The guest now looks like:
$ virsh domblklist eoan --details
Type Device Target Source
--------------------------------------------------------------------------
file disk vda /var/lib/uvtool/libvirt/images/eoan.qcow
file disk vdb /var/lib/uvtool/libvirt/images/eoan-ds.qcow
file disk vdc /var/lib/uvtool/libvirt/images/eoan-disk1.qcow
file disk vdd /var/lib/uvtool/libvirt/images/eoan-disk2.qcow
Snapshot of single disk works:
$ virsh snapshot-create-as --domain eoan --disk-only --atomic --diskspec vda,snapshot=no --diskspec vdb,snapshot=no --diskspec vdc,file=/var/lib/libvirt/images/eoan-disk1.snapshot1.qcow,snapshot=external --diskspec vdd,snapshot=no
The apparmor profile got the snapshot added as expected:
cat /etc/apparmor.d/libvirt/libvirt-72b929d2-389d-4c60-9f3b-4c3a8a98b4b0.files
...
"/var/lib/libvirt/images/eoan-disk1.snapshot1.qcow" rwk,
Snapshot of multiple disks fails:
virsh snapshot-create-as --domain eoan --disk-only --atomic --diskspec vda,snapshot=no --diskspec vdb,snapshot=no --diskspec vdc,file=/var/lib/libvirt/images/eoan-disk1.snapshot1.qcow,snapshot=external --diskspec vdd,file=/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow,snapshot=external
error: internal error: unable to execute QEMU command 'transaction': Could not create file: Permission denied
Neither of the two paths got added to the apparmor profile.
Alongside that we see the expected apparmor denials.
apparmor="DENIED" operation="open" profile="libvirt-72b929d2-389d-4c60-9f3b-4c3a8a98b4b0" name="/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow" pid=23603 comm="qemu-system-x86" requested_mask="wrc" denied_mask="wrc" fsuid=64055 ouid=64055
This proves the report.
I'll be out for a while after today, but I agree that we need to sort out what is missing in this case.
In the single snapshot case I've seen virt-aa-helper called to add a line; it needs debugging where this fails with more than one snapshot target.
Until then, as a workaround, one might try to snapshot each of the disks one by one (therefore only medium).
From the description of Dominque this seemed a common case, so I tried with just qcow files and got it confirmed.
# Create basic guest (already has two disks)
uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=eoan
uvt-kvm create --password ubuntu eoan arch=amd64 release=eoan label=daily
# Add further disks for the test:
sudo qemu-img create -f qcow2 /var/lib/uvtool/libvirt/images/eoan-disk1.qcow 1G
sudo qemu-img create -f qcow2 /var/lib/uvtool/libvirt/images/eoan-disk2.qcow 1G
<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source file='/var/lib/uvtool/libvirt/images/eoan-disk1.qcow'/>
  <target dev='vdc' bus='virtio'/>
</disk>
<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source file='/var/lib/uvtool/libvirt/images/eoan-disk2.qcow'/>
  <target dev='vdd' bus='virtio'/>
</disk>
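Added example, not part of the original comment and not libvirt code: a Python check that compares the external snapshot targets named in a snapshot-create-as command line with the rules in the guest's libvirt-<uuid>.files profile snippet, and extracts the denied path from an AppArmor audit record. The function names and the sample profile contents are assumptions constructed for illustration.

```python
import re
import shlex

IMG = "/var/lib/libvirt/images/"
# Constructed inputs modelled on the commands and log line quoted above.
MULTI_CMD = (
    "virsh snapshot-create-as --domain eoan --disk-only --atomic "
    "--diskspec vda,snapshot=no --diskspec vdb,snapshot=no "
    f"--diskspec vdc,file={IMG}eoan-disk1.snapshot1.qcow,snapshot=external "
    f"--diskspec vdd,file={IMG}eoan-disk2.snapshot1.qcow,snapshot=external")
# Constructed profile snippet: no snapshot rules, as after the failed run.
PROFILE = '''
  "/var/lib/uvtool/libvirt/images/eoan-disk1.qcow" rwk,
  "/var/lib/uvtool/libvirt/images/eoan-disk2.qcow" rwk,
'''
AUDIT = ('apparmor="DENIED" operation="open" '
         'profile="libvirt-72b929d2-389d-4c60-9f3b-4c3a8a98b4b0" '
         f'name="{IMG}eoan-disk2.snapshot1.qcow" pid=23603 '
         'comm="qemu-system-x86" requested_mask="wrc" denied_mask="wrc"')

def external_targets(cmd):
    """Map disk target -> overlay file for each snapshot=external diskspec."""
    argv = shlex.split(cmd)
    out = {}
    for flag, spec in zip(argv, argv[1:]):
        if flag != "--diskspec":
            continue
        target, *opts = spec.split(",")  # paths containing commas not handled
        kv = dict(o.split("=", 1) for o in opts if "=" in o)
        if kv.get("snapshot") == "external" and "file" in kv:
            out[target] = kv["file"]
    return out

def profile_rules(files_text):
    """Parse '"<path>" <perms>,' lines into {path: perms}."""
    return dict(re.findall(r'^\s*"([^"]+)"\s+(\w+),', files_text, re.M))

def missing_rules(cmd, files_text):
    """Overlay files that have no profile rule granting write access."""
    rules = profile_rules(files_text)
    return sorted(f for f in external_targets(cmd).values()
                  if "w" not in rules.get(f, ""))

def denials(log_text):
    """Yield (profile, path, denied_mask) for each AppArmor DENIED record."""
    for line in log_text.splitlines():
        rec = dict(re.findall(r'(\w+)="([^"]*)"', line))
        if rec.get("apparmor") == "DENIED":
            yield rec.get("profile"), rec.get("name"), rec.get("denied_mask")
```

Run against the real .files snippet after a failed multi-disk snapshot, missing_rules() lists the overlay paths that never reached the profile, which can then be matched against the paths reported by denials().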