** Changed in: cloud-archive/zed
Assignee: Heather Lemon (hypothetical-lemon) => (unassigned)
https://bugs.launchpad.net/bugs/1988270
Title:
AppArmor fails to start with Yoga UCA libvirt profile on Focal
Status in Ubuntu Cloud Archive:
Confirmed
Status in Ubuntu Cloud Archive yoga series:
Confirmed
Status in Ubuntu Cloud Archive zed series:
Confirmed
Status in apparmor package in Ubuntu:
Invalid
Status in apparmor source package in Focal:
Confirmed
Status in apparmor source package in Jammy:
Confirmed
Bug description:
[ Impact ]
AppArmor fails to start with yoga-focal uca libvirt profile
[ Test Plan ]
generate yoga-focal openstack instance
juju ssh nova-compute/0
sudo systemctl restart apparmor
journalctl -xe
# Error message
Oct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94081]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.li>
Oct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94082]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Oct 04 15:55:32 juju-6d4862-apparmorbug-9 audit[94084]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="u>
Oct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94005]: Error: At least one profile failed to load
[ Other Notes ]
On a fully patched Ubuntu Focal with Yoga UCA enabled, after
installation of libvirt-daemon-system, restarting apparmor would fail
with error:
Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Restarting AppArmor
Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Reloading AppArmor profiles
Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6341]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6348]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf.
Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6413]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf.
Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6418]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Error: At least one profile failed to load
Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Failed with result 'exit-code'.
Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: Failed to start Load AppArmor profiles.
In addition to bpf, the perfmon capability, which is also enabled in
the /etc/apparmor.d/usr.sbin.libvirtd profile, would lead to the same
error.
System information:
root@ubuntu2004:~# uname -a
Linux ubuntu2004.localdomain 5.4.0-125-generic #141-Ubuntu SMP Wed Aug 10 13:42:03 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
root@ubuntu2004:~# dpkg -l libvirt\*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                       Version                 Architecture Description
+++-==========================================-=======================-============-=============================================================
ii  libvirt-clients                            8.0.0-1ubuntu7.1~cloud0 amd64        Programs for the libvirt library
ii  libvirt-daemon                             8.0.0-1ubuntu7.1~cloud0 amd64        Virtualization daemon
ii  libvirt-daemon-config-network              8.0.0-1ubuntu7.1~cloud0 all          Libvirt daemon configuration files (default network)
ii  libvirt-daemon-config-nwfilter             8.0.0-1ubuntu7.1~cloud0 all          Libvirt daemon configuration files (default network filters)
un  libvirt-daemon-driver-lxc                  <none>                  <none>       (no description available)
ii  libvirt-daemon-driver-qemu                 8.0.0-1ubuntu7.1~cloud0 amd64        Virtualization daemon QEMU connection driver
un  libvirt-daemon-driver-storage-gluster      <none>                  <none>       (no description available)
un  libvirt-daemon-driver-storage-iscsi-direct <none>                  <none>       (no description available)
un  libvirt-daemon-driver-storage-rbd          <none>                  <none>       (no description available)
un  libvirt-daemon-driver-storage-zfs          <none>                  <none>       (no description available)
un  libvirt-daemon-driver-vbox                 <none>                  <none>       (no description available)
un  libvirt-daemon-driver-xen                  <none>                  <none>       (no description available)
ii  libvirt-daemon-system                      8.0.0-1ubuntu7.1~cloud0 amd64        Libvirt daemon configuration files
ii  libvirt-daemon-system-systemd              8.0.0-1ubuntu7.1~cloud0 all          Libvirt daemon configuration files (systemd)
un  libvirt-daemon-system-sysv                 <none>                  <none>       (no description available)
un  libvirt-login-shell                        <none>                  <none>       (no description available)
un  libvirt-sanlock                            <none>                  <none>       (no description available)
ii  libvirt0:amd64                             8.0.0-1ubuntu7.1~cloud0 amd64        library for interfacing with different virtualization systems
root@ubuntu2004:~# dpkg -l apparmor\*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                    Version           Architecture Description
+++-=======================-=================-============-======================================
ii  apparmor                2.13.3-7ubuntu5.1 amd64        user-space parser utility for AppArmor
un  apparmor-profiles-extra <none>            <none>       (no description available)
un  apparmor-utils          <none>            <none>       (no description available)
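A pre-flight check for the failure reported above, added here as an example and not part of the bug report, libvirt or AppArmor: it scans a profile for capability rules naming bpf or perfmon, the two capabilities the report shows the Focal parser rejecting, and prints the file and line of each. The function names and the sample profile are constructed for illustration.

```shell
#!/bin/sh
# Capabilities the bug report shows the Focal parser (apparmor 2.13.3) rejecting.
UNSUPPORTED_CAPS="bpf perfmon"

# scan_profile FILE
# Prints "FILE:LINE: capability NAME" for each capability rule that names an
# entry of $UNSUPPORTED_CAPS; returns 1 if any were found, 0 otherwise.
scan_profile() {
    awk -v caps="$UNSUPPORTED_CAPS" '
        BEGIN { n = split(caps, list, " "); for (i = 1; i <= n; i++) bad[list[i]] = 1 }
        {
            line = $0
            sub(/#.*/, "", line)    # ignore comments (and commented-out rules)
            # A capability rule, optionally prefixed by audit/allow/deny.
            if (line !~ /^[ \t]*((audit|allow|deny)[ \t]+)*capability[ \t]/) next
            sub(/^.*capability[ \t]+/, "", line)
            sub(/,.*/, "", line)    # the rule ends at the comma
            m = split(line, names)  # one rule may list several capabilities
            for (i = 1; i <= m; i++)
                if (names[i] in bad) {
                    printf "%s:%d: capability %s\n", FILENAME, FNR, names[i]
                    found = 1
                }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# write_sample FILE: constructed profile for the demo, not the shipped libvirtd one.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample profile
profile demo /usr/sbin/demo {
  capability net_admin,
  capability bpf,
  audit capability sys_admin perfmon,
  # capability bpf,
  /etc/demo.conf r,
}
EOF
}

sample=$(mktemp)
write_sample "$sample"
scan_profile "$sample" || echo "profile names capabilities this parser rejects"
rm -f "$sample"
```

On an affected host the same function can be pointed at /etc/apparmor.d/usr.sbin.libvirtd before running `sudo systemctl restart apparmor`.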