libvirt-bin start prevented by apparmor

Bug #1605727 reported by Julian Taylor
This bug affects 3 people
Affects                 Status     Importance  Assigned to  Milestone
One Hundred Papercuts   Confirmed  High        Unassigned
libvirt (Ubuntu)        Confirmed  High        Unassigned

Bug Description

After upgrading from 14.04 to 16.04 today, libvirt failed to start due to AppArmor denials:

/var/log/libvirt/libvirtd.log
2016-07-22 18:31:59.547+0000: 31739: info : libvirt version: 1.3.1, package: 1ubuntu10.1 (dann frazier <email address hidden> Fri, 03 Jun 2016 14:41:21 -0600)
2016-07-22 18:31:59.547+0000: 31739: info : hostname: sagan5.hq.eso.org
2016-07-22 18:31:59.547+0000: 31739: error : virAuditOpen:62 : Unable to initialize audit layer: Permission denied
2016-07-22 18:31:59.550+0000: 31739: error : virNetlinkEventServiceStart:676 : cannot connect to netlink socket with protocol 0: Permission denied

dmesg:
[31938.666690] audit: type=1400 audit(1469212319.543:108): apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=31739 comm="libvirtd" family="netlink" sock_type="raw" protocol=9 requested_mask="create" denied_mask="create"
[31938.669074] audit: type=1400 audit(1469212319.543:109): apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=31739 comm="libvirtd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"

aa-logprof added capability net_bind_service and now it starts again.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: libvirt-bin 1.3.1-1ubuntu10.1
ProcVersionSignature: Ubuntu 4.4.0-31.50-generic 4.4.13
Uname: Linux 4.4.0-31-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Jul 22 20:34:29 2016
InstallationDate: Installed on 2015-12-19 (216 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
SourcePackage: libvirt
UpgradeStatus: Upgraded to xenial on 2016-03-31 (113 days ago)
modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf']
modified.conffile..etc.libvirt.qemu.networks.default.xml: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu/networks/default.xml']
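
The two AppArmor denials quoted in the report above, parsed into fields and grouped by the profile rule each one corresponds to. This is an added example, not part of the original report or of libvirt or AppArmor; the function names are hypothetical, the rule mapping is an assumption to review before touching a profile, and the sample input is the pair of dmesg lines from the report.

```python
import re
from collections import Counter

# The two dmesg records quoted in the report above, copied verbatim.
SAMPLE = '''\
[31938.666690] audit: type=1400 audit(1469212319.543:108): apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=31739 comm="libvirtd" family="netlink" sock_type="raw" protocol=9 requested_mask="create" denied_mask="create"
[31938.669074] audit: type=1400 audit(1469212319.543:109): apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=31739 comm="libvirtd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
'''

# key=value or key="value" pairs as they appear in kernel audit records.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Netlink protocol numbers from <linux/netlink.h>; only the two seen here.
NETLINK = {"0": "NETLINK_ROUTE", "9": "NETLINK_AUDIT"}


def parse_denials(text):
    """Return one dict of fields per AppArmor DENIED record in the text."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' in line:
            records.append({k: quoted or bare for k, quoted, bare in KV.findall(line)})
    return records


def candidate_rule(rec):
    """Profile rule matching what was denied (assumed mapping, review before use)."""
    if "family" in rec and "sock_type" in rec:
        return f"network {rec['family']} {rec['sock_type']},"
    if "capname" in rec:  # capability denials carry capname="..."
        return f"capability {rec['capname']},"
    return None  # other denial classes (file, mount, ...) need their own mapping


def summarize(text):
    """Map (profile, candidate rule) -> (denial count, netlink protocols seen)."""
    counts, protos = Counter(), {}
    for rec in parse_denials(text):
        key = (rec.get("profile"), candidate_rule(rec))
        counts[key] += 1
        if "protocol" in rec:
            name = NETLINK.get(rec["protocol"], rec["protocol"])
            protos.setdefault(key, set()).add(name)
    return {k: (n, sorted(protos.get(k, ()))) for k, n in counts.items()}


if __name__ == "__main__":
    for (profile, rule), (n, protocols) in summarize(SAMPLE).items():
        print(f"{profile}: {n} denial(s) -> {rule} protocols={protocols}")
```

Both records collapse to one netlink raw socket rule, and the two protocol numbers line up with the two errors in libvirtd.log: the audit layer (protocol 9) and the netlink event service (protocol 0).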

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libvirt (Ubuntu):
status: New → Confirmed
Changed in libvirt (Ubuntu):
importance: Undecided → High
Changed in hundredpapercuts:
status: New → Confirmed
importance: Undecided → High
caowei (caowei-e) wrote :

I fixed the issue with:
 apparmor_parser --purge-cache
 apparmor_parser -R /etc/apparmor.d/usr.sbin.libvirtd
 apparmor_parser -r /etc/apparmor.d/usr.sbin.libvirtd
 systemctl restart libvirt-bin

Christian Ehrhardt (paelzer) wrote :

Hi Julian and Caowei,
I'm debugging this right now - it seems to show up every now and then, but so far was not reproducible for debugging.

Thank you for reporting that as an extra bug; keeping at least the initial logs separate is always great.

But the task now is about finding the missing bits in the config to create a valid reproducing case.
To have a better chance at this I'll mark this as a duplicate and hope that at the target bug all people can work together to get that reproducing case.
