apparmor DENIED on domain shutdown

Hi. I upgraded one of my servers to Ubuntu 20.04. Since then domains won't shut down. They are in the "in shutdown" state.

I googled around and I found it is probably because of apparmor. I see this message in the logs:

kernel: [740222.848210] audit: type=1400 audit(1606983397.013:338): apparmor="DENIED" operation="signal" profile="libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878" pid=2375 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="libvirtd"

I tried to run this but it does nothing:

aa-complain /usr/sbin/libvirtd

The only solution I found was to run aa-disable on the machine id so it can be shut down.

I found some similar issues but I can't figure out what I have to tweak in the apparmor files. If you can point me to some doc I may have skipped, or any solution, I would appreciate it.

This is:
- Ubuntu 20.04
- libvirt 6.0.0-0
- qemu-kvm 1:4.2-3

Thank you very much.

On 12/3/20 4:42 AM, Francesc Guasch wrote:
Hi. I upgraded one of my servers to Ubuntu 20.04. Since then domains won't shutdown. They are in the "in shutdown" state.
I googled around and I found it is probably because of apparmor.
I see this message in the logs:
kernel: [740222.848210] audit: type=1400 audit(1606983397.013:338): apparmor="DENIED" operation="signal" profile="libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878" pid=2375 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="libvirtd"
Are you using lxc? I recently posted a patch allowing lxc domains to receive signals from libvirtd

https://www.redhat.com/archives/libvir-list/2020-December/msg00187.html

If you are using qemu, ensure the libvirt-qemu abstraction contains similar rules. They were introduced in libvirt 5.2.0, so your libvirt-qemu abstraction should already have them.

Regards,
Jim

On 03/12/2020 19:20, Jim Fehlig wrote:
On 12/3/20 4:42 AM, Francesc Guasch wrote:
Hi. I upgraded one of my servers to Ubuntu 20.04. Since then domains won't shutdown. They are in the "in shutdown" state.
I see this message in the logs:
kernel: [740222.848210] audit: type=1400 audit(1606983397.013:338): apparmor="DENIED" operation="signal" profile="libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878" pid=2375 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="libvirtd"
Are you using lxc? I recently posted a patch allowing lxc domains to receive signals from libvirtd
https://www.redhat.com/archives/libvir-list/2020-December/msg00187.html
Jim! I am not using LXC, but KVM. That worked like a charm. For the record, that is exactly what I changed. I added to the file /etc/apparmor.d/usr.sbin.libvirtd, below:

# For communication/control from libvirtd
signal (receive) peer=libvirtd,
signal (receive) peer=/usr/sbin/libvirtd,

Thank you very much.

On 12/4/20 1:21 AM, Francesc Guasch wrote:
On 03/12/2020 19:20, Jim Fehlig wrote:
On 12/3/20 4:42 AM, Francesc Guasch wrote:
Hi. I upgraded one of my servers to Ubuntu 20.04. Since then domains won't shutdown. They are in the "in shutdown" state.
I see this message in the logs:
kernel: [740222.848210] audit: type=1400 audit(1606983397.013:338): apparmor="DENIED" operation="signal" profile="libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878" pid=2375 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="libvirtd"
Are you using lxc? I recently posted a patch allowing lxc domains to receive signals from libvirtd
https://www.redhat.com/archives/libvir-list/2020-December/msg00187.html
Jim! I am not using LXC, but KVM. That worked like a charm. For the record, that is exactly what I changed. I added to the file /etc/apparmor.d/usr.sbin.libvirtd, below:

# For communication/control from libvirtd
signal (receive) peer=libvirtd,
signal (receive) peer=/usr/sbin/libvirtd,
I'm no apparmor expert, but this doesn't make sense to me. You've added a rule to the libvirtd profile allowing libvirtd to receive signals from libvirtd :-). Let's look again at your apparmor denied message
kernel: [740222.848210] audit: type=1400 audit(1606983397.013:338): apparmor="DENIED" operation="signal" profile="libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878" pid=2375 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="libvirtd"
This essentially says profile libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878 was denied receiving SIGTERM from libvirtd.

Profile libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878 is created at VM start. It contains rules allowing the VM process access to resources it uses from the host, e.g. a path on the host where the VM's disk image resides. The profile also includes the <abstractions/libvirt-qemu> profile, which contains rules applicable to all VM processes. As I understand it, the abstraction is where you want to place the rules. On your system that is likely /etc/apparmor.d/abstractions/libvirt-qemu.

Regards,
Jim
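The point of the thread is that an AppArmor denial names the profile that was confined (here the per-VM profile), and the allowing rule has to land in that profile, or in an abstraction it includes, not in the peer's profile. The script below is an added example written for this thread, not code from libvirt, AppArmor or either poster: it parses audit records of the kind quoted above, emits the rule that would permit each denied signal (narrowed to the signal actually seen, the way aa-logprof does; libvirt's own abstraction allows all signals from libvirtd), and checks whether the file someone edited is the one AppArmor will consult for that profile. The abstraction path is the one Jim calls "likely" and is an assumption; the sample log lines are constructed (the first is the denial from the thread, the other two are invented to exercise a second signal and a non-signal denial).

```python
"""Turn AppArmor 'DENIED' signal audit records into the profile rule that
would allow them, and check the rule is headed for the right profile.
Added example for this thread; not code from libvirt or AppArmor.
Sample log lines are constructed (the first is the denial quoted above)."""
import re
from collections import defaultdict

# Where Jim's reply says VM-wide rules belong on this kind of install.
# Assumed path, not verified against any particular distribution.
QEMU_ABSTRACTION = "/etc/apparmor.d/abstractions/libvirt-qemu"

# libvirt names each running VM's profile "libvirt-<domain UUID>".
VM_PROFILE_RE = re.compile(r"^libvirt-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log: line 1 is the thread's denial, lines 2-3 are made up.
SAMPLE_LOG = """\
kernel: [740222.848210] audit: type=1400 audit(1606983397.013:338): apparmor="DENIED" operation="signal" profile="libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878" pid=2375 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="libvirtd"
kernel: [740223.100000] audit: type=1400 audit(1606983398.000:339): apparmor="DENIED" operation="signal" profile="libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878" pid=2375 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=kill peer="libvirtd"
kernel: [740224.200000] audit: type=1400 audit(1606983399.000:340): apparmor="DENIED" operation="open" profile="libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878" name="/srv/images/disk.qcow2" pid=2380 comm="qemu-system-x86" requested_mask="r" denied_mask="r"
"""


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit record, or None
    for lines that are not AppArmor records at all."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def signal_rule(fields):
    """Rule that would permit a denied signal operation, narrowed to the
    exact signal seen; None for any other kind of denial."""
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "signal":
        return None
    access = fields["denied_mask"]  # "receive" here; "send" for the other direction
    return f"signal ({access}) set=({fields['signal']}) peer={fields['peer']},"


def suggest_rules(log_text):
    """Map each denied profile to the sorted list of rules that would allow
    its denied signal operations."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        rule = signal_rule(fields) if fields else None
        if rule:
            rules[fields["profile"]].add(rule)
    return {profile: sorted(r) for profile, r in rules.items()}


def rule_target(profile):
    """File a new rule for `profile` belongs in. Per-VM profiles are
    regenerated at VM start, so their rules go into the shared abstraction;
    for any other profile the answer is its own definition file (None here)."""
    return QEMU_ABSTRACTION if VM_PROFILE_RE.match(profile) else None


def placement_ok(fields, edited_file):
    """True if a rule for this denial was written to the file AppArmor will
    consult for the denied profile. The thread's edit, libvirtd's own profile,
    fails this check because the denial names the VM profile, not libvirtd's.
    Returns None when the denied profile is not a per-VM one."""
    target = rule_target(fields["profile"])
    if target is None:
        return None
    return edited_file == target


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(f"profile {profile}: add to {rule_target(profile) or 'its own profile file'}")
        for rule in rules:
            print("  " + rule)
```

Run it as is to see the two suggested rules for the VM profile; feed it `journalctl -k` output instead of SAMPLE_LOG to apply it to a real host. The generated rules are deliberately tighter than the `signal (receive) peer=libvirtd,` line from the libvirt-qemu abstraction, which is the right shape for a permanent fix; the script is a diagnostic for reading denials, not a replacement for that abstraction.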