On 03/14/2017 05:03 PM, Michael Ströder wrote:
> Michal Privoznik wrote:
>> On 03/14/2017 10:51 AM, Michael Ströder wrote:
>>> Hi!
>>>
>>> After the last OS update (openSUSE Tumbleweed) with libvirt being updated from 3.0.0 to
>>> 3.1.0 starting the VMs (qemu-kvm) does not work anymore:
>>>
>>> error: internal error: child reported: Kernel does not provide mount namespace:
>>> Permission denied
>>
>> Hey, this is definitely a libvirt bug. Since 3.1.0 libvirt spawns each
>> qemu in its own mount namespace so that it can have private /dev mount.
>> I've heard that there are some issues with AppArmor - is that what you
>> are using?
>
> Hmm, yes. I was using AppArmor. Disabling it helped. I will point the author of the
> AppArmor profiles in this direction.

Yeah, I still know that AppArmor is preventing our namespaces code from
working properly. Unfortunately, I don't know much about it, and
certainly not enough to fix it. But maybe I can find somebody who does.

>> Meanwhile, you can disable namespaces by setting:
>>
>> namespaces=[]
>>
>> in qemu.conf.
>
> Only setting this did not help.
Have you restarted libvirtd afterwards? Maybe I should have written that
explicitly instead of assuming it. Also, this is meant as a temporary
workaround. Disabling namespaces does not enable the full security
features. Ideally, users would use namespaces without even noticing it.
Michal
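
Added example (not part of the thread and not libvirt code): a small audit for hosts where the workaround above may have been left in place. It reports whether a qemu.conf-style file sets `namespaces` to an empty list and whether two processes share a mount namespace. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Print each uncommented "namespaces" assignment from a qemu.conf-style
# file, with blanks removed so "[ ]" and "[]" compare equal.
qemu_conf_namespaces() {
    sed -n 's/#.*$//; s/^[[:space:]]*namespaces[[:space:]]*=\(.*\)$/\1/p' "$1" |
        tr -d ' \t'
}

# Return 0 if the file explicitly sets namespaces to an empty list,
# i.e. the temporary workaround from the thread is active.
namespaces_disabled() {
    qemu_conf_namespaces "$1" | grep -qx '\[\]'
}

# Return 0 if two PIDs share a mount namespace, 1 if they differ,
# 2 if either namespace link cannot be read (usually needs root).
# With namespaces enabled, a QEMU process started by libvirtd is
# expected to be in a different mount namespace than libvirtd.
same_mount_ns() {
    a=$(readlink "/proc/$1/ns/mnt") || return 2
    b=$(readlink "/proc/$2/ns/mnt") || return 2
    [ "$a" = "$b" ]
}

# Constructed sample input: a config with the workaround applied.
sample=$(mktemp)
printf '%s\n' '#namespaces = [ "mount" ]' 'namespaces=[]' > "$sample"
if namespaces_disabled "$sample"; then
    echo "namespaces disabled in config: private /dev isolation is off"
fi
rm -f "$sample"
```

On a real host, point `namespaces_disabled` at the qemu.conf that libvirtd reads, and run `same_mount_ns` as root with the libvirtd PID and a running QEMU PID.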