I knew from my former tests:
1. apparmor 3.0 = bad
2. downgrading to 2.13.3-7ubuntu6 and back up to 3.0 = good
3. aa-enforce + service restart = good
I checked the logs on the affected systems to see how this got into the bad state:

  $ grep -E 'configure (lib)?(apparmor|libvirt)' /var/log/dpkg.log
  2020-09-16 05:56:09 configure libapparmor1:amd64 3.0.0~beta1-0ubuntu1 <none>
  2020-09-16 05:56:18 configure apparmor:amd64 3.0.0~beta1-0ubuntu1 <none>
  2020-09-16 05:57:31 configure libvirt-daemon-system-systemd:amd64 6.6.0-1ubuntu2 <none>
  2020-09-16 05:57:31 configure libvirt0:amd64 6.6.0-1ubuntu2 <none>
  2020-09-16 05:57:33 configure libvirt-clients:amd64 6.6.0-1ubuntu2 <none>
  2020-09-16 05:57:36 configure libvirt-daemon:amd64 6.6.0-1ubuntu2 <none>
  2020-09-16 05:57:36 configure libvirt-daemon-driver-qemu:amd64 6.6.0-1ubuntu2 <none>
  2020-09-16 05:57:36 configure libvirt-daemon-system:amd64 6.6.0-1ubuntu2 <none>
  2020-09-16 05:58:05 configure apparmor-utils:amd64 3.0.0~beta1-0ubuntu1 <none>
  2020-09-17 14:04:17 configure libvirt-daemon-system-dbgsym:amd64 6.6.0-1ubuntu2 <none>
  2020-09-17 14:04:17 configure libvirt0-dbgsym:amd64 6.6.0-1ubuntu2 <none>
  2020-09-17 14:04:17 configure libvirt-daemon-driver-qemu-dbgsym:amd64 6.6.0-1ubuntu2 <none>
  2020-09-17 14:04:17 configure libvirt-clients-dbgsym:amd64 6.6.0-1ubuntu2 <none>
  2020-09-17 14:04:17 configure libvirt-daemon-dbgsym:amd64 6.6.0-1ubuntu2 <none>
  2020-09-22 06:56:34 configure apparmor:amd64 3.0.0~beta1-0ubuntu5 <none>

It seems I had:
1. groovy container
2. upgrade to proposed (including libapparmor1 / apparmor 3.0)
3. install libvirt

I was trying to recreate the above with a new container as of today:
1. groovy container (2.13.3-7ubuntu6, all still confined)
2. upgrade to proposed (3.0.0~beta1-0ubuntu5, all still confined)
3. install libvirt (confinement working well)

Hmm, something must have been different. I know I have used container snapshots when I ran into that - I need to sort out in what order that happened and if it would occur again.

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1895967

Title:
  3.0.0~beta1-0ubuntu1 in Groovy breaks Libvirt/Qemu/KVM

Status in apparmor package in Ubuntu:
  Incomplete

Bug description:
  Hi,
  I stumbled over this due to automatic tests checking proposed.
  I found that Focal could no longer migrate to Groovy with:

    $ virsh migrate --unsafe --live fguest qemu+ssh://10.162.30.163/system
    error: unsupported configuration: Security driver model 'apparmor' is not available

  I looked after it and found that while all former releases detected apparmor correctly:

    $ virsh capabilities | grep -C 3 secmodel
          <cache>
            <bank id='0' level='3' type='both' size='15' unit='MiB' cpus='0-11'/>
          </cache>
          <secmodel>
            <model>apparmor</model>
            <doi>0</doi>
          </secmodel>
          <secmodel>
            <model>dac</model>
            <doi>0</doi>
            <baselabel type='kvm'>+64055:+108</baselabel>
            <baselabel type='qemu'>+64055:+108</baselabel>
          </secmodel>

  Now on groovy that didn't work anymore:

          <secmodel>
            <model>none</model>
            <doi>0</doi>
          </secmodel>
          <secmodel>
            <model>dac</model>
            <doi>0</doi>
            <baselabel type='kvm'>+64055:+108</baselabel>
            <baselabel type='qemu'>+64055:+108</baselabel>
          </secmodel>

  Since 3.0 is only in proposed:

    # apt-cache policy apparmor
    apparmor:
      Installed: 2.13.3-7ubuntu6
      Candidate: 3.0.0~beta1-0ubuntu1
      Version table:
         3.0.0~beta1-0ubuntu1 500
            500 http://archive.ubuntu.com/ubuntu groovy-proposed/main amd64 Packages
     *** 2.13.3-7ubuntu6 500
            500 http://archive.ubuntu.com/ubuntu groovy/main amd64 Packages
            100 /var/lib/dpkg/status

  I installed the former version.

    $ apt install apparmor=2.13.3-7ubuntu6
    $ rm /var/cache/libvirt/qemu/capabilities/*
    $ systemctl restart libvirtd

  And it works again.
  Interestingly going back to 3.0 then works and keeps working.
  Therefore maybe it is a red herring and I'll consider it incomplete & low prio for now until I know more (allowing others that might see the same to find this bug and chime in).
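A small check, added here as an example and not part of the bug report, that scripts what the report does by hand with "virsh capabilities | grep secmodel": it extracts the <secmodel> models and reports whether libvirt advertises the apparmor driver, using constructed capability snippets shaped like the two outputs above. The check_host function, the sample snippets and the message texts are this example's own assumptions; the recovery commands it prints are the ones quoted in the report.

```shell
#!/bin/sh
# Added example, not code from the bug report: check whether libvirt advertises
# the apparmor security driver, the condition the report tests with
# "virsh capabilities | grep secmodel". check_host, the sample variables and
# the message texts are this example's own assumptions.

# Print the <model> value of every <secmodel> block in capabilities XML read
# from stdin, one per line (e.g. "apparmor" then "dac", or "none" then "dac").
secmodels() {
  sed -n '/<secmodel>/,/<\/secmodel>/s/.*<model>\([^<]*\)<\/model>.*/\1/p'
}

# Exit 0 when apparmor is among the advertised models, 1 otherwise.
apparmor_confined() {
  printf '%s\n' "$1" | secmodels | grep -qx 'apparmor'
}

# Constructed capability snippets, shaped like the two outputs in the report
# (only the <secmodel> part; a real document has many more elements).
GOOD_CAPS='<capabilities><host>
  <cpu><model>Skylake-Client</model></cpu>
  <secmodel>
    <model>apparmor</model>
    <doi>0</doi>
  </secmodel>
  <secmodel>
    <model>dac</model>
    <doi>0</doi>
  </secmodel>
</host></capabilities>'
BAD_CAPS=$(printf '%s\n' "$GOOD_CAPS" | sed 's#<model>apparmor</model>#<model>none</model>#')

# Live check against the local libvirt daemon; prints the recovery the report
# used instead of running it, so the operator decides.
check_host() {
  command -v virsh >/dev/null 2>&1 || { echo "virsh not installed, skipping live check"; return 2; }
  caps=$(virsh capabilities 2>/dev/null) || { echo "could not query libvirt"; return 2; }
  if apparmor_confined "$caps"; then
    echo "OK: libvirt reports the apparmor security driver"
    return 0
  fi
  echo "WARNING: libvirt does not report apparmor (model 'none'?); guests are not confined by it"
  echo "Recovery from the report: rm /var/cache/libvirt/qemu/capabilities/* && systemctl restart libvirtd"
  return 1
}

if [ "${1:-}" = "--check" ]; then check_host; fi
```

Run it with --check on a host to perform the live query; without arguments it only defines the functions and samples.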
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1895967/+subscriptions