[Touch-packages] [Bug 1772538] Re: Can't start arm64 VM due to apparmor error.
We have a few changes, but none of these is "the" issue. - Cpu features - cpu model - emulator without redirect But I found that your nvram line is wrong: /usr/share/AAVMF/AAVMF_VARS.fd With that you want it to change the systems default template, you should instead use /var/lib/libvirt/qemu/nvram/b1_VARS.fd With an individual guest name. This misconfiguration is the problem that breaks it: error: internal error: cannot load AppArmor profile 'libvirt-1f776433-dc84-43ac-9e60-b8e571ae22ff' If anything the message is sort of misleading, but that is another issue (see bug 1767934 for that). For this bug here it is just misconfiguration, switching to my suggestion above avoids the issue and make it work. Note: The apparmor Deny messages are actually a Red Herring and no more occurring in later versions. ** Changed in: libvirt (Ubuntu) Status: New => Invalid ** Changed in: apparmor (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1772538 Title: Can't start arm64 VM due to apparmor error. Status in apparmor package in Ubuntu: Invalid Status in libvirt package in Ubuntu: Invalid Bug description: I can create an aarch64 VM but when I go to start the VM I see this error: $ virsh start legal-coyote error: Failed to start domain legal-coyote error: internal error: cannot load AppArmor profile 'libvirt-9728b707-1f47-4cd7-a4ca-6eddf5d98d04' This was on a brand new ubuntu 16.04.4 install. Below are the steps that were executed, including what produced there error as well as some system information. 1. $ sudo apt update && sudo apt upgrade && sudo apt install emacs libvirt-bin qemu-system-arm qemu-efi 2. Created a VM with MAAS. 3. $ virsh list --all IdName State - legal-coyote shut off 4. $ virsh dumpxml legal-coyote legal-coyote 9728b707-1f47-4cd7-a4ca-6eddf5d98d04 1048576 1048576 1 hvm /usr/share/AAVMF/AAVMF_CODE.fd /usr/share/AAVMF/AAVMF_VARS.fd destroy restart restart /usr/bin/qemu-system-aarch64 5. $ virsh start legal-coyote error: Failed to start domain legal-coyote error: internal error: cannot load AppArmor profile 'libvirt-9728b707-1f47-4cd7-a4ca-6eddf5d98d04' 6. Checking dmesg... [ 726.425389] virbr0: $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 16.04.4 LTS Release: 16.04 Codename: xenialport 1(virbr0-nic) entered listening state [ 726.425419] virbr0: port 1(virbr0-nic) entered listening state [ 727.959553] virbr0: port 1(virbr0-nic) entered disabled state [ 896.933127] audit: type=1400 audit(1526946784.127:18): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/proc/9083/auxv" pid=9083 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 896.933169] audit: type=1400 audit(1526946784.127:19): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/proc/9083/auxv" pid=9083 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 896.933846] audit: type=1400 audit(1526946784.127:20): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/proc/9083/auxv" pid=9083 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 896.933890] audit: type=1400 audit(1526946784.127:21): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/proc/9083/auxv" pid=9083 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 896.937130] audit: type=1400 audit(1526946784.131:22): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/var/lib/libvirt/maas-images/796e5e0f-ab62-4e44-8189-bbc754635e0b" pid=9083 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 943.086388] audit: type=1400 audit(1526946830.280:23): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/proc/9174/auxv" pid=9174 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 943.086429] audit: type=1400 audit(1526946830.280:24): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/proc/9174/auxv" pid=9174 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 943.087171] audit: type=1400 audit(1526946830.
[Touch-packages] [Bug 1772538] Re: Can't start arm64 VM due to apparmor error.
