5:42 a.m.
Hi. I upgraded one of my servers to Ubuntu 20.04. Since then domains
won't shutdown. They are in the "in shutdown" state.
I googled around and I found it is probably because of apparmor.
I see this message in the logs:
kernel: [740222.848210] audit: type=1400 audit(1606983397.013:338):
apparmor="DENIED" operation="signal"
profile="libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878" pid=2375
comm="libvirtd" requested_mask="receive"
denied_mask="receive" signal=term
peer="libvirtd"
I tried to run this but it does nothing:
aa-complain /usr/sbin/libvirtd
The only solution I found was to run aa-disable to the machine id
so it can be shut down.
I found some similar issues but I can't figure out what I have to tweak
in the apparmor files. If you can point me to some doc may be I skipped
I will or any solution I would appreciate it.
This is
- Ubuntu 20.04
- libvirt 6.0.0-0
- qemu-kvm 1:4.2-3
Thank you very much.
12:20 p.m.
On 12/3/20 4:42 AM, Francesc Guasch wrote:
Hi. I upgraded one of my servers to Ubuntu 20.04. Since then domains
won't shutdown. They are in the "in shutdown" state.
I googled around and I found it is probably because of apparmor.
I see this message in the logs:
kernel: [740222.848210] audit: type=1400 audit(1606983397.013:338):
apparmor="DENIED" operation="signal"
profile="libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878" pid=2375
comm="libvirtd"
requested_mask="receive" denied_mask="receive" signal=term
peer="libvirtd"
Are you using lxc? I recently posted a patch allowing lxc domains to receive
signals from libvirtd
https://www.redhat.com/archives/libvir-list/2020-December/msg00187.html
If you are using qemu, ensure the libvirt-qemu abstraction contains similar
rules. They were introduced in libvirt 5.2.0, so your libvirt-qemu abstraction
should already have them.
Regards,
Jim
2:21 a.m.
On 03/12/2020 19:20, Jim Fehlig wrote:
On 12/3/20 4:42 AM, Francesc Guasch wrote:
> Hi. I upgraded one of my servers to Ubuntu 20.04. Since then domains
> won't shutdown. They are in the "in shutdown" state.
>
> I see this message in the logs:
>
> kernel: [740222.848210] audit: type=1400 audit(1606983397.013:338):
> apparmor="DENIED" operation="signal"
> profile="libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878" pid=2375
> comm="libvirtd" requested_mask="receive"
denied_mask="receive"
> signal=term peer="libvirtd"
Are you using lxc? I recently posted a patch allowing lxc domains to
receive signals from libvirtd
https://www.redhat.com/archives/libvir-list/2020-December/msg00187.html
Jim ! I am not using LXC, but KVM. That worked like a charm. For the
record that is exactly what I changed:
I added to the file :
/etc/apparmor.d/usr.sbin.libvirtd
below:
# For communication/control from libvirtd
signal (receive) peer=libvirtd,
signal (receive) peer=/usr/sbin/libvirtd
Thank you very much.
10:23 a.m.
On 12/4/20 1:21 AM, Francesc Guasch wrote:
On 03/12/2020 19:20, Jim Fehlig wrote:
> On 12/3/20 4:42 AM, Francesc Guasch wrote:
>> Hi. I upgraded one of my servers to Ubuntu 20.04. Since then domains
>> won't shutdown. They are in the "in shutdown" state.
>>
>> I see this message in the logs:
>>
>> kernel: [740222.848210] audit: type=1400 audit(1606983397.013:338):
>> apparmor="DENIED" operation="signal"
>> profile="libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878" pid=2375
>> comm="libvirtd" requested_mask="receive"
denied_mask="receive" signal=term
>> peer="libvirtd"
>
> Are you using lxc? I recently posted a patch allowing lxc domains to receive
> signals from libvirtd
>
> https://www.redhat.com/archives/libvir-list/2020-December/msg00187.html
>
Jim ! I am not using LXC, but KVM. That worked like a charm. For the
record that is exactly what I changed:
I added to the file :
/etc/apparmor.d/usr.sbin.libvirtd
below:
# For communication/control from libvirtd
signal (receive) peer=libvirtd,
signal (receive) peer=/usr/sbin/libvirtd
I'm no apparmor expert, but this doesn't make sense to me. You've added a rule
to the libvirtd profile allowing libvirtd to receive signals from libvirtd :-).
Let's look again at your apparmor denied message
kernel: [740222.848210] audit: type=1400 audit(1606983397.013:338):
apparmor="DENIED" operation="signal"
profile="libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878" pid=2375
comm="libvirtd" requested_mask="receive"
denied_mask="receive" signal=term
peer="libvirtd"
This essentially says profile libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878 was
denied receiving SIGTERM from libvirtd. Profile
libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878 is created at VM start. It contains
rules allowing the VM process access to resources it uses from the host, e.g. a
path on the host where the VM's disk image resides. The profile also includes
the <abstractions/libvirt-qemu> profile, which contains rules applicable to all
VM processes. As I understand it, the abstraction is where you want to place the
rules. On your system that is likely /etc/apparmor.d/abstractions/libvirt-qemu.
Regards,
Jim
1448
days inactive
1450
days old
3 comments
2 participants
participants (2)
-
Francesc Guasch -
Jim Fehlig