Hi all, I'm having trouble reproducing this issue. I'm launching a
Resolute server like so:
```sh
qemu-system-x86_64 \
-machine q35,accel=kvm \
-cpu host \
-m 4G \
-smp 2 \
-nographic \
-drive file=resolute-server-cloudimg-amd64.img,format=qcow2,if=virtio \
-drive file=seed.iso,media=cdrom,if=virtio \
-netdev user,id=net0,hostfwd=tcp::2222-:22 \
-device virtio-net-pci,netdev=net0
```
Where `seed.iso` is just built from `user-data` and `meta-data` using
the following:
```
cat user-data
#cloud-config
password: password
chpasswd: { expire: False }
ssh_pwauth: True
```
```
cat meta-data
instance-id: my-resolute-server
local-hostname: resolute-server
```
```
cloud-localds seed.iso user-data meta-data
```
And `resolute-server-cloudimg-amd64.img` from
`https://cloud-images.ubuntu.com/resolute/current/` is:
```
8ed228c9f08a50122fa72307623d9f88d9209ba26e7e849edd584fa675e34863 *resolute-server-cloudimg-amd64.img
```
Here's the result from a fresh Resolute server install using the latest
server image:
```
...
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
ubuntu@resolute-server:~$ journalctl --no-pager | grep 'apparmor="DENIED"'
May 20 18:40:42 resolute-server kernel: audit: type=1400 audit(1779302442.860:181): apparmor="DENIED" operation="sendmsg" class="file" profile="systemd-detect-virt" name="/apparmor/disconnected/run/systemd/journal/socket" pid=1479 comm="systemd-detect-" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
May 20 18:40:42 resolute-server kernel: audit: type=1400 audit(1779302442.860:182): apparmor="DENIED" operation="capable" class="cap" profile="systemd-detect-virt" pid=1479 comm="systemd-detect-" capability=38 capname="perfmon"
May 20 18:40:42 resolute-server kernel: audit: type=1400 audit(1779302442.860:183): apparmor="DENIED" operation="sendmsg" class="file" profile="systemd-detect-virt" name="/apparmor/disconnected/run/systemd/notify" pid=1479 comm="systemd-detect-" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
May 20 18:40:50 resolute-server kernel: audit: type=1400 audit(1779302450.641:187): apparmor="DENIED" operation="open" class="file" profile="who" name="/usr/share/coreutils/locales/uucore/en-US.ftl" pid=1705 comm="who" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
After running the cache explicitly, I'm still not seeing anything:
```
ubuntu@resolute-server:~$ sudo /usr/lib/ubuntu-advantage/esm_cache.py
ubuntu@resolute-server:~$ journalctl --no-pager | grep 'apparmor="DENIED"'
May 20 18:40:42 resolute-server kernel: audit: type=1400 audit(1779302442.860:181): apparmor="DENIED" operation="sendmsg" class="file" profile="systemd-detect-virt" name="/apparmor/disconnected/run/systemd/journal/socket" pid=1479 comm="systemd-detect-" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
May 20 18:40:42 resolute-server kernel: audit: type=1400 audit(1779302442.860:182): apparmor="DENIED" operation="capable" class="cap" profile="systemd-detect-virt" pid=1479 comm="systemd-detect-" capability=38 capname="perfmon"
May 20 18:40:42 resolute-server kernel: audit: type=1400 audit(1779302442.860:183): apparmor="DENIED" operation="sendmsg" class="file" profile="systemd-detect-virt" name="/apparmor/disconnected/run/systemd/notify" pid=1479 comm="systemd-detect-" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
May 20 18:40:50 resolute-server kernel: audit: type=1400 audit(1779302450.641:187): apparmor="DENIED" operation="open" class="file" profile="who" name="/usr/share/coreutils/locales/uucore/en-US.ftl" pid=1705 comm="who" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
Are you still encountering this issue in your pipelines? I tried with
the image in https://cloud-images.ubuntu.com/resolute/20260221/ as well
and still could not repro.
--
https://bugs.launchpad.net/bugs/2143251
Title:
ubuntu_pro_esm_cache_systemd_detect_virt apparmor DENIED audit
messages for perfmon capability
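One way to triage the journal check from the message above by profile instead of by eye, as an added example that is not part of the original message or of ubuntu-advantage-tools: it groups `apparmor="DENIED"` records by profile, operation and capname (or name), and counts capability denials for one profile. The function names are made up for this example, the first two sample records are taken from the output above, and the third is a constructed record that assumes the profile is named as in the bug title.

```shell
#!/bin/sh
# Journal text on stdin -> "count<TAB>profile<TAB>operation<TAB>capname-or-name".
summarize_denials() {
  awk '
    # Return the value of key=value or key="value" in the record, "-" if absent.
    function field(key,   re, s) {
      re = " " key "=(\"[^\"]*\"|[^ ]*)"
      if (!match($0, re)) return "-"
      s = substr($0, RSTART, RLENGTH)
      sub("^ " key "=", "", s)
      gsub(/"/, "", s)
      return s
    }
    /apparmor="DENIED"/ {
      detail = field("capname")                  # capability denials carry capname
      if (detail == "-") detail = field("name")  # file denials carry name
      n[field("profile") "\t" field("operation") "\t" detail]++
    }
    END { for (k in n) print n[k] "\t" k }
  ' | sort
}

# $1 = profile, $2 = capname -> number of capability denials for that pair.
count_cap_denials() {
  summarize_denials |
    awk -F '\t' -v p="$1" -v c="$2" \
      '$2 == p && $3 == "capable" && $4 == c { s += $1 } END { print s + 0 }'
}

# Records 1-2: from the output above. Record 3: constructed (hypothetical),
# assuming the profile name matches the bug title.
SAMPLE='May 20 18:40:42 resolute-server kernel: audit: type=1400 audit(1779302442.860:182): apparmor="DENIED" operation="capable" class="cap" profile="systemd-detect-virt" pid=1479 comm="systemd-detect-" capability=38 capname="perfmon"
May 20 18:40:50 resolute-server kernel: audit: type=1400 audit(1779302450.641:187): apparmor="DENIED" operation="open" class="file" profile="who" name="/usr/share/coreutils/locales/uucore/en-US.ftl" pid=1705 comm="who" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 01 00:00:00 example-host kernel: audit: type=1400 audit(0.000:1): apparmor="DENIED" operation="capable" class="cap" profile="ubuntu_pro_esm_cache_systemd_detect_virt" pid=1 comm="systemd-detect-" capability=38 capname="perfmon"'

printf '%s\n' "$SAMPLE" | summarize_denials
# On a live system: journalctl --no-pager | count_cap_denials <profile> perfmon
```

Run against the real journal, a count of 0 for the title's profile alongside a non-zero count for `systemd-detect-virt` corresponds to the situation reported in the message.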