OpenNebula / one

The open source Cloud & Edge Computing Platform bringing real freedom to your Enterprise Cloud 🚀
http://opennebula.io
Apache License 2.0

Increment snapshots backups doesn't work on Debian 12 #6565

Open xorel opened 7 months ago

xorel commented 7 months ago

Description

When creating the 3rd VM backup (incremental, snapshot) on a hypervisor running Debian 12, libvirt 9.0.0-4, it fails with an error:

error: internal error: unable to execute QEMU command 'block-commit': Could not open '/var/lib/one//datastores/0/43/disk.0.snap/0': Permission denied 

The problem is caused by AppArmor. After creating the 3rd backup (snapshot), the 0 and 1 are supposed to be merged back into a single one using virsh blockcommit, which fails with the error above.

The reason for the failure seems to be those lines below in the VM profile:

/etc/apparmor.d/libvirt# cat libvirt-4b295e9b-169e-4a8c-aa1a-3e5a22891d0c.files 
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/one-43.log" w,
  "/var/lib/libvirt/qemu/domain-one-43/monitor.sock" rw,
  "/var/lib/libvirt/qemu/domain-11-one-43/*" rw,
  "/run/libvirt/**/one-43.pid" rwk,
  "/run/libvirt/**/*.tunnelmigrate.dest.one-43" rw,
  "/var/lib/one/datastores/0/43/disk.0.snap/2" rwk,
  "/var/lib/one/datastores/0/43/disk.0.snap/0" rk,                     <<<<<<<<< 
  # don't audit writes to readonly files
  deny "/var/lib/one/datastores/0/43/disk.0.snap/0" w,                 <<<<<<<<<
  "/var/lib/one/datastores/0/43/disk.1" rk,
  # don't audit writes to readonly files
  deny "/var/lib/one/datastores/0/43/disk.1" w,
  "/var/lib/libvirt/qemu/channel/target/domain-11-one-43/org.qemu.guest_agent.0" rw,
  "/dev/vhost-net" rw,
  "/var/lib/one/datastores/0/43/disk.0.snap/3" rwk,
  "/var/lib/one/datastores/0/43/disk.0.snap/0" rwk,
  "/var/lib/one/datastores/0/43/disk.0.snap/0" rwk,

It's not clear why the disk /0 only has read access, but this effectively breaks the blockcommit.

The rw is explicitly defined:

/etc/apparmor.d/abstractions/libvirt-qemu
... 
  /srv/** rwk,
  /var/lib/one/datastores/** rwk,
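
AppArmor gives deny rules precedence over allow rules, so a "deny ... w" on a path overrides every rule that grants w to it, including the abstraction's /var/lib/one/datastores/** rwk. The Python sketch below is an added example, not part of the issue or of libvirt/OpenNebula code; it scans rule text for such conflicts. It assumes deny rules name literal paths and handles only the * and ** globs, and its sample is constructed from the lines quoted above.

```python
import re

# Constructed sample: rules taken from the profile and abstraction quoted in the issue.
SAMPLE = """\
  "/var/lib/one/datastores/0/43/disk.0.snap/2" rwk,
  "/var/lib/one/datastores/0/43/disk.0.snap/0" rk,
  # don't audit writes to readonly files
  deny "/var/lib/one/datastores/0/43/disk.0.snap/0" w,
  "/var/lib/one/datastores/0/43/disk.1" rk,
  deny "/var/lib/one/datastores/0/43/disk.1" w,
  "/var/lib/one/datastores/0/43/disk.0.snap/3" rwk,
  "/var/lib/one/datastores/0/43/disk.0.snap/0" rwk,
  /var/lib/one/datastores/** rwk,
"""

RULE = re.compile(r'^\s*(deny\s+)?"?([^"\s]+)"?\s+([a-z]+),')

def parse_rules(text):
    """Return (is_deny, path_pattern, perms) for each file rule, skipping comments."""
    rules = []
    for line in text.splitlines():
        m = None if line.lstrip().startswith("#") else RULE.match(line)
        if m:
            rules.append((bool(m.group(1)), m.group(2), m.group(3)))
    return rules

def to_regex(pattern):
    """Translate the globs used here: '**' crosses '/', '*' stays in one component."""
    esc = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.compile(esc + r"\Z")

def masked_writes(text):
    """Map each path under a 'deny ... w' rule to the allow rules whose 'w' it overrides."""
    rules = parse_rules(text)
    allows = [p for deny, p, perms in rules if not deny and "w" in perms]
    result = {}
    for deny, path, perms in rules:
        if deny and "w" in perms:
            hits = sorted({p for p in allows if to_regex(p).match(path)})
            if hits:
                result[path] = hits
    return result

if __name__ == "__main__":
    for path, hits in masked_writes(SAMPLE).items():
        print(f"write to {path} is denied despite: {', '.join(hits)}")
```

Running it against a concatenation of a VM's .files fragment and the abstraction lists every path where write access is granted in one place and denied in another.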


xorel commented 7 months ago

Libvirt bug https://gitlab.com/libvirt/libvirt/-/issues/622