
On Thu, Nov 03, 2022 at 12:13:53 +0100, Andrea Bolognani wrote:
> Distros that use AppArmor, such as Debian and Ubuntu, install QEMU under /usr/bin/qemu-system-*, and our AppArmor profile is written with that assumption in mind.
> If you try to run the RHEL or CentOS version of libvirt and QEMU inside a privileged container on such distros, however, that will result in an error, because the path /usr/libexec/qemu-kvm is used instead.

So IIUC by this patch you modify the profile which gets installed into the Debian/Ubuntu host system by the Debian/Ubuntu package which then in turn allows the non-Debian/Ubuntu libvirt in the container to do its job?

I'm basing the above on the fact that the RHEL/CentOS package is compiled with:

    -Dapparmor=disabled \
    -Dapparmor_profiles=disabled \
    -Dsecdriver_apparmor=disabled \

By extension, does that mean that you have to install libvirt on your host so that you can in turn run a container (which I'd presume is opaque) with libvirt bundled inside?