[Bug 605593] [NEW] virsh won't start any domain, but gives an error message; maybe related to apparmor

mk 605593 at bugs.launchpad.net
Wed Jul 14 21:11:30 BST 2010 

Public bug reported:

Binary package hint: libvirt-bin

1. Ubuntu version: Ubuntu maverick (developement branch), 10.10
2. Package versions: libvirt-bin_0.8.1-2ubuntu1, virt-manager_0.8.4-3ubuntu5, apparmor_2.5-0ubuntu3

3. What I expected to happen: My virtual domains would start as usual.

4. What happened instead:

Error
-------
When I try to start any of my virtual guest domains, I get an error like this:

root at meta: virsh start maverick
error: Failed to start domain maverick
error: internal error Process exited while reading console log output: libvir: Security Labeling error : internal error error calling aa_change_profile()

syslog
---------
In /var/log/syslog, I can afterwards find lines like these:

Jul 14 21:31:09 meta libvirtd: 21:31:09.931: error : qemudReadLogOutput:1870 : internal error Process exited while reading console log output: libvir: Security Labeling error : internal error error calling aa_change_profile()#012
Jul 14 21:31:10 meta kernel: [ 3137.876313] type=1400 audit(1279135870.105:113):  operation="profile_remove" info="profile does not exist" error=-2 pid=4102 name="libvirt-ec6cd778-6ae9-019b-e81a-134ab631fa1e" pid=4102 comm="apparmor_parser"
Jul 14 21:31:10 meta kernel: [ 3138.099070] type=1400 audit(1279135870.325:114):  operation="getattr" pid=1346 parent=1 profile="/usr/sbin/libvirtd" name="/" pid=1346 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Domain configuration file
----------------------------------
The domain configuration file looks like this:

root at meta# virsh dumpxml maverick
<domain type='kvm'>
  <name>maverick</name>
  <uuid>ec6cd778-6ae9-019b-e81a-134ab631fa1e</uuid>
  <memory>1048576</memory>
  <currentMemory>1048576</currentMemory>
  <vcpu>2</vcpu>
  <os>
    <type arch='x86_64' machine='pc-0.12'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/home/VMs/maverick.img'/>
      <target dev='vda' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/home/VMs/ISO/ubuntu-10.04-desktop-amd64.iso'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <address type='drive' controller='0' bus='1' unit='0'/>
    </disk>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <interface type='bridge'>
      <mac address='52:54:00:47:04:05'/>
      <source bridge='br0'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target port='0'/>
    </console>
    <input type='tablet' bus='usb'/>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes'/>
    <video>
      <model type='vmvga' vram='32768' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
  </devices>
</domain>

Apparmor profile
-----------------------
aa_change_profile() seems to be part of apparmor. However, the profiles are in place, I guess:

root at meta# cat /etc/apparmor.d/libvirt/libvirt-ec6cd778-6ae9-019b-e81a-134ab631fa1e
#
# This profile is for the domain whose UUID matches this file.
#

#include <tunables/global>

profile libvirt-ec6cd778-6ae9-019b-e81a-134ab631fa1e {
  #include <abstractions/libvirt-qemu>
  #include <libvirt/libvirt-ec6cd778-6ae9-019b-e81a-134ab631fa1e.files>

}

root at meta# cat /etc/apparmor.d/libvirt/libvirt-ec6cd778-6ae9-019b-e81a-134ab631fa1e.files 
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/maverick.log" w,
  "/var/lib/libvirt/**/maverick.monitor" rw,
  "/var/run/libvirt/**/maverick.pid" rwk,
  "/home/VMs/maverick.img" rw,
  "/home/VMs/ISO/ubuntu-10.04-desktop-amd64.iso" r,
  # don't audit writes to readonly files
  deny "/home/VMs/ISO/ubuntu-10.04-desktop-amd64.iso" w,

virt-manager
------------------
As I thought, there might be an apparmor-related line missing in the domain configuration, I tried to set up a new domain using virt-manager. However, I get the same error here when the newly created domain is started for the first time.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: libvirt-bin 0.8.1-2ubuntu1
ProcVersionSignature: Ubuntu 2.6.35-7.12-generic 2.6.35-rc4
Uname: Linux 2.6.35-7-generic x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Wed Jul 14 21:29:32 2010
SourcePackage: libvirt

** Affects: libvirt (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug maverick

-- 
virsh won't start any domain, but gives an error message; maybe related to apparmor
https://bugs.launchpad.net/bugs/605593
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.

More information about the Ubuntu-server-bugs mailing list