[Pkg-libvirt-maintainers] Bug#933385: Bug#933385: libvirt-daemon: encrypted qemu virtual machines do not start after upgrade to buster: permission denied

Dominik Reusser dr896543 at gmail.com
Tue Jul 30 09:43:25 BST 2019


Thanks for your reply

On 30.07.19 09:00, Guido Günther wrote:
> Hi,
> On Tue, Jul 30, 2019 at 07:36:18AM +0200, Dominik wrote:
>> Package: libvirt-daemon
>> Version: 5.0.0-4
>> Severity: normal
>>
>> Dear Maintainer,
>>
>> after upgrading to buster, the encrypted kvm-guests stop working. An
>> error is thrown about missing rights to the file containing the encryption
>> secret, which I placed under /etc/libvirt/secret/.
>>
>> I opened a question with more details on serverfault a while ago:
>> https://serverfault.com/questions/974689/encrypted-qemu-virtual-machines-do-not-start-after-upgrade-to-buster-permission
> As a workaround you can disable apparmor
Do I need to disable apparmor completely through grub as described here:
https://wiki.debian.org/AppArmor/HowToUse or would it be possible to
disable the profiles for libvirt with aa-disable?


> but can you attach the dmesg
> output after trying to start a domain?
$ virsh --connect qemu:///system start Feigenbaum
error: Failed to start domain Feigenbaum
error: internal error: process exited while connecting to monitor:
2019-07-30T08:15:39.975264Z qemu-system-x86_64: --object
secret,id=sec0,file=/etc/libvirt/secrets/Feigenbaum.secret: Unable to read
/etc/libvirt/secrets/Feigenbaum.secret: Failed to open file
“/etc/libvirt/secrets/Feigenbaum.secret”: Permission denied

$ sudo dmesg

[585353.519853] virbr0: port 2(vnet0) entered blocking state
[585353.519854] virbr0: port 2(vnet0) entered disabled state
[585353.519887] device vnet0 entered promiscuous mode
[585353.519982] virbr0: port 2(vnet0) entered blocking state
[585353.519983] virbr0: port 2(vnet0) entered listening state
[585353.706058] virbr0: port 2(vnet0) entered disabled state
[585353.707387] device vnet0 left promiscuous mode
[585353.707395] virbr0: port 2(vnet0) entered disabled state

(I removed a bunch of UFW BLOCK messages)

Extract from syslog:

Jul 30 10:15:39 www kernel: [585353.519853] virbr0: port 2(vnet0) entered
blocking state
Jul 30 10:15:39 www kernel: [585353.519854] virbr0: port 2(vnet0) entered
disabled state
Jul 30 10:15:39 www kernel: [585353.519887] device vnet0 entered
promiscuous mode
Jul 30 10:15:39 www kernel: [585353.519982] virbr0: port 2(vnet0) entered
blocking state
Jul 30 10:15:39 www kernel: [585353.519983] virbr0: port 2(vnet0) entered
listening state
Jul 30 10:15:39 www libvirtd[775]: Domain id=5 name='Feigenbaum'
uuid=2734b78b-2dc6-4fed-a47b-9bb2534db76e is tainted: custom-argv
Jul 30 10:15:40 www kernel: [585353.706058] virbr0: port 2(vnet0) entered
disabled state
Jul 30 10:15:40 www kernel: [585353.707387] device vnet0 left promiscuous
mode
Jul 30 10:15:40 www kernel: [585353.707395] virbr0: port 2(vnet0) entered
disabled state
Jul 30 10:15:40 www libvirtd[775]: Unable to read from monitor: Connection
reset by peer
Jul 30 10:15:40 www libvirtd[775]: internal error: qemu unexpectedly closed
the monitor: 2019-07-30T08:15:39.975264Z qemu-system-x86_64: --object
secret,id=sec0,file=/etc/libvirt/secrets/Feigenbaum.secret: Unable to read
/etc/libvirt/secrets/Feigenbaum.secret: Failed to open file
“/etc/libvirt/secrets/Feigenbaum.secret”: Permission denied
Jul 30 10:15:40 www libvirtd[775]: internal error: process exited while
connecting to monitor: 2019-07-30T08:15:39.975264Z qemu-system-x86_64:
--object secret,id=sec0,file=/etc/libvirt/secrets/Feigenbaum.secret: Unable
to read /etc/libvirt/secrets/Feigenbaum.secret: Failed to open file
“/etc/libvirt/secrets/Feigenbaum.secret”: Permission denied


> That should have details what
> fails exactly.
Let me know if I can provide additional information to get more details on
what fails.

Greetings

Dominik
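
When AppArmor blocks a file access, the kernel typically logs an audit record naming the confining profile and the file, which is the detail the dmesg request above is after. As an added example (not part of the original thread), this Python script extracts such records from a kernel log; the sample lines, the profile name and the function names are constructed for illustration and are not taken from the reporter's system.

```python
import re

# Constructed kernel-log sample (assumption: not from the reporter's system).
SAMPLE_LOG = """\
[585353.519887] device vnet0 entered promiscuous mode
[585353.601200] audit: type=1400 audit(1564474539.975:812): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" name="/etc/libvirt/secrets/Feigenbaum.secret" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[585353.602000] audit: type=1400 audit(1564474539.976:813): apparmor="ALLOWED" operation="open" profile="/usr/sbin/libvirtd" name="/etc/hosts" pid=775 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[585353.603000] audit: type=1400 audit(1564474539.977:814): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" name=2F7661722F6C69622F6D7920766D2E6B6579 pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[585353.707387] device vnet0 left promiscuous mode
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key="quoted value" or key=bare
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    rec = {}
    for key, raw in FIELD.findall(line):
        if raw.startswith('"'):
            rec[key] = raw[1:-1]
        elif key == "name" and HEX.fullmatch(raw):
            # Path names with spaces or control characters are logged
            # hex-encoded and unquoted; decode them back to a path.
            rec[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            rec[key] = raw
    return rec


def apparmor_denials(log_text, path=None):
    """Return the DENIED records, optionally only those for one file path."""
    hits = []
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec = parse_record(line)
        if path is None or rec.get("name") == path:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in apparmor_denials(SAMPLE_LOG):
        print(rec["profile"], rec["operation"], rec["name"], rec["denied_mask"])
```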

