On 19.05.2015 11:54, intrigeri wrote:
> Hi Stefan,
>
> any news on what follows? Now that Ubuntu 15.04 has been released,
> perhaps you'll be able to allocate some cycles to it? :)
Hm was there not something which I was waiting for feedback from you? Though I
forgot what exactly that was. And after release is before release, the treadmill
never stops... ;-P
Since I lost most context by now, I will try to find my most recent proposal
again and try to get it moved into present state of packages.
-Stefan
>
> intrigeri wrote (11 Feb 2015 14:58:54 GMT) :
>> Hi Stefan and others,
>
>> Stefan Bader wrote (21 Oct 2014 11:50:24 GMT) :
>>> On 20.10.2014 12:48, Stefan Bader wrote:
>>>> On 19.10.2014 17:07, intrigeri wrote:
>>>>> Cool, I've tested this. I've imported these two patches in Debian's
>>>>> 1.2.9-3 quilt series, made the build system use dh-autoreconf (the
>>>>> build system in the tarball wants aclocal 1.13, while Debian sid has
>>>>> 1.14), and added a build-dep on libapparmor-dev to get the needed
>>>>> pkg-config file.
>
>> I've given a try to your last set of patches. Sorry for the delay.
>> Here's what I did:
>
>> 1. Checkout the Vcs-Git libvirt packaging repo for Debian unstable,
>> currently at 1.2.9-9
>> 2. Make the build system use dh-autoreconf as previously
>> 3. Added the build-dep on libapparmor-dev as previously
>> 4. Hacked debian/rules to make examples/apparmor/profile-preprocess
>> (created by your patches) executable before it's executed.
>> This won't be needed anymore once the patches are upstreamed.
>> 5. Build in a clean Debian unstable chroot, which now works.
>> Progress :)
>> 6. Install the resulting binary packages on a sid system with
>> a working libvirt setup.
>> 7. In /etc/libvirt/qemu.conf, set security_driver = "apparmor"
>> 8. Restart libvirtd.
>> 9. Start a VM with virsh or virt-manager
>
>> => here's what I see:
>
>> error: Failed to start domain tails-dev
>> error: internal error: cannot load AppArmor profile 'libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef'
>
>> And the Journal says:
>
>> libvirtd[20351]: internal error: Child process (/usr/lib/libvirt/virt-aa-helper -p 0 -c -u libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef) unexpected exit status 1: virt-aa-helper: error: template does not exist
>> virt-aa-helper: error: could not create profile
>> libvirtd[20351]: internal error: cannot load AppArmor profile 'libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef'
>
>> So I naively tried to do it by hand:
>
>> $ virsh dumpxml tails-dev | sudo /usr/lib/libvirt/virt-aa-helper -p 0 -c -u libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef
>> virt-aa-helper: error: template does not exist
>> virt-aa-helper: error: could not create profile
>
>> I do have a template in place:
>
>> $ cat /etc/apparmor.d/libvirt/TEMPLATE.qemu
>> #
>> # This profile is for the domain whose UUID matches this file.
>> #
>
>> #include <tunables/global>
>
>> profile LIBVIRT_TEMPLATE {
>> #include <abstractions/libvirt-qemu>
>> }
>
>> What other information can I provide, or what else should I test?
>
>> Also note that I had to add the following line to
>> usr.lib.libvirt.virt-aa-helper, in order to silence an AppArmor denial
>> log:
>
>> /etc/libnl-3/classid r,
>
>> Should this be added to the upstream profile, as is or prefixed by
>> "deny"?
>
>> Cheers,
>
Attachment:
signature.asc
Description: OpenPGP digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list