Bug ID 1058847
Summary libvirt fails to start guest - error: Kernel does not provide mount namespace: Permission denied
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component AppArmor
Assignee suse-beta@cboltz.de
Reporter neyers@geod.uni-bonn.de
QA Contact qa-bugs@suse.de
Found By ---
Blocker --- 

I updated my system yesterday evening and this morning and could not start my
kvm/qemu virtual machines after.

The following error appears in virsh:

> virsh # connect qemu:///system
>
> virsh # start opensuse42.3-desktop
> error: Failed to start domain opensuse42.3-desktop
> error: internal error: child reported: Kernel does not provide mount namespace: Permission denied

This also happens in: https://bugzilla.opensuse.org/show_bug.cgi?id=1045158

I checked /var/log/audit/audit.log for apparmor issues and found the following
entries:

> type=AVC msg=audit(1505466698.704:526): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6293 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"

> type=AVC msg=audit(1505466699.828:534): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6621 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/libvirtd"

After editing /etc/apparmor.d/usr.sbin.libvirtd to include

> ptrace trace peer=/usr/sbin/libvirtd,

and restarting apparmor.service and libvirtd.service it started working again.

You are receiving this mail because: