Hi, I'm having the same problem and indeed it seems to be related to apparmor. My system is using the same library version numbers as Benoit's system.
As a workaround I set security_driver = "none" in /etc/libvirt/qemu.conf and rebooted: --- /etc/libvirt/qemu.conf 2019/07/21 19:33:30 1.1 +++ /etc/libvirt/qemu.conf 2019/07/21 19:35:54 1.3 
@@ -414,6 +414,7 @@ # isolation, but it cannot appear in a list of drivers. # #security_driver = "selinux" +security_driver = "none" # If set to non-zero, then the default security labeling # will make guests confined. If set to zero, then guests This seems to work for me but I suspect that this is not how it is supposed to be from a security perspective. When explicitly setting security_driver = "apparmor" I had the same problems as in the default configuration, when security_driver is completely commented out. ----- Here the result of some experiments I did *before* changing anything in /etc/libvirt/qemu.conf - maybe this is helpful for finding the bug or giving advice how to properly configure our systems: After host boot, before any VM is started: $ ls -l /etc/apparmor.d/libvirt total 8 -rw-r--r-- 1 root root 342 Jun 17 19:05 TEMPLATE.lxc -rw-r--r-- 1 root root 192 Jun 17 19:05 TEMPLATE.qemu Start a VM: virsh # start buster5 Domain buster5 started $ ls -l /etc/apparmor.d/libvirt total 16 -rw-r--r-- 1 root root 342 Jun 17 19:05 TEMPLATE.lxc -rw-r--r-- 1 root root 192 Jun 17 19:05 TEMPLATE.qemu -rw-r--r-- 1 root root 293 Jul 21 21:07 libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5 -rw-r--r-- 1 root root 649 Jul 21 21:07 libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files $ cat /etc/apparmor.d/libvirt/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT. 
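Review bot: The added `security_driver = "none"` is a host-wide setting for libvirt's QEMU driver, so it removes AppArmor confinement from every guest started on this host, not only from buster5. If a workaround has to stay in place until the profile generation is fixed, a per-domain `<seclabel type='none'/>` in the affected guest's XML would leave the other guests confined; whether that avoids the block-commit denial on this libvirt version is untested here and should be confirmed. A comment above the line, for example `# TEMPORARY: AppArmor denies the block-commit reopen; remove once virt-aa-helper is fixed`, would keep the override from becoming permanent. Only seven lines of qemu.conf are visible in the hunk, so what else still restricts the QEMU processes cannot be judged from it.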
"/var/log/libvirt/**/buster5.log" w, "/var/lib/libvirt/qemu/domain-buster5/monitor.sock" rw, "/var/lib/libvirt/qemu/domain-1-buster5/*" rw, "/var/run/libvirt/**/buster5.pid" rwk, "/run/libvirt/**/buster5.pid" rwk, "/var/run/libvirt/**/*.tunnelmigrate.dest.buster5" rw, "/run/libvirt/**/*.tunnelmigrate.dest.buster5" rw, "/var/lib/libvirt/images/buster5.qcow2" rwk, "/var/lib/libvirt/qemu/domain-1-buster5/{,**}" rwk, "/var/lib/libvirt/qemu/channel/target/domain-1-buster5/{,**}" rwk, "/var/lib/libvirt/qemu/domain-1-buster5/master-key.aes" rwk, "/dev/net/tun" rwk, $ cp /etc/apparmor.d/libvirt/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files /tmp/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files.1 create a snapshot virsh # domblklist buster5 --details Type Device Target Source ----------------------------------------------------------------- file disk hda /var/lib/libvirt/images/buster5.qcow2 file cdrom hdb - virsh # snapshot-create-as --domain buster5 --name backup_overlay --disk-only --atomic --no-metadata Domain snapshot backup_overlay created virsh # domblklist buster5 --details Type Device Target Source -------------------------------------------------------------------------- file disk hda /var/lib/libvirt/images/buster5.backup_overlay file cdrom hdb - $ ls -l /etc/apparmor.d/libvirt total 16 -rw-r--r-- 1 root root 342 Jun 17 19:05 TEMPLATE.lxc -rw-r--r-- 1 root root 192 Jun 17 19:05 TEMPLATE.qemu -rw-r--r-- 1 root root 293 Jul 21 21:07 libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5 -rw-r--r-- 1 root root 535 Jul 21 21:13 libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files $ cat /etc/apparmor.d/libvirt/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT. 
"/var/log/libvirt/**/buster5.log" w, "/var/lib/libvirt/qemu/domain-buster5/monitor.sock" rw, "/var/lib/libvirt/qemu/domain-1-buster5/*" rw, "/var/run/libvirt/**/buster5.pid" rwk, "/run/libvirt/**/buster5.pid" rwk, "/var/run/libvirt/**/*.tunnelmigrate.dest.buster5" rw, "/run/libvirt/**/*.tunnelmigrate.dest.buster5" rw, "/var/lib/libvirt/images/buster5.qcow2" rwk, "/dev/pts/5" rw, "/dev/pts/5" rw, "/var/lib/libvirt/images/buster5.backup_overlay" rwk, $ cp /etc/apparmor.d/libvirt/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files /tmp/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files.2 $ diff -u /tmp/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files.{1,2} --- /tmp/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files.1 2019-07-21 21:11:55.637296657 +0200 +++ /tmp/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files.2 2019-07-21 21:14:59.759204162 +0200 
@@ -7,7 +7,6 @@
 "/var/run/libvirt/**/*.tunnelmigrate.dest.buster5" rw,
 "/run/libvirt/**/*.tunnelmigrate.dest.buster5" rw,
 "/var/lib/libvirt/images/buster5.qcow2" rwk,
- "/var/lib/libvirt/qemu/domain-1-buster5/{,**}" rwk,
- "/var/lib/libvirt/qemu/channel/target/domain-1-buster5/{,**}" rwk,
- "/var/lib/libvirt/qemu/domain-1-buster5/master-key.aes" rwk,
- "/dev/net/tun" rwk,
+ "/dev/pts/5" rw,
+ "/dev/pts/5" rw,
+ "/var/lib/libvirt/images/buster5.backup_overlay" rwk,
cp /var/lib/libvirt/images/buster5.qcow2 /backups/buster5-20190721.qcow2 try blockcommit virsh # blockcommit --domain buster5 --path hda --pivot error: internal error: unable to execute QEMU command 'block-commit': Could not reopen file: Permission denied syslog says: Jul 21 21:16:13 virthost kernel: [20738.344485] audit: type=1400 audit(1563736573.754:28): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5" pid=12452 comm="apparmor_parser" Jul 21 21:16:13 virthost kernel: [20738.472223] audit: type=1400 audit(1563736573.882:29): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5" pid=12456 comm="apparmor_parser" $ ls -l /etc/apparmor.d/libvirt total 16 -rw-r--r-- 1 root root 342 Jun 17 19:05 TEMPLATE.lxc -rw-r--r-- 1 root root 192 Jun 17 19:05 TEMPLATE.qemu -rw-r--r-- 1 root root 293 Jul 21 21:07 libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5 -rw-r--r-- 1 root root 672 Jul 21 21:16 libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files $ cat /etc/apparmor.d/libvirt/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/log/libvirt/**/buster5.log" w, "/var/lib/libvirt/qemu/domain-buster5/monitor.sock" rw, "/var/lib/libvirt/qemu/domain-1-buster5/*" rw, "/var/run/libvirt/**/buster5.pid" rwk, "/run/libvirt/**/buster5.pid" rwk, "/var/run/libvirt/**/*.tunnelmigrate.dest.buster5" rw, "/run/libvirt/**/*.tunnelmigrate.dest.buster5" rw, "/var/lib/libvirt/images/buster5.backup_overlay" rwk, "/var/lib/libvirt/images/buster5.qcow2" rk, # don't audit writes to readonly files deny "/var/lib/libvirt/images/buster5.qcow2" w, "/dev/pts/5" rw, "/dev/pts/5" rw, "/var/lib/libvirt/images/buster5.qcow2" rwk, $ cp /etc/apparmor.d/libvirt/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files /tmp/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files.3 $ diff -u /tmp/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files.{2,3} --- /tmp/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files.2 2019-07-21 21:14:59.759204162 +0200 +++ /tmp/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files.3 2019-07-21 21:17:51.601252623 +0200 
@@ -6,7 +6,10 @@
 "/run/libvirt/**/buster5.pid" rwk,
 "/var/run/libvirt/**/*.tunnelmigrate.dest.buster5" rw,
 "/run/libvirt/**/*.tunnelmigrate.dest.buster5" rw,
- "/var/lib/libvirt/images/buster5.qcow2" rwk,
+ "/var/lib/libvirt/images/buster5.backup_overlay" rwk,
+ "/var/lib/libvirt/images/buster5.qcow2" rk,
+ # don't audit writes to readonly files
+ deny "/var/lib/libvirt/images/buster5.qcow2" w,
 "/dev/pts/5" rw,
 "/dev/pts/5" rw,
- "/var/lib/libvirt/images/buster5.backup_overlay" rwk,
+ "/var/lib/libvirt/images/buster5.qcow2" rwk,
stopping apparmor allows me to do the blockcommit $ sudo aa-teardown Unloading AppArmor profiles virsh # blockcommit --domain buster5 --path hda --pivot Successfully pivoted $ sudo rm /var/lib/libvirt/images/buster5.backup_overlay $ cp /etc/apparmor.d/libvirt/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files /tmp/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files.4 $ diff -u /tmp/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files.{3,4} (unchanged) Maybe the "deny ..." line causes the problems? $ sudo grep -r 'DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.' /etc /usr /etc/apparmor.d/libvirt/libvirt-089ee8b3-5793-4ef6-900f-46f6a62769d5.files:# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT. Binary file /usr/lib/libvirt/virt-aa-helper matches So /usr/lib/libvirt/virt-aa-helper or its configuration will probably need further examination. Thanks Sebastian
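Review bot: The new side of this hunk holds two conflicting rules for the same path, `deny "/var/lib/libvirt/images/buster5.qcow2" w,` and, three lines further down, `"/var/lib/libvirt/images/buster5.qcow2" rwk,`. In AppArmor a deny rule takes precedence over an allow rule for the same access regardless of their order, so the trailing `rwk` line does not restore write access to the base image; that matches the `Could not reopen file: Permission denied` returned by block-commit. The `rk` plus `deny ... w` pair presumably comes from buster5.qcow2 being labelled as a read-only backing file of the overlay, which would place the defect in how virt-aa-helper labels the chain during a commit rather than in this generated file. For diagnosis, setting only this guest's profile to complain mode would be narrower than `aa-teardown`, which unloads every AppArmor profile on the host.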