[Pkg-libvirt-maintainers] Bug#890084: libvirt: error : unable to set AppArmor profile

reusser reusser.mb at gmail.com
Wed Oct 23 08:01:25 BST 2019 

Package: libvirt-daemon-system
Version: 5.0.0-4
Followup-For: Bug #890084

Dear Maintainer,

this happened yesterday again. It is most likely related to a restart
of the host system.

After removing the apparmor.d profiles with zero length, the vm started as expected.

The bug report asks about the output of "sudo journalctl -u libvirtd.service" and the relevant
file timestamps:

Okt 22 18:06:47 h2700532 libvirtd[723]: Domain id=11 name='sambaDC' uuid=07fbaa3b-d6e8-494f-89e3-6802ee0cff16 is tainted: custom-argv
Okt 22 18:06:48 h2700532 libvirtd[723]: Child quit during startup handshake: Eingabe-/Ausgabefehler
Okt 22 18:06:48 h2700532 libvirtd[723]: internal error: Process exited prior to exec: libvirt:  error : unable to set AppArmor profile 'libvirt-07fbaa3b-d6e8-494f-89e3
Okt 23 08:22:43 h2700532 libvirtd[723]: Domain id=12 name='vpnServer' uuid=b3279270-c20e-4aa6-9f8d-48859775e71e is tainted: custom-argv
Okt 23 08:22:43 h2700532 libvirtd[723]: Child quit during startup handshake: Eingabe-/Ausgabefehler
Okt 23 08:22:43 h2700532 libvirtd[723]: internal error: Process exited prior to exec: libvirt:  error : unable to set AppArmor profile 'libvirt-b3279270-c20e-4aa6-9f8d
Okt 23 08:22:43 h2700532 libvirtd[723]: Failed to open file '/sys/class/net/vnet11/operstate': Datei oder Verzeichnis nicht gefunden
Okt 23 08:22:43 h2700532 libvirtd[723]: unable to read: /sys/class/net/vnet11/operstate: Datei oder Verzeichnis nicht gefunden

-rw-r--r-- 1 root root   0 Okt 22 17:51 /etc/apparmor.d/libvirt/libvirt-07fbaa3b-d6e8-494f-89e3-6802ee0cff16
-rw-r--r-- 1 root root 418 Okt 22 18:06 /etc/apparmor.d/libvirt/libvirt-07fbaa3b-d6e8-494f-89e3-6802ee0cff16.files
-rw-r--r-- 1 root root   0 Okt 22 17:51 /etc/apparmor.d/libvirt/libvirt-2360878a-5a72-4c1a-8117-2fef9023b26b
-rw-r--r-- 1 root root 466 Okt 22 17:56 /etc/apparmor.d/libvirt/libvirt-2360878a-5a72-4c1a-8117-2fef9023b26b.files
-rw-r--r-- 1 root root   0 Okt 22 17:51 /etc/apparmor.d/libvirt/libvirt-3a3bdf59-6dc4-4fd3-a0e3-a2a285a1bcfb
-rw-r--r-- 1 root root 417 Okt 22 17:56 /etc/apparmor.d/libvirt/libvirt-3a3bdf59-6dc4-4fd3-a0e3-a2a285a1bcfb.files
-rw-r--r-- 1 root root 351 Okt 22 17:56 /etc/apparmor.d/libvirt/libvirt-4132ad9b-0169-4422-b5cc-4d86864a154d
-rw-r--r-- 1 root root 783 Okt 22 17:56 /etc/apparmor.d/libvirt/libvirt-4132ad9b-0169-4422-b5cc-4d86864a154d.files
-rw-r--r-- 1 root root 351 Okt 22 17:56 /etc/apparmor.d/libvirt/libvirt-4e97abcc-9f65-4fa3-94dc-d6e67aaee349
-rw-r--r-- 1 root root 665 Okt 22 17:56 /etc/apparmor.d/libvirt/libvirt-4e97abcc-9f65-4fa3-94dc-d6e67aaee349.files
-rw-r--r-- 1 root root   0 Okt 22 17:51 /etc/apparmor.d/libvirt/libvirt-b3279270-c20e-4aa6-9f8d-48859775e71e
-rw-r--r-- 1 root root 432 Okt 23 08:22 /etc/apparmor.d/libvirt/libvirt-b3279270-c20e-4aa6-9f8d-48859775e71e.files
-rw-r--r-- 1 root root 351 Okt 22 17:56 /etc/apparmor.d/libvirt/libvirt-b99667b3-255b-4053-8232-75c6e570f3ee
-rw-r--r-- 1 root root 665 Okt 22 17:56 /etc/apparmor.d/libvirt/libvirt-b99667b3-255b-4053-8232-75c6e570f3ee.files


