virt-manager fails to show virtual console: internal error: unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS

Bug #1747442 reported by Jean-Baptiste Lallement
This bug affects 2 people
Affects: libvirt (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Christian Ehrhardt

Bug Description

Ubuntu Desktop Bionic up to date

Viewing the console of a running VM fails with:
internal error: unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS (similar to bug 1668681)

This apparmor denial is displayed in syslog

1645: error : qemuMonitorJSONCheckError:392 : internal error: unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS
févr. 05 15:43:29 herm kernel: audit: type=1400 audit(1517841809.633:190): apparmor="DENIED" operation="file_receive" profile="/usr/sbin/libvirtd" pid=3306 comm="qemu-system-x86" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="libvirt-a5c0d9b3-5d7e-48b0-b26a-583527d85112"

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: libvirt0 4.0.0-1ubuntu1
ProcVersionSignature: Ubuntu 4.13.0-32.35-generic 4.13.13
Uname: Linux 4.13.0-32-generic x86_64
ApportVersion: 2.20.8-0ubuntu8
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Mon Feb 5 15:36:37 2018
InstallationDate: Installed on 2013-09-03 (1615 days ago)
InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Alpha amd64 (20130902)
ProcEnviron:
 TERM=screen-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=fr_FR.UTF-8
 SHELL=/bin/bash
SourcePackage: libvirt
UpgradeStatus: Upgraded to bionic on 2018-01-26 (9 days ago)

Jean-Baptiste Lallement (jibel) wrote :
description: updated
Christian Ehrhardt  (paelzer) wrote :

Hi Jean-Baptiste,
this looks like a known issue to me.
We have the following rules (the former since artful, the latter since bionic)

# allow connect with openGraphicsFD to work
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
# Since libvirt 4.0 we also need the reverse direction (LP: #1741617)
unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
# unconfined also required if guests run without security module
unix (send, receive) type=stream addr=none peer=(label=unconfined),

Your Deny looks like:
profile="/usr/sbin/libvirtd" family="unix" stream send receive addr=none peer="libvirt-a5c0d9b3-5d7e-48b0-b26a-583527d85112"

Ok, I see the issue.
We tested and added manually to /etc/apparmor.d/usr.sbin.libvirtd but then matched the changes with the former ones.
While doing so they went by accident into the wrong file (libvirt-qemu).

Thanks for the bug, will be handled in a follow on upload.

Changed in libvirt (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → ChristianEhrhardt (paelzer)
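
One way to see which profile a denial needs its rule in, as an added example that is not part of the thread or of libvirt's own code: it parses the denial quoted above and tests it against the unix rules found in profile text. The profile excerpts are constructed to model the misplacement described in the comment, and the matcher is a simplification, not apparmor_parser.

```python
import fnmatch
import re

# The denial from the report (syslog timestamp and host prefix dropped).
DENIAL = (
    'audit: type=1400 audit(1517841809.633:190): apparmor="DENIED" '
    'operation="file_receive" profile="/usr/sbin/libvirtd" pid=3306 '
    'comm="qemu-system-x86" family="unix" sock_type="stream" protocol=0 '
    'requested_mask="send receive" denied_mask="send receive" addr=none '
    'peer_addr=none peer="libvirt-a5c0d9b3-5d7e-48b0-b26a-583527d85112"'
)

# Constructed profile excerpts (assumption): the reverse-direction rule sits
# in libvirt-qemu only, as the thread describes, and in the fixed libvirtd text.
UNIX = 'unix (send, receive) type=stream addr=none peer=(label={}),\n'
GUEST = 'libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*'
LIBVIRTD_BEFORE = UNIX.format('unconfined')
LIBVIRT_QEMU = UNIX.format('/usr/sbin/libvirtd') + UNIX.format(GUEST)
LIBVIRTD_FIXED = LIBVIRTD_BEFORE + UNIX.format(GUEST)

RULE_RE = re.compile(
    r'^\s*unix \(([^)]*)\) type=(\w+) addr=(\S+) peer=\(label=([^)]+)\),', re.M)


def parse_denial(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def profile_allows(profile_text, denial):
    """True if a unix rule in profile_text covers the denied access.

    Simplified matcher: fnmatch stands in for AppArmor globbing, which is
    adequate here because the peer label contains no '/'.
    """
    wanted = set(denial['denied_mask'].split())
    for perms, sock_type, addr, label in RULE_RE.findall(profile_text):
        granted = {p.strip() for p in perms.split(',')}
        if (wanted <= granted and sock_type == denial['sock_type']
                and addr == denial['addr']
                and fnmatch.fnmatchcase(denial['peer'], label)):
            return True
    return False


def diagnose(line, profiles):
    """Return (confining profile, {file name: covers the denial?})."""
    denial = parse_denial(line)
    return denial['profile'], {n: profile_allows(t, denial) for n, t in profiles.items()}
```

The `profile=` field names the confined process that was denied, so a matching rule in any other file does not lift the denial.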
Christian Ehrhardt  (paelzer) wrote :

The fix is committed now but we collect a few more before an update.
Let me know if this is more urgent than I assume.

Until then please add the rule I listed above to /etc/apparmor.d/usr.sbin.libvirtd and restart libvirtd, then you'll be good.

Changed in libvirt (Ubuntu):
status: Triaged → Fix Committed
description: updated
Jean-Baptiste Lallement (jibel) wrote :

Thanks Christian for your prompt reply. I confirm that adding the rules to /etc/apparmor.d/usr.sbin.libvirtd fixed the issue.

tags: added: libvirt-18.04
Christian Ehrhardt  (paelzer) wrote :

FYI: Test build available at [1] in a ppa - grouped with another fix that will be uploaded.

[1]: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3122

Christian Ehrhardt  (paelzer) wrote :

LGTM in regression checks, uploading ...

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 4.0.0-1ubuntu2

---------------
libvirt (4.0.0-1ubuntu2) bionic; urgency=medium

  * d/p/ubuntu-aa/0025-apparmor-fix-newer-virt-manager-1.4.0.patch: refreshed
    as libvirt 4.0 needs a reversed rule for openGraphicsFD (LP: #1747442)
    - refreshed 0032 and 0040 to match the new context.
  * d/p/ubuntu/virt-aa-helper-Set-the-supported-features.patch: allow parsing
    of memory slots and other extended features without breaking
    virt-aa-helper (LP: #1746431).

 -- Christian Ehrhardt <email address hidden> Fri, 02 Feb 2018 07:31:17 +0100

Changed in libvirt (Ubuntu):
status: Fix Committed → Fix Released