BTW: some of you asked for the per-guest profiles in /etc/apparmor.d/libvirt.
Those are still created, just instead of an unreliable cron job to clean them
"every now and then" they are now removed once the guest reaches its EOL. So
after a shutdown or crash it is normal that it is gone.
For debugging in case of a dying guest, you can still get the output via the
following:
1. get an xml of your guest (I assume it is in shutdown state)
$ virsh dumpxml <guestname> > /tmp/test.xml
2. get the UUID of the guest
$ virsh dominfo <guestname> | grep UUID
3. let virt-aa-helper run against this xml and check what it is generating
$ /usr/lib/libvirt/virt-aa-helper -u libvirt-<UUID> -r --dryrun < /tmp/test.xml
That looks something like this then:
$ /usr/lib/libvirt/virt-aa-helper -u libvirt-488cf3a8-c765-4418-8e47-7f9aa622ff40 -r --dryrun < /tmp/test.xml
virt-aa-helper: /etc/apparmor.d/libvirt/libvirt-488cf3a8-c765-4418-8e47-7f9aa622ff40.files
virt-aa-helper:
"/var/log/libvirt/**/subiquity-test.log" w,
"/var/lib/libvirt/qemu/domain-subiquity-test/monitor.sock" rw,
"/var/lib/libvirt/qemu/domain--1-subiquity-test/*" rw,
"/var/lib/libvirt/qemu/channel/target/domain--1-subiquity-test/*" rw,
"/var/run/libvirt/**/subiquity-test.pid" rwk,
"/run/libvirt/**/subiquity-test.pid" rwk,
"/var/run/libvirt/**/*.tunnelmigrate.dest.subiquity-test" rw,
"/run/libvirt/**/*.tunnelmigrate.dest.subiquity-test" rw,
"/var/lib/libvirt/images/subiquity-test.qcow2" rwk,
I'd ask all of you in the affected cases to report the following so that I can
reproduce, debug and code a fix.
1. your disk setup (how you set up your lvm / zfs so that I can build something
comparable)
2. your guest XML (I want to recreate your case, so your raw virsh dumpxml
<guestname> will help me a lot)
3. the output of virt-aa-helper as I outlined above, if possible one of
4.0.0-1ubuntu4 and one of 4.0.0-1ubuntu5 so that we can check all differences
4. the dmesg output when you fail-start a guest with the new version to see the
associated apparmor denie
In said update of libvirt that you are referring to there is one (and only one)
change in the area that should be responsible. We fixed that symlinks are
resolved before going into the per-guest rules.
In theory that should always be correct - as apparmor in the kernel resolves
symlinks before comparing them against the rules - but maybe we found a case
where this isn't fully true.
TL;DR: help me reproduce your case so that I can work out a fix.
** Changed in: libvirt (Ubuntu)
Status: Confirmed => Incomplete
https://bugs.launchpad.net/bugs/1756394
Title:
Upgrading libvirt from 4.0.0-1ubuntu4 to 4.0.0-1ubuntu5 introduced a
permission denied on device error
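Added example, not part of the original message and not libvirt code: a Python check that takes the guest XML from step 1 and the virt-aa-helper dry-run output from step 3 and reports disks whose symlink-resolved path is not covered by any generated rule. The glob handling is a simplified subset of AppArmor syntax (only `*`, `**` and `?`), and the function names and the symlinked disk in demo() are constructed for illustration.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

RULE_RE = re.compile(r'^\s*"([^"]+)"\s+([a-zA-Z]+),\s*$')

def parse_rules(dryrun_output):
    """Extract (path_glob, perms) pairs from `virt-aa-helper --dryrun` output."""
    return [m.groups() for m in map(RULE_RE.match, dryrun_output.splitlines()) if m]

def disk_sources(domain_xml):
    """Disk paths from `virsh dumpxml` output (<source file=...> or dev=...)."""
    root = ET.fromstring(domain_xml)
    return [s.get("file") or s.get("dev")
            for s in root.findall("./devices/disk/source")
            if s.get("file") or s.get("dev")]

def glob_to_regex(glob):
    """Simplified AppArmor globbing (assumption): '**' crosses '/', '*' and '?' do not."""
    parts = re.split(r"(\*\*|\*|\?)", glob)
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts) + r"\Z")

def uncovered_disks(domain_xml, dryrun_output, need="rw"):
    """Return [(configured, resolved)] for disks no rule covers after symlink resolution."""
    rules = [(glob_to_regex(g), set(p)) for g, p in parse_rules(dryrun_output)]
    missing = []
    for path in disk_sources(domain_xml):
        real = os.path.realpath(path)  # the kernel compares the resolved name, per the message
        if not any(rx.match(real) and set(need) <= perms for rx, perms in rules):
            missing.append((path, real))
    return missing

def demo():
    """Constructed case: the disk is a symlink; the rule names the link or its target."""
    with tempfile.TemporaryDirectory() as tmp:
        d = os.path.realpath(tmp)
        target, link = os.path.join(d, "dm-3"), os.path.join(d, "guest-disk")
        open(target, "w").close()
        os.symlink(target, link)
        xml = f"<domain><devices><disk type='block'><source dev='{link}'/></disk></devices></domain>"
        by_link = f'virt-aa-helper:\n  "{link}" rwk,\n'
        by_target = f'virt-aa-helper:\n  "{target}" rwk,\n'
        return uncovered_disks(xml, by_link), uncovered_disks(xml, by_target)

if __name__ == "__main__":
    print(demo())
```

Against a real guest, pass the contents of /tmp/test.xml and the captured dry-run output to uncovered_disks(); an empty list means every disk path is covered once symlinks are resolved.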