
[kvm-qemu.sh] - libvirtd fails to start because apparmor fails to start, due to unsupported Invalid capability in profiles.


Prerequisites

Please answer the following questions for yourself before submitting an issue.

  • I checked to make sure that this issue has not already been filed
  • I’m reporting the issue to the correct repository (for multi-repository projects)
  • I read my log of installation, all issues will be closed if you don’t do your part of work
  • I understand that reporting issue related to any installation script without installation log is useless and will be closed

Expected Behavior

libvirtd starts without error after running kvm-qemu.sh and rebooting

Current Behavior

libvirtd fails to start due to apparmor error, apparmor fails to start due to an invalid capability

Failure Information (for bugs)

libvirtd status

● libvirtd.service - Virtualization daemon
     Loaded: loaded (/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
     Active: failed (Result: start-limit-hit) since Tue 2021-08-31 17:54:53 CDT; 37min ago
TriggeredBy: ● libvirtd-ro.socket
             ● libvirtd-admin.socket
             ● libvirtd.socket
       Docs: man:libvirtd(8)
             https://libvirt.org
    Process: 11468 ExecStart=/usr/sbin/libvirtd $LIBVIRTD_ARGS (code=exited, status=0/SUCCESS)
   Main PID: 11468 (code=exited, status=0/SUCCESS)
      Tasks: 2 (limit: 32768)
     Memory: 25.3M
     CGroup: /system.slice/libvirtd.service
             ├─1609 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
             └─1610 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper

Aug 31 17:54:53 cents-cape libvirtd[11468]: libvirt version: 7.6.0
Aug 31 17:54:53 cents-cape libvirtd[11468]: hostname: cents-cape
Aug 31 17:54:53 cents-cape libvirtd[11468]: unsupported configuration: Security driver apparmor not enabled
Aug 31 17:54:53 cents-cape libvirtd[11468]: internal error: Failed to initialize security drivers
Aug 31 17:54:53 cents-cape libvirtd[11468]: Initialization of QEMU state driver failed: internal error: Failed to initialize security drivers
Aug 31 17:54:53 cents-cape libvirtd[11468]: Driver state initialization failed

apparmor status

● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2021-08-30 21:03:18 CDT; 21h ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
   Main PID: 778 (code=exited, status=1/FAILURE)

Aug 30 21:03:16 cents-cape apparmor.systemd[808]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf.
Aug 30 21:03:16 cents-cape apparmor.systemd[812]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.virtqemud at line 29: Invalid capability bpf.

Steps to Reproduce

Please provide detailed steps for reproducing the issue.

  1. Fresh Install of ubuntu 20.04
  2. run sudo ./kvm-qemu.sh all cape | tee kvm-qemu.log
  3. reboot
  4. run sudo systemctl status libvirtd
  5. observe error

Context

Removing line 29 from both /etc/apparmor.d/usr.sbin.libvirtd and /etc/apparmor.d/usr.sbin.virtqemud resulted in it throwing another error

Aug 31 18:47:49 cents-cape apparmor.systemd[13476]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability perfmon.
Aug 31 18:47:49 cents-cape apparmor.systemd[13480]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.virtqemud at line 29: Invalid capability perfmon.

Again, removed that line and then apparmor started correctly and allowed libvirtd to start normally.

Might be related to this thread on the libvirt mailing list - https://www.mail-archive.com/libvir-list@redhat.com/msg218313.html

Question | Answer
OS version | Ubuntu 20.04.3 LTS
Software version | QEMU 6.1.0, virsh 7.6.0

Failure Logs

Please include any relevant log snippets or files here.

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 14 (12 by maintainers)
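
The issue shows the parser reporting one invalid capability per profile per run (bpf, then perfmon after the first line was removed). The following added example, which is not part of the original issue or of kvm-qemu.sh, extracts the rejected capabilities from the journal lines quoted above and lists where they sit in a profile, so every affected rule is visible at once. The function names and the profile excerpt are constructed for illustration; the log lines are the ones from the issue.

```shell
#!/usr/bin/env bash
# The four parser errors quoted in the issue; function names are made up for this example.
sample_log() {
cat <<'EOF'
Aug 30 21:03:16 cents-cape apparmor.systemd[808]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf.
Aug 30 21:03:16 cents-cape apparmor.systemd[812]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.virtqemud at line 29: Invalid capability bpf.
Aug 31 18:47:49 cents-cape apparmor.systemd[13476]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability perfmon.
Aug 31 18:47:49 cents-cape apparmor.systemd[13480]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.virtqemud at line 29: Invalid capability perfmon.
EOF
}

# Constructed profile excerpt (hypothetical, not the shipped libvirtd profile).
sample_profile() {
cat <<'EOF'
profile libvirtd /usr/sbin/libvirtd {
  capability kill,
  capability net_admin,   # comment after a rule
  capability sys_admin sys_ptrace,
  capability bpf,
  capability perfmon,
}
EOF
}

# stdin: journal text. stdout: unique "profile capability" pairs the parser rejected.
invalid_caps() {
    sed -n 's/.*AppArmor parser error for [^ ]* in \([^ ]*\) at line [0-9]*: Invalid capability \([a-z_]*\)\..*/\1 \2/p' |
        LC_ALL=C sort -u
}

# $1: profile file. stdout: "lineno capability" for every capability rule in it.
cap_rules() {
    awk '/^[ \t]*capability[ \t]/ {
        rule = $0
        sub(/#.*/, "", rule)                      # drop a trailing comment
        sub(/^[ \t]*capability[ \t]+/, "", rule)  # drop the keyword
        sub(/,[ \t]*$/, "", rule)                 # drop the rule terminator
        n = split(rule, caps, /[ \t]+/)
        for (i = 1; i <= n; i++) if (caps[i] != "") print NR, caps[i]
    }' "$1"
}

# stdin: journal text, $1: profile file. stdout: rules in it naming any capability the log shows rejected.
locate_rejected() {
    rejected=$(invalid_caps | awk '{print $2}' | LC_ALL=C sort -u | tr '\n' ' ')
    cap_rules "$1" | awk -v r="$rejected" 'BEGIN { split(r, a, " "); for (i in a) bad[a[i]] } $2 in bad'
}

sample_log | invalid_caps   # demo: four profile/capability pairs
```

On a live host the same functions can be fed from `journalctl -u apparmor` and pointed at the real files under /etc/apparmor.d.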

Top GitHub Comments

ditekshen commented, Sep 17, 2021 (1 reaction)

Thanks @doomedraven, works for me. I tested without even building libapparmor:

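function install_apparmor() {
    # Kudos to @ditekshen for the apparmor solution with latest libvirt
    # https://gitlab.com/apparmor/apparmor/-/releases
    # Builds only the parser from the AppArmor source tree and installs it as a .deb.
    APPARMOR_VERSION="2.13.6"
    # The tarball is fetched over HTTPS; no checksum or signature is checked here.
    wget "https://launchpad.net/apparmor/2.13/$APPARMOR_VERSION/+download/apparmor-$APPARMOR_VERSION.tar.gz"
    tar xf "apparmor-$APPARMOR_VERSION.tar.gz"
    sudo apt-get install -y swig
    # Build against Python 3
    export PYTHON=/usr/bin/python3
    export PYTHON_VERSION=3
    export PYTHON_VERSIONS=python3

    cd "apparmor-$APPARMOR_VERSION/parser/" || return 1

    # USE_SYSTEM=1 uses the installed libapparmor rather than building the in-tree one
    USE_SYSTEM=1 make -j"$(nproc)"
    # Package the build as a .deb without installing it yet
    USE_SYSTEM=1 checkinstall -D --pkgname=apparmor-parser --default --install=no

    # Install the package, letting it overwrite files owned by an already-installed package
    apt-get -y -o Dpkg::Options::="--force-overwrite" install ./apparmor-parser_*_amd64.deb

    sudo ldconfig
}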

doomedraven commented, Sep 12, 2021 (1 reaction)

Ok, do you guys want to try? https://github.com/doomedraven/Tools/commit/26fa7ee26fb7447d2796f2575174a4cc72e11a49 I didn’t link it yet to the libvirt install, but it worked for me, so a few more confirmations would be good.
