Unable to set AppArmor profile [...] no such file or directory
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
libvirt (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Xenial |
Won't Fix
|
Medium
|
Unassigned | ||
Artful |
Fix Released
|
Medium
|
Unassigned | ||
Bionic |
Fix Released
|
Medium
|
Unassigned |
Bug Description
=======
Bugs are not infrequently reported along the lines of
Unable to set Apparmor Profile for [emulator]: No such file or directory
It is frequently (always?) the result of some value (a cdrom or disk file) which has spaces of odd characters which mess up virt-aa-helper or libvirt itself.
We should attempt to detect this early on. Perhaps we can use a qemu hook, or add a check in virt-aa-helper.
=======
/usr/bin/kvm-spice is a soft-link to /usr/bin/kvm
in /etc/apparmor.
This leads rise to the error:
libvirt: error : unable to set AppArmor profile 'libvirt-
when using e.g. OpenStack
$ lsb_release -rd
Description: Ubuntu 14.10
Release: 14.10
$ dpkg -l|grep libvirt-bin
ii libvirt-bin 1.2.8-0ubuntu11 amd64 programs for the libvirt library
Serge Hallyn (serge-hallyn) wrote : | #1 |
Changed in libvirt (Ubuntu): | |
importance: | Undecided → High |
status: | New → Incomplete |
Don Bowman (donbowman) wrote : | #2 |
osadmin-
-rwxr-xr-x 1 root root 52 Jul 30 23:06 /usr/bin/kvm
lrwxrwxrwx 1 root root 3 Oct 16 09:59 /usr/bin/kvm-spice -> kvm
$ sudo apt-file search kvm-spice
qemu-kvm: /usr/bin/kvm-spice
<domain type='kvm' id='12'>
<name>
<uuid>
<metadata>
<nova:instance xmlns:nova="http://
<nova:package version="2014.2"/>
<
<
<nova:flavor name="m1.5G">
<
<nova:owner>
<nova:user uuid="56801ce42
</nova:owner>
<nova:root type="image" uuid="e02bc933-
</nova:
</metadata>
<memory unit='KiB'
<currentMemory unit='KiB'
<vcpu placement='static' cpuset=
<resource>
<partition>
</resource>
<sysinfo type='smbios'>
<system>
<entry name='manufactu
<entry name='product'
<entry name='version'
<entry name='serial'
<entry name='uuid'
</system>
</sysinfo>
<os>
<type arch='x86_64' machine=
<boot dev='hd'/>
<smbios mode='sysinfo'/>
</os>
<features>
<acpi/>
<apic/>
</features>
<cpu mode='host-model'>
<model fallback='allow'/>
<topology sockets='1' cores='1' threads='1'/>
</cpu>
<clock offset='utc'>
<timer name='pit' tickpolicy=
<timer name='rtc' tickpolicy=
<timer name='hpet' present='no'/>
</clock>
<on_poweroff>
<on_reboot>
<on_crash>
<devices>
<emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2' cache='none'/>
<source file='/
<backingStore type='file' index='1'>
<format type='raw'/>
<source file='/
<
<target dev='vda' bus='virtio'/>
<alias name='virtio-
<address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
</disk>
<disk type='file' device='cdrom'>
<driver name='qemu' type='raw' cache='none'/>
<source file='/
<
<target dev='hdd' bus='ide'/>
<readonly/>
<alias name='ide0-1-1'/>
<a...
Changed in libvirt (Ubuntu): | |
status: | Incomplete → New |
Serge Hallyn (serge-hallyn) wrote : | #3 |
Thanks for the information. Sorry, I was misreading the message. The file which does not exist is not kvm-spice, but the libvirt profile.
Could you please reproduce the issue, then show both the xml file for the failing vm and show the result of "ls -l /etc/apparmor.
