[libvirt-users] About seclabel configure,Migrate error

Michal Privoznik mprivozn at redhat.com
Tue Jul 25 11:43:48 UTC 2017 

On 07/25/2017 04:16 AM, 露露 wrote:
> libvirt
> version: 3.4.0
> architecture: x86_64 ubuntu16.04-server
> hypervisor: kvm,qemu
> 
> When migrate vm, I encounter error:
>  "Migrate VM virt21 failed unsupported configuration: Unable to find security driver for model apparmor"
> but two host are same environment.before this error, migrate can be success.
> the source host seclabel configure is this :
> <seclabel type='dynamic' model='apparmor' relabel='yes'>
>     <label>libvirt-8e4ec209-17ca-4b59-abb7-72f3984244f3</label>
>     <imagelabel>libvirt-8e4ec209-17ca-4b59-abb7-72f3984244f3</imagelabel>
>   </seclabel>
> I create a vm on the destination host ,the vm configure not seclabel congfigure.

You mean, there's no apparmor seclabel when you run the domain on the
destination? Well, then the two hosts are not identical in
configuration. What's the output of `aa-status` ran on the destination?

> I reinstall libvirt on the destination host and migrate same vm, this error disappear.vm seclabel configure is default.
> I recreate a vm on the destination host ,the vm configure has the seclabel configure , I don't known the reason.

Is this the latest release? If not, can you try it because the bug might
have been fixed.

> 
> Another question:
> I configure a vm xml's seclabel like this:
>  <seclabel type='none' model='none'/>

Not quite sure what are you trying to achieve with this.

> and then call virDomainCreate create the vm, call virsh dumpxml, the vm xml's seclabel is this:
>  <seclabel type='none' model='none'/>
>   <seclabel type='dynamic' model='dac' relabel='yes'>
>     <label>+0:+0</label>
>     <imagelabel>+0:+0</imagelabel>
>   </seclabel>
> I don't the reason.

This is because DAC security driver is enabled by default. Therefore
when libvirt is starting new domain it changes ownership of files qemu
is going to touch (again, by default). If you want to suppress this
behaviour you can:

<seclabel type='none' model='dac' relabel='no'/>

Michal

More information about the libvirt-users mailing list