libvirt, libxl, and AppArmor
George Dunlap
George.Dunlap at eu.citrix.com
Thu Jun 26 11:26:15 UTC 2014
There appears to be a bug in the AppArmor profile for libvirtd, so
that it refuses to allow libvirtd to run pygrub.
After using virt-install to create a VM image, creation of the VM fails:
# virsh -c xen:/// start ubuntu
error: Failed to start domain ubuntu
error: internal error: libxenlight failed to create new domain 'ubuntu'
/var/log/libvirt/libvirtd.log has a not-particularly-useful repeat:
2014-06-26 11:20:39.422+0000: 1187: error : libxlVmStart:787 : internal error: libxenlight failed to create new domain 'ubuntu'
/var/log/libvirt/libxl/ubuntu.log has more useful information:
libxl: debug: libxl_bootloader.c:535:bootloader_gotptys: executing bootloader: /usr/lib/xen-4.4/bin/pygrub
libxl: debug: libxl_bootloader.c:539:bootloader_gotptys: bootloader arg: /usr/lib/xen-4.4/bin/pygrub
libxl: debug: libxl_bootloader.c:539:bootloader_gotptys: bootloader arg: --output=/var/run/xen/bootloader.3.out
libxl: debug: libxl_bootloader.c:539:bootloader_gotptys: bootloader arg: --output-format=simple0
libxl: debug: libxl_bootloader.c:539:bootloader_gotptys: bootloader arg: --output-directory=/var/run/xen/bootloader.3.d
libxl: debug: libxl_bootloader.c:539:bootloader_gotptys: bootloader arg: /root/F0L1.img
libxl: debug: libxl_event.c:514:watchfd_callback: watch w=0x7f46780011e8 wpath=/local/domain/3 token=3/1: event epath=/local/domain/3
libxl: error: libxl_bootloader.c:628:bootloader_finished: bootloader failed - consult logfile /var/log/xen/bootloader.3.log
/var/log/xen/bootloader.3.log says:
libxl: cannot execute /usr/lib/xen-4.4/bin/pygrub: Permission denied
But when I run pygrub manually, or if I use "virsh domxml-to-native
xen-xm" to create an xl config, I can boot the VM with xl. Eventually
I looked in /var/log/kern.log:
Jun 26 07:20:39 unassigned-hostname kernel: [ 2957.634455] type=1400 audit(1403781639.410:24): apparmor="DENIED" operation="exec" profile="/usr/sbin/libvirtd" name="/usr/lib/xen-4.4/bin/pygrub" pid=1773 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
There's probably a handful of other Xen helper processes that need to
be whitelisted.
-George
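As an added example (not part of George's post or of libvirt), a small Python triage helper that parses AppArmor audit lines of the kind found in kern.log above, keeps only DENIED exec events for a given profile, and renders the profile rule that would permit the denied helper. The sample log is constructed (the first line is the denial from the post, the second is a made-up ALLOWED event for contrast), and the PUx exec mode is an assumption, not a libvirt recommendation.

```python
import re

# Constructed sample input: line 1 is the denial quoted in the post,
# line 2 is a made-up complain-mode ("ALLOWED") event that must be ignored.
SAMPLE_KERN_LOG = """\
Jun 26 07:20:39 unassigned-hostname kernel: [ 2957.634455] type=1400 audit(1403781639.410:24): apparmor="DENIED" operation="exec" profile="/usr/sbin/libvirtd" name="/usr/lib/xen-4.4/bin/pygrub" pid=1773 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jun 26 07:21:02 unassigned-hostname kernel: [ 2980.120001] type=1400 audit(1403781662.100:25): apparmor="ALLOWED" operation="open" profile="/usr/sbin/libvirtd" name="/etc/xen/xl.conf" pid=1773 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# AppArmor audit fields are key="value" (paths, names) or key=value (numbers).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_events(text):
    """Return one dict of fields per line that carries an apparmor= field."""
    events = []
    for line in text.splitlines():
        if 'apparmor="' not in line:
            continue
        fields = {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}
        events.append(fields)
    return events


def exec_denials(events, profile=None):
    """Keep only DENIED exec events, optionally restricted to one profile."""
    return [
        e for e in events
        if e.get("apparmor") == "DENIED"
        and e.get("operation") == "exec"
        and (profile is None or e.get("profile") == profile)
    ]


def suggested_rule(event, mode="PUx"):
    """Render a profile line that would permit the denied exec.

    The mode is an assumption: PUx tries a dedicated profile for the target,
    falls back to unconfined, and scrubs the environment. Choose the mode
    your confinement policy actually wants before adding it to the profile.
    """
    return f'{event["name"]} {mode},'


if __name__ == "__main__":
    for ev in exec_denials(parse_apparmor_events(SAMPLE_KERN_LOG), "/usr/sbin/libvirtd"):
        print(f'{ev["comm"]} (pid {ev["pid"]}) denied exec of {ev["name"]}; rule: {suggested_rule(ev)}')
```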