[Pkg-libvirt-maintainers] Bug#924418: libvirt-daemon-system: apparmor prevents libvirtd from spawning VMs

Robbie Harwood rharwood at club.cc.cmu.edu
Tue Mar 12 19:20:39 GMT 2019 

Package: libvirt-daemon-system
Version: 5.0.0-1
Severity: important

Dear Maintainer,

When I attempt to spawn a QEMU/kvm VM (sudo virsh start vmname), it fails with:

    error: Failed to start domain 7-1
    error: internal error: Process exited prior to exec: libvirt:  error : unable to set AppArmor profile 'libvirt-16efecbc-66ca-4559-8558-7084588065d4' for '/usr/bin/kvm': No existe el fichero o el directorio

(That approximately translates to "The file or directory doesn't exist".  I
set LC_ALL=en_US.utf8, but it didn't seem to be respected.)

Here's the contents of /etc/apparmor.d/libvirt:

    root at seton:~# ls -1 /etc/apparmor.d/libvirt
    libvirt-0bb30752-0938-406e-a1db-897cc3dafff5
    libvirt-0bb30752-0938-406e-a1db-897cc3dafff5.files
    libvirt-168159f5-b57b-49f1-9326-306feeedcc44
    libvirt-168159f5-b57b-49f1-9326-306feeedcc44.files
    libvirt-16efecbc-66ca-4559-8558-7084588065d4
    libvirt-16efecbc-66ca-4559-8558-7084588065d4.files
    libvirt-2c26722b-4577-426a-af38-b81e7575c0ca
    libvirt-2c26722b-4577-426a-af38-b81e7575c0ca.files
    libvirt-4e7b35eb-3999-4879-afb6-e408445540ba
    libvirt-4e7b35eb-3999-4879-afb6-e408445540ba.files
    libvirt-53d197b4-935b-414e-8978-cd1c7fbbdf46
    libvirt-53d197b4-935b-414e-8978-cd1c7fbbdf46.files
    libvirt-59dc44de-10a8-41e8-bdc8-602bc03627a5
    libvirt-59dc44de-10a8-41e8-bdc8-602bc03627a5.files
    libvirt-92762faa-855e-43ab-8398-73f5cf54e7b9
    libvirt-92762faa-855e-43ab-8398-73f5cf54e7b9.files
    libvirt-ba5458f8-9ab6-4713-9bab-fdc620e4c64e
    libvirt-ba5458f8-9ab6-4713-9bab-fdc620e4c64e.files
    libvirt-c2bf8e0f-a7bc-4b01-ab12-bccae2ad43d0
    libvirt-c2bf8e0f-a7bc-4b01-ab12-bccae2ad43d0.files
    libvirt-d3397f74-1497-4f9a-9239-a941567f5201
    libvirt-d3397f74-1497-4f9a-9239-a941567f5201.files
    libvirt-e3a53b88-8c90-4126-b539-745e04d9169a
    libvirt-e3a53b88-8c90-4126-b539-745e04d9169a.files
    libvirt-e7d3374a-321b-4e50-9ca0-34ee843395c2
    libvirt-e7d3374a-321b-4e50-9ca0-34ee843395c2.files
    libvirt-ea10a337-7a16-469f-9bbf-49601a7390bc
    libvirt-ea10a337-7a16-469f-9bbf-49601a7390bc.files
    libvirt-f402a8d4-d6f3-4823-a20a-66c6e5a62924
    libvirt-f402a8d4-d6f3-4823-a20a-66c6e5a62924.files
    TEMPLATE.lxc
    TEMPLATE.qemu
    root at seton:~#

and indeed, it's not there.

I don't know how to debug this further, but please let me know if there's more
information I can provide.

Thanks,
--Robbie

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (700, 'testing-debug'), (700, 'testing'), (500, 'unstable-debug'), (500, 'unstable'), (300, 'experimental-debug'), (300, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-rt-amd64 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=es_US.UTF-8, LC_CTYPE=es_US.UTF-8 (charmap=UTF-8), LANGUAGE=es_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libvirt-daemon-system depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.71
ii  gettext-base           0.19.8.1-9
ii  iptables               1.8.2-4
ii  libacl1                2.2.53-4
ii  libapparmor1           2.13.2-9
ii  libaudit1              1:2.8.4-2
ii  libblkid1              2.33.1-0.1
ii  libc6                  2.28-8
ii  libcap-ng0             0.7.9-2
ii  libdbus-1-3            1.12.12-1
ii  libdevmapper1.02.1     2:1.02.155-2
ii  libgnutls30            3.6.6-2
ii  libnl-3-200            3.4.0-1
ii  libnl-route-3-200      3.4.0-1
ii  libnuma1               2.0.12-1
ii  libselinux1            2.8-1+b1
ii  libvirt-clients        5.0.0-1
ii  libvirt-daemon         5.0.0-1
ii  libvirt0               5.0.0-1
ii  libxml2                2.9.4+dfsg1-7+b3
ii  libyajl2               2.1.0-3
ii  logrotate              3.14.0-4
ii  lsb-base               10.2018112800
ii  policykit-1            0.105-25

