I'm trying to get KVM working, but the Virtualization daemon just won't start, and I can't see what I'm doing wrong. Can someone give me a push in the right direction? Could it be AppArmor?
I followed these instructions
root@vault13:/# uname -a
code:
Linux vault13.eu 4.13.13-6-pve #1 SMP PVE 4.13.13-41 (Wed, 21 Feb 2018 10:07:54 +0100) x86_64 GNU/Linux
root@vault13:/# apt install qemu-kvm libvirt-clients libvirt-daemon-system
code:
Reading package lists... Done
Building dependency tree
Reading state information... Done
libvirt-clients is already the newest version (3.0.0-4+deb9u2).
libvirt-daemon-system is already the newest version (3.0.0-4+deb9u2).
qemu-kvm is already the newest version (1:2.8+dfsg-6+deb9u3).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@vault13:/# virsh list --all
code:
error: failed to connect to the hypervisor
error: Failed to connect socket to '/var/run/libvirt/libvirt-sock': No such file or directory
root@vault13:/# systemctl status libvirtd
code:
● libvirtd.service - Virtualization daemon
   Loaded: loaded (/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Thu 2018-03-15 10:21:10 CET; 1s ago
     Docs: man:libvirtd(8)
           http://libvirt.org
  Process: 6874 ExecStart=/usr/sbin/libvirtd $libvirtd_opts (code=exited, status=0/SUCCESS)
 Main PID: 6874 (code=exited, status=0/SUCCESS)
      CPU: 95ms

Mar 15 10:21:10 vault13.eu systemd[1]: Starting Virtualization daemon...
Mar 15 10:21:10 vault13.eu systemd[1]: Started Virtualization daemon.
Mar 15 10:21:10 vault13.eu libvirtd[6874]: 2018-03-15 09:21:10.915+0000: 6899: info : libvirt version: 3.0.0, package: 4+deb9u2 (Guido Günther <agx@sigxcpu.org> Sat, 20 Jan 2018 17:51:39 +0100)
Mar 15 10:21:10 vault13.eu libvirtd[6874]: 2018-03-15 09:21:10.915+0000: 6899: info : hostname: vault13.eu
Mar 15 10:21:10 vault13.eu libvirtd[6874]: 2018-03-15 09:21:10.915+0000: 6899: error : netcfStateInitialize:93 : internal error: failed to initialize netcf
Mar 15 10:21:10 vault13.eu libvirtd[6874]: 2018-03-15 09:21:10.915+0000: 6899: error : virStateInitialize:775 : Initialization of netcf state driver failed: internal error: failed to initialize netcf
Mar 15 10:21:10 vault13.eu libvirtd[6874]: 2018-03-15 09:21:10.915+0000: 6899: error : daemonRunStateInit:892 : Driver state initialization failed
root@vault13:/# ifconfig
code:
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.240  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::d250:99ff:fe09:98ae  prefixlen 64  scopeid 0x20<link>
        ether d0:50:99:09:98:ae  txqueuelen 1000  (Ethernet)
        RX packets 1810533  bytes 992632742 (946.6 MiB)
        RX errors 0  dropped 2  overruns 0  frame 0
        TX packets 1026583  bytes 2586426243 (2.4 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
        ether 02:42:89:d8:1c:69  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether d0:50:99:09:98:ae  txqueuelen 1000  (Ethernet)
        RX packets 1900628  bytes 1030615918 (982.8 MiB)
        RX errors 0  dropped 25  overruns 0  frame 0
        TX packets 2515621  bytes 2698165288 (2.5 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf0700000-f0720000

