libvirt/kvm problems with

dreyol · February 16, 2017, 1:46pm

Hi!

I am running a Leap 42.2 as KVM host with several Linux guests. Since an update this morning the Linux guests are no longer starting.


virsh start mail
Fehler: Domain mail konnte nicht gestartet werden
Fehler: unsupported configuration: Unable to find security driver for model apparmor

virsh dumpxml mail || grep seclabel
  <seclabel type='none' model='apparmor'/>

So it looks like I have an apparmor problem. But apparmor is disabled on the Leap server. Am I missing a libvirtd apparmor driver?

This seclabel line is btw missing when I use “virsh edit mail”. When and why is the seclabel line added to the XML file?

It was possible to start some of my linux guests but not all of them by editing the config (virsh edit mail) and inserting the following line:
<seclabel type=‘none’ model=‘none’/>

Any idea how to fix this?

Thx

tsu2 · February 17, 2017, 4:51pm

There is a libvirt wiki for troubleshooting libvirt/apparmor problems

http://wiki.apparmor.net/index.php/Libvirt

The page only describes what your tests should look like if apparmor is enabled for libvirt, but the wiki also says that because of the nature of how virtualization already affords a fairly high degree of security and isolation, apparmor may be disabled (but doesn’t describe exactly how to do that, only where).

I recommend first that you run the various tests on the page and submit a bug report to https://bugzilla.opensuse.org.
Then, assuming that these machines need to be running, either

Deploy another Host without the recent update to run your Guests (which I highly recommend, a good Disaster Recovery plan should always include backup offline HostOS ready to activate on a moment’s notice. If you have multiple HostOS, then at least temporarily you can hopefully over-provision the working HostOS).
Undo the latest updates however you can. If you’re running BTRFS, you can probably simply roll back to yesterday’s snapshot. If you have a backup, then restore.

Hopefully,
You have a good Disaster Recovery plan in place you can put in action immediately.

TSU

dreyol · February 17, 2017, 5:45pm

Hi!

apparmor is and was disabled on my Leap server. I know, I should spend some more time on that, but …

I could finally convince kvm/qemu/libvirt to forget about apparmor by adding a line to /etc/libvirt/qemu.conf:
security_driver = “none”

Now libvirt is adding

to the VMs config file and my VMs are running again.

Thx

tsu2 · February 17, 2017, 8:12pm

If you had disabled apparmor earlier,
Then that was probably your problem until you fixed it just now…

Glad to hear you were able to fix your problem and what you posted should be useful to others who follow behind you,
But it should be noted that your path is one less often taken (Unless you have good reason to disable apparmor, it’s probably not advisable).

TSU