Package: libvirt-daemon-system
Version: 3.0.0-4+deb9u1
Severity: normal


on a Debian/stretch system with a current kernel from stretch-backports,
I tried putting together a qemu/libvirtd/virt-manager setup and noticed
that libvirt was not able to properly shut down VMs that it had started.

The problem was observable in at least two ways:

(1) Triggering the "shut down" action from virt-manager leads to a
Windows VM showing the shutdown screen, the mouse cursor can no longer
be moved. Typing "list" in virsh tells me that the VM is in state "in

(2) Typing "destroy $NAME" in virsh produces an error message:
| error: Failed to destroy domain $NAME
| error: Failed to terminate process $PID with SIGTERM: Permission denied

Manually killing the qemu process and repeating the "destroy" command
leads to the desired result (state "shut off").

>From the audit log, it is clear that AppArmor (which is enabled by
default in the kernel from stretch-backports) prevents the delivery of
signals. I was able to fix the issue for myself by using
/etc/apparmor.d/* from a newer libvirt-daemon-system version (3.10.0-1).

Please consider doing at least one of the following:
- an update of the AppArmor profile through proposed-updates and the
  next point release
- an update of libvirt via stretch-backports.

I am willing to help with either solution.


-- System Information:
Debian Release: 9.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-0.bpo.3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libvirt-daemon-system depends on:
ii  adduser                3.115
ii  debconf [debconf-2.0]  1.5.61
ii  gettext-base 
ii  init-system-helpers    1.48
ii  iptables               1.6.0+snapshot20161117-6
ii  libapparmor1           2.11.0-3
ii  libaudit1              1:2.6.7-2
ii  libblkid1              2.29.2-1
ii  libc6                  2.24-11+deb9u1
ii  libcap-ng0             0.7.7-3+b1
ii  libdbus-1-3            1.10.24-0+deb9u1
ii  libdevmapper1.02.1     2:1.02.137-2
ii  libnl-3-200            3.2.27-2
ii  libnl-route-3-200      3.2.27-2
ii  libnuma1               2.0.11-2.1
ii  librados2              10.2.5-7.2
ii  librbd1                10.2.5-7.2
ii  libselinux1            2.6-3+b3
ii  libvirt-clients        3.0.0-4+deb9u1
ii  libvirt-daemon         3.0.0-4+deb9u1
ii  libvirt0               3.0.0-4+deb9u1
ii  libxml2                2.9.4+dfsg1-2.2+deb9u2
ii  libyajl2               2.1.0-2+b3
ii  logrotate              3.11.0-0.1
ii  lsb-base               9.20161125
ii  policykit-1            0.105-18

Versions of packages libvirt-daemon-system recommends:
ii  bridge-utils  1.5-13+deb9u1
ii  dmidecode     3.0-4
ii  dnsmasq-base  2.76-5+deb9u1
ii  ebtables
ii  iproute2      4.9.0-1+deb9u1
ii  parted        3.2-17

Versions of packages libvirt-daemon-system suggests:
ii  apparmor    2.11.0-3
ii  auditd      1:2.6.7-2
ii  nfs-common  1:1.3.4-2.1
ii  pm-utils    1.4.1-17
pn  radvd       <none>
ii  systemd     232-25+deb9u1
ii  systemtap   3.1-2
pn  zfsutils    <none>

Reply via email to