Versions of packages libvirt-daemon-system recommends:
ii  dmidecode                    3.2-1
ii  dnsmasq-base [dnsmasq-base]  2.80-1
ii  ebtables                     2.0.10.4+snapshot20181205-2
ii  iproute2                     4.20.0-2
ii  parted                       3.2-24

Versions of packages libvirt-daemon-system suggests:
ii  apparmor    2.13.2-9
pn  auditd      <none>
ii  nfs-common  1:1.3.4-2.4
pn  open-iscsi  <none>
ii  pm-utils    1.4.1-18
pn  radvd       <none>
ii  systemd     241-1
pn  systemtap   <none>
pn  zfsutils    <none>

-- Configuration Files:
/etc/libvirt/nwfilter/allow-arp.xml [Errno 13] Permiso denegado: '/etc/libvirt/nwfilter/allow-arp.xml'
/etc/libvirt/nwfilter/allow-dhcp-server.xml [Errno 13] Permiso denegado: '/etc/libvirt/nwfilter/allow-dhcp-server.xml'
/etc/libvirt/nwfilter/allow-dhcp.xml [Errno 13] Permiso denegado: '/etc/libvirt/nwfilter/allow-dhcp.xml'
/etc/libvirt/nwfilter/allow-incoming-ipv4.xml [Errno 13] Permiso denegado: '/etc/libvirt/nwfilter/allow-incoming-ipv4.xml'
/etc/libvirt/nwfilter/allow-ipv4.xml [Errno 13] Permiso denegado: '/etc/libvirt/nwfilter/allow-ipv4.xml'
/etc/libvirt/nwfilter/clean-traffic-gateway.xml [Errno 13] Permiso denegado: '/etc/libvirt/nwfilter/clean-traffic-gateway.xml'
/etc/libvirt/nwfilter/clean-traffic.xml [Errno 13] Permiso denegado: '/etc/libvirt/nwfilter/clean-traffic.xml'
/etc/libvirt/nwfilter/no-arp-ip-spoofing.xml [Errno 13] Permiso denegado: '/etc/libvirt/nwfilter/no-arp-ip-spoofing.xml'
/etc/libvirt/nwfilter/no-arp-mac-spoofing.xml [Errno 13] Permiso denegado: '/etc/libvirt/nwfilter/no-arp-mac-spoofing.xml'
/etc/libvirt/nwfilter/no-arp-spoofing.xml [Errno 13] Permiso denegado: '/etc/libvirt/nwfilter/no-arp-spoofing.xml'
/etc/libvirt/nwfilter/no-ip-multicast.xml [Errno 13] Permiso denegado: '/etc/libvirt/nwfilter/no-ip-multicast.xml'
/etc/libvirt/nwfilter/no-ip-spoofing.xml [Errno 13] Permiso denegado: '/etc/libvirt/nwfilter/no-ip-spoofing.xml'
/etc/libvirt/nwfilter/no-mac-broadcast.xml [Errno 13] Permiso denegado: '/etc/libvirt/nwfilter/no-mac-broadcast.xml'
/etc/libvirt/nwfilter/no-mac-spoofing.xml [Errno 13] Permiso denegado: '/etc/libvirt/nwfilter/no-mac-spoofing.xml'
/etc/libvirt/nwfilter/no-other-l2-traffic.xml [Errno 13] Permiso denegado: '/etc/libvirt/nwfilter/no-other-l2-traffic.xml'
/etc/libvirt/nwfilter/no-other-rarp-traffic.xml [Errno 13] Permiso denegado: '/etc/libvirt/nwfilter/no-other-rarp-traffic.xml'
/etc/libvirt/nwfilter/qemu-announce-self-rarp.xml [Errno 13] Permiso denegado: '/etc/libvirt/nwfilter/qemu-announce-self-rarp.xml'
/etc/libvirt/nwfilter/qemu-announce-self.xml [Errno 13] Permiso denegado: '/etc/libvirt/nwfilter/qemu-announce-self.xml'
/etc/libvirt/qemu.conf [Errno 13] Permiso denegado: '/etc/libvirt/qemu.conf'
/etc/libvirt/qemu/networks/default.xml [Errno 13] Permiso denegado: '/etc/libvirt/qemu/networks/default.xml'

-- debconf information:
  libvirt-daemon-system/id_warning: true

More information about the Pkg-libvirt-maintainers mailing list