Do not configure selinux/apparmor when setup cloudstack agent

[weizhouapache]

Description

This PR disables security configurations during CloudStack agent setup:

• On Ubuntu, it disables AppArmor restrictions for libvirt
• On EL-based systems, it sets SELinux to permissive mode

However, users have different security and hardening requirements, and these decisions should not be enforced by the agent setup. For example:

• Some environments may require SELinux/AppArmor to remain in enforcing mode for stronger security hardening, and the system should still support such configurations.

• Some users may prefer to explicitly configure the libvirt security driver in /etc/libvirt/qemu.conf, replacing security_driver="none" with:

security_driver="selinux"
security_driver="apparmor"

Note that this configuration may not be compatible with certain VM or volume features and could require additional changes. If so, those cases are outside the scope of this PR and can be addressed in future improvements.

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• Build/CI
• Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

[weizhouapache]

@blueorangutan package

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 18.10%. Comparing base (c0ce5b4) to head (9c0854e).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##               main   #13281   +/-   ##
=========================================
  Coverage     18.10%   18.10%           
- Complexity    16749    16752    +3     
=========================================
  Files          6037     6037           
  Lines        542796   542796           
  Branches      66456    66456           
=========================================
+ Hits          98268    98291   +23     
+ Misses       433492   433460   -32     
- Partials      11036    11045    +9     

Flag	Coverage Δ
uitests	3.51% <ø> (ø)
unittests	19.27% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[weizhouapache]

@blueorangutan package

[Copilot]

Pull request overview

This PR stops CloudStack KVM agent setup from actively disabling host security policy mechanisms during setup, leaving SELinux/AppArmor posture to operators.

Changes:

• Makes AppArmor and SELinux setup configuration methods return without modifying host policy.
• Removes the legacy setup_agent.sh script that also forced SELinux permissive mode.
• Removes stale Java comments referencing the deleted setup script.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
python/lib/cloudutils/serviceConfig.py	No-ops AppArmor/SELinux configuration during agent setup.
scripts/vm/hypervisor/kvm/setup_agent.sh	Deletes obsolete KVM agent setup helper script.
server/src/main/java/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java	Removes stale commented reference to setup_agent.sh.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[weizhouapache]

@blueorangutan package

[weizhouapache]

@DaanHoogland
yes, they are dead code.
I am running some tests, they will be removed after verification

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 18086

[blueorangutan]

[SF] Trillian Build Failed (tid-16221)

[blueorangutan]

[SF] Trillian Build Failed (tid-16225)

[weizhouapache]

with the changes

ubuntu 24

root@pr13281-t16222-kvm-ubuntu24-kvm1:~# aa-status 
apparmor module is loaded.
113 profiles are loaded.
113 profiles are in enforce mode.
   /usr/bin/man
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/chronyd
   1password
   Discord
   MongoDB Compass
   QtWebEngineProcess
   balena-etcher
   brave
   buildah
   cam
   ch-checkns
   ch-run
   chrome
   crun
   devhelp
   element-desktop
   epiphany
   evolution
   firefox
   flatpak
   foliate
   geary
   github-desktop
   goldendict
   ipa_verify
   kchmviewer
   keybase
   lc-compliance
   libcamerify
   libvirtd
   libvirtd//qemu_bridge_helper
   linux-sandbox
   loupe
   lsb_release
   lxc-attach
   lxc-create
   lxc-destroy
   lxc-execute
   lxc-stop
   lxc-unshare
   lxc-usernsexec
   man_filter
   man_groff
   mmdebstrap
   msedge
   notepadqq
   nvidia_modprobe
   nvidia_modprobe//kmod
   obsidian
   opam
   opera
   pageedit
   plasmashell
   plasmashell//QtWebEngineProcess
   podman
   polypane
   privacybrowser
   qcam
   qmapshack
   qutebrowser
   rootlesskit
   rpm
   rssguard
   rsyslogd
   runc
   sbuild
   sbuild-abort
   sbuild-adduser
   sbuild-apt
   sbuild-checkpackages
   sbuild-clean
   sbuild-createchroot
   sbuild-destroychroot
   sbuild-distupgrade
   sbuild-hold
   sbuild-shell
   sbuild-unhold
   sbuild-update
   sbuild-upgrade
   scide
   signal-desktop
   slack
   slirp4netns
   steam
   stress-ng
   surfshark
   swtpm
   systemd-coredump
   tcpdump
   thunderbird
   toybox
   transmission-cli
   transmission-daemon
   transmission-gtk
   transmission-qt
   trinity
   tup
   tuxedo-control-center
   ubuntu_pro_apt_news
   unix-chkpwd
   unprivileged_userns
   userbindmount
   uwsgi-core
   vdens
   virt-aa-helper
   virtiofsd
   vivaldi-bin
   vpnns
   vscode
   wike
   wpcom
0 profiles are in complain mode.
0 profiles are in prompt mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
4 processes have profiles defined.
4 processes are in enforce mode.
   /usr/sbin/chronyd (949) 
   /usr/sbin/chronyd (957) 
   /usr/sbin/libvirtd (13184) libvirtd
   /usr/sbin/rsyslogd (927) rsyslogd
0 processes are in complain mode.
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.