I set up a Xenial on arm64. I created a working guest like: b1 1f776433-dc84-43ac-9e60-b8e571ae22ff https://launchpad.net/uvtool/libvirt/1";>ssh-rsa B3NzaC1yc2EDAQABAAABAQCWcGghaCsAwBh0VauPNnnRshKfGD6uXqHEQb9djUlSQ/wKjgNCemAamaVTZjHJoT+Q5whAtv0SkRc6Vj9mlODBtBeBPqZS00HbM1TqH6HkX44SG52IhO9zVnNU1uc6SanhCqd7mEuz5PpWnTWl1zzXJnaFJUKf25gTOdms85jBKEx2hyL6YBSuACVN6nmhhPGlpq1IAyzz4wK9WdYjYHkHtJubvqRu/6eXZOoQRcf3RciHC4Monicq2d95H9qTD7mZpyk/LwA3gFXbsVzzL5o4o0k0WdrUq9Ic+Dt81AjzhakQrcdTLwhh6Pv7cDFLMpLkgYsSaq7fHbNY0nFJRZMZ root@localhost ssh-dss B3NzaC1kc3MAAACBANiaS3GwkeTyoQevH1IPIUARdFKECFYH7G7XAru+R52nVy3C670aSuNtcYhXv4U418n8kZWE9TEypICC9o9cDo55EQRMr+een1CepHgXCRRwFv52koFq7E0Hse6/v6i+oNvM2tV+R9RoPOPI3KgW4nvkfKcKH91taeEa4SENZYHhFQD6h2G43Re8FNw4Y/hz5hmxONyGhwAAAIEAlnBjI2FRDbk4CwkNk7FQdo2D9dAjrGtVG6yzMVq7cOfwo7V/rVYlUOxzwUFi/1LJDquE12NzxQgLnYBkNtzO+xx3KrNwyNE4weOTqfZvrl+HGSTOmjLGKa1tGHsBJFC4uN6mo08Vl7fOvMCsDSqsXTGpNHedU5KssM7GvizikAMAAACAIKqIaYn4kL3VgXaRyX7foJLxduJ0L+kruzic51+qFSS6fWrqgDH6Dz4pQnIK4+TJB6ZQd4ebj/EmTlVodMghjf871kx3kenA9T4cLDhvKF1/XsfVbbU3n1OcKhiTjDlhK7U8DdW7fmKWqdpc8zPidgkbzdbgCZIOm4MFasYI1U4= root@localhost ecdsa-sha2-nistp256 E2VjZHNhLXNoYTItbmlzdHAyNTYIbmlzdHAyNTYAAABBBPA6IYS9nG9a2J04SE5cueII8NQDJgqfVxYapr9lAU12GJUQ2MIRVXlHkoWXRn5B+RzfdAxncdjQ2eiZS5tSNdQ= root@localhost ssh-ed25519 C3NzaC1lZDI1NTE5IK8YgP8eYAJTSTVhEh0NVBFCyT2JZPLbUQ6DV8q6HKmA root@localhost 524288 524288 1 /machine hvm /usr/share/AAVMF/AAVMF_CODE.fd /var/lib/libvirt/qemu/nvram/b1_VARS.fd host destroy restart destroy /usr/bin/kvm libvirt-1f776433-dc84-43ac-9e60-b8e571ae22ff libvirt-1f776433-dc84-43ac-9e60-b8e571ae22ff This is with ii libvirt-bin1.3.1-1ubuntu10.23 arm64programs for the libvirt library ii libvirt0:arm64 1.3.1-1ubuntu10.23 arm64library for interfacing with different virtualization systems ii qemu-block-extra:arm64 1:2.5+dfsg-5ubuntu10.29 arm64extra block backend modules for qemu-system and qemu-utils ii qemu-efi 0~20160408.ffea0a2c-2 all UEFI firmware for virtual machines ii qemu-kvm 1:2.5+dfsg-5ubuntu10.29 arm64QEMU Full virtualization ii qemu-system-arm1:2.5+dfsg-5ubuntu10.29 arm64QEMU full system emulation binaries (arm) ii qemu-system-common 1:2.5+dfsg-5ubuntu10.29 arm64QEMU full system emulation binaries (common files) ii qemu-utils 1:2.5+dfsg-5ubuntu10.29 arm64QEMU utilities This works just fine for me, so lets try to find what exactly is different in your case. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1772538 Title: Can't start arm64 VM due to apparmor error. Status in apparmor package in Ubuntu: New Status in libvirt package in Ubuntu: New Bug description: I can create an aarch64 VM but when I go to start the VM I see this error: $ virsh start legal-coyote error: Failed to start domain legal-coyote error: internal error: cannot load AppArmor profile 'libvirt-9728b707-1f47-4cd7-a4ca-6eddf5d98d04' This was on a brand new ubuntu 16.04.4 install. Below are the steps that were executed, including what produced there error as well as some system information. 1. $ sudo apt update && sudo apt upgrade && sudo apt install emacs libvirt-bin qemu-system-arm qemu-efi 2. Created a VM with MAAS. 3. $ virsh list --all IdName State - legal-coyote shut off 4. $ virsh dumpxml legal-coyote legal-coyote 9728b707-1f47-4cd7-a4ca-6eddf5d98d04 1048576 1048576 1 hvm /usr/share/AAVMF/AAVMF_CODE.fd /usr/share/AAVMF/AAVMF_VARS.fd destroy restart restart /usr/bin/qemu-system-aarch64 5. $ virsh start legal-coyote error: Failed to start domain legal-coyote error: internal error: cannot load AppArmor profile 'libvirt-9728b707-1f47-4cd7-a4ca-6eddf5d98d04' 6. Checking dmesg... [ 726.425389] virbr0: $ lsb_release -a No LSB modules are ava
[Touch-packages] [Bug 1772538] Re: Can't start arm64 VM due to apparmor error.
