[Bug 1633207] Re: VM fails to start with dac security driver added

Thu, 27 Oct 2016 07:59:49 -0700 

Again at:
sudo virsh start yakkety-doubleseclabel
error: Failed to start domain yakkety-doubleseclabel
error: internal error: cannot load AppArmor profile 
'libvirt-8746b00d-aad1-4346-8784-2d4331465153'

In the log I found the related:
Okt 27 13:45:50 horsea libvirtd[10370]: internal error: Child process 
(LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -p 0 -r -u 
libvirt-8746b00d-aad1-4346-8784-2d4331465153) unexpected exit status 1: 
2016-10-27 13:45:20.873+0000: 10640: info : libvirt version: 2.1.0, package: 
1ubuntu10~ppa3 (Christian Ehrhardt <christian.ehrha...@canonical.com> Mon, 24 
Oct 2016 14:21:36 +0200)
                                        2016-10-27 13:45:20.873+0000: 10640: 
info : hostname: horsea
                                        2016-10-27 13:45:20.873+0000: 10640: 
error : virSecurityLabelDefParseXML:6473 : XML error: security label is missing
                                        virt-aa-helper: error: could not parse 
XML
                                        virt-aa-helper: error: could not get VM 
definition
Okt 27 13:45:50 horsea libvirtd[10370]: internal error: cannot load AppArmor 
profile 'libvirt-8746b00d-aad1-4346-8784-2d4331465153'
Okt 27 13:45:50 horsea virtlogd[7706]: End of file while reading data: 
Input/output error

I also found that adding dac alone is enough to trigger:

$ virsh dumpxml yakkety-doubleseclabel | grep -A 20 '<seclabel'
  <seclabel type='dynamic' model='apparmor' relabel='yes'/>
  <seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>
=> Failing

$ virsh dumpxml yakkety-sec-app | grep -A 20 seclabel
  <seclabel type='dynamic' model='apparmor' relabel='yes'/>
</domain>
=> Working

$ virsh dumpxml yakkety-sec-dac | grep -A 20 seclabel
  <seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>
=> Failing just as much as case 1, maybe because apparmor is default on.

Trying to check the /usr/lib/libvirt/virt-aa-helper in those cases, but
since it is not meant to be called directly that is a bit tricky.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1633207

Title:
  VM fails to start with dac security driver added

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1633207/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to