benjavd
(Benjamin Van Damme)
February 28, 2025, 7:24am
1
Hello,
I created a disk snapshot of a VM. Now I can’t start this VM… It seems to be due to apparmor.
[Fri Feb 28 08:20:53 2025] audit: type=1400 audit(1740727256.969:813): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-12f32853-7e6b-4d66-b02b-4ba76bf37f1b" pid=3837143 comm="apparmor_parser"
[Fri Feb 28 08:20:53 2025] audit: type=1400 audit(1740727257.069:814): apparmor="DENIED" operation="open" profile="libvirt-12f32853-7e6b-4d66-b02b-4ba76bf37f1b" name="/var/lib/one/datastores/0/113/disk.0.snap/0" pid=3837147 comm="qemu-kvm-one" requested_mask="r" denied_mask="r" fsuid=9869 ouid=9869
root@R2-DellServer01:/etc/apparmor.d/libvirt# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm
root@R2-DellServer01:/etc/apparmor.d/libvirt# dpkg -s apparmor | grep '^Version:'
Version: 3.0.8-3
Can someone help me?
Thanks a lot,
Benjamin
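An added example, not part of the original posts: a small Python parser that pulls the AppArmor `DENIED` records out of kernel audit lines like the two quoted above and groups the denied paths and permissions by profile, so the rule the libvirt profile is missing can be read off directly. The third sample line (a hex-encoded `name`, which the audit subsystem emits for paths containing spaces) is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: the two audit lines from the post plus one constructed line
SAMPLE = '''\
[Fri Feb 28 08:20:53 2025] audit: type=1400 audit(1740727256.969:813): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-12f32853-7e6b-4d66-b02b-4ba76bf37f1b" pid=3837143 comm="apparmor_parser"
[Fri Feb 28 08:20:53 2025] audit: type=1400 audit(1740727257.069:814): apparmor="DENIED" operation="open" profile="libvirt-12f32853-7e6b-4d66-b02b-4ba76bf37f1b" name="/var/lib/one/datastores/0/113/disk.0.snap/0" pid=3837147 comm="qemu-kvm-one" requested_mask="r" denied_mask="r" fsuid=9869 ouid=9869
[Fri Feb 28 08:20:54 2025] audit: type=1400 audit(1740727258.101:815): apparmor="DENIED" operation="open" profile="libvirt-12f32853-7e6b-4d66-b02b-4ba76bf37f1b" name=2F7661722F6C69622F6F6E652F612062 pid=3837147 comm="qemu-kvm-one" requested_mask="wr" denied_mask="w" fsuid=9869 ouid=9869
'''

# key="value" or key=bare; curly quotes are accepted because forum
# software often rewrites the straight quotes of pasted log lines.
PAIR = re.compile(r'(\w+)=(?:["“”]([^"“”]*)["“”]|(\S+))')

def parse_fields(line):
    """Return the key=value fields of one audit line as a dict."""
    fields = {}
    for key, quoted, bare in PAIR.findall(line):
        if quoted or not bare:
            fields[key] = quoted
        elif key == "name" and re.fullmatch(r"(?:[0-9A-F]{2})+", bare):
            # Unquoted name: hex-encoded path (contains a space or similar)
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare
    return fields

def denied_paths(log_text):
    """Map profile -> {path: set of denied permission letters}."""
    result = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or "name" not in f:
            continue  # skip STATUS/ALLOWED records and non-file denials
        result[f["profile"]][f["name"]].update(f.get("denied_mask", ""))
    return result

def report(log_text):
    """One line per (profile, path) with the permissions that were denied."""
    lines = []
    for profile, paths in sorted(denied_paths(log_text).items()):
        for path, perms in sorted(paths.items()):
            lines.append(f'{profile}: "{path}" denied={"".join(sorted(perms))}')
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

The same functions can be fed the output of `dmesg` or `journalctl -k` from the affected node instead of `SAMPLE`.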
benjavd
(Benjamin Van Damme)
February 28, 2025, 9:50am
2
I guess this is the reason:
Feb 28 10:45:16 R2-DellServer01 libvirtd[3477]: Failed to read AppArmor profiles list '/sys/kernel/security/apparmor/profiles': Permission denied
root@R2-DellServer01:~# ls -l /sys/kernel/security/apparmor/profiles
-r--r--r-- 1 root root 0 Feb 28 10:41 /sys/kernel/security/apparmor/profiles
benjavd
(Benjamin Van Damme)
February 28, 2025, 10:48am
3
Disabling apparmor solves the issue…
sudo systemctl disable apparmor
init 6
Then it’s OK.
But it should not be the final solution, I guess.
FrancJP
(Francisco Picolini)
March 3, 2025, 12:46pm
4
Hello @benjavd,
As explained in the documentation:
KVM Node Installation
The idea is to configure AppArmor to not clash with Libvirt. If you think the behaviour should be different, let us know, so we can review it.
Cheers,
benjavd
(Benjamin Van Damme)
March 3, 2025, 6:36pm
5
Hello,
Thanks a lot for the answer. I’ll follow the documentation then.
Best regards,
Benjamin