Don Bowman (donbowman) wrote : | #4 |
The ls has:
total 192
-rw-r--r-- 1 root root 265 Sep 15 18:46 libvirt-
-rw-r--r-- 1 root root 1140 Oct 28 03:09 libvirt-
-rw-r--r-- 1 root root 265 Oct 14 04:07 libvirt-
-rw-r--r-- 1 root root 1077 Oct 28 03:09 libvirt-
-rw-r--r-- 1 root root 265 Oct 23 13:40 libvirt-
-rw-r--r-- 1 root root 1077 Oct 28 03:08 libvirt-
-rw-r--r-- 1 root root 265 Oct 23 13:40 libvirt-
-rw-r--r-- 1 root root 1098 Oct 28 03:08 libvirt-
-rw-r--r-- 1 root root 265 Oct 14 04:07 libvirt-
-rw-r--r-- 1 root root 1161 Oct 28 03:09 libvirt-
-rw-r--r-- 1 root root 265 Sep 15 18:59 libvirt-
-rw-r--r-- 1 root root 1077 Oct 29 21:44 libvirt-
-rw-r--r-- 1 root root 265 Sep 15 18:46 libvirt-
-rw-r--r-- 1 root root 1077 Oct 28 03:09 libvirt-
-rw-r--r-- 1 root root 265 Oct 23 13:40 libvirt-
-rw-r--r-- 1 root root 1098 Oct 28 03:08 libvirt-
-rw-r--r-- 1 root root 265 Sep 15 18:46 libvirt-
-rw-r--r-- 1 root root 1098 Oct 28 03:08 libvirt-
-rw-r--r-- 1 root root 265 Oct 29 20:44 libvirt-
-rw-r--r-- 1 root root 1098 Oct 29 20:44 libvirt-
-rw-r--r-- 1 root root 265 Oct 14 04:06 libvirt-
-rw-r--r-- 1 root root 1140 Oct 28 03:09 libvirt-
-rw-r--r-- 1 root root 265 Oct 29 16:14 libvirt-
-rw-r--r-- 1 root root 1140 Oct 29 16:14 libvirt-
-rw-r--r-- 1 root root 265 Oct 28 20:32 libvirt-
-rw-r--r-- 1 root root 1098 Oct 28 20:32 libvirt-
-rw-r--r-- 1 root root 265 Oct 23 13:40 libvirt-
-rw-r--r-- 1 root root 1161 Oct 28 03:08 libvirt-
-rw-r--r-- 1 root root 265 Oct 29 09:59 libvirt-
-rw-r--r-- 1 root root 1161 Oct 29 09:59 libvirt-
-rw-r--r-- 1 root root 265 Sep 15 18:46 libvirt-
-rw-r--r-- 1 root root 1098 Oct 28 03:08 libvirt-
-rw-r--r-- 1 root root 265 Oct 14 04:06 libvirt-
-rw-r--r-- 1 root root 1077 Oct 28 03:09 libvirt-
-rw-r--r-- 1 root root 265 Oct 23 13:41 libvirt-
-rw-r--r-- 1 root root 1098 Oct 28 03:08 libvirt-
Serge Hallyn (serge-hallyn) wrote : | #5 |
Thanks for the information.
Oddly, for the example in comment #4, the apparmor policy *is* in fact in the listing of /etc/apparmor.
Are you certain that instance also failed to boot?
I fear the log information will be overwhelming, but i think we'll need full libvirt debug output. Please edit /etc/libvirt/
log_level = 1
then "sudo stop libvirt-bin; sudo start libvirt-bin"
and start the vm, then attach the file /var/log/
Changed in libvirt (Ubuntu): | |
status: | New → Incomplete |
Don Bowman (donbowman) wrote : | #6 |
sigh, the kvm-spice entry in apparmor.d/libivrt is my workaround. i added it manually and forget to mention that when attaching above.
w/o that entry, openstack will not start an instance.
with it, it is fine.
Serge Hallyn (serge-hallyn) wrote : | #7 |
No, I believe that is spurious. According to the message in the Description, I believe that the failure happens when the apparmor profile fails to be generated on the compute node. I believe that if adding kvm-spice sometimes seemed to fix it, that was an accident.
To check whether I'm right, can you take a vm which does work, remove the kvm-spice line, and check that it now indeed fails to start?
Launchpad Janitor (janitor) wrote : | #8 |
[Expired for libvirt (Ubuntu) because there has been no activity for 60 days.]
