starting kvm guest with disk file in /etc fails with apparmor error 'could not remove profile'

Bug #530400 reported by Simon Huerlimann on 2010-03-02
This bug affects 3 people
Affects           Status   Importance   Assigned to        Milestone
libvirt (Ubuntu)           Medium       Jamie Strandboge

Bug Description

This may be related to bugs #448671 and #496163. syslog looks similar... Ask if you need it or some other log/config...

On a fresh installation of Ubuntu Server 9.10 I've created a KVM instance using ubuntu-vm-builder. I then run 'define' and 'start' in virsh, successfully starting the virtual server.

I then added another bridge on the KVM-Host and added an interface to the KVM-Guest. It all works well.

I then tried to create another guest using ubuntu-vm-builder. While the creation went well, and I could 'define' it in virsh, it won't start. It shows the following error:

 virsh # start dns01
 error: Failed to start domain dns01
 error: could not remove profile for 'libvirt-9081d82b-a859-47a2-5c2b-6caa424c4887'

I tried the same another time, creating a third guest... Same error, new name...


Simon Huerlimann (huerlisi) wrote :

I have no idea about the inner functionality of apparmor. I thus tried to get the hosts running by

 sudo /etc/init.d/apparmor stop

But this doesn't seem to help. Still the same error...

Any idea how to disable apparmor for kvm/libvirt?

Simon Huerlimann (huerlisi) wrote :

Well, after restarting libvirt (sudo /etc/init.d/libvirt-bin restart) too, it now works...

Simon Huerlimann (huerlisi) wrote :

Starting apparmor again, and restarting libvirt brings back the error.

Jamie Strandboge (jdstrand) wrote :

Simon,

Can you provide the kern.log after you see this error? Can you also give the exact steps to reproduce this problem?

Changed in libvirt (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete
Simon Huerlimann (huerlisi) wrote :

Well, I think I've tracked it down:

The VM can't be started and virsh shows the above-mentioned error when the qcow2 disk source file is located in /etc (at least when in /etc/libvirt/qemu or /etc/network). So the following snippet in the XML file triggers the error:
    <disk type='file' device='disk'>
      <source file='/etc/libvirt/qemu/infra01/disk0.qcow2'/>
      <target dev='hda' bus='ide'/>
    </disk>

While something like
    <disk type='file' device='disk'>
      <source file='/srv/cyt.ch/kvm/infra01/disk0.qcow2'/>
      <target dev='hda' bus='ide'/>
    </disk>
works like a charm.

Well, it's absolutely stupid to create disk files in /etc, I know. Was triggered by simply running ubuntu-vm-builder from those directories while not being fully awake...

Well, in the end I think it's a sysadmin's decision where to put those disk files. While /etc is really stupid, there might be some other places "silently forbidden" by apparmor. I think some more bugs like this will be filed if there's no better error message... For this reason, I'm leaving this bug open, even though it could be considered invalid...

Well, kern.log is quite quiet:
Mar 2 14:53:54 leo01 kernel: [84139.330434] type=1505 audit(1267538034.463:52): operation="profile_remove" info="failed: profile does not exist" pid=11213 name=libvirt-009c6a05-d841-2b80-51ac-fc940f0000f4 namespace=default

syslog is more verbose:
Mar 2 14:53:54 leo01 libvirtd: 14:53:54.226: error : virSecurityReportError:108 : error calling aa_change_profile()
Mar 2 14:53:54 leo01 libvirtd: 14:53:54.226: error : qemudSecurityHook:1790 : internal error Failed to set security label
Mar 2 14:53:54 leo01 libvirtd: 14:53:54.227: error : virExecDaemonize:678 : internal error Intermediate daemon process exited with status 1.
Mar 2 14:53:54 leo01 kernel: [84139.085901] device vnet2 entered promiscuous mode
Mar 2 14:53:54 leo01 kernel: [84139.086434] br_dmz: port 2(vnet2) entering learning state
Mar 2 14:53:54 leo01 kernel: [84139.114878] br_dmz: port 2(vnet2) entering disabled state
Mar 2 14:53:54 leo01 kernel: [84139.154409] device vnet2 left promiscuous mode
Mar 2 14:53:54 leo01 kernel: [84139.154413] br_dmz: port 2(vnet2) entering disabled state
Mar 2 14:53:54 leo01 libvirtd: 14:53:54.333: error : qemudReadLogOutput:816 : internal error Process exited while reading console log output
Mar 2 14:53:54 leo01 libvirtd: 14:53:54.333: error : qemudWaitForMonitor:1103 : internal error unable to start guest: libvir: Security Labeling error : error calling aa_change_profile()#012libvir: QEMU error : internal error Failed to set security label#012
Mar 2 14:53:54 leo01 libvirtd: 14:53:54.471: error : virRun:833 : internal error '/usr/bin/virt-aa-helper -R -u libvirt-009c6a05-d841-2b80-51ac-fc940f0000f4' exited with non-zero status 1 and signal 0: libvir: error : internal error '/sbin/apparmor_parser -R /etc/apparmor.d/libvirt/libvirt-009c6a05-d841-2b80-51ac-fc940f0000f4' exited with non-zero status 234 and signal 0: /sbin/apparmor_parser: Unable to remove "libvirt-009c6a05-d841-2b80-51ac-fc940f0000f4". Profile doesn't exist#012virt-aa-helper: error: failed to run apparmor_parser#012
Mar 2 14:53:54 leo01...

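A check for the condition Simon isolated in the comment above, added here as an example and not part of the bug report or of libvirt: it lists the file-backed disks of a domain whose source lies under /etc (the only prefix the report identifies; the deny list is an assumption you can extend) and picks the matching profile_remove audit event out of kern.log. The domain XML and the log line are constructed from the snippets quoted in the comment.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two disk stanzas from the comment, wrapped in a minimal domain.
DOMAIN_XML = """<domain type='kvm'>
  <name>infra01</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/etc/libvirt/qemu/infra01/disk0.qcow2'/>
      <target dev='hda' bus='ide'/>
    </disk>
    <disk type='file' device='disk'>
      <source file='/srv/cyt.ch/kvm/infra01/disk0.qcow2'/>
      <target dev='hdb' bus='ide'/>
    </disk>
  </devices>
</domain>"""

# Assumption: /etc is the only location the report shows virt-aa-helper refusing.
FORBIDDEN_PREFIXES = ("/etc/",)

# Constructed kern.log line modelled on the audit record in the comment.
KERN_LOG = ('Mar 2 14:53:54 leo01 kernel: [84139.330434] type=1505 audit(1267538034.463:52): '
            'operation="profile_remove" info="failed: profile does not exist" pid=11213 '
            'name=libvirt-009c6a05-d841-2b80-51ac-fc940f0000f4 namespace=default\n')

AUDIT_RE = re.compile(r'operation="profile_remove" info="failed: profile does not exist"'
                      r'.*?name=(?P<name>libvirt-[0-9a-f-]+)')


def disk_sources(domain_xml):
    """Source path of every file-backed disk in a libvirt domain definition."""
    root = ET.fromstring(domain_xml)
    return [d.find("source").get("file")
            for d in root.iter("disk")
            if d.get("type") == "file" and d.find("source") is not None]


def risky_disks(domain_xml, prefixes=FORBIDDEN_PREFIXES):
    """Disks whose backing file sits under a prefix the AppArmor helper is known to reject."""
    return [p for p in disk_sources(domain_xml) if p.startswith(prefixes)]


def stale_profile_removals(log_text):
    """Profile names whose removal failed because the profile was never loaded."""
    return [m.group("name") for m in AUDIT_RE.finditer(log_text)]


if __name__ == "__main__":
    print("disks under a forbidden prefix:", risky_disks(DOMAIN_XML))
    print("profile_remove failures:", stale_profile_removals(KERN_LOG))
```

A `profile_remove` failure paired with a disk under a forbidden prefix is the signature of this report; on a fixed libvirt the removal failure alone is logged but no longer fatal.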

summary: - starting second kvm guest created using ubuntu-vm-builder fails with
+ starting kvm guest with disk file in /etc fails with apparmor error
'could not remove profile'
Changed in libvirt (Ubuntu):
status: Incomplete → Triaged
importance: Undecided → Medium
milestone: none → ubuntu-10.04
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.7.5-5ubuntu9

---------------
libvirt (0.7.5-5ubuntu9) lucid; urgency=low

  * debian/apparmor/libvirt-qemu:
    - explicitly deny setpcap to silence denials. See LP: 522845 for details
    - allow read access to /proc/*/status
  * debian/patches/9014-apparmor-remove-unloaded-profile-is-not-fatal.patch:
    Don't exit with error if the user unloaded the profile outside of libvirt
    (LP: #530400)
 -- Jamie Strandboge <email address hidden> Wed, 03 Mar 2010 06:29:39 -0600

Changed in libvirt (Ubuntu):
status: Triaged → Fix Released
lhotari (lartsa) wrote :

Bug #665531 might be related. Replacing "host_device" with "raw" in XML definitions fixed the problem for me.
