From the description of Dominque this seemed a common case, so I tried with just qcow files and got it confirmed.

# Create basic guest (already has two disks)
uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=eoan
uvt-kvm create --password ubuntu eoan arch=amd64 release=eoan label=daily

# Add further disks for the test:
sudo qemu-img create -f qcow2 /var/lib/uvtool/libvirt/images/eoan-disk1.qcow 1G
sudo qemu-img create -f qcow2 /var/lib/uvtool/libvirt/images/eoan-disk2.qcow 1G

    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/uvtool/libvirt/images/eoan-disk1.qcow'/>
      <target dev='vdc' bus='virtio'/>
    </disk>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/uvtool/libvirt/images/eoan-disk2.qcow'/>
      <target dev='vdd' bus='virtio'/>
    </disk>

The guest now looks like:
$ virsh domblklist eoan --details
 Type   Device   Target   Source
--------------------------------------------------------------------------
 file   disk     vda      /var/lib/uvtool/libvirt/images/eoan.qcow
 file   disk     vdb      /var/lib/uvtool/libvirt/images/eoan-ds.qcow
 file   disk     vdc      /var/lib/uvtool/libvirt/images/eoan-disk1.qcow
 file   disk     vdd      /var/lib/uvtool/libvirt/images/eoan-disk2.qcow

Snapshot of single disk works:
$ virsh snapshot-create-as --domain eoan --disk-only --atomic --diskspec vda,snapshot=no --diskspec vdb,snapshot=no --diskspec vdc,file=/var/lib/libvirt/images/eoan-disk1.snapshot1.qcow,snapshot=external --diskspec vdd,snapshot=no

The apparmor profile got the snapshot added as expected:
cat /etc/apparmor.d/libvirt/libvirt-72b929d2-389d-4c60-9f3b-4c3a8a98b4b0.files
...
  "/var/lib/libvirt/images/eoan-disk1.snapshot1.qcow" rwk,

Snapshot of multiple disks fails:
virsh snapshot-create-as --domain eoan --disk-only --atomic --diskspec vda,snapshot=no --diskspec vdb,snapshot=no --diskspec vdc,file=/var/lib/libvirt/images/eoan-disk1.snapshot1.qcow,snapshot=external --diskspec vdd,file=/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow,snapshot=external
error: internal error: unable to execute QEMU command 'transaction': Could not create file: Permission denied

None of the two paths got added to the apparmor profile.
Alongside that we see the expected apparmor denials.

apparmor="DENIED" operation="open" profile="libvirt-72b929d2-389d-4c60-9f3b-4c3a8a98b4b0" name="/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow" pid=23603 comm="qemu-system-x86" requested_mask="wrc" denied_mask="wrc" fsuid=64055 ouid=64055

This proves the report.

I'll be out for a while after today, but I agree that we need to sort out what is missing in this case.
In the single snapshot case I've seen virt-aa-helper called to add a line, needs debugging where this fails with more than one snapshot target.

Until then one might as workaround try to snapshot each of the disks one by one (therefore only medium).

** Changed in: libvirt (Ubuntu)
       Status: Incomplete => Triaged

** Changed in: libvirt (Ubuntu)
   Importance: Undecided => Medium

--
https://bugs.launchpad.net/bugs/1845506

Title:
  Libvirt snapshot doesn't update apparmor profile