Univention Bugzilla – Bug 40318
libvirt: multiple issues (4.0)
Last modified: 2016-05-18 13:27:25 CEST
+++ This bug was initially created as a clone of Bug #40317 +++

The following issue has been identified in libvirt:
* ACL bypass using ../ to access beyond storage pool (CVE-2015-5313)
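The one-line summary above describes the class of bug: a volume name containing `../` is joined onto the pool directory, so an actor who is only allowed to create volumes in that pool ends up with a path outside it. The following is an added illustration in Python, not libvirt's own fix and not code from this bug report; the pool path is a constructed example and the helper names are assumptions. It shows what an unvalidated join resolves to and a guard that rejects such names.

```python
import posixpath

# Constructed example pool directory (assumption, not taken from the report).
POOL_PATH = "/var/lib/libvirt/images"


def resolve_volume_path(pool_path, vol_name):
    """Path a volume name maps to when the name is simply joined onto the
    pool directory with no validation (the vulnerable behaviour)."""
    return posixpath.normpath(posixpath.join(pool_path, vol_name))


def is_unsafe_volume_name(vol_name):
    """A filesystem volume name must be a single path component: not empty,
    no '/', no dot entries, no NUL."""
    return (not vol_name
            or "/" in vol_name
            or vol_name in (".", "..")
            or "\0" in vol_name)


def safe_volume_path(pool_path, vol_name):
    """Map a volume name to a path, refusing anything that leaves the pool.

    Two layers: reject separators and dot entries in the name itself, then
    verify the normalized result still lies strictly beneath the pool."""
    if is_unsafe_volume_name(vol_name):
        raise ValueError("invalid volume name %r" % vol_name)
    pool = posixpath.normpath(pool_path)
    path = resolve_volume_path(pool, vol_name)
    if path == pool or posixpath.commonpath([pool, path]) != pool:
        raise ValueError("volume %r resolves outside pool %s" % (vol_name, pool))
    return path


def volume_escapes_pool(pool_path, vol_name):
    """True if the guard rejects the name (malformed or escaping the pool)."""
    try:
        safe_volume_path(pool_path, vol_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Four '..' climb out of /var/lib/libvirt/images to the filesystem root.
    evil = "../../../../etc/passwd"
    print("unvalidated join:", resolve_volume_path(POOL_PATH, evil))
    print("guard rejects it:", volume_escapes_pool(POOL_PATH, evil))
    print("normal name ok:  ", safe_volume_path(POOL_PATH, "vm1.qcow2"))
```

The name check alone would suffice for a pool whose volumes are plain files; the second check is what protects a backend that later builds paths from other metadata as well.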
The issue is minor and tagged no-dsa in Debian: <https://security-tracker.debian.org/tracker/CVE-2015-5313>

As we need to update libvirt anyway from our own 1.2.7, switch to 1.2.9 from Debian-Wheezy, which is maintained. The CVE was fixed by me for Debian, currently waiting for upload to jessie-proposed-updates.

Please note that UCS-3.3 also uses 1.2.9, so the version in 4.0 is actually lower than in 3.3!

$ repo_admin.py --cherrypick -r 3.3 --releasedest 4.0 --releasedest errata4.0-4 -p init-system-helpers
[16158] libvirt/4.0-0-0-ucs/1.2.9-9~bpo70+1/: patch merged by repo-ng - from 3.3-0-0-ucs/1.2.9-9~bpo70+1 to 4.0-0-0-ucs /1.2.9-9~bpo70+1
[16167] libvirt/4.0-0-0-ucs: Bug #40318 libvirt

Package: libvirt
Version: 1.2.9-9+deb8u2.137.201603111721
Branch: ucs_4.0-0
Scope: errata4.0-4

r68042 | Bug #40318 libvirt: YAML libvirt.yaml
$ repo_admin.py --cherrypick -r 4.0 --releasedest 4.0 --dest errata4.0-4 -p libnl

Package: libnl
Version: 1.1-7.14.201603141220
Branch: ucs_4.0-0
Scope: errata4.0-4

r68063 | Bug #40318 libnl: YAML libnl.yaml
$ repo_admin.py --cherrypick -r 4.0 --releasedest 4.0 --dest errata4.0-4 -p netcf

Package: netcf
Version: 0.1.9-2.4.201603151045
Branch: ucs_4.0-0
Scope: errata4.0-4

r68088 | Bug #40318 netcf: YAML netcf.yaml
Reopen: The update failed on my test machine, because /var/lib/libvirt/images was mounted from an NFS share. libvirt-daemon-system.postinst tries to configure dpkg-statoverrides for some directories. This fails with:

Setting up libvirt-daemon-system (1.2.9-9+deb8u2.137.201603111721) ...
Installing new version of config file /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper ...
Installing new version of config file /etc/apparmor.d/abstractions/libvirt-qemu ...
Installing new version of config file /etc/libvirt/qemu.conf.debian ...
chown: changing ownership of '/var/lib/libvirt/images/': Operation not permitted
(In reply to Erik Damrose from comment #4)
> Reopen: The update failed on my test machine, because
> /var/lib/libvirt/images was mounted from an NFS share.

The share must be exported with "no_root_squash" (in UMC: "Modify user ID for root user (root squashing)" disabled)!

By design libvirtd is running as the privileged user "root" so it can create all the files needed by Qemu/Xen/Hyper-V/LXC/... Files are "chown"ed to libvirt-qemu and opened just before the qemu sub-process is launched. So "root" must work for "/var/lib/libvirt/images/"!

A hint should be added to <http://docs.software-univention.de/manual-4.1.html#uvmm::defaultpool> to clarify that "root squashing" *must* *be* *disabled* for libvirtd to work correctly.
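The failure mode described in the two comments above (root creating a file in the pool, chowning it to the qemu user, then qemu opening it) can be checked before an upgrade. The following is an added preflight probe in Python, not part of this bug report and not a libvirt or UCS tool; the pool directory and the user name "libvirt-qemu" are assumptions for the UCS/Debian layout. Run as root on the host, it reproduces the chown step that failed in the postinst and reports whether the export squashes root.

```python
import errno
import os
import pwd
import tempfile

# Assumptions (not from the bug report): default pool directory and the
# unprivileged user libvirtd hands disk images to on UCS/Debian.
POOL_DIR = "/var/lib/libvirt/images"
QEMU_USER = "libvirt-qemu"


def probe_pool_dir(pool_dir, target_uid, target_gid):
    """Reproduce what libvirt-daemon-system.postinst and libvirtd need from the
    pool directory: create a file, chown it to the qemu user, open it for
    writing. Returns (ok, message).

    Intended to run as root. On an NFS export with root_squash the server maps
    root to the anonymous uid, so the chown fails with EPERM; that is the
    "Operation not permitted" from the failed upgrade above."""
    try:
        fd, path = tempfile.mkstemp(prefix=".pool-probe-", dir=pool_dir)
    except OSError as e:
        return False, "cannot create a file in %s: %s" % (pool_dir, e.strerror)
    try:
        os.close(fd)
        try:
            os.chown(path, target_uid, target_gid)
        except OSError as e:
            if e.errno == errno.EPERM:
                return False, ("chown %d:%d on %s not permitted: root squashing is "
                               "active on the export, or this is not running as root"
                               % (target_uid, target_gid, path))
            return False, "chown on %s failed: %s" % (path, e.strerror)
        st = os.stat(path)
        if (st.st_uid, st.st_gid) != (target_uid, target_gid):
            return False, ("ownership of %s is %d:%d after chown, expected %d:%d"
                           % (path, st.st_uid, st.st_gid, target_uid, target_gid))
        # This is the step qemu performs after libvirtd has chowned the image.
        with open(path, "r+b") as f:
            f.write(b"probe")
    except OSError as e:
        return False, "%s: %s" % (path, e.strerror)
    finally:
        os.unlink(path)
    return True, "root can create, chown and write files in %s" % pool_dir


def probe_for_user(pool_dir=POOL_DIR, user=QEMU_USER):
    """Look up the qemu user and run the probe with its uid/gid."""
    pw = pwd.getpwnam(user)
    return probe_pool_dir(pool_dir, pw.pw_uid, pw.pw_gid)


def selfcheck_in_tmpdir():
    """Sanity check of the probe itself against a local directory with the
    caller's own uid/gid; this must succeed regardless of privileges."""
    tmp = tempfile.mkdtemp(prefix="pool-probe-self-")
    try:
        return probe_pool_dir(tmp, os.getuid(), os.getgid())
    finally:
        os.rmdir(tmp)


if __name__ == "__main__":
    ok, msg = probe_for_user()
    print(("OK: " if ok else "FAIL: ") + msg)
```

A "not permitted" result on an NFS-backed pool means the export needs no_root_squash (in UMC, root squashing disabled) before libvirt-daemon-system can be configured and before libvirtd can hand images to qemu.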
(In reply to Philipp Hahn from comment #5)
> The Share must be exported with "no_root_squash" (in UMC: "Modify user ID
> for root user (root squashing)" disabled)!

Ok, there are subsequent errors if root squashing is used, so virtualisation wouldn't even work with 1.2.7.

Reopen, after upgrading successfully, the following errors occur. This is with an NFS share with no_root_squash.

When trying to live migrate from 1.2.9 to 1.2.7:
Error migrating domain "efbf9137-677c-43e3-b58f-77b2f58c9c86": internal error: migration was active, but no RAM info was set

When live-migrating from libvirt 1.2.7 to 1.2.9, the qcow2 file ownership is root:root when libvirt 1.2.9 spawns new processes, thus no writes are possible on the new host.
(In reply to Erik Damrose from comment #6)
> When trying to live migrate from 1.2.9 to 1.2.7: Error migrating
> domain "efbf9137-677c-43e3-b58f-77b2f58c9c86": internal error: migration was
> active, but no RAM info was set

Live migration also does not work from 1.2.9 to 1.2.9 (same new version). Identical error message.
This is caused by our ancient version of qemu-kvm-1.1.2, which does not provide the "ram":{...} data on completion:

2016-05-08 20:52:59.616+0000: 23157: debug : qemuMonitorJSONCommandWithFd:286 : Send command '{"execute":"query-migrate","id":"libvirt-41"}' for write with FD -1
2016-05-08 20:52:59.626+0000: 23152: debug : qemuMonitorJSONIOProcessLine:179 : Line [{"return": {"status": "active", "ram": {"total": 2164654080, "remaining": 22474752, "transferred": 175117413}}, "id": "libvirt-41"}]
...
2016-05-08 20:52:59.676+0000: 23157: debug : qemuMonitorJSONCommandWithFd:286 : Send command '{"execute":"query-migrate","id":"libvirt-42"}' for write with FD -1
2016-05-08 20:52:59.677+0000: 23152: debug : qemuMonitorJSONIOProcessLine:179 : Line [{"return": {"status": "completed"}, "id": "libvirt-42"}]

r16476 | Bug #40318 libvirt: qemu-kvm-1.1.2 JSON migration

Package: libvirt
Version: 1.2.9-9+deb8u2.140.201605091238
Branch: ucs_4.0-0
Scope: errata4.0-4
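The debug log above shows the whole problem in two QMP replies: while the migration is "active" qemu-kvm 1.1.2 reports "ram" counters, but its "completed" reply carries no "ram" object at all, and a parser that insists on RAM info for both states aborts with the error seen in comments #6 and #7. The following is an added Python model of the two interpretations, not libvirt's monitor code and not the UCS patch r16476 (whose diff is not shown here); the two replies are copied from the log lines above, the third "newer QEMU" reply is constructed, and the tolerant rule (RAM counters required only while active) is an assumption about how such a parser can be relaxed.

```python
import json


class MigrationError(Exception):
    """Raised when a query-migrate reply cannot be interpreted."""


# Copies of the two replies in the debug log above: an "active" poll with RAM
# counters and the "completed" poll from qemu-kvm 1.1.2 without any "ram".
REPLY_ACTIVE = ('{"return": {"status": "active", "ram": {"total": 2164654080, '
                '"remaining": 22474752, "transferred": 175117413}}, "id": "libvirt-41"}')
REPLY_COMPLETED_OLD_QEMU = '{"return": {"status": "completed"}, "id": "libvirt-42"}'
# Constructed: what a QEMU that reports RAM counters on completion would send.
REPLY_COMPLETED_NEW_QEMU = ('{"return": {"status": "completed", "ram": {"total": 2164654080, '
                            '"remaining": 0, "transferred": 2164654080}}, "id": "libvirt-43"}')


def parse_reply(line):
    """Decode one QMP reply line and return its "return" object."""
    msg = json.loads(line)
    if "error" in msg:
        raise MigrationError("QMP error: %s" % msg["error"].get("desc", "unknown"))
    return msg["return"]


def migration_status_strict(line, last_ram=None):
    """Strict rule: RAM counters are mandatory while active and on completion.
    Against qemu-kvm 1.1.2 the completed reply has no "ram", so this fails
    with exactly the message from the bug report (last_ram is unused)."""
    ret = parse_reply(line)
    status = ret.get("status", "none")
    if status in ("active", "completed") and "ram" not in ret:
        raise MigrationError("migration was active, but no RAM info was set")
    return {"status": status, "ram": ret.get("ram")}


def migration_status_tolerant(line, last_ram=None):
    """Assumed relaxed rule: RAM counters are mandatory only while active. A
    completed reply without "ram" reuses the counters from the previous active
    poll and marks the transfer as finished."""
    ret = parse_reply(line)
    status = ret.get("status", "none")
    ram = ret.get("ram")
    if status == "active" and ram is None:
        raise MigrationError("migration was active, but no RAM info was set")
    if status == "completed" and ram is None and last_ram is not None:
        ram = dict(last_ram, remaining=0, transferred=last_ram["total"])
    return {"status": status, "ram": ram}


def poll_until_done(replies, parse):
    """Feed query-migrate replies through `parse` the way a polling loop would,
    carrying the last RAM counters forward. Returns the final state."""
    state = {"status": "none", "ram": None}
    for line in replies:
        state = parse(line, state["ram"])
        if state["status"] in ("completed", "failed", "cancelled"):
            break
    return state


if __name__ == "__main__":
    replies = [REPLY_ACTIVE, REPLY_COMPLETED_OLD_QEMU]
    try:
        poll_until_done(replies, migration_status_strict)
    except MigrationError as e:
        print("strict:   ", e)
    print("tolerant: ", poll_until_done(replies, migration_status_tolerant))
```

The strict parser reproduces "migration was active, but no RAM info was set" even though the reply says "completed", which is what the error in comments #6 and #7 looks like from the outside; the tolerant parser finishes the same sequence with the counters from the last active poll.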
OK: Patch for live migration applied
OK: Functionality
OK: r69258 Moved and updated YAML for ucs 4.0-5

Verified
r69347 | Bug #40318 libvirt: Move additional YAML files
<http://errata.software-univention.de/ucs/4.0/420.html>
<http://errata.software-univention.de/ucs/4.0/421.html>
<http://errata.software-univention.de/ucs/4.0/422.html>