Changed in libvirt (Ubuntu): | |
status: | Incomplete → Expired |
Artyum (arwi) wrote : | #9 |
I have the same poblem. It occures while I try to install Windows 2012 Server R2. When the ISO is loaded into IDE CDROM the vm can't start. When I remove the ISO image from CDROM, I instantly get SeaBIOS.. no botable device.
Here is log from /var/log/
2015-01-24 18:31:36.241+0000: 30485: error : virCommandHands
2015-01-24 18:31:36.241+0000: 30485: error : qemuProcessRead
VM was created with virt-manager.
<domain type='kvm'>
<name>
<uuid>
<memory unit='KiB'
<currentMemory unit='KiB'
<vcpu placement=
<os>
<type arch='x86_64' machine=
</os>
<features>
<acpi/>
<apic/>
<pae/>
</features>
<cpu mode='custom' match='exact'>
<model fallback=
</cpu>
<clock offset='utc'>
<timer name='rtc' tickpolicy=
<timer name='pit' tickpolicy=
<timer name='hpet' present='no'/>
</clock>
<on_poweroff>
<on_reboot>
<on_crash>
<pm>
<suspend-to-mem enabled='no'/>
<suspend-
</pm>
<devices>
<emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/
<target dev='hda' bus='ide'/>
<boot order='2'/>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
<disk type='block' device='cdrom'>
<driver name='qemu' type='raw'/>
<target dev='hdb' bus='ide'/>
<readonly/>
<boot order='1'/>
<address type='drive' controller='0' bus='0' target='0' unit='1'/>
</disk>
<controller type='usb' index='0' model='ich9-ehci1'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x7'/>
</controller>
<controller type='usb' index='0' model='ich9-uhci1'>
<master startport='0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0' multifunction=
</controller>
<controller type='usb' index='0' model='ich9-uhci2'>
<master startport='2'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x1'/>
</controller>
<controller type='usb' index='0' model='ich9-uhci3'>
<master startport='4'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x2'/>
</controller>
<controller type='pci' index='0' model='pci-root'/>
<controller type='ide' index='0'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
</controller>
<interface type='bridge'>
<mac address=
<source bridge='br0'/>
<model type='rtl8139'/>
<address type='pci' domain...
Artyum (arwi) wrote : | #10 |
for further investigation
Changed in libvirt (Ubuntu): | |
status: | Expired → Incomplete |
Serge Hallyn (serge-hallyn) wrote : | #11 |
@arwi,
does /usr/bin/kvm-spice exist on your host?
Artyum (arwi) wrote : | #12 |
yes
# ls -l /usr/bin/kvm-spice
lrwxrwxrwx 1 root root 3 gru 16 15:27 /usr/bin/kvm-spice -> kvm
# ls -l /usr/bin/kvm
-rwxr-xr-x 1 root root 52 lut 4 2014 /usr/bin/kvm
Serge Hallyn (serge-hallyn) wrote : | #13 |
Sorry, that all looks fine, I simply see no reason for what is going on. To get some more log info from libvirt, could you please do:
sudo stop libvirt-bin
sudo rm /var/lib/
echo "log_level = 1" | sudo tee -a /etc/libvirt/
sudo start libvirt-bin
Then reproduce this issue and attach the resulting /var/log/
Changed in libvirt (Ubuntu): | |
status: | Incomplete → New |
status: | New → Incomplete |
Artyum (arwi) wrote : | #14 |
qemu/$(vm).log
2015-02-01 10:03:05.429+0000: starting up
LC_ALL=C PATH=/usr/
libvirt: error : unable to set AppArmor profile 'libvirt-
2015-02-01 10:03:05.453+0000: shutting down
libvirtd.log
2015-02-01 10:03:05.453+0000: 7035: error : virCommandHands
2015-02-01 10:03:05.453+0000: 7035: error : qemuProcessRead
Artyum (arwi) wrote : | #15 |
I found the solution. The problem "No such file or directory" wasn't related to kvm-spice.
I've checked /etc/apparmor.
