Can't start domain after creating snapshot due to apparmor
Software environment
- Operating system: Ubuntu 20.04.6
- Architecture: amd64
- kernel version: 5.15.0-76-generic
- libvirt version: 8.0.0-1ubuntu7.7
- Hypervisor and version: qemu / 1:6.2+dfsg-2ubuntu6.11
Description of problem
I have a domain that is not running and whose disk is chained, meaning the qcow2 image is backed by another base qcow2 image. The chain looks like:
MAIN -> B -> A
MAIN being the disk image configured as the domain's root disk, in slot vda. B being the image that MAIN is based on. And A being the image B is based on.
The vm also has a disk in vdz that I am not snapshotting.
I created a snapshot with:
virsh snapshot-create-as --domain VMNAME overlay1 --diskspec vda,file=/var/kvm/vms/VMNAME.qcow2-temp --diskspec vdz,snapshot=no --disk-only
But if I then try to start the domain:
# virsh start VMNAME
error: Failed to start domain 'VMNAME'
error: internal error: process exited while connecting to monitor: 2023-09-29T22:45:54.941649Z qemu-system-x86_64: -blockdev {"driver":"file","filename":"/var/kvm/vms/templates/focalminimal_20220209.qcow2","node-name":"libvirt-5-storage","auto-read-only":true,"discard":"unmap"}: Could not open '/var/kvm/vms/templates/focalminimal_20220209.qcow2': Permission denied
focalminimal_20220209.qcow2 is A in the chain described above.
There are several other domains on the host that are also based on the B -> A image chain, and they have no problems being stopped/started while the snapshot is present on VMNAME. Clearly, the image is able to be read so I am not sure why Permission denied would come up here.
All disks are attached via virtio.
Steps to reproduce
- Create a domain with a 3-layer chain of qcow2 disks
- Create a snapshot of the domain's disk as above, adding another link to the chain
- Attempt to start the vm
Additional information
Edit: seems apparmor related. If I disable it on my system (systemctl disable apparmor and reboot), this issue does not occur.
System log messages:
Sep 29 22:55:30 vm08 audit[2876]: AVC apparmor="DENIED" operation="open" profile="libvirt-7dcb1197-be69-4f40-a593-c6466d666db2" name="/var/kvm/vms/templates/focalminimal_20220209.qcow2" pid=2876 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055
Sep 29 22:55:30 vm08 kernel: audit: type=1400 audit(1696028130.084:97): apparmor="DENIED" operation="open" profile="libvirt-7dcb1197-be69-4f40-a593-c6466d666db2" name="/var/kvm/vms/templates/focalminimal_20220209.qcow2" pid=2876 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055
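Added example, not part of the original report: a small Python parser for AppArmor denial records like the two above. It collapses the duplicate audit/kernel lines into one event and extracts the domain UUID from the per-domain libvirt-<UUID> profile name; the function and type names are assumptions made for this sketch.

```python
import re
from collections import namedtuple

Denial = namedtuple("Denial", "domain_uuid path operation denied_mask pid")

# Audit records carry key="value" or key=value pairs.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Per-domain profile name: "libvirt-" followed by the domain UUID.
_PROFILE = re.compile(r"^libvirt-([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$")

# The first two records are copied from the report; the last two are constructed.
SAMPLE = [
    'Sep 29 22:55:30 vm08 audit[2876]: AVC apparmor="DENIED" operation="open" profile="libvirt-7dcb1197-be69-4f40-a593-c6466d666db2" name="/var/kvm/vms/templates/focalminimal_20220209.qcow2" pid=2876 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055',
    'Sep 29 22:55:30 vm08 kernel: audit: type=1400 audit(1696028130.084:97): apparmor="DENIED" operation="open" profile="libvirt-7dcb1197-be69-4f40-a593-c6466d666db2" name="/var/kvm/vms/templates/focalminimal_20220209.qcow2" pid=2876 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055',
    'constructed: apparmor="ALLOWED" operation="open" profile="libvirt-7dcb1197-be69-4f40-a593-c6466d666db2" name="/constructed/example.qcow2" pid=2876 denied_mask="r"',
    'constructed: apparmor="DENIED" operation="open" profile="/usr/sbin/constructed-daemon" name="/constructed/file" pid=1 denied_mask="r"',
]


def parse_denials(lines):
    """Return unique AppArmor denials logged against libvirt per-domain profiles."""
    seen, out = set(), []
    for line in lines:
        fields = {k: quoted or bare for k, quoted, bare in _KV.findall(line)}
        if fields.get("apparmor") != "DENIED":
            continue
        m = _PROFILE.match(fields.get("profile", ""))
        if not m:
            continue  # denial belongs to some other profile
        d = Denial(m.group(1), fields.get("name"), fields.get("operation"),
                   fields.get("denied_mask"), fields.get("pid"))
        if d not in seen:  # the audit[] and kernel lines describe one event
            seen.add(d)
            out.append(d)
    return out


if __name__ == "__main__":
    for d in parse_denials(SAMPLE):
        print(f"domain {d.domain_uuid}: {d.operation} {d.path} denied ({d.denied_mask})")
```

The extracted UUID can be passed to virsh domname to confirm which domain the confined QEMU process belongs to.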