Today, I had a weird error. After a reboot without any configuration changes, some of the VMs would not start anymore. The command virsh list --all would still report the machines, but starting them was no longer possible.
# virsh start ${NAME}
error: Failed to start domain ${NAME}
error: internal error: Process exited prior to exec: libvirt: error : unable to set AppArmor profile 'libvirt-abcdef01-2345-6789-0abc-def012345678' for '/usr/bin/kvm-spice': No such file or directory
Solving the problem
There appears to be a bug in libvirt. If there is a server or daemon crash during the start or creation of the VMs, the generated AppArmor profiles are sometimes empty.
When we restart the system later, libvirt tries to reuse the generated policy and fails if the file is empty. So we have to check for these files:
sudo -i # become root
cd /etc/apparmor.d/libvirt
ls -asl
The listing should look something like this:
4 drwxr-xr-x 2 root root 4096 Dec 21 19:41 .
4 drwxr-xr-x 10 root root 4096 May 22 2020 ..
0 -rw-r--r-- 1 root root 0 Dec 21 18:52 libvirt-abcdef01-2345-6789-0abc-def012345678
4 -rw-r--r-- 1 root root 430 Dec 21 19:41 libvirt-abcdef01-2345-6789-0abc-def012345678.files
4 -rw-r--r-- 1 root root 293 Dec 21 19:41 libvirt-abcdef01-2345-6789-0abc-def012345678
4 -rw-r--r-- 1 root root 739 Dec 21 19:41 libvirt-abcdef01-2345-6789-0abc-def012345678.files
0 -rw-r--r-- 1 root root 0 Dec 21 18:57 libvirt-abcdef01-2345-6789-0abc-def012345678
4 -rw-r--r-- 1 root root 499 Dec 21 19:45 libvirt-abcdef01-2345-6789-0abc-def012345678.files
4 -rw-r--r-- 1 root root 265 Aug 10 2016 libvirt-abcdef01-2345-6789-0abc-def012345678
4 -rw-r--r-- 1 root root 499 Feb 8 2018 libvirt-abcdef01-2345-6789-0abc-def012345678.files
...
4 -rw-r--r-- 1 root root 342 Aug 28 2018 TEMPLATE.lxc
4 -rw-r--r-- 1 root root 192 Aug 28 2018 TEMPLATE.qemu
We can see here that there are some newer and some older empty files (size 0). The next step is to simply delete the empty files like this:
rm libvirt-abcdef01-2345-6789-0abc-def012345678
Now we are able to start the VMs with virsh, virt-manager or any other interface:
sudo virsh start ${NAME}
Don't forget to close the root shell by giving it the command exit.
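The check-and-delete step above, written as a script (an added example, not part of the original post). The function names and the --remove option are assumptions made for this sketch; it only considers zero-byte files named libvirt-<UUID> and lists them without deleting unless --remove is given.

```shell
#!/bin/sh
# Added example, not from the original post.
# Lists (and with --remove deletes) zero-byte libvirt AppArmor profiles.
# Only files named libvirt-<UUID> are considered; the matching *.files
# includes and the TEMPLATE.* files are never touched.

PROFILE_DIR=/etc/apparmor.d/libvirt   # directory used in the post

# Print the path of every empty libvirt-<UUID> profile in directory $1.
find_empty_profiles() {
    dir=${1:-$PROFILE_DIR}
    for f in "$dir"/libvirt-*; do
        [ -f "$f" ] || continue        # also skips an unmatched glob
        [ -L "$f" ] && continue        # ignore symlinks
        name=${f##*/}
        # Accept exactly "libvirt-" followed by a 36-character UUID.
        printf '%s\n' "$name" | grep -Eq \
            '^libvirt-[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' \
            || continue
        [ -s "$f" ] && continue        # non-empty profile: leave it alone
        printf '%s\n' "$f"
    done
    return 0
}

# Delete the empty profiles in directory $1 and print how many were removed.
remove_empty_profiles() {
    find_empty_profiles "${1:-}" | {
        count=0
        while IFS= read -r f; do
            rm -- "$f" && count=$((count + 1))
        done
        printf '%s\n' "$count"
    }
}

# Dry run by default; "--remove [DIR]" deletes (needs root on a real host).
case ${1:-} in
    --remove) remove_empty_profiles "${2:-}" ;;
    *)        find_empty_profiles "${1:-}" ;;
esac
```

Run it without arguments first to review the list, then again with --remove from the root shell.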
What you should not do
There are some people that disable AppArmor. This is a bad idea because it reduces the security of your system.
Make sure that security_driver in the file /etc/libvirt/qemu.conf is either left at its default value or set to apparmor, with selinux as a fallback:
#security_driver = "apparmor"
security_driver = [ "apparmor", "selinux" ]