Public bug reported:
I just upgraded from noble to oracular and my libvirt domains (using
qemu:///session + qemu-bridge-helper for the network) can't start
anymore.
$ virsh start ubuntu-nvmeotcp-poc-target
error: Failed to start domain 'ubuntu-nvmeotcp-poc-target'
error: /usr/lib/qemu/qemu-bridge-helper --use-vnet --br=pocbr0 --fd=32: failed
to communicate with bridge helper: : Transport endpoint is not connected
[162559.444684] audit: type=1400 audit(1725612671.214:6873):
apparmor="DENIED" operation="file_mmap" class="file"
profile="libvirtd//qemu_bridge_helper" name="/usr/bin/dash" pid=699975
comm="qemu-bridge-hel" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
After switching to AA complain mode, the domains can start again:
$ sudo aa-complain /etc/apparmor.d/usr.sbin.libvirtd
skipping disabled profile usr.sbin.squid
skipping disabled profile usr.bin.firefox
Setting /etc/apparmor.d/usr.sbin.libvirtd to complain mode.
$ virsh start ubuntu-nvmeotcp-poc-target
Domain 'ubuntu-nvmeotcp-poc-target' started
[162838.572654] audit: type=1400 audit(1725612950.342:6955): apparmor="ALLOWED"
operation="file_mmap" class="file" profile="libvirtd//qemu_bridge_helper"
name="/usr/bin/dash" pid=700572 comm="qemu-bridge-hel" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=0
[162838.573199] audit: type=1400 audit(1725612950.342:6956): apparmor="ALLOWED"
operation="exec" class="file" profile="libvirtd//qemu_bridge_helper"
name="/usr/bin/sleep" pid=700574 comm="qemu-bridge-hel" requested_mask="x"
denied_mask="x" fsuid=1000 ouid=0
target="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep"
[162838.573204] audit: type=1400 audit(1725612950.342:6957): apparmor="ALLOWED"
operation="file_inherit" class="file"
profile="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep" name="/dev/null"
pid=700574 comm="sleep" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
[162838.573207] audit: type=1400 audit(1725612950.343:6958): apparmor="ALLOWED"
operation="file_inherit" class="net" profile="libvirtd" pid=700574 comm="sleep"
family="unix" sock_type="stream" protocol=0 requested="send receive"
denied="send receive" addr=none peer_addr=none
peer="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep"
[162838.573271] audit: type=1400 audit(1725612950.343:6959): apparmor="ALLOWED"
operation="file_mmap" class="file"
profile="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep"
name="/usr/bin/sleep" pid=700574 comm="sleep" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=0
[162838.573277] audit: type=1400 audit(1725612950.343:6960): apparmor="ALLOWED"
operation="file_mmap" class="file"
profile="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep"
name="/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2" pid=700574 comm="sleep"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[162838.573340] audit: type=1400 audit(1725612950.343:6961): apparmor="ALLOWED"
operation="open" class="file"
profile="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep"
name="/etc/ld.so.cache" pid=700574 comm="sleep" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=0
[162838.573345] audit: type=1400 audit(1725612950.343:6962): apparmor="ALLOWED"
operation="getattr" class="file"
profile="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep"
name="/etc/ld.so.cache" pid=700574 comm="sleep" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=0
** Affects: libvirt (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2079806
Title:
qemu-bridge-helper denied by apparmor on oracular
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/2079806/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
