Home / ubuntu / Questions / 1048157
In Process
Christian Ehrhardt
Asked: 2018-06-21 01:57:22 +0800 CST

libvirt/kvm guest failing due issues in the ApparmorProfile

  • 772

Why is my guest failing to start / failing to attach a device with this apparmor profile error.

Start:

error: Failed to start domain c
error: internal error: cannot load AppArmor profile 'libvirt-8763795d-f056-4373-9d57-3d3bad391e5a'

attach-device:

   error: Failed to attach device from disk.xml
   error: internal error: cannot update AppArmor profile 'libvirt-8763795d-f056-4373-9d57-3d3bad391e5a'

Where and what is this libvirt-8763795d-f056-4373-9d57-3d3bad391e5a thing?

virtualization kvm apparmor

1 Answers

  1. In this particular case I had a filename that had characters that can't be mapped into apparmor rules that prevent the guest breaking out. In the logs I found:

    virt-aa-helper: error: skipped restricted file
virt-aa-helper: error: invalid VM definition

    Due to my file with the (this time rather obviously) broken name.

    <disk type='file' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source file='/var/lib/libvirt/images/break,^*[]&quot;, foo&quot;me.qcow'/>
  <target dev='vdd' bus='virtio'/>
</disk>

    There is a wiki page about AppArmor in regard to libvirt/KVM which explains how to get to the logs and how to tweak configuration in those cases.

    The page also covers more common cases like uncommon image paths and using qemu:commandline through libvirt.

    P.S. Please let me know if you think there is a common case missing on the wiki page so we can extend it together.

    • 2