apparmor preventing libvirtd from starting.

  • Hi,

    Discovered today that the kvm plugin was broken. Long story short, the libvirtd service was not running and wouldn't restart with systemctl restart libvirtd.


    Tried again looking at the journal and saw this:

    Code
    Feb 19 18:58:53 omv7-dell systemd[1]: Starting libvirtd.service - Virtualization daemon...
    Feb 19 18:58:53 omv7-dell audit[569901]: AVC apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 profile="libvirtd" pid=569901 comm="libvirtd" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
    Feb 19 18:58:53 omv7-dell libvirtd[569901]: libvirt:  error : An error occurred, but the cause is unknown
    Feb 19 18:58:53 omv7-dell systemd[1]: libvirtd.service: Main process exited, code=exited, status=1/FAILURE


    So apparmor seems to be preventing libvirtd from creating a socket?


    I tried adding the following to /etc/apparmor.d/usr.sbin.libvirtd

    Code
    network unix dgram,
    network unix stream,


    and restarting apparmor and libvirtd but it made no difference. I don't really know much about apparmor. Normally it just works.


    I tried aa-complain libvirtd and that allowed me to start libvirtd and by the time I got back to the open browser the KVM plugin had my virtual machines listed again.


    I know I've done updates since I last knew the plugin worked but can't say when.


    Any ideas? It's a pretty vanilla install of omv7 with a wordpress and emoncms webserver in docker.


    Thanks,


    Andy.
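    The AVC record in the journal output above carries everything needed to derive the rule the profile is missing (this is what aa-logprof automates). The script below is an added example, not something from the post or the OMV/omv-extras project: it pulls individual key="value" fields out of an AVC line and, for class="net" denials like the one shown, prints the candidate `network <family> <sock_type>,` rule. The sample line is the one quoted in the post; the function names are my own.

```shell
#!/bin/sh
# Constructed sample: the AVC record from the journal output quoted in the post.
AVC_SAMPLE='Feb 19 18:58:53 omv7-dell audit[569901]: AVC apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 profile="libvirtd" pid=569901 comm="libvirtd" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none'

# avc_field LINE KEY
# Print the value of KEY from an AVC record. Quoted values (key="a b c") are
# tried first so values containing spaces survive; then unquoted (key=123).
avc_field() {
    line=$1
    key=$2
    val=$(printf '%s\n' "$line" | sed -n "s|.*[[:space:]]$key=\"\([^\"]*\)\".*|\1|p")
    [ -n "$val" ] || val=$(printf '%s\n' "$line" | sed -n "s|.*[[:space:]]$key=\([^[:space:]]*\).*|\1|p")
    printf '%s\n' "$val"
}

# suggest_rule LINE
# For a DENIED record of class "net", print the AppArmor rule that would
# permit the socket operation, e.g. "network unix dgram,". Returns 1 for
# records that are not denials or whose class this helper does not map.
suggest_rule() {
    line=$1
    [ "$(avc_field "$line" apparmor)" = "DENIED" ] || return 1
    case $(avc_field "$line" class) in
        net)
            printf 'network %s %s,\n' \
                "$(avc_field "$line" family)" "$(avc_field "$line" sock_type)"
            ;;
        *)
            return 1
            ;;
    esac
}

# Demo: prints the rule for the denial quoted in the post.
printf 'profile=%s comm=%s op=%s\n' \
    "$(avc_field "$AVC_SAMPLE" profile)" \
    "$(avc_field "$AVC_SAMPLE" comm)" \
    "$(avc_field "$AVC_SAMPLE" operation)"
suggest_rule "$AVC_SAMPLE"   # prints: network unix dgram,
```

    In practice you would feed it live records with something like `journalctl -k -o cat | grep 'apparmor="DENIED"'` and review each suggestion before adding it. Two things worth checking when an added rule "makes no difference": that the edited profile was actually reloaded into the kernel (`apparmor_parser -r /etc/apparmor.d/usr.sbin.libvirtd`, or a restart of the apparmor service), and, via `aa-status`, that the profile is really the one in enforce mode for the running process, since a denial logged after the edit means the loaded policy still lacks the rule.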

  • Sorry, omv7 version is 7.0-32 but I think it was upgraded from 6 following the guide. So not a fresh from scratch omv7 install...


    But the kvm plugin installed and worked straight up without any issue that I can recall.


    A.

    • Official post

    You just need to remove the apparmor package. I really don't want to get into the apparmor rule writing business but maybe I will look at it.

    omv 7.0.5-1 sandworm | 64 bit | 6.8 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.13 | compose 7.2 | k8s 7.1.0-3 | cputemp 7.0.1 | mergerfs 7.0.4 | scripts 7.0.1


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • You just need to remove the apparmor package. I really don't want to get into the apparmor rule writing business but maybe I will look at it.

    Hi yes thanks.


    Just got into this this morning. After a restart none of my dockers restarted either.


    I didn't intentionally (knowingly) install apparmor.


    The rabbit hole all started migrating an omv4 system which uses the letsencrypt plugin.

    I tried a docker of certbot which worked but couldn't restart the host nginx instance without more faff so like an idiot I looked at installing certbot natively on the host (omv7 install).


    I believe because I was daft enough to install certbot using snapd like they suggested and snapd installs apparmor?


    However, I stumbled across dehydrated.io which is a one script certbot alternative that rocks compared to the baggage certbot requires... I uninstalled snapd but it's left apparmor running so I assumed that was part of omv7.


    I since found a thread feb 2023 here trying to fix docker and realised apparmor has come from somewhere else. So I'm currently purging it...


    I'll let you know how it goes.


    Thanks,


    Andy.

  • Hi ryecoaaron,


    Apparmor removed, reboot and the dockers all auto restarted like they should.


    And kvm is working still.


    ...I really don't want to get into the apparmor rule writing business but maybe I will look at it.

    Life's too short. If it was production storage on a corporate bank network, maybe...


    thanks,


    Andy

    • Official post

    The rabbit hole all started migrating an omv4 system which uses the letsencrypt plugin.

    I tried a docker of certbot which worked but couldn't restart the host nginx instance without more faff so like an idiot I looked at installing certbot natively on the host (omv7 install).


    I believe because I was daft enough to install certbot using snapd like they suggested and snapd installs apparmor?

    Why not use a reverse proxy like Swag or NPM (Nginx Proxy Manager) for this?

  • Why not use a reverse proxy like Swag or NPM (Nginx Proxy Manager) for this?

    The certs are the only "complicated" bit. The rev-proxy is a couple of server blocks in an nginx.conf on the host omv so Swag/NPM seemed like overkill at the time.


    As I mentioned I set up certbot in docker which worked a treat but the hook couldn't straightforwardly restart the host nginx service.


    So now I have dehydrated renewing the certs and a dozen lines in an nginx.conf doing the rev-proxy.


    Longer term I'd prefer to move these functions off omv to the firewall box IPFire which has plugins for both dehydrated and nginx-reverse-proxy where, arguably, they belong...


    Andy.
