Thanks for the hint with the security_driver option.
However, the error still appears after adding the following line to the
configuration file

security_driver = "none"


and restarting the services

sudo service libvirtd restart
sudo service libvirt-guests restart



On a side note:

/etc/libvirt/qemu.conf states that "The default security driver is SELinux"

So could SELinux cause the blocking of the secret file? How would I enable
access to the file in SELinux?


The domain XML is attached.

On Tue, 30 Jul 2019 at 11:06, Guido Günther <[email protected]> wrote:

> Hi,
> On Tue, Jul 30, 2019 at 10:43:25AM +0200, Dominik Reusser wrote:
> > Thanks for your reply
> >
> > On 30.07.19 09:00, Guido Günther wrote:
> > > Hi,
> > > On Tue, Jul 30, 2019 at 07:36:18AM +0200, Dominik wrote:
> > >> Package: libvirt-daemon
> > >> Version: 5.0.0-4
> > >> Severity: normal
> > >>
> > >> Dear Maintainer,
> > >>
> > >> after upgrading to buster, the encrypted kvm-guests stopped working. An
> > error is thrown about missing rights to the file containing the
> encryption
> > secret, which I placed under /etc/libvirt/secret/.
> > >>
> > >> I opened a question with more details on serverfault a while ago:
> >
> https://serverfault.com/questions/974689/encrypted-qemu-virtual-machines-do-not-start-after-upgrade-to-buster-permission
> > > As a workaround you can disable apparmor
> > Do I need to disable apparmor completely through grub as described here:
> > https://wiki.debian.org/AppArmor/HowToUse or would it be possible to
> > disable the profiles for libvirt with aa-disable?
>
>
> Try
>
> security_driver = "none"
>
> in /etc/libvirt/qemu.conf.
>
> instead of disabling apparmor overall.
>
> Attaching the domain xml might help reproducing the bug.
> Cheers,
>  -- Guido
>
> >
> >
> > > but can you attach the dmesg
> > > output after trying to start a domain?
> > $ virsh --connect qemu:///system start Feigenbaum
> > error: Failed to start domain Feigenbaum
> > error: internal error: process exited while connecting to monitor:
> > 2019-07-30T08:15:39.975264Z qemu-system-x86_64: --object
> > secret,id=sec0,file=/etc/libvirt/secrets/Feigenbaum.secret: Unable to
> read
> > /etc/libvirt/secrets/Feigenbaum.secret: Failed to open file
> > “/etc/libvirt/secrets/Feigenbaum.secret”: Permission denied
> >
> > $ sudo dmesg
> >
> > [585353.519853] virbr0: port 2(vnet0) entered blocking state
> > [585353.519854] virbr0: port 2(vnet0) entered disabled state
> > [585353.519887] device vnet0 entered promiscuous mode
> > [585353.519982] virbr0: port 2(vnet0) entered blocking state
> > [585353.519983] virbr0: port 2(vnet0) entered listening state
> > [585353.706058] virbr0: port 2(vnet0) entered disabled state
> > [585353.707387] device vnet0 left promiscuous mode
> > [585353.707395] virbr0: port 2(vnet0) entered disabled state
> >
> > (I removed a bunch of UFW BLOCK messages)
> >
> > Extract from syslog:
> >
> > Jul 30 10:15:39 www kernel: [585353.519853] virbr0: port 2(vnet0) entered
> > blocking state
> > Jul 30 10:15:39 www kernel: [585353.519854] virbr0: port 2(vnet0) entered
> > disabled state
> > Jul 30 10:15:39 www kernel: [585353.519887] device vnet0 entered
> > promiscuous mode
> > Jul 30 10:15:39 www kernel: [585353.519982] virbr0: port 2(vnet0) entered
> > blocking state
> > Jul 30 10:15:39 www kernel: [585353.519983] virbr0: port 2(vnet0) entered
> > listening state
> > Jul 30 10:15:39 www libvirtd[775]: Domain id=5 name='Feigenbaum'
> > uuid=2734b78b-2dc6-4fed-a47b-9bb2534db76e is tainted: custom-argv
> > Jul 30 10:15:40 www kernel: [585353.706058] virbr0: port 2(vnet0) entered
> > disabled state
> > Jul 30 10:15:40 www kernel: [585353.707387] device vnet0 left promiscuous
> > mode
> > Jul 30 10:15:40 www kernel: [585353.707395] virbr0: port 2(vnet0) entered
> > disabled state
> > Jul 30 10:15:40 www libvirtd[775]: Unable to read from monitor:
> Connection
> > reset by peer
> > Jul 30 10:15:40 www libvirtd[775]: internal error: qemu unexpectedly
> closed
> > the monitor: 2019-07-30T08:15:39.975264Z qemu-system-x86_64: --object
> > secret,id=sec0,file=/etc/libvirt/secrets/Feigenbaum.secret: Unable to
> read
> > /etc/libvirt/secrets/Feigenbaum.secret: Failed to open file
> > “/etc/libvirt/secrets/Feigenbaum.secret”: Permission denied
> > Jul 30 10:15:40 www libvirtd[775]: internal error: process exited while
> > connecting to monitor: 2019-07-30T08:15:39.975264Z qemu-system-x86_64:
> > --object secret,id=sec0,file=/etc/libvirt/secrets/Feigenbaum.secret:
> Unable
> > to read /etc/libvirt/secrets/Feigenbaum.secret: Failed to open file
> > “/etc/libvirt/secrets/Feigenbaum.secret”: Permission denied
> >
> >
> > > That should have details what
> > > fails exactly.
> > Let me know if I can provide additional information to get more details
> on
> > what fails.
> >
> > Greetings
> >
> > Dominik
> >
> >
> > On Tue, 30 Jul 2019 at 09:00, Guido Günther <[email protected]> wrote:
> >
> > > Hi,
> > > On Tue, Jul 30, 2019 at 07:36:18AM +0200, Dominik wrote:
> > > > Package: libvirt-daemon
> > > > Version: 5.0.0-4
> > > > Severity: normal
> > > >
> > > > Dear Maintainer,
> > > >
> > > > after upgrading to buster, the encrypted kvm-guests stopped working. An
> > > error is thrown about missing rights to the file containing the
> encryption
> > > secret, which I placed under /etc/libvirt/secret/.
> > > >
> > > > I opened a question with more details on serverfault a while ago:
> > >
> https://serverfault.com/questions/974689/encrypted-qemu-virtual-machines-do-not-start-after-upgrade-to-buster-permission
> > >
> > > As a workaround you can disable apparmor but can you attach the dmesg
> > > output after trying to start a domain? That should have details what
> > > fails exactly.
> > > Cheers,
> > >  -- Guido
> > >
>
<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <name>Feigenbaum</name>
  <uuid>2734b78b-2dc6-4fed-a47b-9bb2534db76e</uuid>
  <memory unit='KiB'>819200</memory>
  <currentMemory unit='KiB'>819200</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-2.10'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>
  <cpu mode='host-model' check='partial'>
    <model fallback='allow'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/bin/kvm</emulator>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='virtio-serial' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:fa:40:46'/>
      <source network='default'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target type='isa-serial' port='0'>
        <model name='isa-serial'/>
      </target>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <channel type='unix'>
      <target type='virtio' name='org.qemu.guest_agent.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <input type='tablet' bus='usb'>
      <address type='usb' bus='0' port='1'/>
    </input>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes'>
      <listen type='address'/>
    </graphics>
    <video>
      <model type='cirrus' vram='16384' heads='1' primary='yes'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </memballoon>
    <rng model='virtio'>
      <backend model='random'>/dev/urandom</backend>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </rng>
  </devices>
  <qemu:commandline>
    <qemu:arg value='--object'/>
    <qemu:arg value='secret,id=sec0,file=/etc/libvirt/secrets/Feigenbaum.secret'/>
    <qemu:arg value='-drive'/>
    <qemu:arg value='driver=qcow2,file.filename=/var/lib/libvirt/images/Feigenbaum.qcow2,encrypt.key-secret=sec0'/>
  </qemu:commandline>
</domain>
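Added example, not part of the bug report and not libvirt's own code: a small POSIX shell helper for the AppArmor side of this problem. When security_driver is unset, libvirt picks the driver available at runtime, which on Debian with AppArmor loaded is "apparmor" regardless of the SELinux sentence in the qemu.conf comment. The per-domain profile libvirt-<uuid> is generated by virt-aa-helper from the devices libvirt parses in the domain XML; arguments passed through <qemu:commandline> (the reason for the "tainted: custom-argv" line in the syslog extract above) are not inspected, so the generated profile likely carries no rule for /etc/libvirt/secrets/Feigenbaum.secret and qemu's open fails with "Permission denied" even though the file mode is fine. AppArmor records such denials as apparmor="DENIED" lines in the kernel log (or in /var/log/audit/audit.log when auditd is running). The script extracts those lines and turns each denied path into a read-only rule for the local override abstraction, which is narrower than switching the security driver off for every guest. The lines in SAMPLE_KERNEL_LOG are constructed to resemble one such denial (the report's own dmesg contains none), and the override file name /etc/apparmor.d/local/abstractions/libvirt-qemu is an assumption to be checked against the installed abstraction.

```shell
#!/bin/sh
# Added example, not from the bug report or from libvirt.
# Extract AppArmor denials from kernel-log text and turn each denied path
# into a minimal read-only rule, as an alternative to security_driver = "none".

# CONSTRUCTED sample: the middle line imitates an AppArmor denial for the
# qemu process confined by the per-domain profile libvirt-<uuid>. The real
# report's dmesg (above) contains no such line.
SAMPLE_KERNEL_LOG='[585353.519853] virbr0: port 2(vnet0) entered blocking state
[585353.600000] audit: type=1400 audit(1564474539.975:812): apparmor="DENIED" operation="open" profile="libvirt-2734b78b-2dc6-4fed-a47b-9bb2534db76e" name="/etc/libvirt/secrets/Feigenbaum.secret" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[585353.706058] virbr0: port 2(vnet0) entered disabled state'

# Read log text on stdin; print one "profile path denied_mask" line per denial.
# Paths are assumed not to contain raw spaces (the audit output escapes them).
apparmor_denials() {
    grep 'apparmor="DENIED"' \
    | sed -n 's/.*profile="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2 \3/p'
}

# One AppArmor file rule granting read-only access to a single path.
allow_rule() {
    printf '  %s r,\n' "$1"
}

# Read log text on stdin; emit a commented read-only rule for every denied path.
# Intended target (assumption; check the installed abstraction for its include):
#   /etc/apparmor.d/local/abstractions/libvirt-qemu
rules_from_log() {
    apparmor_denials | while read -r profile path mask; do
        printf '  # profile %s was denied "%s" on the path below\n' "$profile" "$mask"
        allow_rule "$path"
    done
}

# Demonstration on the constructed sample. On a real host:
#   sudo dmesg | rules_from_log      (or: sudo journalctl -k | rules_from_log)
printf '%s\n' "$SAMPLE_KERNEL_LOG" | rules_from_log
```

After appending the generated rule to the local override file, reload the domain profile with apparmor_parser -r on /etc/apparmor.d/libvirt/libvirt-<uuid> (or simply start the domain again, since libvirt regenerates that profile at start) and retry virsh start. If no apparmor="DENIED" line appears at all while the open still fails, the denial is not coming from AppArmor and the file owner and mode relative to the user qemu runs as (the "user" setting in qemu.conf) are the next thing to check.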
