[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: apparmor DENIED on domain shutdown



On 12/4/20 1:21 AM, Francesc Guasch wrote:
On 03/12/2020 19:20, Jim Fehlig wrote:
On 12/3/20 4:42 AM, Francesc Guasch wrote:
Hi. I upgraded one of my servers to Ubuntu 20.04. Since then domains
won't shutdown. They are in the "in shutdown" state.

I see this message in the logs:

kernel: [740222.848210] audit: type=1400 audit(1606983397.013:338): apparmor="DENIED" operation="signal" profile="libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878" pid=2375 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="libvirtd"

Are you using lxc? I recently posted a patch allowing lxc domains to receive signals from libvirtd

https://www.redhat.com/archives/libvir-list/2020-December/msg00187.html


Jim ! I am not using LXC, but KVM. That worked like a charm. For the
record that is exactly what I changed:

I added to the file :

     /etc/apparmor.d/usr.sbin.libvirtd

below:

     # For communication/control from libvirtd

     signal (receive) peer=libvirtd,
     signal (receive) peer=/usr/sbin/libvirtd

I'm no apparmor expert, but this doesn't make sense to me. You've added a rule to the libvirtd profile allowing libvirtd to receive signals from libvirtd :-).

Let's look again at your apparmor denied message

> kernel: [740222.848210] audit: type=1400 audit(1606983397.013:338):
> apparmor="DENIED" operation="signal"
> profile="libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878" pid=2375
> comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term
> peer="libvirtd"

This essentially says profile libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878 was denied receiving SIGTERM from libvirtd. Profile libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878 is created at VM start. It contains rules allowing the VM process access to resources it uses from the host, e.g. a path on the host where the VM's disk image resides. The profile also includes the <abstractions/libvirt-qemu> profile, which contains rules applicable to all VM processes. As I understand it, the abstraction is where you want to place the rules. On your system that is likely /etc/apparmor.d/abstractions/libvirt-qemu.

Regards,
Jim



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]