[Kimchi-devel] [PATCH] Github issue #306: Creating a guest OS whose name contain spaces causes it to fail.

Otavio Rodolfo Piske angusyoung at gmail.com
Mon Jan 27 11:57:44 UTC 2014


While I couldn't test on newer Ubuntu versions due to the lack of a spare box, I
think I found a solution / work-around to this: disabling virt-aa-helper.
Before I start, here's some background information about it, taken from the
AppArmor documentation:

"When a VM is started, libvirtd decides whether to ask virt-aa-helper to
create a new profile or modify an existing one. If no profile exists,
libvirtd asks virt-aa-helper to generate the new base profile, in this case
/etc/apparmor.d/libvirt/libvirt-a22e3930-d87a-584e-22b2-1d8950212bac, which
it does based on /etc/apparmor.d/libvirt/TEMPLATE. Notice, the new profile
has a profile name that is based on the guest’s UUID. Once the base profile
is created, virt-aa-helper works the same for create and modify:
virt-aa-helper will determine what files are required for the guest to run
(eg kernel, initrd, disk, serial, etc), updates
/etc/apparmor.d/libvirt/libvirt-a22e3930-d87a-584e-22b2-1d8950212bac.files,
then loads the profile into the kernel."


Disabling it is pretty simple: you just have to set the security driver in
/etc/libvirtd/qemu.conf to "none". Like this:
security_driver = "none"


After that, restart libvirt:
/etc/init.d/libvirt-bin restart

Now it starts without calling virt-aa-helper:

virsh # start 'ubuntu_12_04 with spaces'
Domain ubuntu_12_04 with spaces started

You may want to add that information to the documentation about this ...
With a note that this may decrease the system's security.


On Thu, Jan 23, 2014 at 11:00 PM, Otavio Rodolfo Piske <angusyoung at gmail.com> wrote:

>
> On Thu, Jan 23, 2014 at 10:40 PM, Aline Manera <alinefm at linux.vnet.ibm.com> wrote:
>
>>  On 01/23/2014 08:57 PM, Otavio Rodolfo Piske wrote:
>>
>>  I see your point. I did a quick research and it seems to be a
>> limitation on virt-aa-helper:
>>
>> root at orpiske:/etc/libvirt/qemu# cat ubuntu_12_04\ with\ spaces.xml |
>> /usr/lib/libvirt/virt-aa-helper -d -p 0 -r -u
>> libvirt-61d77fad-bb1f-49fa-93e1-2b70a5cb8f4c ; echo $?
>> virt-aa-helper: error: bad name
>> virt-aa-helper: error: could not get VM definition
>> 1
>>
>> Whereas, this works:
>>
>> root at orpiske:/etc/libvirt/qemu# cat ubuntu_12_04.xml |
>> /usr/lib/libvirt/virt-aa-helper -d -p 0 -r -u
>> libvirt-d020c07a-b8d5-40f3-b02b-3df5ed6d06b3 ; echo $?
>> virt-aa-helper:
>> /etc/apparmor.d/libvirt/libvirt-d020c07a-b8d5-40f3-b02b-3df5ed6d06b3.files
>> virt-aa-helper:
>>   "/var/log/libvirt/**/ubuntu_12_04.log" w,
>>   "/var/lib/libvirt/**/ubuntu_12_04.monitor" rw,
>>   "/var/run/libvirt/**/ubuntu_12_04.pid" rwk,
>>   "/run/libvirt/**/ubuntu_12_04.pid" rwk,
>>   "/var/run/libvirt/**/*.tunnelmigrate.dest.ubuntu_12_04" rw,
>>   "/run/libvirt/**/*.tunnelmigrate.dest.ubuntu_12_04" rw,
>>   "/var/lib/libvirt/images/d020c07a-b8d5-40f3-b02b-3df5ed6d06b3-0.img" rw,
>>   "/home/orpiske/vms/isos/ubuntu-12.04.3-desktop-i386.iso" r,
>>   # don't audit writes to readonly files
>>   deny "/home/orpiske/vms/isos/ubuntu-12.04.3-desktop-i386.iso" w,
>>
>> 0
>>
>>  I decided to dig further and I took a look at virt-aa-helper source
>> code and it does, indeed, check if the name does not contain spaces (as
>> well as one of /, [, ] and *). Because of that, it seems that it's unable
>> to load/recreate (?) the profile.
>>
>>
>> Do you mean libvirt blocks domain name with those characters?
>>
>
> More specifically: I mean that virt-aa-helper does.
>
>
>
>>
>> As Cristian mentioned, it seems to be an Ubuntu-only problem.
>>
>
> I couldn't check on other distros, as I only have Ubuntu at hand, but I
> believe this might be the case.
>
>
>>
>> Which Ubuntu version are you using?
>> What is the libvirt version?
>>
>
> I am running Ubuntu 12.10 with libvirt 0.9.13:
>
> # orpiske at orpiske in ~/code/foss/libvirt [20:44:08]
>
> $ libvirtd --version
> libvirtd (libvirt) 0.9.13
>
> I am using Ubuntu's libvirtd. This might explain why it works on your
> system and not on mine. For instance, this is what happens when I try to do
> the same here:
>
> virsh # start 'ubuntu_12_04 with spaces'
> error: Failed to start domain ubuntu_12_04 with spaces
> error: internal error cannot load AppArmor profile
> 'libvirt-d020c07a-b8d5-40f3-b02b-3df5ed6d06b3'
>
> So, my understanding is that this is specific to Ubuntu with the system's
> default libvirt. I'll try to set up another system using a newer Ubuntu
> version, using the system's default libvirt and check what happens.
>
>
>
>>
>> I find this problem on Ubuntu 12.10 and libvirt 0.9.13
>>
>> alinefm at alinefm:~/libvirt$ libvirtd --version
>> libvirtd (libvirt) 0.9.13
>>
>> But I've just checked the latest libvirt (from source code) on the same
>> Ubuntu node and I was able to create and start a domain (whose name
>> contains spaces).
>> The current upstream version is 1.2.1
>>
>> alinefm at alinefm:~/libvirt$ sudo ./daemon/libvirtd -d
>> alinefm at alinefm:~/libvirt$ sudo tools/virsh -c qemu:///system
>> Welcome to lt-virsh, the virtualization interactive terminal.
>>
>> Type:  'help' for help with commands
>>        'quit' to quit
>>
>> virsh # list --all
>>  Id    Name                           State
>> ----------------------------------------------------
>>  -     fedora18-iso-stream            shut off
>>  -     Fedora19                       shut off
>>  -     openSUSE-13-1                  shut off
>>  -     RHEL6.5                        shut off
>>  -     Ubuntu13-10                    shut off
>>  -     with spaces                    shut off
>>
>> virsh # start 'with spaces'
>> Domain with spaces started
>>
>> virsh # destroy 'with spaces'
>> Domain with spaces destroyed
>>
>>
>>
>>
>>
>>  Does it make sense to you? And, if yes, what would you suggest as an
>> appropriate work-around in this case?
>>
>>
>> On Thu, Jan 23, 2014 at 5:48 PM, Aline Manera <alinefm at linux.vnet.ibm.com> wrote:
>>
>>> On 01/22/2014 07:19 PM, Crístian Viana wrote:
>>>
>>>> As I added to the GitHub issue page (
>>>> https://github.com/kimchi-project/kimchi/issues/306#issuecomment-33068988),
>>>> I don't think having a space in a VM's name is a problem. I am able to
>>>> create a VM named "hello world" using Kimchi and virsh.
>>>>
>>>> We should not add a limitation like this one to Kimchi (i.e.
>>>> restricting the VM name) if there's not a real reason to.
>>>>
>>>
>>>  Agree.
>>>
>>> Seems this problem is on a deeper layer.
>>> In a quick search on the internet I found a lot of forums related to
>>> "libvirtError: internal error cannot load AppArmor profile"
>>> We need to investigate more to find the root cause.
>>>
>>>
>>>> On 22-01-2014 19:01, Otavio R. Piske wrote:
>>>>
>>>>> From: "Otavio R. Piske" <angusyoung at gmail.com>
>>>>>
>>>>> Kimchi fails to start the guest OS if the user names it with spaces.
>>>>> As pointed out in issue #306, other VM management interfaces prevent the
>>>>> user from creating a guest OS if the name contains invalid characters.
>>>>>
>>>>> This patch adds a validation logic that prevents the user from naming
>>>>> a Guest OS with anything other than alphanumeric chars, '-', '.' or '_'.
>>>>>
>>>>> Signed-off-by: Otavio R. Piske <angusyoung at gmail.com>
>>>>>
>>>>
>>>>  _______________________________________________
>>>> Kimchi-devel mailing list
>>>> Kimchi-devel at ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/kimchi-devel
>>>>
>>>>
>>>
>>
>>
>> --
>> Otavio R. Piske
>> http://orpiske.net
>>
>>
>>
>
>
> --
> Otavio R. Piske
> http://orpiske.net
>



-- 
Otavio R. Piske
http://orpiske.net
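
Added example, not part of the original thread and not Kimchi or libvirt code: a host audit that lists domain names containing the characters the thread says virt-aa-helper rejects (space, /, [, ], *), compares them with the allowlist from the patch description, and reports whether qemu.conf has security_driver set to "none". The function names and sample inputs are constructed for illustration, and only the quoted-string form of security_driver shown above is parsed.

```python
import re
import xml.etree.ElementTree as ET

# Characters the thread reports virt-aa-helper rejecting in a domain name.
AA_HELPER_REJECTED = set(" /[]*")
# Allowlist from the patch description: alphanumerics, '-', '.' and '_'.
PATCH_ALLOWED = re.compile(r"[A-Za-z0-9._-]+")

def domain_name(xml_text):
    """Return the <name> of a libvirt domain definition (trusted, root-owned file)."""
    name = ET.fromstring(xml_text).findtext("name")
    if not name:
        raise ValueError("domain XML has no <name> element")
    return name

def name_findings(name):
    """List the reasons a domain name would trip either check."""
    findings = []
    bad = "".join(sorted(set(name) & AA_HELPER_REJECTED))
    if bad:
        findings.append("rejected by virt-aa-helper: %r" % bad)
    if not PATCH_ALLOWED.fullmatch(name):
        findings.append("outside patch allowlist")
    return findings

def security_driver_values(conf_text):
    """Return every uncommented security_driver string assignment in qemu.conf text."""
    values = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.fullmatch(r'security_driver\s*=\s*"([^"]*)"', line)
        if match:
            values.append(match.group(1))
    return values

def audit(domain_xmls, conf_text):
    """Report whether confinement is off and which names carry findings."""
    names = {domain_name(x): name_findings(domain_name(x)) for x in domain_xmls}
    return {
        "confinement_disabled": "none" in security_driver_values(conf_text),
        "names": {n: f for n, f in names.items() if f},
    }

# Constructed sample input, not taken from a real host.
SAMPLE_DOMAINS = [
    "<domain type='kvm'><name>ubuntu_12_04 with spaces</name></domain>",
    "<domain type='kvm'><name>ubuntu_12_04</name></domain>",
]
SAMPLE_CONF = '# security_driver = "selinux"\nsecurity_driver = "none"\n'

if __name__ == "__main__":
    print(audit(SAMPLE_DOMAINS, SAMPLE_CONF))
```

Renaming the flagged domains lets the AppArmor security driver stay enabled instead of being switched off for the whole host.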