root@pr13281-t16222-kvm-ubuntu24-kvm1:~# grep ^security /etc/libvirt/qemu.conf 
security_driver="none"

debian12

root@pr13281-t16223-kvm-debian12-kvm1:~# aa-status 
apparmor module is loaded.
15 profiles are loaded.
15 profiles are in enforce mode.
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/chronyd
   /{,usr/}sbin/dhclient
   libvirtd
   libvirtd//qemu_bridge_helper
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   tcpdump
   virt-aa-helper
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
3 processes have profiles defined.
3 processes are in enforce mode.
   /usr/sbin/chronyd (1818) 
   /usr/sbin/chronyd (1819) 
   /usr/sbin/libvirtd (44766) libvirtd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

root@pr13281-t16223-kvm-debian12-kvm1:~# grep ^security /etc/libvirt/qemu.conf 
security_driver="none"

oraclelinux 8

[root@pr13281-t16220-kvm-ol8-kvm1 ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

[root@pr13281-t16220-kvm-ol8-kvm1 ~]# grep ^security /etc/libvirt/qemu.conf 
security_driver="none"

suse15

pr13281-t16224-kvm-suse15-kvm1:~ # aa-status 
apparmor module is loaded.
64 profiles are loaded.
64 profiles are in enforce mode.
   /usr/bin/lessopen.sh
   apache2
   apache2//DEFAULT_URI
   apache2//HANDLING_UNTRUSTED_INPUT
   apache2//phpsysinfo
   avahi-daemon
   dnsmasq
   dnsmasq//libvirt_leaseshelper
   dovecot
   dovecot-anvil
   dovecot-auth
   dovecot-config
   dovecot-deliver
   dovecot-dict
   dovecot-director
   dovecot-doveadm-server
   dovecot-dovecot-auth
   dovecot-dovecot-lda
   dovecot-dovecot-lda//sendmail
   dovecot-imap
   dovecot-imap-login
   dovecot-lmtp
   dovecot-log
   dovecot-managesieve
   dovecot-managesieve-login
   dovecot-pop3
   dovecot-pop3-login
   dovecot-replicator
   dovecot-script-login
   dovecot-ssl-params
   dovecot-stats
   identd
   klogd
   libvirtd
   libvirtd//qemu_bridge_helper
   lsb_release
   mdnsd
   nmbd
   nscd
   ntpd
   nvidia_modprobe
   nvidia_modprobe//kmod
   php-fpm
   ping
   samba-bgqd
   samba-dcerpcd
   samba-rpcd
   samba-rpcd-classic
   samba-rpcd-spoolss
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
   unix-chkpwd
   virt-aa-helper
   virtqemud
   virtqemud//qemu_bridge_helper
   virtxend
   winbindd
   zgrep
   zgrep//helper
   zgrep//sed
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/libvirtd (8137) libvirtd
   /usr/sbin/nscd (862) nscd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

pr13281-t16224-kvm-suse15-kvm1:~ # grep ^security /etc/libvirt/qemu.conf 
security_driver="none"

oraclelinux 9

[root@pr13281-t16227-kvm-ol9-kvm1 ~]# grep ^security /etc/libvirt/qemu.conf 
security_driver="none"
[root@pr13281-t16227-kvm-ol9-kvm1 ~]# 
[root@pr13281-t16227-kvm-ol9-kvm1 ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
[root@pr13281-t16227-kvm-ol9-kvm1 ~]# 

