我正在尝试使用以下脚本拍摄我的 KVM 来宾的外部快照:
DOMAIN=test-snapshots.programster.org
SNAPSHOT_NAME=snap3
STATE_FILE="/media/kvm/test-snapshots/mem-snap.qcow2"
DISK_FILE="/media/kvm/test-snapshots/disk-snap.qcow2"
sudo virsh snapshot-create-as \
--domain $DOMAIN $SNAPSHOT_NAME \
--diskspec vda,file=$DISK_FILE,snapshot=external \
--memspec file=$STATE_FILE,snapshot=external \
--atomic
不幸的是,无论何时执行,它都会产生以下错误输出
错误:内部错误:无法执行 QEMU 命令“事务”:无法打开“/media/kvm/KVM-Command-Generator/vms/test-snapshots.programster.org.img”:无法打开“/media/kvm” /KVM-Command-Generator/vms/test-snapshots.programster.org.img':权限被拒绝:权限被拒绝
我读到这可以通过使用 aa-complain 来解决。我按照步骤获取了 VM 的 ID,即5e1df6be-2cdd-8d7a-a45b-01097c7f44c6
.
但是,当我运行时:
sudo aa-complain libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6
我收到以下错误:
Can't find libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6 in the system path list. If the name of the application
is correct, please run 'which libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6' as a user with correct PATH
environment set up in order to find the fully-qualified path and
use the full path as parameter.
我确保通过在尝试执行快照时检查具有以下条目的系统日志来仔细检查它仍然是一个 apparmor 问题。
Mar 2 02:58:22 kvm kernel: [542687.670005] audit: type=1400 audit(1456887502.702:140): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6" pid=6824 comm="apparmor_parser"
Mar 2 02:58:22 kvm kernel: [542687.675951] audit: type=1400 audit(1456887502.706:141): apparmor="DENIED" operation="open" profile="libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6" name="/media/kvm/KVM-Command-Generator/vms/test-snapshots.programster.org.img" pid=8107 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
Mar 2 02:58:22 kvm kernel: [542687.675989] audit: type=1400 audit(1456887502.710:142): apparmor="DENIED" operation="open" profile="libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6" name="/media/kvm/KVM-Command-Generator/vms/test-snapshots.programster.org.img" pid=8107 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
Mar 2 02:58:22 kvm kernel: [542687.676034] audit: type=1400 audit(1456887502.710:143): apparmor="DENIED" operation="open" profile="libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6" name="/media/kvm/KVM-Command-Generator/vms/test-snapshots.programster.org.img" pid=8107 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
Mar 2 02:58:23 kvm kernel: [542687.969561] audit: type=1400 audit(1456887503.002:144): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6" pid=6841 comm="apparmor_parser"
为了允许 KVM 来宾的外部快照,我需要做什么?这可能类似于调整/禁用 apparmor,或者可能有更好的解决方案?
额外细节
操作系统:Ubuntu 14.04
的输出uname -a
Linux kvm.programster.org 4.2.0-30-generic #35~14.04.1-Ubuntu SMP Fri Feb 19 14:48:13 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
的输出aa-status
是:
apparmor module is loaded.
35 profiles are loaded.
34 profiles are in enforce mode.
/sbin/dhclient
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince-thumbnailer//sanitized_helper
/usr/bin/evince//sanitized_helper
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/libvirt/virt-aa-helper
/usr/lib/lightdm/lightdm-guest-session
/usr/lib/lightdm/lightdm-guest-session//chromium
/usr/lib/telepathy/mission-control-5
/usr/lib/telepathy/telepathy-*
/usr/lib/telepathy/telepathy-*//pxgsettings
/usr/lib/telepathy/telepathy-*//sanitized_helper
/usr/lib/telepathy/telepathy-ofono
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/tcpdump
libvirt-0146f0b4-3117-bfae-8142-7fd2680f0e02
libvirt-1418991d-64ec-9a1f-f9b0-f4c95285c0fa
libvirt-1ce386c6-c44a-054c-199a-0c44726fe973
libvirt-271e5909-afe4-57e2-6013-587071919685
libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6
libvirt-701ad939-e103-d41d-e7f1-71f368218604
libvirt-8a05e9ca-1918-7ec7-37b7-48b7c7e03a6d
libvirt-a0a8fa52-f59e-2d7f-06d3-7e5080369f1b
libvirt-be861e30-baf5-9c34-75d6-0142e10cf000
libvirt-bef3d687-5f3b-217f-29d7-795aaed8a865
libvirt-c2c962ef-4864-fd32-37d0-3ec0fa773a30
libvirt-e299551e-d503-7a47-5696-8f28f5c0754d
libvirt-f8ed2b66-c957-d104-262b-ac3aa63b237f
1 profiles are in complain mode.
/usr/sbin/libvirtd
17 processes have profiles defined.
16 processes are in enforce mode.
/usr/lib/telepathy/mission-control-5 (3368)
/usr/sbin/cups-browsed (1179)
/usr/sbin/cupsd (18585)
/usr/sbin/cupsd (18588)
libvirt-0146f0b4-3117-bfae-8142-7fd2680f0e02 (2741)
libvirt-1418991d-64ec-9a1f-f9b0-f4c95285c0fa (2803)
libvirt-1ce386c6-c44a-054c-199a-0c44726fe973 (2867)
libvirt-271e5909-afe4-57e2-6013-587071919685 (2470)
libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6 (8107)
libvirt-701ad939-e103-d41d-e7f1-71f368218604 (2564)
libvirt-8a05e9ca-1918-7ec7-37b7-48b7c7e03a6d (2666)
libvirt-a0a8fa52-f59e-2d7f-06d3-7e5080369f1b (2705)
libvirt-be861e30-baf5-9c34-75d6-0142e10cf000 (2607)
libvirt-bef3d687-5f3b-217f-29d7-795aaed8a865 (2834)
libvirt-c2c962ef-4864-fd32-37d0-3ec0fa773a30 (2095)
libvirt-f8ed2b66-c957-d104-262b-ac3aa63b237f (2772)
1 processes are in complain mode.
/usr/sbin/libvirtd (1562)
0 processes are unconfined but have a profile defined.
libvirt 来宾的 apparmor 配置文件是动态创建的。如果要将额外文件添加到允许列表中,请将所需文件添加到以下文件的末尾:
/etc/apparmor.d/abstractions/libvirt-qemu
在查看了所有信息后,您似乎走在了正确的道路上。问题是aa-complain命令需要完整路径。
解决方案是运行以下指定 VM 的完整路径的命令:
sudo aa-complain /etc/apparmor.d/libvirt/libvirt-5e1df6be-2cdd-8d7a-a45b-01097c7f44c6
在您的情况下,AppArmor 似乎限制了 libvirtd 太多。如果您有 profile
/etc/apparmor.d/usr.sbin.libvirtd
,您可以通过以下方式禁用它:您需要重新启动才能使其生效。
这发生在我工作的 kvm 主机从伸展升级到破坏者之后。图像文件本身是可读的,投诉是关于 qcow2-backing 文件的。我在 /etc/apparmor.d/libvirt/TEMPLATE.qemu 中添加了“文件”(就像在 lxc 模板中一样)。在那之后,一切似乎都运行良好。