Hi,

On Tue, Jul 30, 2019 at 10:43:25AM +0200, Dominik Reusser wrote:
> Thanks for your reply
>
> On 30.07.19 09:00, Guido Günther wrote:
> > Hi,
> > On Tue, Jul 30, 2019 at 07:36:18AM +0200, Dominik wrote:
> >> Package: libvirt-daemon
> >> Version: 5.0.0-4
> >> Severity: normal
> >>
> >> Dear Maintainer,
> >>
> >> after upgrading to buster, the encrypted kvm-guests stop working. An error is thrown about missing rights to the file containing the encryption secret, which I placed under /etc/libvirt/secret/.
> >>
> >> I opened a question with more details on serverfault a while ago:
> >> https://serverfault.com/questions/974689/encrypted-qemu-virtual-machines-do-not-start-after-upgrade-to-buster-permission
> >
> > As a workaround you can disable apparmor
>
> Do I need to disable apparmor completely through grub as described here:
> https://wiki.debian.org/AppArmor/HowToUse or would it be possible to
> disable the profiles for libvirt with aa-disable?

Try security_driver = "none" in /etc/libvirt/qemu.conf instead of disabling apparmor overall. Attaching the domain xml might help reproduce the bug.

Cheers,
 -- Guido

> > but can you attach the dmesg
> > output after trying to start a domain?
>
> $ virsh --connect qemu:///system start Feigenbaum
> error: Failed to start domain Feigenbaum
> error: internal error: process exited while connecting to monitor: 2019-07-30T08:15:39.975264Z qemu-system-x86_64: --object secret,id=sec0,file=/etc/libvirt/secrets/Feigenbaum.secret: Unable to read /etc/libvirt/secrets/Feigenbaum.secret: Failed to open file “/etc/libvirt/secrets/Feigenbaum.secret”: Permission denied
>
> $ sudo dmesg
>
> [585353.519853] virbr0: port 2(vnet0) entered blocking state
> [585353.519854] virbr0: port 2(vnet0) entered disabled state
> [585353.519887] device vnet0 entered promiscuous mode
> [585353.519982] virbr0: port 2(vnet0) entered blocking state
> [585353.519983] virbr0: port 2(vnet0) entered listening state
> [585353.706058] virbr0: port 2(vnet0) entered disabled state
> [585353.707387] device vnet0 left promiscuous mode
> [585353.707395] virbr0: port 2(vnet0) entered disabled state
>
> (I removed a bunch of UFW BLOCK messages)
>
> Extract from syslog:
>
> Jul 30 10:15:39 www kernel: [585353.519853] virbr0: port 2(vnet0) entered blocking state
> Jul 30 10:15:39 www kernel: [585353.519854] virbr0: port 2(vnet0) entered disabled state
> Jul 30 10:15:39 www kernel: [585353.519887] device vnet0 entered promiscuous mode
> Jul 30 10:15:39 www kernel: [585353.519982] virbr0: port 2(vnet0) entered blocking state
> Jul 30 10:15:39 www kernel: [585353.519983] virbr0: port 2(vnet0) entered listening state
> Jul 30 10:15:39 www libvirtd[775]: Domain id=5 name='Feigenbaum' uuid=2734b78b-2dc6-4fed-a47b-9bb2534db76e is tainted: custom-argv
> Jul 30 10:15:40 www kernel: [585353.706058] virbr0: port 2(vnet0) entered disabled state
> Jul 30 10:15:40 www kernel: [585353.707387] device vnet0 left promiscuous mode
> Jul 30 10:15:40 www kernel: [585353.707395] virbr0: port 2(vnet0) entered disabled state
> Jul 30 10:15:40 www libvirtd[775]: Unable to read from monitor: Connection reset by peer
> Jul 30 10:15:40 www libvirtd[775]: internal error: qemu unexpectedly closed the monitor: 2019-07-30T08:15:39.975264Z qemu-system-x86_64: --object secret,id=sec0,file=/etc/libvirt/secrets/Feigenbaum.secret: Unable to read /etc/libvirt/secrets/Feigenbaum.secret: Failed to open file “/etc/libvirt/secrets/Feigenbaum.secret”: Permission denied
> Jul 30 10:15:40 www libvirtd[775]: internal error: process exited while connecting to monitor: 2019-07-30T08:15:39.975264Z qemu-system-x86_64: --object secret,id=sec0,file=/etc/libvirt/secrets/Feigenbaum.secret: Unable to read /etc/libvirt/secrets/Feigenbaum.secret: Failed to open file “/etc/libvirt/secrets/Feigenbaum.secret”: Permission denied
>
> > That should have details what
> > fails exactly.
>
> Let me know if I can provide additional information to get more details on what fails.
>
> Greetings
>
> Dominik
>
>
> On Tue, 30 July 2019 at 09:00, Guido Günther <a...@sigxcpu.org> wrote:
>
> > Hi,
> > On Tue, Jul 30, 2019 at 07:36:18AM +0200, Dominik wrote:
> > > Package: libvirt-daemon
> > > Version: 5.0.0-4
> > > Severity: normal
> > >
> > > Dear Maintainer,
> > >
> > > after upgrading to buster, the encrypted kvm-guests stop working. An error is thrown about missing rights to the file containing the encryption secret, which I placed under /etc/libvirt/secret/.
> > >
> > > I opened a question with more details on serverfault a while ago:
> > > https://serverfault.com/questions/974689/encrypted-qemu-virtual-machines-do-not-start-after-upgrade-to-buster-permission
> >
> > As a workaround you can disable apparmor but can you attach the dmesg
> > output after trying to start a domain? That should have details what
> > fails exactly.
> > Cheers,
> > -- Guido
> >