Changed in libvirt (Ubuntu): | |
status: | Incomplete → Confirmed |
importance: | High → Low |
summary: |
- libvirt-qemu apparmor profile missing kvm-spice + Poor error reporting when cd file not found. |
Xiang Hui (xianghui) wrote : Re: Poor error reporting when cd file not found. | #16 |
Hi,
I have met exactly the same issue on Ubuntu vivid with OpenStack vms,
Failed message:
"unable to set AppArmor profile 'libvirt-
But actually the profile exists:
$ ll /etc/apparmor.
libvirt-
$ ls -l /usr/bin/kvm-spice
lrwxrwxrwx 1 root root 3 Sep 24 20:25 /usr/bin/kvm-spice -> kvm
$ ls -l /usr/bin/kvm
-rwxr-xr-x 1 root root 811 Oct 15 23:03 /usr/bin/kvm
I am not understanding what does 'It folder name contained chars: "- = { }". After changing the folder name to "Windows Server 2012 R2", the vm started.' mean how it work out the problem.
My vm is a cirros, it seems unrelated.
There are also other people hit this problem, but they figure it out temporarily either by disable apparmor or by purge apparmor, please take a look and point me a right solution, thanks a lot.
summary: |
- Poor error reporting when cd file not found. + Unable to set AppArmor profile for /usr/bin/kvm-spice |
Serge Hallyn (serge-hallyn) wrote : Re: Unable to set AppArmor profile for /usr/bin/kvm-spice | #17 |
Hi, are you on a systemd host? If so you try starting the vm, then immediately show the output of
sudo journalctl -u libvirt-bin
(If not systemd, then show end of /var/log/
also attach /var/log/
Xiang Hui (xianghui) wrote : | #18 |
- kvm-spice-error.tar.gz Edit (960.1 KiB, application/x-tar)
Hi Serge,
Thanks for taking a look, I got it work around by set 'security_
Same error:
2015-10-23 15:40:41.821 DEBUG nova.compute.utils [req-f039b3d1-
from (pid=12748) notify_
2015-10-23 15:40:41.822 DEBUG nova.compute.
2015-10-23 15:40:41.432 TRACE nova.compute.
-> But actually exists libvirt-
$ sudo ls /etc/apparmor.
libvirt-
Also I debug on the kvm-spice, it's suspicious got wrong at the last line:
exec /usr/bin/
which finally translater into:
exec /usr/bin/
-> Just guess kvm-spice doesn't have the perssion to access /var/lib/
$ sudo ls -l /var/lib/
total 16
drwxr-xr-x 3 root root 4096 Oct 10 09:55 channel
drwxr-xr-x 2 root root 4096 Oct 9 17:13 dump
srwxrwxr-x 1 libvirt-qemu kvm 0 Oct 22 18:22 instance-
srwxrwxr-x 1 libvirt-qemu kvm 0 Oct 22 21:24 instance-
drwxr-xr-x 2 libvirt-qemu kvm 4096 Oct 9 17:13 save
drwxr-xr-x 2 libvirt-qemu kvm 4096 Oct 9 17:13 snapshot
For the successfully spawned vms work around by setting security_driver to None, there are instance-
libvirt.log and failed vm qemu.log are attached.
Thank you!
Serge Hallyn (serge-hallyn) wrote : | #19 |
Hi,
so I'm getting the feeling that we ought to turn this bug into one for enhancing the transparancy of errors. Too many errors are mis-reported by this line.
For your particular case, could we try an experiment? Please install strace on the compute host, and edit /usr/bin/kvm-spice to read:
#!/bin/sh
exec strace -f -o/run/
Make sure the directory exists,
sudo mkdir -p /run/hugepages/
Then try running the vm, then attach /run/hugepages/
(I'm abusing the hugepages directory to make sure apparmor does not prevent strace from writing to it)
Serge Hallyn (serge-hallyn) wrote : | #20 |
@xianghui,
will you be able to provide the information requested in comment #19?
Xiang Hui (xianghui) wrote : | #21 |
@Serge
Sorry, I was travelling for OpenStack summit last week, testing now and I will open a new bug by following your instruction to make it more clear.