A first restart seems to have fails on Okt 22 at 17:50 with the
following entries in syslog:

Oct 22 17:50:47 h2700532 kernel: [   18.569563] igb 0000:03:00.0 eno1: igb: eno1 NIC Link is Up 100 Mbps Full Duplex, Flow Control: RX
Oct 22 17:50:47 h2700532 kernel: [   18.589008] IPv6: ADDRCONF(NETDEV_CHANGE): eno1: link becomes ready
Oct 22 17:50:47 h2700532 freshclam[644]: Tue Oct 22 17:50:47 2019 -> Reading CVD header (main.cvd): Tue Oct 22 17:50:47 2019 -> ^Can't get information about db.local.c
lamav.net: Temporary failure in name resolution
Oct 22 17:50:47 h2700532 freshclam[644]: Tue Oct 22 17:50:47 2019 -> ^Can't read main.cvd header from db.local.clamav.net (IP: )
Oct 22 17:50:47 h2700532 freshclam[644]: Tue Oct 22 17:50:47 2019 -> Trying again in 5 secs...
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@

Nothing thereafter in the syslog.

And then a second restart occurs at 17:53, which then is successfull

The zero length file seems to come from the period of the unsuccessfull
restart.


-- System Information:
Debian Release: 10.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8) (ignored: LC_ALL set to de_DE.utf8), LANGUAGE=de_DE.utf8 (charmap=UTF-8) (ignored: LC_ALL set to de_DE.utf8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libvirt-daemon-system depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.71
ii  gettext-base           0.19.8.1-9
ii  iptables               1.8.2-4
ii  libacl1                2.2.53-4
ii  libapparmor1           2.13.2-10
ii  libaudit1              1:2.8.4-3
ii  libblkid1              2.33.1-0.1
ii  libc6                  2.28-10
ii  libcap-ng0             0.7.9-2
ii  libdbus-1-3            1.12.16-1
ii  libdevmapper1.02.1     2:1.02.155-3
ii  libgnutls30            3.6.7-4
ii  libnl-3-200            3.4.0-1
ii  libnl-route-3-200      3.4.0-1
ii  libnuma1               2.0.12-1
ii  libselinux1            2.8-1+b1
ii  libvirt-clients        5.0.0-4
ii  libvirt-daemon         5.0.0-4
ii  libvirt0               5.0.0-4
ii  libxml2                2.9.4+dfsg1-7+b3
ii  libyajl2               2.1.0-3
ii  logrotate              3.14.0-4
ii  lsb-base               10.2019051400
ii  policykit-1            0.105-25

Versions of packages libvirt-daemon-system recommends:
ii  dmidecode                    3.2-1
ii  dnsmasq-base [dnsmasq-base]  2.80-1
ii  iproute2                     4.20.0-2
ii  parted                       3.2-25

Versions of packages libvirt-daemon-system suggests:
ii  apparmor    2.13.2-10
ii  auditd      1:2.8.4-3
pn  nfs-common  <none>
ii  open-iscsi  2.0.874-7.1
pn  pm-utils    <none>
pn  radvd       <none>
ii  systemd     241-7~deb10u1
pn  systemtap   <none>
pn  zfsutils    <none>