Hi Newell - Hmm, interesting.
We have
owner @{PROC}/*/auxv r,
for qemu, but never had/needed so for
/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper which your denies are against.
For "myself" IN only resolved arm VMs in Bionic and forward (since I made
uvtool fully work for me on arm), but together with Dannf I know that they
could be run before.
Let me try to re-create your case ...
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1772538
Title:
Can't start arm64 VM due to apparmor error.
Status in apparmor package in Ubuntu:
New
Status in libvirt package in Ubuntu:
New
Bug description:
I can create an aarch64 VM but when I go to start the VM I see this
error:
$ virsh start legal-coyote
error: Failed to start domain legal-coyote
error: internal error: cannot load AppArmor profile
'libvirt-9728b707-1f47-4cd7-a4ca-6eddf5d98d04'
This was on a brand new ubuntu 16.04.4 install. Below are the steps
that were executed, including what produced there error as well as
some system information.
1. $ sudo apt update && sudo apt upgrade && sudo apt install emacs
libvirt-bin qemu-system-arm qemu-efi
2. Created a VM with MAAS.
3. $ virsh list --all
IdName State
- legal-coyote shut off
4. $ virsh dumpxml legal-coyote
legal-coyote
9728b707-1f47-4cd7-a4ca-6eddf5d98d04
1048576
1048576
1
hvm
/usr/share/AAVMF/AAVMF_CODE.fd
/usr/share/AAVMF/AAVMF_VARS.fd
destroy
restart
restart
/usr/bin/qemu-system-aarch64
5. $ virsh start legal-coyote
error: Failed to start domain legal-coyote
error: internal error: cannot load AppArmor profile
'libvirt-9728b707-1f47-4cd7-a4ca-6eddf5d98d04'
6. Checking dmesg...
[ 726.425389] virbr0: $ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.4 LTS
Release: 16.04
Codename: xenialport 1(virbr0-nic) entered listening state
[ 726.425419] virbr0: port 1(virbr0-nic) entered listening state
[ 727.959553] virbr0: port 1(virbr0-nic) entered disabled state
[ 896.933127] audit: type=1400 audit(1526946784.127:18): apparmor="DENIED"
operation="open" profile="/usr/lib/libvirt/virt-aa-helper"
name="/proc/9083/auxv" pid=9083 comm="virt-aa-helper" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
[ 896.933169] audit: type=1400 audit(1526946784.127:19): apparmor="DENIED"
operation="open" profile="/usr/lib/libvirt/virt-aa-helper"
name="/proc/9083/auxv" pid=9083 comm="virt-aa-helper" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
[ 896.933846] audit: type=1400 audit(1526946784.127:20): apparmor="DENIED"
operation="open" profile="/usr/lib/libvirt/virt-aa-helper"
name="/proc/9083/auxv" pid=9083 comm="virt-aa-helper" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
[ 896.933890] audit: type=1400 audit(1526946784.127:21): apparmor="DENIED"
operation="open" profile="/usr/lib/libvirt/virt-aa-helper"
name="/proc/9083/auxv" pid=9083 comm="virt-aa-helper" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
[ 896.937130] audit: type=1400 audit(1526946784.131:22): apparmor="DENIED"
operation="open" profile="/usr/lib/libvirt/virt-aa-helper"
name="/var/lib/libvirt/maas-images/796e5e0f-ab62-4e44-8189-bbc754635e0b"
pid=9083 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 943.086388] audit: type=1400 audit(1526946830.280:23): apparmor="DENIED"
operation="open" profile="/usr/lib/libvirt/virt-aa-helper"
name="/proc/9174/auxv" pid=9174 comm="virt-aa-helper" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
[ 943.086429] audit: type=1400 audit(1526946830.280:24): apparmor="DENIED"
operation="open" profile="/usr/lib/libvirt/virt-aa-helper"
name="/proc/9174/auxv" pid=9174 comm="virt-aa-helper" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
[ 943.087171] audit: type=1400 audit(1526946830.280:25): apparmor="DENIED"
operation="open" profile="/usr/lib/libvirt/virt-aa-helper"
name="/proc/9174/auxv" pid=9174 comm="virt-aa-helper" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
[ 943.087214] audit: type=1400 audit(1526946830.280:26): apparmor="DENIED"
operation="open" profile="/usr/lib/libvirt/virt-aa-helper"
name="/proc/9174/auxv" pid=9174 comm="virt-aa-helper" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
[ 943.090417] audit: type=1400 audit(1526946830.284:27): apparmor="DENIED"
operation="open" profile="/usr/lib/libvirt/virt-a
[Touch-packages] [Bug 1772538] Re: Can't start arm64 VM due to apparmor error.