[weizhouapache]

@blueorangutan package

[blueorangutan]

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 18093

[blueorangutan]

[SF] Trillian test result (tid-16220)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 26503 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr13281-t16220-kvm-ol8.zip
Smoke tests completed. 110 look OK, 2 have errors, 39 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_01_primary_storage_nfs	Error	0.25	test_primary_storage.py
ContextSuite context=TestStorageTags>:setup	Error	0.41	test_primary_storage.py
test_01_primary_storage_scope_change	Error	0.15	test_primary_storage_scope.py
all_test_routers_iptables_default_policy	Skipped	---	test_routers_iptables_default_policy.py
all_test_routers_network_ops	Skipped	---	test_routers_network_ops.py
all_test_routers	Skipped	---	test_routers.py
all_test_scale_vm	Skipped	---	test_scale_vm.py
all_test_secondary_storage	Skipped	---	test_secondary_storage.py
all_test_service_offerings	Skipped	---	test_service_offerings.py
all_test_set_sourcenat	Skipped	---	test_set_sourcenat.py
all_test_sharedfs_lifecycle	Skipped	---	test_sharedfs_lifecycle.py
all_test_snapshots	Skipped	---	test_snapshots.py
all_test_ssl_offloading	Skipped	---	test_ssl_offloading.py
all_test_ssvm	Skipped	---	test_ssvm.py
all_test_staticroles	Skipped	---	test_staticroles.py
all_test_storage_policy	Skipped	---	test_storage_policy.py
all_test_systemvm_userdata	Skipped	---	test_systemvm_userdata.py
all_test_templates	Skipped	---	test_templates.py
all_test_update_security_group	Skipped	---	test_update_security_group.py
all_test_usage_events	Skipped	---	test_usage_events.py
all_test_usage	Skipped	---	test_usage.py
all_test_vm_autoscaling	Skipped	---	test_vm_autoscaling.py
all_test_vm_deployment_planner	Skipped	---	test_vm_deployment_planner.py
all_test_vm_life_cycle	Skipped	---	test_vm_life_cycle.py
all_test_vm_lifecycle_unmanage_import	Skipped	---	test_vm_lifecycle_unmanage_import.py
all_test_vm_lifecycle_unmanage_kvm_import	Skipped	---	test_vm_lifecycle_unmanage_kvm_import.py
all_test_vm_lifecycle_with_snapshot_or_volume	Skipped	---	test_vm_lifecycle_with_snapshot_or_volume.py
all_test_vm_schedule	Skipped	---	test_vm_schedule.py
all_test_vm_snapshot_kvm	Skipped	---	test_vm_snapshot_kvm.py
all_test_vm_snapshots	Skipped	---	test_vm_snapshots.py
all_test_vm_strict_host_tags	Skipped	---	test_vm_strict_host_tags.py
all_test_vnf_templates	Skipped	---	test_vnf_templates.py
all_test_volumes	Skipped	---	test_volumes.py
all_test_vpc_conserve_mode	Skipped	---	test_vpc_conserve_mode.py
all_test_vpc_ipv6	Skipped	---	test_vpc_ipv6.py
all_test_vpc_redundant	Skipped	---	test_vpc_redundant.py
all_test_vpc_router_nics	Skipped	---	test_vpc_router_nics.py
all_test_vpc_vpn	Skipped	---	test_vpc_vpn.py
all_test_webhook_delivery	Skipped	---	test_webhook_delivery.py
all_test_webhook_lifecycle	Skipped	---	test_webhook_lifecycle.py
all_test_host_maintenance	Skipped	---	test_host_maintenance.py
all_test_hostha_kvm	Skipped	---	test_hostha_kvm.py