On Tue, Jun 11, 2019 at 14:35:46 +0200, Peter Krempa wrote: > On Fri, May 31, 2019 at 14:03:40 +0200, Marcus Hoffmann wrote: > > Hi Peter, > > > > On 31.05.19 09:57, Peter Krempa wrote: > > > On Thu, May 30, 2019 at 22:12:14 +0200, Marcus Hoffmann wrote: > > >> Hello all, > > > > > > Hi, > > > > > >> > > >> I tried following this guide: > > >> https://wiki.libvirt.org/page/Live-disk-backup-with-active-blockcommit > > >> > > >> Unfortunately when I try to do the final virsh blockcommit step I always > > >> get the following error: > > >> > > >> error: internal error: unable to execute QEMU command 'block-commit': > > >> Could not reopen file: Permission denied > > I managed to reproduce this issue but when using selinux. I'll try to > fix it with selinux and will try to assess whether it has the possiblity > to fix apparmor too. I'll cc you on a patch when I'll be able to fix it. Well, The problem I managed to fix had the same symptoms but probably was not what you see, as you are using libvirt 5.0.0 and I broke the permissions code in libvirt 5.4.0. Unfortunately I can't tell what's wrong from the debug logs you've provided. Is there a possibility to collect anything from apparmor? In selinux world we do collect denials of the security model in a log file which might indicate what's happening. Also I've pushed a patch which adds more logging to the permission-changing code executed while doing blockjobs: commit e6635c626a252669c79a84fe0a2af11a361aa341 (HEAD -> master, origin/master, origin/HEAD) Author: Peter Krempa <pkrempa redhat com> Date: Wed Jun 12 13:49:57 2019 +0200 qemu: domain: Log some useful data in qemuDomainStorageSourceAccessModify Log the flags passed to the function in a exploded state so that it's easily visible what's happening to the image. Signed-off-by: Peter Krempa <pkrempa redhat com> Reviewed-by: Ján Tomko <jtomko redhat com> Unfortunately that commit can't be applied to libvirt 5.0 because it depends on a refactor which I pushed in 5.4 (which also caused the problem I was fixing recently). If you could test the upstream version it would be great. Thanks for reporting the problem and I'd be grateful if you could collect logs from the apparmor security thing.
Description: PGP signature