[libvirt-users] Using qemu active blockcommit results in 'Permission denied' error

Peter Krempa pkrempa at redhat.com
Thu Jun 13 08:08:46 UTC 2019

On Tue, Jun 11, 2019 at 14:35:46 +0200, Peter Krempa wrote:
> On Fri, May 31, 2019 at 14:03:40 +0200, Marcus Hoffmann wrote:
> > Hi Peter,
> > 
> > On 31.05.19 09:57, Peter Krempa wrote:
> > > On Thu, May 30, 2019 at 22:12:14 +0200, Marcus Hoffmann wrote:
> > >> Hello all,
> > > 
> > > Hi,
> > > 
> > >>
> > >> I tried following this guide:
> > >> https://wiki.libvirt.org/page/Live-disk-backup-with-active-blockcommit
> > >>
> > >> Unfortunately when I try to do the final virsh blockcommit step I always
> > >> get the following error:
> > >>
> > >> error: internal error: unable to execute QEMU command 'block-commit':
> > >> Could not reopen file: Permission denied
> I managed to reproduce this issue but when using selinux. I'll try to
> fix it with selinux and will try to assess whether it has the possiblity
> to fix apparmor too. I'll cc you on a patch when I'll be able to fix it.


The problem I managed to fix had the same symptoms but probably was not
what you see, as you are using libvirt 5.0.0 and I broke the permissions
code in libvirt 5.4.0.

Unfortunately I can't tell what's wrong from the debug logs you've
provided. Is there a possibility to collect anything from apparmor? In
selinux world we do collect denials of the security model in a log file
which might indicate what's happening.

Also I've pushed a patch which adds more logging to the
permission-changing code executed while doing blockjobs:

commit e6635c626a252669c79a84fe0a2af11a361aa341 (HEAD -> master, origin/master, origin/HEAD)
Author: Peter Krempa <pkrempa at redhat.com>
Date:   Wed Jun 12 13:49:57 2019 +0200

    qemu: domain: Log some useful data in qemuDomainStorageSourceAccessModify
    Log the flags passed to the function in a exploded state so that it's
    easily visible what's happening to the image.
    Signed-off-by: Peter Krempa <pkrempa at redhat.com>
    Reviewed-by: Ján Tomko <jtomko at redhat.com>

Unfortunately that commit can't be applied to libvirt 5.0 because it
depends on a refactor which I pushed in 5.4 (which also caused the
problem I was fixing recently). If you could test the upstream version
it would be great.

Thanks for reporting the problem and I'd be grateful if you could
collect logs from the apparmor security thing.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvirt-users/attachments/20190613/d772a802/attachment.sig>

More information about the libvirt-users mailing list