Comment 34 for bug 799997

Jamie Strandboge (jdstrand) wrote : Re: error happen when using virsh to start a vm " internal error cannot generate AppArmor profile"

A typical approach (though unfortunately undocumented; we should really add this to the wiki somewhere) is to do something like the following (see /usr/lib/libvirt/virt-aa-helper -h for more info; -u/--uuid is of the form 'libvirt-<domuuid>'):

If profile does not exist:
export VM=foo ; virsh dumpxml $VM | sudo /usr/lib/libvirt/virt-aa-helper -c -u libvirt-`virsh domuuid $VM`

If profile already does exist:
export VM=foo ; virsh dumpxml $VM | sudo /usr/lib/libvirt/virt-aa-helper -r -u libvirt-`virsh domuuid $VM`

So, I saved your xml to /tmp/xml, then did:
cat /tmp/xml | sudo /usr/lib/libvirt/virt-aa-helper -c -u libvirt-6445bf42-7513-985a-7920-9e89a4c42ffe
virt-aa-helper: warning: path does not exist, skipping file type checks
virt-aa-helper: error: /lib4/vmpool1/myhost.org-sda.raw
virt-aa-helper: error: skipped restricted file
virt-aa-helper: error: invalid VM definition

What is happening is that virt-aa-helper does some safety checks and notices that the disk (a writable file) is in a non-standard directory that starts with /lib, so it skips the file. Because this file is the disk, it fails with 'invalid VM definition'. The bad news is that the restricted file checks are hardcoded in the source code for virt-aa-helper. The good news is that if you move it somewhere else (e.g., /srv/vmpool1/myhost.org-sda.raw) it should work fine and you will be able to retain the guest isolation security that the apparmor driver provides (virt-aa-helper is a bit noisy since I don't have the disk present, but that is not an error condition). E.g., making the change to the xml:
$ cat /tmp/xml | sudo /usr/lib/libvirt/virt-aa-helper -c -u libvirt-6445bf42-7513-985a-7920-9e89a4c42ffe
virt-aa-helper: warning: path does not exist, skipping file type checks
2012-12-29 19:30:27.679+0000: 10245: info : libvirt version: 0.9.13
2012-12-29 19:30:27.679+0000: 10245: warning : virDomainDiskDefForeachPath:14691 : Ignoring open failure on /srv/vmpool1/myhost.org-sda.raw: No such file or directory
$ sudo aa-status | grep libvirt-6445bf42-7513-985a-7920-9e89a4c42ffe
   libvirt-6445bf42-7513-985a-7920-9e89a4c42ffe
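The procedure from the comment above, wrapped as an added shell helper that is not part of the bug report or of libvirt: it picks -c or -r depending on whether the per-domain profile already exists, and pre-checks the domain XML for disk paths under the /lib prefix that made virt-aa-helper skip the disk. PROFILE_DIR (assumed: /etc/apparmor.d/libvirt) and the function names are assumptions.

```shell
#!/bin/sh
# Added helper (not from the bug report or libvirt). Assumes the per-domain
# AppArmor profiles live under PROFILE_DIR, as on Ubuntu.
PROFILE_DIR="${PROFILE_DIR:-/etc/apparmor.d/libvirt}"

# Print -r if a profile for libvirt-<uuid> already exists, otherwise -c,
# matching the two virt-aa-helper invocations in the comment.
aa_helper_flag() {
    uuid="$1"
    if [ -e "$PROFILE_DIR/libvirt-$uuid" ]; then
        printf '%s\n' -r
    else
        printf '%s\n' -c
    fi
}

# List <source file='...'/> paths in a domain XML that start with /lib, the
# prefix the comment identifies as restricted. Returns 1 if any are found.
# (Paths containing whitespace are not handled by this simple loop.)
restricted_disks() {
    xml="$1"
    found=0
    for p in $(sed -n "s/.*<source file='\([^']*\)'.*/\1/p" "$xml"); do
        case "$p" in
            /lib*) printf 'restricted: %s\n' "$p"; found=1 ;;
        esac
    done
    return $found
}

# Regenerate the profile for VM "$1" with the right flag; this is the pair of
# commands from the comment, with the -c/-r choice made automatically.
regen_profile() {
    vm="$1"
    uuid=$(virsh domuuid "$vm")
    flag=$(aa_helper_flag "$uuid")
    virsh dumpxml "$vm" | sudo /usr/lib/libvirt/virt-aa-helper "$flag" -u "libvirt-$uuid"
}
```

Run restricted_disks on the dumped XML first; if it reports a path, move the disk (as the comment suggests) before calling regen_profile.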