Libvirt KVM can not create snapshot (with qemu-guest-agent)

Status changed to 'Confirmed' because the bug affects multiple users.

Seeing this bug in openstack as well using libvirt-bin 1.2.16.

Using openstack, from nova-compute.log :

ERROR oslo_messaging.rpc.dispatcher if ret == -1: raise libvirtError ('virDomainManagedSave() failed', dom=self)
libvirtError: internal error: cannot update AppArmor profile 'libvirt-7f10dbb6-b650-4bc5-aaaa-b6e47bb099c1'

Using `sudo aa-audit /usr/sbin/libvirtd` we then see in /var/log/libvirt/libvirtd.log :

2015-12-21 17:21:33.253+0000: 25832: error : virCommandWait:2552 : internal error: Child process (/usr/lib/libvirt/virt-aa-helper -p 0 -r -u libvirt-7f10dbb6-b650-4bc5-aaaa-b6e47bb099c1 -F /var/lib/libvirt/qemu/save/instance-000000a0.save) unexpected exit status 1: virt-aa-helper: error: /var/lib/libvirt/qemu/org.qemu.guest_agent.0.instance-000000a0.sock
virt-aa-helper: error: skipped restricted file
virt-aa-helper: error: invalid VM definition
2015-12-21 17:21:33.253+0000: 25832: error : reload_profile:296 : internal error: cannot update AppArmor profile 'libvirt-7f10dbb6-b650-4bc5-aaaa-b6e47bb099c1'

usr.sbin.libvirtd already has :

  # allow changing to our UUID-based named profiles
  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,

@curran736,

could you attach the vm xml definition for an affected VM?

Hi Serge,

I have done some debugging and the solution is here:

https://github.com/libvirt/libvirt/commit/a188c57d5432fce72daf818ccdb970ee6b71e936

The qemu-ga (/var/lib/libvirt/qemu/org.qemu.guest_agent.0.instance-000000a0.sock) socket is being rejected and virt-aa-helper is failing, due to the fact that it is a socket.

If the patch above can be implemented, it would be appreciated. I don't think there should be any merge issues.

Thanks,
Mohammed

Thanks.

This patch is in xenial's source. I'll mark this to be SRUd to wily.

Status changed to 'Confirmed' because the bug affects multiple users.

Hello Alan, or anyone else affected,

Accepted libvirt into wily-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libvirt/1.2.16-2ubuntu11.15.10.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

I installed the proposed libvirt packages yesterday and was able to successfully create a live external snapshot and then flatten the snapshot back into the top-level image as follows:

1. virsh snapshot-create-as dns sn1 "snapshot1" --disk-only --atomic

2. virsh blockpull --domain dns --path /home/alank/vm/dns.qcow2 --verbose --wait

Version of package tested: 1.2.16-2ubuntu11.15.10.4

I just realized that the two commands mentioned above were not the ones I noted in the original ticket, so for completeness, I went back and tried the original command:

virsh snapshot-create-as --quiesce --domain dns sn1 --diskspec hda,file=/home/alank/vm/dns-sn1.qcow2 --disk-only --atomic

This command executes successfully. However, when I attempt to flatten the snapshot back into the base image, with the following command:

virsh blockcommit dns hda --active --verbose --pivot

I receive the following error:

error: internal error: unable to execute QEMU command 'block-commit': Could not reopen file: Permission denied

The qemu packages I have installed are version 1:2.3+dfsg-5ubuntu9.2

Hi Alan - does that mean the 'verification-done' tag should be
changed to verification-failed?

Serge - I'm thinking that the problem causing the blockcommit to fail might not be related to libvirt, but qemu. Doing a bit of searching, it seems as if other people have had a similar issue and suggested that qemu 2.3 might be to blame.

Strictly speaking, the virsh command that prompted this ticket has been fixed. So, I can now successfully create a live snapshot using the proposed packages. Unfortunately, I have no way to flatten the snapshot back into the base image now.

The package was removed due to its SRU bug(s) not being verified in a timely fashion.