[Bug 1988270] Re: AppArmor fails to start with Yoga UCA libvirt profile on Focal
Christian Ehrhardt
1988270 at bugs.launchpad.net
Wed Oct 5 16:29:05 UTC 2022
Focal:
- apparmor 2.13.3-7ubuntu5.1
- kernel 5.4.0-109-generic
- libvirt:
  a) base 6.0.0-0ubuntu8.16
  b) server-backport 8.0.0-1ubuntu7.2~backport20.04.202210042317~ubuntu20.04.1
  c) UCA Yoga 8.0.0-1ubuntu7.1~cloud0
With none did a restart trigger an issue as reported.
libvirtd is reported to be in enforce mode by aa-status
Something must be different on the affected systems, any idea what it
might be?
But also bpf is not present in that file for any of those versions.
For me this is always empty:
$ grep bpf /etc/apparmor.d/usr.sbin.libvirtd
The reason is (and that explains why it felt known to me) that I have resolved that in March.
https://git.launchpad.net/~canonical-server/ubuntu/+source/libvirt/commit/?h=backport-libvirt-focal&id=21eb63454433d7b2c2b75f197b7064c96cf7d1e8
Since it is a conffile it might not be updated on upgrades, so I have checked that.
Server backports was fine as expected.
Yoga is indeed still having bpf when purging and re-installing (to force
the default conffile in the package).
And then I can see it:
Oct 05 16:27:58 f apparmor.systemd[48796]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf.
Oct 05 16:27:58 f apparmor.systemd[48720]: Error: At least one profile failed to load
Oct 05 16:27:58 f systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Oct 05 16:27:58 f systemd[1]: apparmor.service: Failed with result 'exit-code'.
Oct 05 16:27:58 f systemd[1]: Failed to start Load AppArmor profiles.
And indeed it is missing here:
https://git.launchpad.net/~ubuntu-cloud-archive/ubuntu/+source/ca-patches/tree/yoga/libvirt.patch
So UCA needs to pick up the patch I referenced above.
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1988270
Title:
AppArmor fails to start with Yoga UCA libvirt profile on Focal
Status in Ubuntu Cloud Archive:
Confirmed
Status in apparmor package in Ubuntu:
Invalid
Status in apparmor source package in Focal:
New
Bug description:
On a fully patched Ubuntu Focal with Yoga UCA enabled, after
installation of libvirt-daemon-system, restarting apparmor would fail
with error:
Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Restarting AppArmor
Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Reloading AppArmor profiles
Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6341]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6348]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf.
Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6413]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf.
Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6418]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Error: At least one profile failed to load
Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Failed with result 'exit-code'.
Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: Failed to start Load AppArmor profiles.
In addition to bpf, perfmon capability, which is also enabled in
/etc/apparmor.d/usr.sbin.libvirtd profile, would lead to the same
error.
System information:
root@ubuntu2004:~# uname -a
Linux ubuntu2004.localdomain 5.4.0-125-generic #141-Ubuntu SMP Wed Aug 10 13:42:03 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
root@ubuntu2004:~# dpkg -l libvirt\*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==========================================-=======================-============-=============================================================
ii libvirt-clients 8.0.0-1ubuntu7.1~cloud0 amd64 Programs for the libvirt library
ii libvirt-daemon 8.0.0-1ubuntu7.1~cloud0 amd64 Virtualization daemon
ii libvirt-daemon-config-network 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (default network)
ii libvirt-daemon-config-nwfilter 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (default network filters)
un libvirt-daemon-driver-lxc <none> <none> (no description available)
ii libvirt-daemon-driver-qemu 8.0.0-1ubuntu7.1~cloud0 amd64 Virtualization daemon QEMU connection driver
un libvirt-daemon-driver-storage-gluster <none> <none> (no description available)
un libvirt-daemon-driver-storage-iscsi-direct <none> <none> (no description available)
un libvirt-daemon-driver-storage-rbd <none> <none> (no description available)
un libvirt-daemon-driver-storage-zfs <none> <none> (no description available)
un libvirt-daemon-driver-vbox <none> <none> (no description available)
un libvirt-daemon-driver-xen <none> <none> (no description available)
ii libvirt-daemon-system 8.0.0-1ubuntu7.1~cloud0 amd64 Libvirt daemon configuration files
ii libvirt-daemon-system-systemd 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (systemd)
un libvirt-daemon-system-sysv <none> <none> (no description available)
un libvirt-login-shell <none> <none> (no description available)
un libvirt-sanlock <none> <none> (no description available)
ii libvirt0:amd64 8.0.0-1ubuntu7.1~cloud0 amd64 library for interfacing with different virtualization systems
root@ubuntu2004:~# dpkg -l apparmor\*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=======================-=================-============-======================================
ii apparmor 2.13.3-7ubuntu5.1 amd64 user-space parser utility for AppArmor
un apparmor-profiles-extra <none> <none> (no description available)
un apparmor-utils <none> <none> (no description available)
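
Added example (not part of the original bug report or of any Ubuntu tooling): the journal lines above name only bpf, while the report says perfmon in the same profile fails the same way, so this sketch extracts the rejected capability from the journal and then scans a profile for every rule naming a rejected capability. The function names and the profile excerpt are assumptions made up for illustration; the journal lines are copied from the report.

```python
import re
from collections import defaultdict

# Matches the apparmor_parser message seen in the journal lines of the report.
PARSER_ERROR = re.compile(
    r"AppArmor parser error for (?P<target>\S+) in (?P<profile>\S+) "
    r"at line (?P<line>\d+): Invalid capability (?P<cap>\w+)\."
)
# A capability rule: optional qualifiers, "capability", names, trailing comma.
CAP_RULE = re.compile(r"^\s*(?:(?:audit|deny|allow)\s+)*capability\s+([\w\s]+),")

# Two journal lines copied from the bug description (same error, logged twice).
SAMPLE_JOURNAL = """\
Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6348]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf.
Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6413]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf.
"""

# Constructed profile excerpt, NOT the real packaged usr.sbin.libvirtd.
SAMPLE_PROFILE = """\
/usr/sbin/libvirtd flags=(attach_disconnected) {
  capability kill,
  capability net_admin,
  # capability sys_ptrace,
  capability bpf,
  capability perfmon,
}
"""

def invalid_capabilities(journal_text):
    """Return {profile_path: {(line_number, capability), ...}}, de-duplicated."""
    found = defaultdict(set)
    for m in PARSER_ERROR.finditer(journal_text):
        found[m["profile"]].add((int(m["line"]), m["cap"]))
    return dict(found)

def capability_rules(profile_text):
    """Return [(line_number, capability)] for each capability rule, skipping comments."""
    rules = []
    for number, line in enumerate(profile_text.splitlines(), start=1):
        m = CAP_RULE.match(line.split("#", 1)[0])
        if m:
            rules.extend((number, cap) for cap in m.group(1).split())
    return rules

def rules_to_review(profile_text, rejected):
    """Capability rules that name a capability the installed parser rejects."""
    return [(n, c) for n, c in capability_rules(profile_text) if c in rejected]
```

Calling `rules_to_review` with the set `{"bpf", "perfmon"}` named in the report lists both rules in the profile, including the one the journal never mentions.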