[Bug 1095556] New: Virtualization/libvirt: creating qemu VM with --boot uefi fails due to missing AppArmor profile
http://bugzilla.opensuse.org/show_bug.cgi?id=1095556

Bug ID: 1095556
Summary: Virtualization/libvirt: creating qemu VM with --boot uefi fails due to missing AppArmor profile
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: 3rd party software
Assignee: jfehlig@suse.com
Reporter: neyers@geod.uni-bonn.de
QA Contact: bnc-team-screening@forge.provo.novell.com
Found By: ---
Blocker: ---

Copy&paste from my mailing list posts:

I have a problem creating virtual machines with UEFI boot mode. It seems that the required AppArmor profile is not created.

% virt-install --connect qemu:///system --boot uefi --name ovmf --memory 1024 --disk size=10
WARNING No operating system detected, VM performance may suffer. Specify an OS with --os-variant for optimal results.
Starting install...
Allocating 'ovmf-1.qcow2' | 10 GB 00:00:00
ERROR internal error: cannot load AppArmor profile 'libvirt-071236ef-5b3d-457e-962b-bfedda1bbba5'
...

Looking for the profile yields no result:

% find /etc/apparmor.d/libvirt/ -name libvirt-071236ef-5b3d-457e-962b-bfedda1bbba5

Though when I create a non-UEFI VM, it works as expected.

% virt-install --connect qemu:///system --boot hd --name ovmf --memory 1024 --disk size=10
% virsh --connect qemu:///system dominfo ovmf | grep label
Security label: libvirt-76ae48ba-fa95-4695-8bfc-f461d1cab1c0 (enforcing)
% find /etc/apparmor.d/libvirt/ -name 76ae48ba-fa95-4695-8bfc-f461d1cab1c0
/etc/apparmor.d/libvirt/libvirt-76ae48ba-fa95-4695-8bfc-f461d1cab1c0

In virt-manager I get effectively the same error when I select the ovmf firmware in the pre-install configuration:

Unable to complete install: 'internal error: cannot load AppArmor profile 'libvirt-f49ca662-58d3-4c92-8201-9d98458cc365''

Here is the diff (omitting uuid, source file and mac address changes) between

% virt-install --connect qemu:///system --boot hd --name ovmf --memory 1024 --disk size=10 --print-xml > boot-hd.xml
% virt-install --connect qemu:///system --boot uefi --name ovmf --memory 1024 --disk size=10 --print-xml > boot-uefi.xml
% diff boot-hd.xml boot-uefi.xml
8a9
<loader readonly="yes"
type="pflash">/usr/share/qemu/ovmf-x86_64-ms-4m-code.bin</loader>

Looking further into this, I found that [1] patches /src/qemu/qemu.conf to new ovmf locations, but in /src/security/virt-aa-helper.c [2] the old locations are still in place. Might this be the problem?

Thanks and cheers

[1] https://build.opensuse.org/package/view_file/Virtualization/libvirt/suse-ovm...
[2] https://gitlab.com/libvirt/libvirt/blob/master/src/security/virt-aa-helper.c...

--
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1095556
http://bugzilla.opensuse.org/show_bug.cgi?id=1095556#c1

James Fehlig <jfehlig@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from James Fehlig <jfehlig@suse.com> ---
Thanks for the report. I've added the path to OVMF and AAVMF images on SUSE distros (/usr/share/qemu) to suse-ovmf-paths.patch. It will be included in the libvirt 4.4.0 Factory submission I'll create shortly. If you want to test before it hits Factory/TW, try the libvirt packages from the Virtualization devel repo

https://download.opensuse.org/repositories/Virtualization/openSUSE_Factory/

Note to self: also fixed in SLE12 SP3/4, and SLE15
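
A pre-flight check for the mismatch discussed in this thread, as an added example that is not part of the original mails and is not libvirt's code: it reads the firmware paths from `virt-install --print-xml` output and reports any that fall outside a list of allowed firmware directories. The directory lists, the function names and the sample XML are assumptions for illustration; only the `<loader>` line and `/usr/share/qemu` come from the thread.

```python
import posixpath
import xml.etree.ElementTree as ET

# Assumed firmware directories for illustration; not copied from virt-aa-helper.c.
OLD_FIRMWARE_DIRS = ("/usr/share/OVMF/", "/usr/share/AAVMF/")
# Same list plus the SUSE image location named in comment #1.
FIXED_FIRMWARE_DIRS = OLD_FIRMWARE_DIRS + ("/usr/share/qemu/",)

# Constructed sample: a minimal domain carrying the <loader> line from the diff.
SAMPLE_XML = """<domain type="kvm">
  <name>ovmf</name>
  <os>
    <type arch="x86_64">hvm</type>
    <loader readonly="yes" type="pflash">/usr/share/qemu/ovmf-x86_64-ms-4m-code.bin</loader>
  </os>
</domain>"""


def firmware_paths(domain_xml):
    """Return (tag, normalized path) for each <loader>/<nvram> under <os>."""
    root = ET.fromstring(domain_xml)
    found = []
    for tag in ("loader", "nvram"):
        for node in root.findall(f"./os/{tag}"):
            if node.text and node.text.strip():
                # Normalize so "../" segments cannot fake an allowed prefix.
                found.append((tag, posixpath.normpath(node.text.strip())))
    return found


def uncovered(domain_xml, allowed_dirs):
    """Return the firmware paths that lie outside every allowed directory."""
    return [(tag, path) for tag, path in firmware_paths(domain_xml)
            if not any(path.startswith(d) for d in allowed_dirs)]


if __name__ == "__main__":
    for label, dirs in (("old", OLD_FIRMWARE_DIRS), ("fixed", FIXED_FIRMWARE_DIRS)):
        missing = uncovered(SAMPLE_XML, dirs)
        print(label, "->", missing or "all firmware paths covered")
```
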

http://bugzilla.opensuse.org/show_bug.cgi?id=1095556
http://bugzilla.opensuse.org/show_bug.cgi?id=1095556#c3

James Fehlig <jfehlig@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ralf.koelmel@kit.edu

--- Comment #3 from James Fehlig <jfehlig@suse.com> ---
*** Bug 1102890 has been marked as a duplicate of this bug. ***