Source: libvirt
Severity: important

Dear Maintainer,

For a few weeks now, all VMs have stopped working. This is on a Debian 11 installed in March from the testing distribution, eventually updated to stable once bullseye was released. All VMs use LVM volumes as disks. Now, when libvirt tries to start them, it stops with this error that I found in /var/log/libvirt/qemu/ad.log (text wrapped by me):

2021-10-13T09:02:14.020416Z qemu-system-x86_64: -blockdev
{"driver":"host_device","filename":"/dev/vg/ad","aio":"threads"a
,"node-name":"libvirt-3-storage","cache":{"direct":false,"no-flush":true},
"auto-read-only":true,"discard":"unmap"}:
Could not open '/dev/vg/ad': Permission denied
2021-10-13 09:02:14.098+0000: shutting down, reason=failed

At the same time I see an error in syslog from apparmor (again, text wrapped by me):

audit: type=1400 audit(1634115229.330:59): apparmor="DENIED"
operation="open" profile="libvirt-2351395b-d8e8-4b8f-8c2f-59787002e863"
name="/dev/dm-3" pid=6720 comm="qemu-system-x86" requested_mask="r"
denied_mask="r" fsuid=64055 ouid=64055

I looked for solutions on the Internet and found that the apparmor profile is rebuilt from a template configured in /etc/apparmor.d/libvirt/TEMPLATE.qemu, so I tried to add new rules for my LVM volumes:

profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
  #include <abstractions/libvirt-qemu>
  /dev/vg/ad rk,
  /dev/vg/db rk,
  /dev/vg/db-dati rk,
  /dev/vg/os rk,
  /dev/vg/os-dati rk,
}

but it did not work. I don't know if this is important, but please note that I used the volume names found in the qemu error message even though they are not the ones from the apparmor error message. In fact they are links:

lrwxrwxrwx 1 root root 7 13 ott 11.02 /dev/vg/ad -> ../dm-3

Thank you very much,
Giuseppe

-- System Information:
Debian Release: 11.1
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-9-amd64 (SMP w/4 CPU threads)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
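
Added diagnostic example, not part of the original report or of libvirt: it parses the denial quoted above and checks the added rules against the path AppArmor actually reported in `name=`, flagging rules that only name a symlink to that path. It assumes rules are matched against the reported path as written, handles only the `*`, `**` and `?` globs, and the names `parse_denial`, `rule_matches`, `explain` and the `LINKS` table (built from the `ls -l` line in the report) are illustrative.

```python
import re

# The AppArmor denial quoted in the report, unwrapped into one record.
DENIAL = (
    'audit: type=1400 audit(1634115229.330:59): apparmor="DENIED" '
    'operation="open" profile="libvirt-2351395b-d8e8-4b8f-8c2f-59787002e863" '
    'name="/dev/dm-3" pid=6720 comm="qemu-system-x86" requested_mask="r" '
    'denied_mask="r" fsuid=64055 ouid=64055'
)

# The rules the reporter added to TEMPLATE.qemu, as (path, permissions).
RULES = [("/dev/vg/ad", "rk"), ("/dev/vg/db", "rk"), ("/dev/vg/db-dati", "rk"),
         ("/dev/vg/os", "rk"), ("/dev/vg/os-dati", "rk")]

# Symlink target taken from the `ls -l` line in the report. On a live host
# this mapping would come from os.path.realpath() instead.
LINKS = {"/dev/vg/ad": "/dev/dm-3"}

GLOBS = {"**": ".*", "*": "[^/]*", "?": "[^/]"}


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def rule_matches(rule_path, name):
    """Match a path against a rule, handling only the *, ** and ? globs."""
    parts = re.split(r"(\*\*|\*|\?)", rule_path)
    regex = "".join(GLOBS.get(p, re.escape(p)) for p in parts)
    return re.fullmatch(regex, name) is not None


def explain(line, rules, links):
    """Report which rules cover the denied path and which only name a symlink to it."""
    d = parse_denial(line)
    if d is None:
        return None
    name, mask = d["name"], set(d["denied_mask"])
    covering = [p for p, perms in rules
                if rule_matches(p, name) and mask <= set(perms)]
    symlink_only = [p for p, _ in rules
                    if p not in covering and links.get(p) == name]
    return {"profile": d["profile"], "denied": name, "mask": d["denied_mask"],
            "covering": covering, "symlink_only": symlink_only}


if __name__ == "__main__":
    print(explain(DENIAL, RULES, LINKS))
```

For the data in the report, `covering` is empty and `symlink_only` contains `/dev/vg/ad`: none of the added rules matches `/dev/dm-3`, the path the denial names.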