There is a bug in the /etc/apparmor.d/abstractions/libvirt-qemu file on
line 183

  /sys/devices/system/cpu/cpu*/online r

is missing the trailing ,
it should be
  /sys/devices/system/cpu/cpu*/online r,

This prevents libvirt from loading the VM profile. Unfortunately it does
not report the error and only fails/reports the error when it attempts
to transition to the profile that failed to load.

Once the abstraction is fixed nested kvm works as expected for me.

I have not tried this with an LXD container yet.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1686621

Title:
  Can't change libvirt profile on guest start in artful

Status in apparmor package in Ubuntu:
  New

Bug description:
  Hi,
  we have artful images since a few days - yay!
  Unfortunately they run into issues.

  I first thought this would be related to our slightly uncommon KVM-in-LXD setup but I can reproduce in nested KVM as well.
  For simplicity I'll not mention the -in-LXD logs here as they are more noisy and less common.
  I'm rather convinced if I'd have artful on bare metal it would show there as well but couldn't prove it yet.

  First of all aa-status looks sane to me:
  $ sudo aa-status
  apparmor module is loaded.
  15 profiles are loaded.
  15 profiles are in enforce mode.
     /sbin/dhclient
     /usr/bin/lxc-start
     /usr/lib/NetworkManager/nm-dhcp-client.action
     /usr/lib/NetworkManager/nm-dhcp-helper
     /usr/lib/connman/scripts/dhclient-script
     /usr/lib/snapd/snap-confine
     /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
     /usr/sbin/libvirtd
     /usr/sbin/libvirtd//qemu_bridge_helper
     /usr/sbin/tcpdump
     lxc-container-default
     lxc-container-default-cgns
     lxc-container-default-with-mounting
     lxc-container-default-with-nesting
     virt-aa-helper
  0 profiles are in complain mode.
  2 processes have profiles defined.
  2 processes are in enforce mode.
     /sbin/dhclient (850) 
     /usr/sbin/libvirtd (3635) 
  0 processes are in complain mode.
  0 processes are unconfined but have a profile defined.

  But on actually creating a guest I get an apparmor related issue:
  $ uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=xenial
  $ uvt-kvm create --password=ubuntu x-on-a-test release=xenial label=daily
  uvt-kvm: error: libvirt: internal error: Process exited prior to exec: libvirt:  error : unable to set AppArmor profile 'libvirt-38a056b4-d6b6-4bd7-a61a-add6d9b68bb0' for '/usr/bin/kvm-spice': No such file or directory

  Along with that I see this error about change_profile:
  apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/sbin/libvirtd" name="libvirt-38a056b4-d6b6-4bd7-a61a-add6d9b68bb0" pid=4492 comm="libvirtd"

  The same on a zesty system loads fine and dmesg holds a working reload.
  $ uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=xenial
  $ uvt-kvm create --password=ubuntu x-on-z-test release=xenial label=daily
  (working fine)

  I cleared dmesg and started the guest on both to get all apparmor messages that are related:
  Good case (zesty)
  apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-87503137-d2ad-4bd1-bc37-f2b7e4b468d5" pid=6099 comm="apparmor_parser"
  apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-87503137-d2ad-4bd1-bc37-f2b7e4b468d5" pid=6138 comm="apparmor_parser

  Bad case (artful)
  apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/sbin/libvirtd" name="libvirt-c5ef4b2e-9fcc-42a6-9fc0-651c4ed698f1" pid=4618 comm="libvirtd"

  I didn't see load/replace in artful so far.
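A way to catch both symptoms in this report before or after deployment, as an added example that is not code from the apparmor or libvirt packages: a small Python linter that flags rule lines in an abstraction that lack the required trailing comma (assuming the classic comma-less `include` form), plus a parser that pulls change_profile denials with info="label not found" out of dmesg-style audit lines. The abstraction fragment is constructed; the audit lines reuse the profile names quoted in the bug description.

```python
import re

# Constructed abstraction excerpt modelled on the defect in the comment above:
# the first path rule is missing the trailing comma AppArmor requires.
ABSTRACTION_FRAGMENT = """\
# libvirt-qemu abstraction excerpt (constructed sample)
#include <abstractions/base>
/sys/devices/system/cpu/cpu*/online r
/sys/devices/system/cpu/cpu*/topology/** r,
deny /dev/sda rw,
"""

# Audit lines in the dmesg format quoted in the bug description (profile names
# copied from the report, pids constructed).
AUDIT_LINES = [
    'apparmor="STATUS" operation="profile_load" profile="unconfined" '
    'name="libvirt-87503137-d2ad-4bd1-bc37-f2b7e4b468d5" pid=6099 comm="apparmor_parser"',
    'apparmor="DENIED" operation="change_profile" info="label not found" error=-2 '
    'profile="/usr/sbin/libvirtd" name="libvirt-c5ef4b2e-9fcc-42a6-9fc0-651c4ed698f1" '
    'pid=4618 comm="libvirtd"',
]

# Lines that legitimately end without a comma: comments (which also covers
# "#include"), bare "include" directives (assumption: classic syntax),
# lines ending in a block brace, and backslash continuation lines.
_NO_COMMA_OK = re.compile(r'^\s*(#.*|include\b.*|.*[{}]\s*|.*\\)$')

def find_unterminated_rules(text):
    """Return (line_number, rule) for each rule line missing its trailing ','."""
    hits = []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or _NO_COMMA_OK.match(line):
            continue
        if not line.endswith(','):
            hits.append((num, line.strip()))
    return hits

# key=value pairs; quoted values may contain spaces (info="label not found").
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def change_profile_denials(lines):
    """Extract the change_profile DENIED events that a failed profile load produces."""
    found = []
    for line in lines:
        fields = {k: v.strip('"') for k, v in _KV.findall(line)}
        if fields.get('apparmor') == 'DENIED' and fields.get('operation') == 'change_profile':
            found.append({'profile': fields.get('profile'),
                          'name': fields.get('name'),
                          'info': fields.get('info')})
    return found
```

Running the linter over a real abstraction (`find_unterminated_rules(open(path).read())`) reports the line to fix; the denial parser gives a cheap alert on "label not found" events that libvirt itself does not surface at profile-load time.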
