9:16 p.m.
libvirt
version: 3.4.0
architecture: x86_64 ubuntu16.04-server
hypervisor: kvm,qemu
When migrate vm, I encounter error:
"Migrate VM virt21 failed unsupported configuration: Unable to find security driver
for model apparmor"
but two host are same environment.before this error, migrate can be success.
the source host seclabel configure is this :
<seclabel type='dynamic' model='apparmor' relabel='yes'>
<label>libvirt-8e4ec209-17ca-4b59-abb7-72f3984244f3</label>
<imagelabel>libvirt-8e4ec209-17ca-4b59-abb7-72f3984244f3</imagelabel>
</seclabel>
I create a vm on the destination host ,the vm configure not seclabel congfigure.
I reinstall libvirt on the destination host and migrate same vm, this error disappear.vm
seclabel configure is default.
I recreate a vm on the destination host ,the vm configure has the seclabel configure , I
don't known the reason.
Another question:
I configure a vm xml's seclabel like this:
<seclabel type='none' model='none'/>
and then call virDomainCreate create the vm, call virsh dumpxml, the vm xml's seclabel
is this:
<seclabel type='none' model='none'/>
<seclabel type='dynamic' model='dac' relabel='yes'>
<label>+0:+0</label>
<imagelabel>+0:+0</imagelabel>
</seclabel>
I don't the reason.
Is a vm seclabel configure dynamic change when it running?
Thanks
6:43 a.m.
On 07/25/2017 04:16 AM, 露露 wrote:
libvirt
version: 3.4.0
architecture: x86_64 ubuntu16.04-server
hypervisor: kvm,qemu
When migrate vm, I encounter error:
"Migrate VM virt21 failed unsupported configuration: Unable to find security driver
for model apparmor"
but two host are same environment.before this error, migrate can be success.
the source host seclabel configure is this :
<seclabel type='dynamic' model='apparmor' relabel='yes'>
<label>libvirt-8e4ec209-17ca-4b59-abb7-72f3984244f3</label>
<imagelabel>libvirt-8e4ec209-17ca-4b59-abb7-72f3984244f3</imagelabel>
</seclabel>
I create a vm on the destination host ,the vm configure not seclabel congfigure.
You mean, there's no apparmor seclabel when you run the domain on the
destination? Well, then the two hosts are not identical in
configuration. What's the output of `aa-status` ran on the destination?
I reinstall libvirt on the destination host and migrate same vm, this
error disappear.vm seclabel configure is default.
I recreate a vm on the destination host ,the vm configure has the seclabel configure , I
don't known the reason.
Is this the latest release? If not, can you try it because the bug might
have been fixed.
Another question:
I configure a vm xml's seclabel like this:
<seclabel type='none' model='none'/>
Not quite sure what are you trying to achieve with this.
and then call virDomainCreate create the vm, call virsh dumpxml, the
vm xml's seclabel is this:
<seclabel type='none' model='none'/>
<seclabel type='dynamic' model='dac' relabel='yes'>
<label>+0:+0</label>
<imagelabel>+0:+0</imagelabel>
</seclabel>
I don't the reason.
This is because DAC security driver is enabled by default. Therefore
when libvirt is starting new domain it changes ownership of files qemu
is going to touch (again, by default). If you want to suppress this
behaviour you can:
<seclabel type='none' model='dac' relabel='no'/>
Michal
2680
days inactive
2680
days old
1 comments
2 participants
participants (2)
-
Michal Privoznik -
露露