
On 12/4/20 1:21 AM, Francesc Guasch wrote:
> On 03/12/2020 19:20, Jim Fehlig wrote:
>> On 12/3/20 4:42 AM, Francesc Guasch wrote:
>>> Hi. I upgraded one of my servers to Ubuntu 20.04. Since then domains won't shut down. They are in the "in shutdown" state.
>>>
>>> I see this message in the logs:
>>>
>>> kernel: [740222.848210] audit: type=1400 audit(1606983397.013:338): apparmor="DENIED" operation="signal" profile="libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878" pid=2375 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="libvirtd"
>>
>> Are you using lxc? I recently posted a patch allowing lxc domains to receive signals from libvirtd
>>
>> https://www.redhat.com/archives/libvir-list/2020-December/msg00187.html
>
> Jim! I am not using LXC, but KVM. That worked like a charm. For the record that is exactly what I changed:
>
> I added to the file:
> /etc/apparmor.d/usr.sbin.libvirtd
>
> below:
>
> # For communication/control from libvirtd
> signal (receive) peer=libvirtd,
> signal (receive) peer=/usr/sbin/libvirtd,

I'm no apparmor expert, but this doesn't make sense to me. You've added a rule to the libvirtd profile allowing libvirtd to receive signals from libvirtd :-). Let's look again at your apparmor denied message

kernel: [740222.848210] audit: type=1400 audit(1606983397.013:338): apparmor="DENIED" operation="signal" profile="libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878" pid=2375 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="libvirtd"

This essentially says profile libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878 was denied receiving SIGTERM from libvirtd. Profile libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878 is created at VM start. It contains rules allowing the VM process access to resources it uses from the host, e.g. a path on the host where the VM's disk image resides. The profile also includes the <abstractions/libvirt-qemu> profile, which contains rules applicable to all VM processes.

As I understand it, the abstraction is where you want to place the rules. On your system that is likely /etc/apparmor.d/abstractions/libvirt-qemu.

Regards,
Jim
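
Added example (not part of the thread and not libvirt code): a small Python helper that reads an AppArmor signal denial the way the reply above does, taking `profile=` as the confined side whose policy needs the rule and `peer=` as the other end. The function names are hypothetical, the abstraction path is the one the reply names as likely, and narrowing the rule with `set=(...)` to the denied signal is a choice made here; the rules quoted in the thread do not restrict the signal.

```python
import re

# Denial line copied from the thread.
SAMPLE = ('kernel: [740222.848210] audit: type=1400 audit(1606983397.013:338): '
          'apparmor="DENIED" operation="signal" '
          'profile="libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878" pid=2375 '
          'comm="libvirtd" requested_mask="receive" denied_mask="receive" '
          'signal=term peer="libvirtd"')

# Per-VM profiles are generated at VM start and named libvirt-<uuid>.
PER_VM = re.compile(r'^libvirt-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$')
# Path the reply calls "likely"; treat it as an assumption on other systems.
ABSTRACTION = '/etc/apparmor.d/abstractions/libvirt-qemu'
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of an audit line as a dict."""
    return {k: (q if q else bare) for k, q, bare in KV.findall(line)}


def suggest_signal_rule(line):
    """For a denied signal operation, say which policy needs which rule.

    Returns None for lines that are not AppArmor signal denials.
    """
    f = parse_denial(line)
    if f.get('apparmor') != 'DENIED' or f.get('operation') != 'signal':
        return None
    subject = f['profile']          # the profile that was denied
    rule = 'signal ({}) set=({}) peer={},'.format(
        f['denied_mask'], f['signal'], f['peer'])
    # A generated per-VM profile is rewritten at each VM start, so the rule
    # belongs in the abstraction it includes, not in the peer's profile.
    target = ABSTRACTION if PER_VM.match(subject) else 'profile ' + subject
    return {'subject': subject, 'peer': f['peer'],
            'rule': rule, 'target': target}


if __name__ == '__main__':
    result = suggest_signal_rule(SAMPLE)
    print('denied profile :', result['subject'])
    print('signal sender  :', result['peer'])
    print('add to         :', result['target'])
    print('rule           :', result['rule'])
```

After editing the abstraction, VM profiles pick the rule up when they are next loaded, which for the generated per-VM profiles happens at VM start.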