[Bug 431090] Re: libvirt apparmor profile is preventing libvirt from running eucalyptus VMs

Daniel Nurmi dnurmi at gmail.com
Thu Sep 17 19:11:58 BST 2009

Jamie, thank you for taking a look here.  First, after your response,
I've been able to modify /etc/apparmor.d/abstractions/libvirt-qemu with
the following:

  /var/lib/eucalyptus/instances/**/console.log w,
  /var/lib/eucalyptus/instances/**/kernel r,
  /var/lib/eucalyptus/instances/**/ramdisk r,

in order to allow the NC to start a VM.  I believe that kernel can
always be 'r' only, but I'm not 100% sure about the initrd (ramdisk).
It may be the case that some VMs could potentially modify the initrd on

Regarding pidfile, monitor, log file:

from the commandline -

/usr/bin/kvm -S -M pc-0.11 -m 128 -smp 1 -name i-4CFC08E8 -uuid
9f141023-980c-0577-d143-72fcd2d8b7f1 -nographic -monitor
unix:/var/run/libvirt/qemu/i-4CFC08E8.monitor,server,nowait -boot c
-kernel /var/lib/eucalyptus/instances/admin/i-4CFC08E8/kernel -initrd
/var/lib/eucalyptus/instances/admin/i-4CFC08E8/ramdisk -append
root=/dev/sda1 console=ttyS0 -drive
-net nic,macaddr=d0:0d:4c:fc:08:e8,vlan=0,model=e1000,name=e1000.0 -net
tap,fd=17,vlan=0,name=tap.0 -serial
-parallel none -usb

I at least see the monitor file path
(/var/run/libvirt/qemu/i-4CFC08E8.monitor), libvirt doesn't appear to be
specifying a pid or logfile path, and so I believe they are going to
their default location(s).  I can at least confirm that the logfile is
being dropped in /var/log/libvirt/qemi//i-4CFC08E8.log (cannot confirm
pidfile because the process is dying right away).

example libvirt dumpxml:

Connecting to uri: qemu:///system
<domain type='kvm' id='7'>
    <type arch='x86_64' machine='pc-0.11'>hvm</type>
    <cmdline>root=/dev/sda1 console=ttyS0</cmdline>
    <boot dev='hd'/>
  <clock offset='utc'/>
    <disk type='file' device='disk'>
      <source file='/var/lib/eucalyptus/instances/admin/i-516E092C/disk'/>
      <target dev='sda' bus='scsi'/>
    <interface type='bridge'>
      <mac address='d0:0d:51:6e:09:2c'/>
      <source bridge='br0'/>
      <target dev='vnet0'/>
      <model type='e1000'/>
    <serial type='file'>
      <source path='/var/lib/eucalyptus/instances/admin/i-516E092C/console.log'/>
      <target port='0'/>
    <console type='file'>
      <source path='/var/lib/eucalyptus/instances/admin/i-516E092C/console.log'/>
      <target port='0'/>
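
Added example (not part of the original message or of libvirt): a small audit that reads a domain XML, lists the host files the guest's QEMU process has to open, and reports which of them the three abstraction rules quoted above do not grant. The sample XML is constructed from the instance paths in the message, the glob handling is a simplification of AppArmor's, and the "rw" requirement for the disk image is an assumption; rules elsewhere in the profile are not considered.

```python
import re
import xml.etree.ElementTree as ET

# The three rules quoted in the message above: (path glob, permissions).
RULES = [
    ("/var/lib/eucalyptus/instances/**/console.log", "w"),
    ("/var/lib/eucalyptus/instances/**/kernel", "r"),
    ("/var/lib/eucalyptus/instances/**/ramdisk", "r"),
]

# Constructed sample: a well-formed domain using the instance paths from the message.
INST = "/var/lib/eucalyptus/instances/admin/i-4CFC08E8"
SAMPLE_XML = f"""<domain type='kvm'>
  <os><kernel>{INST}/kernel</kernel><initrd>{INST}/ramdisk</initrd></os>
  <devices>
    <disk type='file'><source file='{INST}/disk'/></disk>
    <serial type='file'><source path='{INST}/console.log'/></serial>
  </devices>
</domain>"""

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '**' crosses '/', a single '*' does not."""
    parts = re.split(r"(\*\*|\*)", glob)
    body = "".join(".*" if t == "**" else "[^/]*" if t == "*" else re.escape(t)
                   for t in parts)
    return re.compile(body + r"\Z")

def needed_access(domain_xml):
    """Yield (path, perms) for files referenced by the domain definition."""
    root = ET.fromstring(domain_xml)
    for tag in ("os/kernel", "os/initrd"):
        for el in root.findall(tag):
            yield el.text.strip(), "r"
    for src in root.findall("devices/disk[@type='file']/source"):
        yield src.get("file"), "rw"  # assumption: disk image is opened read-write
    for kind in ("serial", "console"):
        for src in root.findall(f"devices/{kind}[@type='file']/source"):
            yield src.get("path"), "w"

def uncovered(domain_xml, rules=RULES):
    """Return sorted (path, missing_perms) pairs that `rules` do not grant."""
    compiled = [(glob_to_regex(g), p) for g, p in rules]
    gaps = set()
    for path, perms in needed_access(domain_xml):
        granted = {c for rx, p in compiled if rx.match(path) for c in p}
        missing = "".join(c for c in perms if c not in granted)
        if missing:
            gaps.add((path, missing))
    return sorted(gaps)
```

Calling uncovered() on a real `virsh dumpxml` output lists each path that still needs a rule, together with the permission letters that are missing.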