This is a top-notch bug report! Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1772538 Title: Can't start arm64 VM due to apparmor error. Status in apparmor package in Ubuntu: New Status in libvirt package in Ubuntu: New Bug description: I can create an aarch64 VM but when I go to start the VM I see this error: $ virsh start legal-coyote error: Failed to start domain legal-coyote error: internal error: cannot load AppArmor profile 'libvirt-9728b707-1f47-4cd7-a4ca-6eddf5d98d04' This was on a brand new ubuntu 16.04.4 install. Below are the steps that were executed, including what produced there error as well as some system information. 1. $ sudo apt update && sudo apt upgrade && sudo apt install emacs libvirt-bin qemu-system-arm qemu-efi 2. Created a VM with MAAS. 3. $ virsh list --all IdName State - legal-coyote shut off 4. $ virsh dumpxml legal-coyote legal-coyote 9728b707-1f47-4cd7-a4ca-6eddf5d98d04 1048576 1048576 1 hvm /usr/share/AAVMF/AAVMF_CODE.fd /usr/share/AAVMF/AAVMF_VARS.fd destroy restart restart /usr/bin/qemu-system-aarch64 5. $ virsh start legal-coyote error: Failed to start domain legal-coyote error: internal error: cannot load AppArmor profile 'libvirt-9728b707-1f47-4cd7-a4ca-6eddf5d98d04' 6. Checking dmesg... [ 726.425389] virbr0: $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 16.04.4 LTS Release: 16.04 Codename: xenialport 1(virbr0-nic) entered listening state [ 726.425419] virbr0: port 1(virbr0-nic) entered listening state [ 727.959553] virbr0: port 1(virbr0-nic) entered disabled state [ 896.933127] audit: type=1400 audit(1526946784.127:18): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/proc/9083/auxv" pid=9083 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 896.933169] audit: type=1400 audit(1526946784.127:19): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/proc/9083/auxv" pid=9083 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 896.933846] audit: type=1400 audit(1526946784.127:20): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/proc/9083/auxv" pid=9083 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 896.933890] audit: type=1400 audit(1526946784.127:21): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/proc/9083/auxv" pid=9083 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 896.937130] audit: type=1400 audit(1526946784.131:22): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/var/lib/libvirt/maas-images/796e5e0f-ab62-4e44-8189-bbc754635e0b" pid=9083 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 943.086388] audit: type=1400 audit(1526946830.280:23): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/proc/9174/auxv" pid=9174 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 943.086429] audit: type=1400 audit(1526946830.280:24): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/proc/9174/auxv" pid=9174 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 943.087171] audit: type=1400 audit(1526946830.280:25): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/proc/9174/auxv" pid=9174 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 943.087214] audit: type=1400 audit(1526946830.280:26): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/proc/9174/auxv" pid=9174 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 943.090417] audit: type=1400 audit(1526946830.284:27): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/var/lib/libvirt/maas-images/796e5e0f-ab62-4e44-8189-bbc754635e0b" pid=9174 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 7. $ dpkg -l | grep libvirt ii libvirt-bin 1.3.1-1ubuntu10.23 arm64programs for the libvirt library ii libvirt0:arm64
