libvirt/kvm problems with


I am running a Leap 42.2 as KVM host with several Linux guests. Since an update this morning the Linux guests are no longer starting.

virsh start mail
Fehler: Domain mail konnte nicht gestartet werden
Fehler: unsupported configuration: Unable to find security driver for model apparmor

virsh dumpxml mail || grep seclabel
  <seclabel type='none' model='apparmor'/>

So it looks like I have an apparmor problem. But apparmor is disabled on the Leap server. Am I missing a libvirtd apparmor driver?

This seclabel line is btw missing when I use “virsh edit mail”. When and why is the seclabel line added to the XML file?

It was possible to start some of my linux guests but not all of them by editing the config (virsh edit mail) and inserting the following line:
<seclabel type=‘none’ model=‘none’/>

Any idea how to fix this?


There is a libvirt wiki for troubleshooting libvirt/apparmor problems

The page only describes what your tests should look like if apparmor is enabled for libvirt, but the wiki also says that because of the nature of how virtualization already affords a fairly high degree of security and isolation, apparmor may be disabled (but doesn’t describe exactly how to do that, only where).

I recommend first that you run the various tests on the page and submit a bug report to
Then, assuming that these machines need to be running, either

  • Deploy another Host without the recent update to run your Guests (which I highly recommend, a good Disaster Recovery plan should always include backup offline HostOS ready to activate on a moment’s notice. If you have multiple HostOS, then at least temporarily you can hopefully over-provision the working HostOS).
  • Undo the latest updates however you can. If you’re running BTRFS, you can probably simply roll back to yesterday’s snapshot. If you have a backup, then restore.

You have a good Disaster Recovery plan in place you can put in action immediately.



apparmor is and was disabled on my Leap server. I know, I should spend some more time on that, but …

I could finally convince kvm/qemu/libvirt to forget about apparmor by adding a line to /etc/libvirt/qemu.conf:
security_driver = “none”

Now libvirt is adding

<seclabel type=‘none’ model=‘none’/>

to the VMs config file and my VMs are running again.


If you had disabled apparmor earlier,
Then that was probably your problem until you fixed it just now…

Glad to hear you were able to fix your problem and what you posted should be useful to others who follow behind you,
But it should be noted that your path is one less often taken (Unless you have good reason to disable apparmor, it’s probably not advisable).