Xiang Hui (xianghui) wrote : | #22 |
@Serge
I have opened a new bug https:/
Serge Hallyn (serge-hallyn) wrote : | #23 |
Thanks for that. I'm going to retitle this bug for the general topic of properly reporting spaces in valius.
summary: |
- Unable to set AppArmor profile for /usr/bin/kvm-spice + Unable to set AppArmor profile [...] no such file or directory |
Changed in libvirt (Ubuntu): | |
importance: | Low → High |
description: | updated |
description: | updated |
Prateek khushalani (prateek-khushalani) wrote : | #24 |
Just to add I think I know a solution to this problem:-
1. The libvirt files created under /etc/apparmor.
2. If the directory of the ISO specified has spaces it will fail.
Workaround-
1. Change the name of the file to a very simple one( windows.iso, ubuntu.iso)
2. Make sure the path of the iso contains no directory name with spaces.
3. It works :)
Jean-Pierre van Riel (jpvr) wrote : | #25 |
I'm running libvirt-bin 1.3.1-1ubuntu10.6 and still getting this error. And it is not related to a space with the directory of a .iso file or something.
This is really bizarre. Like other's, those files do exist have other (world) read access set, so no clue what code is asserting that don't exist (when they do). From virt-manager's perspective, the error in the libvirtd daemon process is not visible...
I found reverting changes in `/etc/apparmor/
As per a prior comment above, a related bug is how cumbersome apparmor error handling is. For example, nothing in libvirt nor apparmor had any indicator that something `TEMPLATE.qemu` was putting it off. It even actually generated the per domain apparmor files (as other have observed)
untoreh (untoreh) wrote : | #26 |
this issue still persists. As suggested giving a simple name to the .iso path worked around it.
Christian Ehrhardt (paelzer) wrote : | #27 |
Hi,
sorry for chiming in so late, but I haven't seen this issue before - the last update changed that.
Special chars as reported in comment #26 and comment #15 are an issue, but most of them are fixed or at a better error message now.
First of all since Ubuntu 17.10 (~=UCA-Pike) all files in generated rules are in quotes which formerly they were not - that allows for some chars like spaces.
Further some other chars are just plain forbidden and would break the rule - these are mostly apparmor wilcards so these are now rejected since v3.10.0 by a150b86c instead of later failing when loading the profile.
That said it is hard for me to track details of the old issue, but with a recent Ubuntu this should be all fixed.
With space a rule will now look as:
"/var/
and work just fine.
But the actual issue - at least with tolerable special chars is fixed in the latter releases. And the apparmor wildcards do not randomly fail, or work or be a security issue - instead they always fail now.
I have to admit the message is still the old misleading one in the remaining failing cases.
I spawned bug 1767934 for this - but at low prio.
Per above I'd set the bug fix releases at least for the latter releases.
Given the long time this bug slumbers before a person is hit by it again and the fact that a simple file rename gets you around makes me not think of SRUs for this atm.
So I'll set won't fix for pre-Artful, but hey - discussions welcome.
Changed in libvirt (Ubuntu): | |
status: | Confirmed → Fix Released |
Changed in libvirt (Ubuntu Artful): | |
status: | New → Fix Released |
Changed in libvirt (Ubuntu Xenial): | |
status: | New → Won't Fix |
Changed in libvirt (Ubuntu Bionic): | |
importance: | High → Medium |
Changed in libvirt (Ubuntu Artful): | |
importance: | Undecided → Medium |
Changed in libvirt (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Pascal A. (pascalav) wrote : | #28 |
I reproduce the same on 18.04 LTS:
Log when starting a KVM VM with 'virt-manager':
--
Error starting domain: internal error: Process exited prior to exec: libvirt: error : unable to set AppArmor profile 'libvirt-
Traceback (most recent call last):
File "/usr/share/
callback(
File "/usr/share/
callback(*args, **kwargs)
File "/usr/share/
ret = fn(self, *args, **kwargs)
File "/usr/share/
self.
File "/usr/lib/
if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: internal error: Process exited prior to exec: libvirt: error : unable to set AppArmor profile 'libvirt-
--
But the AppArmor profiles exist:
--
$ sudo ls -lah /etc/apparmor.
-rw-r--r-- 1 root root 293 août 16 23:04 /etc/apparmor.
-rw-r--r-- 1 root root 1,8K août 16 23:05 /etc/apparmor.
$
--
I checked paths the VM relies on (CD-ROM ISOs absolute paths) and they contain no whitespaces.
