On 12/28/21 2:00 AM, Sina Kashipazha wrote:
> Hey there,
>
> I have two hosts in my setup, one of them uses AppArmor (h1), and another one
> doesn't have it (h2). I want to use virsh to live migrate my VMs from h1 to
> h2, but I'm not able to do that because the h2 host doesn't have the AppArmor
> policy.
>
> I was wondering, is it possible to edit the XML configuration file of the VM
> and disable AppArmor without restarting the VMs?
>
AFAIK no, but you can manually remove the apparmor protection on the VM by
unloading the profiles.

  sudo aa-teardown

will remove apparmor protections from the whole system.

If you want to be more selective you can just unload the VM's profiles. Using

  apparmor_parser -R

> Some extra info:
>
> root@h1(apparmor enabled):~# virsh list
>  Id    Name                           State
> ----------------------------------------------------
>  7     some-VM                        running
>
> root@h1(apparmor enabled):~# virsh dumpxml 7 | grep apparmor
> <seclabel type='dynamic'model='apparmor'relabel='yes'
>
> root@h1(apparmor enabled):~# virsh capabilities | grep -A1 secmodel
> <secmodel>
> <model>apparmor</model>
> </secmodel>
> <secmodel>
> <model>dac</model>
> </secmodel>
> </host>
>
> root@h2(apparmor disabled):~# virsh capabilities | grep -A1 secmodel
> <secmodel>
> <model>none</model>
> </secmodel>
> <secmodel>
> <model>dac</model>
> </secmodel>
> </host>
>
> Kind regards,
> Sina
>
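The selective unload mentioned in the reply, as an added example that is not part of the original message: it reads a guest's live XML, finds the label of its AppArmor seclabel, and prints the `apparmor_parser -R` command for that one profile so it can be reviewed before it is run. The function names, the sample XML and the `/etc/apparmor.d/libvirt` profile directory with `libvirt-<UUID>` profile names are assumptions based on libvirt's usual layout.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): build the command that unloads the
# AppArmor profile of ONE libvirt guest, leaving every other profile loaded.
# Assumptions: per-guest profiles are named "libvirt-<UUID>" and stored in
# /etc/apparmor.d/libvirt (override with PROFILE_DIR if your host differs).
PROFILE_DIR="${PROFILE_DIR:-/etc/apparmor.d/libvirt}"

# Read domain XML on stdin; print the <label> of the apparmor <seclabel> only.
apparmor_label_from_xml() {
    awk '
        /<seclabel/ { in_sec = ($0 ~ /model=.apparmor./ && $0 !~ /\/>/) }
        in_sec && /<label>/ {
            sub(/.*<label>/, ""); sub(/<\/label>.*/, ""); print; exit
        }
    '
}

# Accept only the exact "libvirt-<UUID>" shape before building a file path.
valid_label() {
    printf '%s\n' "$1" |
        grep -Eq '^libvirt-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print the unload command for the guest whose XML is on stdin.
unload_command() {
    local label
    label=$(apparmor_label_from_xml)
    if ! valid_label "$label"; then
        echo "no AppArmor label of the form libvirt-<UUID> found" >&2
        return 1
    fi
    printf 'apparmor_parser -R %s/%s\n' "$PROFILE_DIR" "$label"
}

# Constructed sample of "virsh dumpxml" output (UUID and DAC label invented).
SAMPLE_XML="<domain type='kvm' id='7'>
  <seclabel type='dynamic' model='apparmor' relabel='yes'>
    <label>libvirt-3f2a9c1e-5b7d-4e8a-9c0f-1a2b3c4d5e6f</label>
  </seclabel>
  <seclabel type='dynamic' model='dac' relabel='yes'>
    <label>+64055:+108</label>
  </seclabel>
</domain>"

# On the source host, as root:
#   virsh dumpxml some-VM | unload_command    # review, then run the output
#   aa-status | grep libvirt-                 # check which guest profiles remain
```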
