Support my work ♥

Unable to start KVM virtual machines with libvirt and AppArmor

Today, I had a weird error. After a reboot without any configuration changes some of the VMs would not start anymore.

virsh list --all would still report the machines, but starting them is no longer possible.

# virsh start ${NAME}
error: Failed to start domain ${NAME}
error: internal error: Process exited prior to exec: libvirt:  error : unable to set AppArmor profile 'libvirt-abcdef01-2345-6789-0abc-def012345678' for '/usr/bin/kvm-spice': No such file or directory

Solving the problem

There appears to be a bug in libvirt. If there is a server or daemon crash during the start or creation of the VMs, the generated AppArmor profiles sometimes are empty.

When we restart the system later libvirt tries to reuse the generated policy and fails if the file is empty. So we have to check for these files:

sudo -i # become root
cd /etc/apparmor.d/libvirt
ls -asl

The listing should look something like this:

4 drwxr-xr-x  2 root root 4096 Dec 21 19:41 .
4 drwxr-xr-x 10 root root 4096 May 22  2020 ..
0 -rw-r--r--  1 root root    0 Dec 21 18:52 libvirt-abcdef01-2345-6789-0abc-def012345678
4 -rw-r--r--  1 root root  430 Dec 21 19:41 libvirt-abcdef01-2345-6789-0abc-def012345678.files
4 -rw-r--r--  1 root root  293 Dec 21 19:41 libvirt-abcdef01-2345-6789-0abc-def012345678
4 -rw-r--r--  1 root root  739 Dec 21 19:41 libvirt-abcdef01-2345-6789-0abc-def012345678.files
0 -rw-r--r--  1 root root    0 Dec 21 18:57 libvirt-abcdef01-2345-6789-0abc-def012345678
4 -rw-r--r--  1 root root  499 Dec 21 19:45 libvirt-abcdef01-2345-6789-0abc-def012345678.files
4 -rw-r--r--  1 root root  265 Aug 10  2016 libvirt-abcdef01-2345-6789-0abc-def012345678
4 -rw-r--r--  1 root root  499 Feb  8  2018 libvirt-abcdef01-2345-6789-0abc-def012345678.files

...

4 -rw-r--r--  1 root root  342 Aug 28  2018 TEMPLATE.lxc
4 -rw-r--r--  1 root root  192 Aug 28  2018 TEMPLATE.qemu

We can see here that there are some newer and some older empty files. The next step is to simply delete the files like this:

rm libvirt-abcdef01-2345-6789-0abc-def012345678

Now we are able to start the VMs with virsh, virt-manager or any other interface:

sudo virsh start ${NAME}

Don't forget to close the root shell by giving it the command exit.

What you should not do

There are some people that disable apparmor. This is a bad idea because it reduces the security of your system.

Make sure that the file /etc/libvirt/qemu.conf either is on the default value or set to apparmor and selinux as a fallback:

#security_driver = "apparmor"
security_driver = [ "apparmor", "selinux" ]

links

social