[opensuse-support] creating qemu VM with --boot uefi fails due to missing AppArmor profile
Hello list,

I have a problem creating virtual machines with UEFI boot mode. It seems that the required AppArmor profile is not created.

% virt-install --connect qemu:///system --boot uefi --name ovmf --memory 1024 --disk size=10
WARNING No operating system detected, VM performance may suffer. Specify an OS with --os-variant for optimal results.

Starting install...
Allocating 'ovmf-1.qcow2' | 10 GB 00:00:00
ERROR internal error: cannot load AppArmor profile 'libvirt-071236ef-5b3d-457e-962b-bfedda1bbba5'
...

Looking for the profile yields no result:

% find /etc/apparmor.d/libvirt/ -name libvirt-071236ef-5b3d-457e-962b-bfedda1bbba5

Though when I create a non-UEFI VM, it works as expected.

% virt-install --connect qemu:///system --boot hd --name ovmf --memory 1024 --disk size=10
% virsh --connect qemu:///system dominfo ovmf | grep label
Security label: libvirt-76ae48ba-fa95-4695-8bfc-f461d1cab1c0 (enforcing)
% find /etc/apparmor.d/libvirt/ -name 76ae48ba-fa95-4695-8bfc-f461d1cab1c0
/etc/apparmor.d/libvirt/libvirt-76ae48ba-fa95-4695-8bfc-f461d1cab1c0

Is there something I'm missing or should I file a bug?

Cheers

--
To unsubscribe, e-mail: opensuse-support+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-support+owner@opensuse.org
On Friday, 1 June 2018, 12:37:03 CEST, Christian Neyers wrote:
> Hello list,
>
> I have a problem creating virtual machines with UEFI boot mode. It seems that the required AppArmor profile is not created.
>
> % virt-install --connect qemu:///system --boot uefi --name ovmf --memory 1024 --disk size=10
> WARNING No operating system detected, VM performance may suffer. Specify an OS with --os-variant for optimal results.
>
> Starting install...
> Allocating 'ovmf-1.qcow2' | 10 GB 00:00:00
> ERROR internal error: cannot load AppArmor profile 'libvirt-071236ef-5b3d-457e-962b-bfedda1bbba5'
> ...
>
> Looking for the profile yields no result:
>
> % find /etc/apparmor.d/libvirt/ -name libvirt-071236ef-5b3d-457e-962b-bfedda1bbba5
>
> Though when I create a non-UEFI VM, it works as expected.
>
> % virt-install --connect qemu:///system --boot hd --name ovmf --memory 1024 --disk size=10
> % virsh --connect qemu:///system dominfo ovmf | grep label
> Security label: libvirt-76ae48ba-fa95-4695-8bfc-f461d1cab1c0 (enforcing)
> % find /etc/apparmor.d/libvirt/ -name 76ae48ba-fa95-4695-8bfc-f461d1cab1c0
> /etc/apparmor.d/libvirt/libvirt-76ae48ba-fa95-4695-8bfc-f461d1cab1c0
>
> Is there something I'm missing or should I file a bug?
> Cheers

Two options:
- Wait for cboltz to jump in (our AppArmor hero)
- Try setting it up through virt-manager, then have a look at the config and see if there's any difference with what you're trying from cli.
--
Gertjan Lettink a.k.a. Knurpht
openSUSE Board Member
openSUSE Forums Team
On 2018-06-01 12:41, Knurpht @ openSUSE wrote:
> Two options:
> - Wait for cboltz to jump in (our AppArmor hero)
> - Try setting it up through virt-manager, then have a look at the config and see if there's any difference with what you're trying from cli.
In virt-manager I get effectively the same error when I select the ovmf firmware in the pre-install configuration:

Unable to complete install: 'internal error: cannot load AppArmor profile 'libvirt-f49ca662-58d3-4c92-8201-9d98458cc365''

But you made me remember the --print-xml option to virt-install, so here is the diff (omitting uuid, source file and mac address changes) between

% virt-install --connect qemu:///system --boot hd --name ovmf --memory 1024 --disk size=10 --print-xml > boot-hd.xml
% virt-install --connect qemu:///system --boot uefi --name ovmf --memory 1024 --disk size=10 --print-xml > boot-uefi.xml
% diff boot-hd.xml boot-uefi.xml
8a9
> <loader readonly="yes" type="pflash">/usr/share/qemu/ovmf-x86_64-ms-4m-code.bin</loader>

Looking further into this, I found that [1] patches /src/qemu/qemu.conf to new ovmf locations, but in /src/security/virt-aa-helper.c [2] the old locations are still in place. Might this be the problem?

Thanks and cheers

[1] https://build.opensuse.org/package/view_file/Virtualization/libvirt/suse-ovm...
[2] https://gitlab.com/libvirt/libvirt/blob/master/src/security/virt-aa-helper.c...
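The comparison made in the message above can be scripted. This is an added example, not code from the thread or from libvirt: it reads `virt-install --print-xml` output, extracts the firmware loader, and checks whether a `libvirt-<uuid>` profile exists in the profile directory. The name `check_domain`, the sample XML and the plain-text search for the loader path in the profile files are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample shaped like the boot-uefi.xml described in the thread
# (UUID and loader path are the ones quoted in the messages).
SAMPLE_UEFI_XML = """<domain type="kvm">
  <name>ovmf</name>
  <uuid>071236ef-5b3d-457e-962b-bfedda1bbba5</uuid>
  <os>
    <type arch="x86_64">hvm</type>
    <loader readonly="yes" type="pflash">/usr/share/qemu/ovmf-x86_64-ms-4m-code.bin</loader>
  </os>
</domain>"""


def check_domain(xml_text, profile_dir="/etc/apparmor.d/libvirt"):
    """Hypothetical helper: report the firmware loader and AppArmor profile state."""
    root = ET.fromstring(xml_text)
    uuid = (root.findtext("uuid") or "").strip()
    if not uuid:
        raise ValueError("domain XML has no <uuid>")
    loader = root.find("os/loader")
    loader_path = None
    if loader is not None and loader.text:
        loader_path = loader.text.strip()
    profile = f"libvirt-{uuid}"  # per-domain profile name, as seen in the thread
    directory = Path(profile_dir)
    files = []
    if directory.is_dir():
        # The profile itself plus any sibling file sharing its name prefix.
        files = sorted(p for p in directory.iterdir()
                       if p.is_file() and p.name.startswith(profile))
    mentioned = None  # None = nothing to search (no loader or no profile files)
    if loader_path and files:
        # Assumption: a literal text match is enough to spot the loader path.
        mentioned = any(loader_path in p.read_text(errors="replace") for p in files)
    return {
        "profile": profile,
        "profile_exists": (directory / profile).is_file(),
        "loader_path": loader_path,
        "loader_type": loader.get("type") if loader is not None else None,
        "loader_mentioned": mentioned,
    }


if __name__ == "__main__":
    for key, value in check_domain(SAMPLE_UEFI_XML).items():
        print(f"{key}: {value}")
```

A result with `loader_path` set and `profile_exists` false corresponds to the UEFI case reported in the thread.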
Hello,

On Friday, 1 June 2018, 12:41:58 CEST, Knurpht @ openSUSE wrote:
> Two options:
> - Wait for cboltz to jump in (our AppArmor hero)
The problem sounds like libvirt doesn't create or load an AppArmor profile, therefore I'm afraid I can't do too much ;-)

IMHO this is worth a bugreport for libvirt (assignee: jfehlig AT suse.com)

As a workaround, it might be possible to create a profile manually (based on an existing libvirt profile).

Regards,

Christian Boltz
--
The Consultant's Curse: When the customer has beaten upon you long enough, give him what he asks for, instead of what he needs. This is very strong medicine, and is normally only required once.
On 2018-06-01 13:37, Christian Boltz wrote:
> IMHO this is worth a bugreport for libvirt (assignee: jfehlig AT suse.com)
https://bugzilla.opensuse.org/show_bug.cgi?id=1095556

Thanks and cheers
participants (3)
- Christian Boltz
- Christian Neyers
- Knurpht @ openSUSE