Bug#1094583: libvirt-daemon-driver-qemu: apparmor template missing from filesystem

[Kevin Otte]

I didn't make any changes to the file. I didn't even know of its 
existence until I was trying to troubleshoot why I couldn't create VMs.

This seems to be my week for finding oddball edge cases. Given I've got 
the config files back and was able to deploy a VM, I guess you can close 
this out as notabug.

On 1/28/25 21:39, Alban Browaeys wrote:
Le mardi 28 janvier 2025 à 21:20 -0500, Kevin Otte a écrit :
I had tried doing an "apt --reinstall install ..." of the package to
get
the configuration to no avail. Ultimately I had to do a "dpkg
--force-confmiss -i ..." to get the files.

This was an upgrade from the previous version in testing, so it may
be
something to be aware of in the upgrade process.


I was also upgrading in testing (Trixie) from libvirt-daemon-driver-
qemu 10.10.0-3.

The apparmor template was already shipped by
https://snapshot.debian.org/package/libvirt/10.7.0-3/#libvirt-daemon-driver-qemu_10.7.0-3
but not by
https://snapshot.debian.org/package/libvirt/10.5.0-1/#libvirt-daemon-driver-qemu_10.5.0-1

Though as far as I know a conffile that was not deleted by an user (or
a FS corruption) is automatically installed when included in the
package. I doubt there is an apt perference/ dpkg option that prevents
new conffiles from installing but I did not check.

Maybe
https://unix.stackexchange.com/questions/736439/files-defined-in-conffiles-not-installed-on-first-install
ie you might have tweaked the apparmor template then uninstalled the
package before reinstalling?

Cheers,
Alban


On 1/28/25 21:10, Alban Browaeys wrote:
On Tue, 28 Jan 2025 19:28:24 -0500 Kevin Otte
<[ni...@nivex.net](mailto:ni...@nivex.net)> wrote:
Package: libvirt-daemon-driver-qemu
Version: 11.0.0-1
Severity: grave
Justification: renders package unusable
   
Dear Maintainer,
   
The package manifest includes an AppArmor template, but it is not
seen on the filesystem after the package is installed:
   
[root@saratoga](mailto:root@saratoga):/tmp# dpkg -L libvirt-
daemon-driver-qemu | grep -i template
/etc/apparmor.d/libvirt/TEMPLATE.qemu
[root@saratoga](mailto:root@saratoga):/tmp# ls -l
/etc/apparmor.d/libvirt/
total 0

I cannot reproduce
ii  libvirt-daemon-driver-qemu 11.0.0-1     amd64
Virtualization daemon QEMU connection driver

ls -l /etc/apparmor.d/libvirt/TEMPLATE.qemu
-rw-r--r-- 1 root root 192  2 sept. 11:47
/etc/apparmor.d/libvirt/TEMPLATE.qemu

Either way if the template is shipped by the package it is not a
package bug if the file is missing after installation.
Still it could be an dpkg/apt bug but unlikely.

Could it be you were running out of space on the /etc partition
while installing or had a crash that corrupted
this filesystem while installing ?

https://packages.debian.org/trixie/amd64/libvirt-daemon-driver-qemu/filelist
  shows the apparmor template is shipped

downloading
http://http.us.debian.org/debian/pool/main/libv/libvirt/libvirt-daemon-driver-qemu_11.0.0-1_amd64.deb
and opening it with file-roller shows inside of it an
/etc/apparmor.d/libvirt/TEMPLATE.qemu file with content: "
#
# This profile is for the domain whose UUID matches this file.
#

#include <tunables/global>

profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
    #include <abstractions/libvirt-qemu>
}
"

This bug looks like a local system issue.

Cheers,
Alban

This has the effect of rendering virt-install/virt-manager unable
to deploy any new VMs:
   
Unable to complete install: 'internal error: cannot load AppArmor
profile 'libvirt-f9987331-aa46-412e-baf0-bdef4b5a631e''
   
Traceback (most recent call last):
     File "/usr/share/virt-manager/virtManager/asyncjob.py", line
71, in cb_wrapper
       callback(asyncjob, *args, **kwargs)
       ~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^
     File "/usr/share/virt-manager/virtManager/createvm.py", line
2008, in _do_async_install
       installer.start_install(guest, meter=meter)
       ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^
     File "/usr/share/virt-manager/virtinst/install/installer.py",
line 726, in start_install
       domain = self._create_guest(
               guest, meter, initial_xml, final_xml,
               doboot, transient)
     File "/usr/share/virt-manager/virtinst/install/installer.py",
line 667, in _create_guest
       domain = self.conn.createXML(initial_xml or final_xml, 0)
     File "/usr/lib/python3/dist-packages/libvirt.py", line 4545,
in createXML
       raise libvirtError('virDomainCreateXML() failed')
libvirt.libvirtError: internal error: cannot load AppArmor
profile 'libvirt-f9987331-aa46-412e-baf0-bdef4b5a631e'
   
   
2025-01-28T11:21:15.809798-05:00 saratoga libvirtd[1025]:
internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr
/usr/lib/libvirt/virt-aa-helper -c -u lib
virt-f9987331-aa46-412e-baf0-bdef4b5a631e) unexpected exit status
1: virt-aa-helper: error: template does not exist#012virt-aa-
helper: error: could not create
profile
2025-01-28T11:21:15.809885-05:00 saratoga libvirtd[1025]:
internal error: cannot load AppArmor profile 'libvirt-f9987331-
aa46-412e-baf0-bdef4b5a631e'
   
   
-- System Information:
Debian Release: trixie/sid
     APT prefers testing
     APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
   
Kernel: Linux 6.12.10-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
   
Versions of packages libvirt-daemon-driver-qemu depends on:
ii  adduser                     3.137
ii  debconf [debconf-2.0]       1.5.89
ii  libc6                       2.40-6
ii  libgcc-s1                   14.2.0-12
ii  libglib2.0-0t64             2.82.4-2