[apparmor] Disable apparmor without restart
Seth Arnold
seth.arnold at canonical.com
Wed Jan 5 03:04:51 UTC 2022
On Sun, Jan 02, 2022 at 08:49:05PM -0800, John Johansen wrote:
> On 12/28/21 2:00 AM, Sina Kashipazha wrote:
> > Hey there,
> >
> > I have two hosts in my setup, one of them uses AppArmor (h1), and
> > another one doesn't have it (h2). I want to use virsh to live migrate
> > my VMs from h1 to h2, but I'm not able to do that because the h2 host
> > doesn't have the AppArmor policy.
> >
> > I was wondering, is it possible to edit the XML configuration file of
> > the VM and disable AppArmor without restarting the VMs?
> >
>
> AFAIK no, but you can manually remove the apparmor protection on the VM
> by unloading the profiles.
>
> sudo aa-teardown
>
> will remove apparmor protections from the whole system.
>
> if you want to be more selective you can just unload the VMs
> profiles. Using apparmor_parser -R

My guess is that you're probably getting stuck on a *libvirt* check
to make sure that source and destination systems are 'identical', and
actually tearing down the apparmor profiles in place at runtime behind
the back of libvirt will just lead to a very confused libvirt environment.

It's my theory that trying to disable AppArmor itself on the sending
machine isn't going to get you to where you want to go.

I don't have an environment available for testing, but my guess is the
virsh dumpxml --migratable may be able to emit XML that omits the security
information.

I hope this helps.

Thanks
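
One way to check what security information a domain's XML actually carries, as an added example that is not part of the original message and is not libvirt or AppArmor code: the script below lists every `<seclabel>` element in libvirt domain XML, so output from `virsh dumpxml` with and without `--migratable` can be compared. The sample XML is constructed, and the function names `find_seclabels` and `models_in_use` are hypothetical.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of libvirt domain XML (not captured from a real host).
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>vm1</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/vm1.qcow2'>
        <seclabel model='apparmor' relabel='no'/>
      </source>
    </disk>
  </devices>
  <seclabel type='dynamic' model='apparmor' relabel='yes'>
    <label>libvirt-00000000-0000-0000-0000-000000000000</label>
    <imagelabel>libvirt-00000000-0000-0000-0000-000000000000</imagelabel>
  </seclabel>
  <seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>
"""

def find_seclabels(domain_xml):
    """Return (path, model, type, label) for every <seclabel> in the XML."""
    found = []

    def walk(elem, path):
        for child in elem:
            child_path = path + "/" + child.tag
            if child.tag == "seclabel":
                found.append((child_path, child.get("model"),
                              child.get("type"), child.findtext("label")))
            walk(child, child_path)

    root = ET.fromstring(domain_xml)
    walk(root, root.tag)
    return found

def models_in_use(domain_xml):
    """Sorted list of security driver models named by any <seclabel>."""
    return sorted({model for _, model, _, _ in find_seclabels(domain_xml) if model})

if __name__ == "__main__":
    # Reads domain XML from a pipe; falls back to the constructed sample.
    text = SAMPLE_DOMAIN_XML if sys.stdin.isatty() else sys.stdin.read()
    for path, model, kind, label in find_seclabels(text):
        print(f"{path}: model={model} type={kind} label={label}")
    print("models:", ", ".join(models_in_use(text)) or "none")
```

Piping the output of `virsh dumpxml` for a domain into the script, once with `--migratable` and once without, shows whether the migratable form still names the `apparmor` model.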