
Regression in libvirtd / virt-manager not working correctly
Closed, Resolved (Public)

Description

When using UEFI instead of BIOS in virt-manager (Selection firmware: "Custom: /usr/share/qemu/edk2-x86_64-code.fd"), it becomes impossible to create a VM or start an existing one.

It also screws up with permissions using folder passthrough while on a BIOS VM. You can set 777 on files and host will be forbidden from accessing files in passthrough share.

On boot, even after deleting VM:
sudo systemctl status libvirtd

● libvirtd.service - Virtualization daemon
     Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
     Active: inactive (dead) since Wed 2020-06-17 11:10:35 AEST; 18s ago
TriggeredBy: ● libvirtd-ro.socket
             ● libvirtd-admin.socket
             ● libvirtd.socket
       Docs: man:libvirtd(8)
             https://libvirt.org
    Process: 1217 ExecStart=/usr/sbin/libvirtd $LIBVIRTD_ARGS (code=exited, status=0/SUCCESS)
   Main PID: 1217 (code=exited, status=0/SUCCESS)

Jun 17 11:10:35 sokar dnsmasq-dhcp[1319]: read /var/lib/libvirt/dnsmasq/default.hostsfile
Jun 17 11:10:35 sokar libvirtd[1217]: libvirt version: 6.3.0
Jun 17 11:10:35 sokar libvirtd[1217]: hostname: sokar
Jun 17 11:10:35 sokar libvirtd[1217]: unsupported configuration: Security driver apparmor not enabled
Jun 17 11:10:35 sokar libvirtd[1217]: internal error: Failed to initialize security drivers
Jun 17 11:10:35 sokar libvirtd[1217]: Initialization of QEMU state driver failed: internal error: Failed to initialize security drivers
Jun 17 11:10:35 sokar libvirtd[1217]: Driver state initialization failed
Jun 17 11:10:35 sokar systemd[1]: libvirtd.service: Succeeded.
Jun 17 11:10:37 sokar dnsmasq[1319]: reading /etc/resolv.conf

Sometimes after starting virt-manager it will be unable to see any existing virtual machines.

libvirt status

Jun 17 11:11:28 sokar systemd[1]: libvirtd.service: Start request repeated too quickly.
Jun 17 11:11:28 sokar systemd[1]: libvirtd.service: Failed with result 'start-limit-hit'.
Jun 17 11:11:28 sokar systemd[1]: Failed to start Virtualization daemon.

I can get virt-manager to actually see the existing machines again by running:
sudo usysconf run -f && sudo systemctl restart libvirtd

However attempting to start the machine results in this error:

Error starting domain: internal error: cannot load AppArmor profile 'libvirt-e4c361b2-62db-4d6f-ac81-a2ab02843bb4'

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 75, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 111, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 66, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/object/domain.py", line 1279, in startup
    self._backend.create()
  File "/usr/lib/python3.7/site-packages/libvirt.py", line 1234, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirt.libvirtError: internal error: cannot load AppArmor profile 'libvirt-e4c361b2-62db-4d6f-ac81-a2ab02843bb4'

libvirtd then displays:

● libvirtd.service - Virtualization daemon
     Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-06-17 11:13:22 AEST; 2min 37s ago
TriggeredBy: ● libvirtd.socket
             ● libvirtd-admin.socket
             ● libvirtd-ro.socket
       Docs: man:libvirtd(8)
             https://libvirt.org
   Main PID: 3926 (libvirtd)
      Tasks: 19 (limit: 32768)
     Memory: 50.7M
     CGroup: /system.slice/libvirtd.service
             ├─1319 /usr/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
             ├─1320 /usr/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
             └─3926 /usr/sbin/libvirtd --timeout 120

Jun 17 11:13:22 sokar systemd[1]: Starting Virtualization daemon...
Jun 17 11:13:22 sokar systemd[1]: Started Virtualization daemon.
Jun 17 11:13:22 sokar dnsmasq[1319]: read /etc/hosts - 8 addresses
Jun 17 11:13:22 sokar dnsmasq[1319]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses
Jun 17 11:13:22 sokar dnsmasq-dhcp[1319]: read /var/lib/libvirt/dnsmasq/default.hostsfile
Jun 17 11:13:31 sokar libvirtd[3926]: libvirt version: 6.3.0
Jun 17 11:13:31 sokar libvirtd[3926]: hostname: sokar
Jun 17 11:13:31 sokar libvirtd[3926]: operation failed: pool 'default' already exists with uuid e0fb0f01-47c1-4e59-9d68-b478b014351c
Jun 17 11:15:18 sokar libvirtd[3926]: internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib64/libvirt/virt-aa-helper -c -u libvirt-e4c361b2-62db-4d6f-ac81-a2ab02843bb4) unexpected exit status 1: virt-aa-helper: error: /usr/share/qemu/edk2-x86_64-code.fd
                                      virt-aa-helper: error: skipped restricted file
                                      virt-aa-helper: error: invalid VM definition
Jun 17 11:15:18 sokar libvirtd[3926]: internal error: cannot load AppArmor profile 'libvirt-e4c361b2-62db-4d6f-ac81-a2ab02843bb4'

This is due to the apparmor enablement in D8955

Changing /etc/libvirt/qemu.conf from defining security_driver = "apparmor" to "none" resolves the issue.
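
The log excerpts above contain two different AppArmor failures: the security driver failing to initialise at daemon start, and virt-aa-helper rejecting the firmware path so that the per-VM profile cannot be loaded. The following triage script is an added example, not part of the original task or of libvirt; the function names `triage_libvirt_apparmor` and `sample_log` are hypothetical, and the sample lines are shortened from the excerpts in this report.

```sh
#!/bin/sh
# Added example (not from the original task): classify libvirtd journal lines
# into the AppArmor failure modes seen in this report. Reads log text on stdin
# and prints one de-duplicated finding per line as "<kind> <key>=<value>".
triage_libvirt_apparmor() {
    awk '
    # Mode 1: the driver named in qemu.conf could not be initialised at all.
    /unsupported configuration: Security driver .* not enabled/ {
        drv = $0
        sub(/.*Security driver /, "", drv); sub(/ not enabled.*/, "", drv)
        print "driver-init-failed driver=" drv
    }
    # Mode 2: virt-aa-helper refused a path while building the per-VM profile.
    # The path is on the first helper error line, the reason on the next one.
    /virt-aa-helper: error: \// {
        pending = $0
        sub(/.*virt-aa-helper: error: /, "", pending)
        next
    }
    /virt-aa-helper: error: skipped restricted file/ && pending != "" {
        print "helper-restricted-file path=" pending
        pending = ""
    }
    # Consequence of mode 2: the generated profile cannot be loaded.
    /cannot load AppArmor profile/ {
        n = split($0, q, "\047")          # \047 is the single-quote character
        if (n >= 3) print "profile-load-failed profile=" q[2]
    }
    ' | sort -u
}

# Constructed sample, shortened from the log excerpts quoted in this task.
sample_log() {
    cat <<'EOF'
Jun 17 11:10:35 sokar libvirtd[1217]: unsupported configuration: Security driver apparmor not enabled
Jun 17 11:10:35 sokar libvirtd[1217]: internal error: Failed to initialize security drivers
Jun 17 11:15:18 sokar libvirtd[3926]: internal error: Child process (virt-aa-helper -c -u libvirt-e4c361b2-62db-4d6f-ac81-a2ab02843bb4) unexpected exit status 1: virt-aa-helper: error: /usr/share/qemu/edk2-x86_64-code.fd
                                      virt-aa-helper: error: skipped restricted file
                                      virt-aa-helper: error: invalid VM definition
Jun 17 11:15:18 sokar libvirtd[3926]: internal error: cannot load AppArmor profile 'libvirt-e4c361b2-62db-4d6f-ac81-a2ab02843bb4'
libvirt.libvirtError: internal error: cannot load AppArmor profile 'libvirt-e4c361b2-62db-4d6f-ac81-a2ab02843bb4'
EOF
}

sample_log | triage_libvirt_apparmor
```

On a live host the same function can be fed from the journal, for example `journalctl -u libvirtd | triage_libvirt_apparmor`.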

Event Timeline

Harvey created this task. Jun 17 2020, 1:26 AM
Harvey renamed this task from "Regression in libvirtd / virt-manager to work correctly" to "Regression in libvirtd / virt-manager not working correctly". Jun 17 2020, 1:27 AM
Harvey updated the task description.
Girtablulu triaged this task as High priority.Jun 17 2020, 7:03 AM
Girtablulu edited projects, added Software; removed Lacks Project.
Girtablulu moved this task from Backlog to Package Fixes on the Software board.
Girtablulu added subscribers: livingsilver94, Girtablulu.

@livingsilver94 can you have a look?

This is due to the apparmor enablement in D8955

Not quite. Here AppArmor is not blocking anything, rather it's a profile that's failing to be loaded:

libvirt.libvirtError: internal error: cannot load AppArmor profile 'libvirt-e4c361b2-62db-4d6f-ac81-a2ab02843bb4'

So your solution is more a workaround rather than the real solution.
I've never faced this issue in my previous tests. I'll take a look at it these days and see if I can find a solution without disabling AppArmor.

livingsilver94 added a subscriber: DataDrake. Edited Jun 17 2020, 11:32 AM

OK, after some investigation I'd say that AppArmor support in libvirt is buggy and/or not properly tested. The firmware directory technically is included into the default AppArmor profile (https://github.com/libvirt/libvirt/blob/v6.3.0/src/security/apparmor/libvirt-qemu#L86) but for some reason it's ignored anyway.

At this point I'd just disable AppArmor and make it a day, I have no resources to debug it and possibly get more and more issues reported in future to debug. Thanks for your report!
It's right what is right: @DataDrake your doubts were well-founded.