-- Configuration Files:
/etc/apparmor.d/libvirt/TEMPLATE.qemu changed:
profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
  #include <abstractions/libvirt-qemu>
/etc/libvirt/secret/** r,
/var/lib/libvirt/images/** rwk,
}

/etc/default/libvirt-guests changed:
START_DELAY=20

/etc/libvirt/nwfilter/allow-arp.xml [Errno 13] Keine Berechtigung: '/etc/libvirt/nwfilter/allow-arp.xml'
/etc/libvirt/nwfilter/allow-dhcp-server.xml [Errno 13] Keine Berechtigung: '/etc/libvirt/nwfilter/allow-dhcp-server.xml'
/etc/libvirt/nwfilter/allow-dhcp.xml [Errno 13] Keine Berechtigung: '/etc/libvirt/nwfilter/allow-dhcp.xml'
/etc/libvirt/nwfilter/allow-incoming-ipv4.xml [Errno 13] Keine Berechtigung: '/etc/libvirt/nwfilter/allow-incoming-ipv4.xml'
/etc/libvirt/nwfilter/allow-ipv4.xml [Errno 13] Keine Berechtigung: '/etc/libvirt/nwfilter/allow-ipv4.xml'
/etc/libvirt/nwfilter/clean-traffic-gateway.xml [Errno 13] Keine Berechtigung: '/etc/libvirt/nwfilter/clean-traffic-gateway.xml'
/etc/libvirt/nwfilter/clean-traffic.xml [Errno 13] Keine Berechtigung: '/etc/libvirt/nwfilter/clean-traffic.xml'
/etc/libvirt/nwfilter/no-arp-ip-spoofing.xml [Errno 13] Keine Berechtigung: '/etc/libvirt/nwfilter/no-arp-ip-spoofing.xml'
/etc/libvirt/nwfilter/no-arp-mac-spoofing.xml [Errno 13] Keine Berechtigung: '/etc/libvirt/nwfilter/no-arp-mac-spoofing.xml'
/etc/libvirt/nwfilter/no-arp-spoofing.xml [Errno 13] Keine Berechtigung: '/etc/libvirt/nwfilter/no-arp-spoofing.xml'
/etc/libvirt/nwfilter/no-ip-multicast.xml [Errno 13] Keine Berechtigung: '/etc/libvirt/nwfilter/no-ip-multicast.xml'
/etc/libvirt/nwfilter/no-ip-spoofing.xml [Errno 13] Keine Berechtigung: '/etc/libvirt/nwfilter/no-ip-spoofing.xml'
/etc/libvirt/nwfilter/no-mac-broadcast.xml [Errno 13] Keine Berechtigung: '/etc/libvirt/nwfilter/no-mac-broadcast.xml'
/etc/libvirt/nwfilter/no-mac-spoofing.xml [Errno 13] Keine Berechtigung: '/etc/libvirt/nwfilter/no-mac-spoofing.xml'
/etc/libvirt/nwfilter/no-other-l2-traffic.xml [Errno 13] Keine Berechtigung: '/etc/libvirt/nwfilter/no-other-l2-traffic.xml'
/etc/libvirt/nwfilter/no-other-rarp-traffic.xml [Errno 13] Keine Berechtigung: '/etc/libvirt/nwfilter/no-other-rarp-traffic.xml'
/etc/libvirt/nwfilter/qemu-announce-self-rarp.xml [Errno 13] Keine Berechtigung: '/etc/libvirt/nwfilter/qemu-announce-self-rarp.xml'
/etc/libvirt/nwfilter/qemu-announce-self.xml [Errno 13] Keine Berechtigung: '/etc/libvirt/nwfilter/qemu-announce-self.xml'
/etc/libvirt/qemu.conf [Errno 13] Keine Berechtigung: '/etc/libvirt/qemu.conf'
/etc/libvirt/qemu/networks/default.xml [Errno 13] Keine Berechtigung: '/etc/libvirt/qemu/networks/default.xml'

-- debconf information:
  libvirt-daemon-system/id_warning: true

More information about the Pkg-libvirt-maintainers mailing list