Comment 26 for bug 1594902

I once more tried to reproduce and check a few more logs.
Please do mind that bug 1386465 seems related or even the same - and occorring every now and then since 14.04->14.10 - but always ended similar with "unable to reproduce" or open questions :-/

I happened to find that Serge had no success reproducing so far on the older bug and expected to be no different, but always worth a try.
TODO - what I did

The upgrade then effectively was from 1.2.2-0ubuntu13.1.17 to TODO with a running guest.
The upgrade itself ran fine until it asked me to reboot, I checked status before and after that reboot,

$ service libvirt-bin status
libvirt-bin start/running, process 13840
$ virsh list | grep running
 2 testguest running
$ uvt-kvm ssh --insecure testguest "date; uptime"
Mon Feb 13 07:55:53 UTC 2017
 07:55:53 up 32 min, 0 users, load average: 0.00, 0.00, 0.00
$ dmesg | grep -i deni
<nothing>

Then after the restart I got:
- A correctly running service (now systemd output, but clealer not as in comment #9)
- Guest that starts just fine
- No Denies by apparmor

But - I had switched apparmor to audit mode for libvirt and did not see the netlink message at all.
You had:
  apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=15585 comm="libvirtd" family="netlink" sock_type="raw" protocol=9 requested_mask="create" denied_mask="create"
I'm fine not having the DENIED, but not seeing it at all, indicates to me that you have some sort of setup that triggers this.
This "bit of setup" might be what we look out for to be able to reproduce.

I'll look into that config a bit if I can easily find it, but would ask all of you if you know what of your config it might be.

I'll also duplicate a few more similar reports onto this, to hope we can find that missing config-bit together.