Tell me if the virt-manager VM XML file is needed for troubleshooting.
A troubleshooting sequence I tried, with no positive result:
1/ Deeply-deleting '*ibvir*' in '/etc/apparmor.d'
2/ Reinstalling the 'libvirt-bin' and its dependencies (incl. 'libvirt-
2.b/ Did 1/ and 2/ for the 'qemu-kvm' and 'virt-manager' packages also
3/ Reloaded the 'apparmor' systemd daemon
4/ Rebooted machine
5/ Reloaded daemons ('daemon-reload'), the 'libvirtd' and 'qemu-kvm' systemd daemons
6/ Retried to start the VM
Could a dependency package be the cause of it?
Pascal A. (pascalav) wrote : | #29 |
I forgot to mention the VM never triggered AppArmor errors with 16.04.x LTS. I never checked if AppArmor was really running by the way (this is not a production host, only a developer machine).
Pascal A. (pascalav) wrote : | #30 |
(sorry for spamming multiple-posts)
When the error occurs, 'dmesg' outputs:
--
[ 1835.178954] audit: type=1400 audit(153445516
--
Christian Ehrhardt (paelzer) wrote : | #31 |
Hi,
the "file not found" is a red herring - in 99% of the cases it is something in the actual generated profile that is broken.
Maybe newer libvirt generates a rule now for you (which it didn't before) and the config for that element contains something (e.g. a bad name) that makes it break.
To debug we'd need the /etc/apparmor.
I think with [1] you can even modify the profile (mostly in the one with .files) and reload until you found which rule is breaking it.
I'd assume something like:
$ sudo apparmor_parser -r /etc/apparmor.
AppArmor parser error for /etc/apparmor.
Iterate:
vim /etc/apparmor.
# adapt rules
sudo apparmor_parser -r /etc/apparmor.
# until this works
[1]: https:/
Pascal A. (pascalav) wrote : | #32 |
Hi Christian,
This is a false-positive reopening of this issue indeed. Still, it may contain useful bits.
The error occurrence I forwarded is now solved, thanks to what you advised on a side-subject at https:/
When producing stacktrace in here ( https:/
--
{dev,run}/shm/ rw,
{dev,run}/shm/* rw,
--
This was a mistake to add those rules, since I should have edited the existing ones (that you stated at https:/
In the end, I kinda duplicated the '{dev,run}/shm' rules when producing the error. With the following diff + a reload of the AppArmor profile, the error vanished:
--
$ sudo diff /etc/apparmor.
56c56,57
< /{dev,run}/shm r,
---
> /{dev,run}/shm rw,
> /{dev,run}/shm/* rw,
--
What I did was just moving the 2 lines initially appended to the files, in order to overwrite the existing rules.
A few asserts when the error was produced:
- None of 'sudo systemctl reload apparmor', 'sudo systemctl restart apparmor' or 'sudo systemctl status apparmor' (in sequence) returned or shew an error
Christian Ehrhardt (paelzer) wrote : | #33 |
Yeah it is always good to have such insights here to be found by search engines for the next who hits it.
Glad that my recommendations helped.
James Gibson (hawruh) wrote : | #34 |
I had this issue and what I did to solve it was:
Deleted relevant files in /etc/apparmor.
1. sudo rm /etc/apparmor.
2. sudo rm /etc/apparmor.
3. Restart machine
And then it worked
Christian Ehrhardt (paelzer) wrote : Re: [Bug 1384532] Re: Unable to set AppArmor profile [...] no such file or directory | #35 |
> 1. sudo rm /etc/apparmor.
> 2. sudo rm /etc/apparmor.
> 3. Restart machine
#1 and #2 are regenerated new on every VM start.
So could it be that it was just 3 for you?
Jason Fisher (digitalsanity) wrote : | #36 |
I also fixed a similar issue that complained about AppArmor and qemu-system-x86_64 by deleting the /etc/apparmor.
I did not need to restart and was able to start the VM immediately.
Thanks for reporting this bug. I can't reproduce it on my laptop. Could you please provide the full .xml for a failing VM?
Please also show the results (on the compute node) of:
ls -l /usr/bin/kvm*