test-snapshots.programster.org
SNAPSHOT_NAME=snap3
STATE_FILE="/media/kvm/test-snapshots/mem-snap.qcow2"
DISK_FILE="/media/kvm/test-snapshots/disk-snap.qcow2"


sudo virsh snapshot-create-as \
--domain $DOMAIN $SNAPSHOT_NAME \
--diskspec vda,file=$DISK_FILE,snapshot=external \
--memspec file=$STATE_FILE,snapshot=external \
--atomic

不幸的是,无论何时执行,它都会产生以下错误输出

错误:内部错误:无法执行 QEMU 命令‘transaction’:无法打开‘/media/kvm/KVM-Command-Generator/vms/test-snapshots.programster.org.img’:无法打开‘/media/kvm/KVM-Command-Generator/vms/test-snapshots.programster.org.img’:权限被拒绝:权限被拒绝

我读过可以使用 aa-complain 解决此问题。我按照步骤获取了 VM 的 ID,即5e1df6be-2cdd-8d7a-a45b-01097c7f44c6

但是,当我运行时:

sudo aa-complain libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6

我收到以下错误:

Can't find libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6 in the system path list. If the name of the application
is correct, please run 'which libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6' as a user with correct PATH
environment set up in order to find the fully-qualified path and
use the full path as parameter.

在尝试执行快照时,我通过检查具有以下条目的系统日志,确保这仍然是一个 apparmor 问题。

Mar  2 02:58:22 kvm kernel: [542687.670005] audit: type=1400 audit(1456887502.702:140): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6" pid=6824 comm="apparmor_parser"
Mar  2 02:58:22 kvm kernel: [542687.675951] audit: type=1400 audit(1456887502.706:141): apparmor="DENIED" operation="open" profile="libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6" name="/media/kvm/KVM-Command-Generator/vms/test-snapshots.programster.org.img" pid=8107 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
Mar  2 02:58:22 kvm kernel: [542687.675989] audit: type=1400 audit(1456887502.710:142): apparmor="DENIED" operation="open" profile="libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6" name="/media/kvm/KVM-Command-Generator/vms/test-snapshots.programster.org.img" pid=8107 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
Mar  2 02:58:22 kvm kernel: [542687.676034] audit: type=1400 audit(1456887502.710:143): apparmor="DENIED" operation="open" profile="libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6" name="/media/kvm/KVM-Command-Generator/vms/test-snapshots.programster.org.img" pid=8107 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
Mar  2 02:58:23 kvm kernel: [542687.969561] audit: type=1400 audit(1456887503.002:144): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6" pid=6841 comm="apparmor_parser"

为了允许 KVM 客户机的外部快照,我需要做什么?这可能类似于调整/禁用 apparmor,或者也许有更好的解决方案?

更多详细信息

操作系统:Ubuntu 14.04

输出uname -a

Linux kvm.programster.org 4.2.0-30-generic #35~14.04.1-Ubuntu SMP Fri Feb 19 14:48:13 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

的输出aa-status为:

apparmor module is loaded.
35 profiles are loaded.
34 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/libvirt/virt-aa-helper
   /usr/lib/lightdm/lightdm-guest-session
   /usr/lib/lightdm/lightdm-guest-session//chromium
   /usr/lib/telepathy/mission-control-5
   /usr/lib/telepathy/telepathy-*
   /usr/lib/telepathy/telepathy-*//pxgsettings
   /usr/lib/telepathy/telepathy-*//sanitized_helper
   /usr/lib/telepathy/telepathy-ofono
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/tcpdump
   libvirt-0146f0b4-3117-bfae-8142-7fd2680f0e02
   libvirt-1418991d-64ec-9a1f-f9b0-f4c95285c0fa
   libvirt-1ce386c6-c44a-054c-199a-0c44726fe973
   libvirt-271e5909-afe4-57e2-6013-587071919685
   libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6
   libvirt-701ad939-e103-d41d-e7f1-71f368218604
   libvirt-8a05e9ca-1918-7ec7-37b7-48b7c7e03a6d
   libvirt-a0a8fa52-f59e-2d7f-06d3-7e5080369f1b
   libvirt-be861e30-baf5-9c34-75d6-0142e10cf000
   libvirt-bef3d687-5f3b-217f-29d7-795aaed8a865
   libvirt-c2c962ef-4864-fd32-37d0-3ec0fa773a30
   libvirt-e299551e-d503-7a47-5696-8f28f5c0754d
   libvirt-f8ed2b66-c957-d104-262b-ac3aa63b237f
1 profiles are in complain mode.
   /usr/sbin/libvirtd
17 processes have profiles defined.
16 processes are in enforce mode.
   /usr/lib/telepathy/mission-control-5 (3368) 
   /usr/sbin/cups-browsed (1179) 
   /usr/sbin/cupsd (18585) 
   /usr/sbin/cupsd (18588) 
   libvirt-0146f0b4-3117-bfae-8142-7fd2680f0e02 (2741) 
   libvirt-1418991d-64ec-9a1f-f9b0-f4c95285c0fa (2803) 
   libvirt-1ce386c6-c44a-054c-199a-0c44726fe973 (2867) 
   libvirt-271e5909-afe4-57e2-6013-587071919685 (2470) 
   libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6 (8107) 
   libvirt-701ad939-e103-d41d-e7f1-71f368218604 (2564) 
   libvirt-8a05e9ca-1918-7ec7-37b7-48b7c7e03a6d (2666) 
   libvirt-a0a8fa52-f59e-2d7f-06d3-7e5080369f1b (2705) 
   libvirt-be861e30-baf5-9c34-75d6-0142e10cf000 (2607) 
   libvirt-bef3d687-5f3b-217f-29d7-795aaed8a865 (2834) 
   libvirt-c2c962ef-4864-fd32-37d0-3ec0fa773a30 (2095) 
   libvirt-f8ed2b66-c957-d104-262b-ac3aa63b237f (2772) 
1 processes are in complain mode.
   /usr/sbin/libvirtd (1562) 
0 processes are unconfined but have a profile defined.

答案1

libvirt 客户端的 apparmor 配置文件是动态创建的。如果要将额外文件添加到允许列表中,请将所需文件添加到以下文件的末尾:

/etc/apparmor.d/abstractions/libvirt-qemu

  /var/lib/libvirt/images/*.ign r,

答案2

回顾所有信息后,你似乎走在正确的道路上。问题是投诉命令需要完整路径。

解决方案是运行以​​下命令,指定虚拟机的完整路径:

sudo aa-complain /etc/apparmor.d/libvirt/libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6

答案3

看来,对于你的情况,AppArmor 对 libvirtd 的限制太多了。如果你有一个配置文件/etc/apparmor.d/usr.sbin.libvirtd,你可以禁用按照以下方式:

sudo ln -s /etc/apparmor.d/usr.sbin.libvirtd /etc/apparmor.d/disable/usr.sbin.libvirtd

您需要重新启动才能使该设置生效。

答案4

在将一个正常运行的 kvm 主机从 stretch 升级到 buster 后,我遇到了这种情况。映像文件本身是可读的,投诉是关于 qcow2-backing 文件的。我将“文件”添加到 /etc/apparmor.d/libvirt/TEMPLATE.qemu(就像在 lxc 模板中一样)。之后一切似乎都运行正常。

相关内容