Focal:
- apparmor 2.13.3-7ubuntu5.1
- kernel 5.4.0-109-generic
- libvirt:
a) base 6.0.0-0ubuntu8.16
b) server-backport 8.0.0-1ubuntu7.2~backport20.04.202210042317~ubuntu20.04.1
c) UCA Yoga 8.0.0-1ubuntu7.1~cloud0
With none did a restart trigger an issue as reported.
libvirtd is reported to be in enforce mode by aa-status
Something must be different on the affected systems, any idea what it might be?
But also bpf is not present in that file for any of those versions.
For me this is always empty:
$ grep bpf /etc/apparmor.d/usr.sbin.libvirtd
The reason is (and that explains why it felt known to me) that I have resolved that in March.
https://git.launchpad.net/~canonical-server/ubuntu/+source/libvirt/commit/?h=backport-libvirt-focal&id=21eb63454433d7b2c2b75f197b7064c96cf7d1e8
Since it is a conffile it might not be updated on upgrades, so I have checked that.
Server backports was fine as expected.
Yoga is indeed still having bpf when purging and re-installing (to force the default conffile in the package).
And then I can see it:
Oct 05 16:27:58 f apparmor.systemd[48796]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf.
Oct 05 16:27:58 f apparmor.systemd[48720]: Error: At least one profile failed to load
Oct 05 16:27:58 f systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Oct 05 16:27:58 f systemd[1]: apparmor.service: Failed with result 'exit-code'.
Oct 05 16:27:58 f systemd[1]: Failed to start Load AppArmor profiles.
And indeed it is missing here:
https://git.launchpad.net/~ubuntu-cloud-archive/ubuntu/+source/ca-patches/tree/yoga/libvirt.patch
So UCA needs to pick up the patch I referenced above.
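
An added example, not part of the comment above and not code from libvirt or AppArmor: a shell sketch that pulls the rejected capability out of journal lines like those quoted and locates the matching rule in a profile, plus a preflight compile with the installed parser. The function names are assumptions and the profile excerpt is constructed; the journal lines are the ones quoted in the comment.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# Read journal text on stdin; print "profile line capability" for every
# "Invalid capability" parser error.
parser_failures() {
    sed -n 's/.*AppArmor parser error for \([^ ]*\) in [^ ]* at line \([0-9][0-9]*\): Invalid capability \([a-z_]*\).*/\1 \2 \3/p'
}

# Print "lineno:text" for each rule in profile $1 that names capability $2.
capability_lines() {
    grep -nE "^[[:space:]]*(audit[[:space:]]+|deny[[:space:]]+)*capability[[:space:]]([^,#]*[[:space:]])?$2[[:space:]]*," "$1"
}

# Compile profile $1 with the installed parser without loading it into the
# kernel (-Q) and without reading the cache (-K). Returns 2 if no parser.
preflight() {
    command -v apparmor_parser >/dev/null 2>&1 || return 2
    apparmor_parser -Q -K "$1" >/dev/null
}

# Journal lines as quoted in the comment above.
sample_journal() {
    cat <<'EOF'
Oct 05 16:27:58 f apparmor.systemd[48796]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf.
Oct 05 16:27:58 f apparmor.systemd[48720]: Error: At least one profile failed to load
EOF
}

# Constructed profile excerpt (not the real conffile).
sample_profile() {
    printf '%s\n' '/usr/sbin/libvirtd {' '  capability sys_admin,' \
        '  capability bpf,' '  # capability bpf, (comment only)' '}'
}

demo() {
    tmp=$(mktemp) || return 1
    sample_profile > "$tmp"
    sample_journal | parser_failures | while read -r profile line cap; do
        echo "parser rejected '$cap' in $profile (line $line)"
        capability_lines "$tmp" "$cap"
    done
    rm -f "$tmp"
}
demo
```

On a real host, `preflight /etc/apparmor.d/usr.sbin.libvirtd` run after a package upgrade and before restarting apparmor.service shows whether the conffile on disk still compiles with the installed parser.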