virsh won't start any domain, but gives an error message; maybe related to apparmor

Bug #605593 reported by mk
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
libvirt (Ubuntu) | Confirmed | Undecided | Unassigned |

Bug Description

Binary package hint: libvirt-bin

1. Ubuntu version: Ubuntu maverick (development branch), 10.10
2. Package versions: libvirt-bin_0.8.1-2ubuntu1, virt-manager_0.8.4-3ubuntu5, apparmor_2.5-0ubuntu3

3. What I expected to happen: My virtual domains would start as usual.

4. What happened instead:

Error
-------
When I try to start any of my virtual guest domains, I get an error like this:

root@meta: virsh start maverick
error: Failed to start domain maverick
error: internal error Process exited while reading console log output: libvir: Security Labeling error : internal error error calling aa_change_profile()

syslog
---------
In /var/log/syslog, I can afterwards find lines like these:

Jul 14 21:31:09 meta libvirtd: 21:31:09.931: error : qemudReadLogOutput:1870 : internal error Process exited while reading console log output: libvir: Security Labeling error : internal error error calling aa_change_profile()#012
Jul 14 21:31:10 meta kernel: [ 3137.876313] type=1400 audit(1279135870.105:113): operation="profile_remove" info="profile does not exist" error=-2 pid=4102 name="libvirt-ec6cd778-6ae9-019b-e81a-134ab631fa1e" pid=4102 comm="apparmor_parser"
Jul 14 21:31:10 meta kernel: [ 3138.099070] type=1400 audit(1279135870.325:114): operation="getattr" pid=1346 parent=1 profile="/usr/sbin/libvirtd" name="/" pid=1346 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Domain configuration file
----------------------------------
The domain configuration file looks like this:

root@meta# virsh dumpxml maverick
<domain type='kvm'>
  <name>maverick</name>
  <uuid>ec6cd778-6ae9-019b-e81a-134ab631fa1e</uuid>
  <memory>1048576</memory>
  <currentMemory>1048576</currentMemory>
  <vcpu>2</vcpu>
  <os>
    <type arch='x86_64' machine='pc-0.12'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/home/VMs/maverick.img'/>
      <target dev='vda' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/home/VMs/ISO/ubuntu-10.04-desktop-amd64.iso'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <address type='drive' controller='0' bus='1' unit='0'/>
    </disk>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <interface type='bridge'>
      <mac address='52:54:00:47:04:05'/>
      <source bridge='br0'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target port='0'/>
    </console>
    <input type='tablet' bus='usb'/>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes'/>
    <video>
      <model type='vmvga' vram='32768' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
  </devices>
</domain>

Apparmor profile
-----------------------
aa_change_profile() seems to be part of apparmor. However, the profiles are in place, I guess:

root@meta# cat /etc/apparmor.d/libvirt/libvirt-ec6cd778-6ae9-019b-e81a-134ab631fa1e
#
# This profile is for the domain whose UUID matches this file.
#

#include <tunables/global>

profile libvirt-ec6cd778-6ae9-019b-e81a-134ab631fa1e {
  #include <abstractions/libvirt-qemu>
  #include <libvirt/libvirt-ec6cd778-6ae9-019b-e81a-134ab631fa1e.files>

}

root@meta# cat /etc/apparmor.d/libvirt/libvirt-ec6cd778-6ae9-019b-e81a-134ab631fa1e.files
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/maverick.log" w,
  "/var/lib/libvirt/**/maverick.monitor" rw,
  "/var/run/libvirt/**/maverick.pid" rwk,
  "/home/VMs/maverick.img" rw,
  "/home/VMs/ISO/ubuntu-10.04-desktop-amd64.iso" r,
  # don't audit writes to readonly files
  deny "/home/VMs/ISO/ubuntu-10.04-desktop-amd64.iso" w,

virt-manager
------------------
As I thought there might be an apparmor-related line missing in the domain configuration, I tried to set up a new domain using virt-manager. However, I get the same error here when the newly created domain is started for the first time.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: libvirt-bin 0.8.1-2ubuntu1
ProcVersionSignature: Ubuntu 2.6.35-7.12-generic 2.6.35-rc4
Uname: Linux 2.6.35-7-generic x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Wed Jul 14 21:29:32 2010
SourcePackage: libvirt
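
As an added example (not part of the original report, and not libvirt or AppArmor code), the sketch below parses the two kernel `type=1400` audit lines quoted in the syslog excerpt and sorts them into failed operations and denied accesses. The function names and the category labels are assumptions made for illustration.

```python
import re

# The two kernel audit lines quoted in the report's syslog excerpt.
SYSLOG = '''\
Jul 14 21:31:10 meta kernel: [ 3137.876313] type=1400 audit(1279135870.105:113): operation="profile_remove" info="profile does not exist" error=-2 pid=4102 name="libvirt-ec6cd778-6ae9-019b-e81a-134ab631fa1e" pid=4102 comm="apparmor_parser"
Jul 14 21:31:10 meta kernel: [ 3138.099070] type=1400 audit(1279135870.325:114): operation="getattr" pid=1346 parent=1 profile="/usr/sbin/libvirtd" name="/" pid=1346 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

HEADER = re.compile(r'type=1400 audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key="quoted value" or key=bare


def parse_apparmor_line(line):
    """Return the fields of a type=1400 audit line, or None for any other line."""
    m = HEADER.search(line)
    if not m:
        return None
    event = {"epoch": float(m.group(1)), "serial": int(m.group(2))}
    for key, raw, quoted in FIELD.findall(m.group(3)):
        value = quoted if raw.startswith('"') else raw
        # The lines above carry pid= twice: keep the first value and
        # record the key only if a later occurrence disagrees.
        if key in event and event[key] != value:
            event.setdefault("conflicts", []).append(key)
        event.setdefault(key, value)
    return event


def classify(event):
    """Label an event by the field that marks why it was logged (labels are hypothetical)."""
    if "denied_mask" in event:
        return "access-denied"      # a requested permission was refused
    if "error" in event:
        return "operation-failed"   # a policy operation returned an errno
    return "other"


def triage(text):
    """Return (category, operation, profile, name, comm) for each audit line in text."""
    rows = []
    for line in text.splitlines():
        ev = parse_apparmor_line(line)
        if ev:
            rows.append((classify(ev), ev.get("operation", "-"),
                         ev.get("profile", "-"), ev.get("name", "-"),
                         ev.get("comm", "-")))
    return rows


if __name__ == "__main__":
    for row in triage(SYSLOG):
        print(" | ".join(row))
```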

mk (harald-hetzner) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libvirt (Ubuntu):
status: New → Confirmed