On 26.06.2014 13:26, George Dunlap wrote:
> There appears to be a bug in the AppArmor profile for libvirtd, so
> that it refuses to allow libvirtd to run pygrub.
>
> After using virt-install to create a VM image, creation of the VM fails:
>
> # virsh -c xen:/// start ubuntu
> error: Failed to start domain ubuntu
> error: internal error: libxenlight failed to create new domain 'ubuntu'
>
> /var/log/libvirt/libvirtd.log has a not-particularly-useful repeat:
> 2014-06-26 11:20:39.422+0000: 1187: error : libxlVmStart:787 :
> internal error: libxenlight failed to create new domain 'ubuntu'
>
> /var/log/libvirt/libxl/ubuntu.log has more useful information
> libxl: debug: libxl_bootloader.c:535:bootloader_gotptys: executing
> bootloader: /usr/lib/xen-4.4/bin/pygrub
> libxl: debug: libxl_bootloader.c:539:bootloader_gotptys: bootloader
> arg: /usr/lib/xen-4.4/bin/pygrub
> libxl: debug: libxl_bootloader.c:539:bootloader_gotptys: bootloader
> arg: --output=/var/run/xen/bootloader.3.out
> libxl: debug: libxl_bootloader.c:539:bootloader_gotptys: bootloader
> arg: --output-format=simple0
> libxl: debug: libxl_bootloader.c:539:bootloader_gotptys: bootloader
> arg: --output-directory=/var/run/xen/bootloader.3.d
> libxl: debug: libxl_bootloader.c:539:bootloader_gotptys: bootloader
> arg: /root/F0L1.img
> libxl: debug: libxl_event.c:514:watchfd_callback: watch
> w=0x7f46780011e8 wpath=/local/domain/3 token=3/1: event
> epath=/local/domain/3
> libxl: error: libxl_bootloader.c:628:bootloader_finished: bootloader
> failed - consult logfile /var/log/xen/bootloader.3.log
>
> /var/log/xen/bootloader.3.log says:
> libxl: cannot execute /usr/lib/xen-4.4/bin/pygrub: Permission denied
>
> But when I run pygrub manually, or if I use "virsh domxl-to-native
> xen-xm" to create an xl config, I can boot the VM with xl. Eventually
> I looked in /var/log/kern.log:
>
> Jun 26 07:20:39 unassigned-hostname kernel: [ 2957.634455] type=1400
> audit(1403781639.410:24): apparmor="DENIED" operation="exec"
> profile="/usr/sbin/libvirtd" name="/usr/lib/xen-4.4/bin/pygrub"
> pid=1773 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0
> ouid=0
>
> There's probably a handful of other Xen helper processes that need to
> be whitelisted.
>
> -George
>

Yes, pygrub has to be whitelisted in the profile. I uploaded a modified
libvirt to Utopic but need to backport the change to Trusty. The same
thing applies to libxl-save-helper which I just recently found.

-Stefan
-- 
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
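The kern.log denial quoted in the thread is the record that identifies which helper the profile blocks. The following is an added example, not part of the original messages: it tallies AppArmor `DENIED` records so every refused helper shows up in one pass. The function names are hypothetical, and all sample lines except the first are constructed.

```python
import re
from collections import Counter

PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# Constructed sample: line 1 is the denial quoted in the thread, the rest are invented.
_D = ('kernel: [ 2957.634455] type=1400 audit(1403781639.410:24): '
      'apparmor="DENIED" operation="exec" profile="/usr/sbin/libvirtd" '
      'name="/usr/lib/xen-4.4/bin/pygrub" pid=1773 comm="libvirtd" '
      'requested_mask="x" denied_mask="x" fsuid=0 ouid=0')
SAMPLE = [
    'Jun 26 07:20:39 unassigned-hostname ' + _D,
    'Jun 26 07:25:02 unassigned-hostname ' + _D,
    'Jun 26 07:26:00 host kernel: type=1400 audit(1.0:25): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/libvirtd" name=2F746D702F612062 requested_mask="r" denied_mask="r"',
    'Jun 26 07:27:00 host kernel: type=1400 audit(2.0:26): apparmor="ALLOWED" operation="exec" '
    'profile="/usr/sbin/example" name="/bin/true" requested_mask="x" denied_mask="x"',
    'Jun 26 07:28:00 host kernel: [ 3.0] eth0: link up',
]

def parse_record(line):
    """Return the key=value fields of an AppArmor audit record, else None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, raw in PAIR.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1]
        elif key == 'name' and HEX.fullmatch(raw):
            # The audit layer hex-encodes names containing spaces or control chars.
            raw = bytes.fromhex(raw).decode('utf-8', 'replace')
        fields[key] = raw
    return fields

def summarize_denials(lines):
    """Count DENIED records per (profile, operation, name, denied_mask)."""
    counts = Counter()
    for rec in filter(None, map(parse_record, lines)):
        if rec.get('apparmor') == 'DENIED':
            counts[tuple(rec.get(k, '?') for k in
                         ('profile', 'operation', 'name', 'denied_mask'))] += 1
    return counts

def blocked_execs(lines):
    """Sorted (profile, binary) pairs where the profile refused an exec."""
    return sorted({(p, n) for p, op, n, mask in summarize_denials(lines)
                   if op == 'exec' and 'x' in mask})

if __name__ == '__main__':
    print(*blocked_execs(SAMPLE), sep='\n')
```

Run against the real kern.log, the `blocked_execs` output lists each binary the confined daemon tried and failed to execute, which is the set of helpers to review against the profile.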
