Public bug reported: I have VMs failing to start with 2017-02-17 15:38:44.458 264015 ERROR nova.compute.manager [instance: 0c97ab16-2d30-43fa-b0e4-a064a842b5ed] libvirtError: internal error: process exited while connecting to monitor: 2017-02-17T15:38:43.907222Z qemu-system-x86_64: -netdev tap,ifname=tapf34ef99e-18,id=hostnet0,vhost=on,vhostfd=28: network script /etc/qemu-ifup failed with status 256
Log excerpt: http://cdn.pasteraw.com/b3tw4cjefomfi3e9k09hvodrfun85z Seems to be that /etc/qemu-ifup is being blocked by apparmor: type=AVC msg=audit(1487347189.015:28536): apparmor="DENIED" operation="exec" profile="libvirt-4a03fea7-e966-48e4-80ac-aa138db67243" name="/etc/qemu-ifup" pid=285438 comm="qemu-system-x86" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 type=PATH msg=audit(1487347189.015:28536): item=0 name="/etc/qemu-ifup" inode=66403 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# cat /etc/apparmor.d/libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243 # # This profile is for the domain whose UUID matches this file. # #include <tunables/global> profile libvirt-4a03fea7-e966-48e4-80ac-aa138db67243 { #include <abstractions/libvirt-qemu> #include <libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243.files> } root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# cat /etc/apparmor.d/libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243.files # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT. "/var/log/libvirt/**/instance-00000008.log" w, "/var/lib/libvirt/qemu/domain-instance-00000008/monitor.sock" rw, "/var/run/libvirt/**/instance-00000008.pid" rwk, "/run/libvirt/**/instance-00000008.pid" rwk, "/var/run/libvirt/**/*.tunnelmigrate.dest.instance-00000008" rw, "/run/libvirt/**/*.tunnelmigrate.dest.instance-00000008" rw, "/var/lib/nova/instances/4a03fea7-e966-48e4-80ac-aa138db67243/console.log" rw, "/var/lib/nova/instances/4a03fea7-e966-48e4-80ac-aa138db67243/console.log" rw, # for qemu guest agent channel owner "/var/lib/libvirt/qemu/channel/target/domain-instance-00000008/**" rw, /dev/vhost-net rw, root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# dpkg -S libvirt-qemu libvirt-bin: /etc/apparmor.d/abstractions/libvirt-qemu root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# dpkg -l libvirt-bin Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-=========================================-=========================-=========================-======================================================================================= ii libvirt-bin 1.3.1-1ubuntu10.6~cloud0 amd64 programs for the libvirt library Seeing identical behavior on Xenial ubuntu@ubuntu-xenial-5165:~$ dpkg -l libvirt-bin Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-=========================================-=========================-=========================-======================================================================================= ii libvirt-bin 1.3.1-1ubuntu10.8 amd64 programs for the libvirt library ** Affects: libvirt (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1665698 Title: /etc/qemu-ifup not allowed by apparmor To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1665698/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