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1185402  bytes 301884581 (287.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1185402  bytes 301884581 (287.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
After some investigation I saw this:
root@vault13:/# dmesg
code:
[74712.167657] audit: type=1400 audit(1521105670.915:30): apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=6874 comm="libvirtd" family="inet" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
root@vault13:/# aa-audit /usr/sbin/libvirtd
root@vault13:/# systemctl restart libvirtd
root@vault13:/# dmesg
code:
[77762.665141] audit: type=1400 audit(1521108721.414:33): apparmor="AUDIT" operation="open" profile="/usr/sbin/libvirtd" name="/etc/ld.so.cache" pid=30225 comm="libvirtd" requested_mask="r" fsuid=0 ouid=0
[77762.665145] audit: type=1400 audit(1521108721.414:34): apparmor="AUDIT" operation="getattr" profile="/usr/sbin/libvirtd" name="/etc/ld.so.cache" pid=30225 comm="libvirtd" requested_mask="r" fsuid=0 ouid=0
[77762.665258] audit: type=1400 audit(1521108721.414:35): apparmor="AUDIT" operation="open" profile="/usr/sbin/libvirtd" name="/usr/lib/libvirt-admin.so.0.3000.0" pid=30225 comm="libvirtd" requested_mask="r" fsuid=0 ouid=0
[77762.665283] audit: type=1400 audit(1521108721.414:36): apparmor="AUDIT" operation="getattr" profile="/usr/sbin/libvirtd" name="/usr/lib/libvirt-admin.so.0.3000.0" pid=30225 comm="libvirtd" requested_mask="r" fsuid=0 ouid=0
[77762.665300] audit: type=1400 audit(1521108721.414:37): apparmor="AUDIT" operation="file_mmap" profile="/usr/sbin/libvirtd" name="/usr/lib/libvirt-admin.so.0.3000.0" pid=30225 comm="libvirtd" requested_mask="r" fsuid=0 ouid=0
[77762.665416] audit: type=1400 audit(1521108721.414:38): apparmor="AUDIT" operation="open" profile="/usr/sbin/libvirtd" name="/usr/lib/libvirt.so.0.3000.0" pid=30225 comm="libvirtd" requested_mask="r" fsuid=0 ouid=0
[77762.665441] audit: type=1400 audit(1521108721.414:39): apparmor="AUDIT" operation="getattr" profile="/usr/sbin/libvirtd" name="/usr/lib/libvirt.so.0.3000.0" pid=30225 comm="libvirtd" requested_mask="r" fsuid=0 ouid=0
[77762.665458] audit: type=1400 audit(1521108721.414:40): apparmor="AUDIT" operation="file_mmap" profile="/usr/sbin/libvirtd" name="/usr/lib/libvirt.so.0.3000.0" pid=30225 comm="libvirtd" requested_mask="r" fsuid=0 ouid=0
[77762.665651] audit: type=1400 audit(1521108721.414:41): apparmor="AUDIT" operation="open" profile="/usr/sbin/libvirtd" name="/usr/lib/x86_64-linux-gnu/libnl-route-3.so.200.22.0" pid=30225 comm="libvirtd" requested_mask="r" fsuid=0 ouid=0
[77762.665674] audit: type=1400 audit(1521108721.414:42): apparmor="AUDIT" operation="getattr" profile="/usr/sbin/libvirtd" name="/usr/lib/x86_64-linux-gnu/libnl-route-3.so.200.22.0" pid=30225 comm="libvirtd" requested_mask="r" fsuid=0 ouid=0
root@vault13:/# cat /etc/apparmor.d/usr.sbin.libvirtd
code:
# Last Modified: Mon Apr 5 15:03:58 2010
#include <tunables/global>
@{LIBVIRT}="libvirt"

/usr/sbin/libvirtd flags=(attach_disconnected,audit) {
  #include <abstractions/base>
  #include <abstractions/dbus>

  capability kill,
  capability net_admin,
  capability net_raw,
  capability setgid,
  capability sys_admin,
  capability sys_module,
  capability sys_ptrace,
  capability sys_pacct,
  capability sys_nice,
  capability sys_chroot,
  capability setuid,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability chown,
  capability setpcap,
  capability mknod,
  capability fsetid,
  capability audit_write,
  capability ipc_lock,

  # Needed for vfio
  capability sys_resource,

  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,
  network packet dgram,
  network packet raw,

  # Very lenient profile for libvirtd since we want to first focus on confining
  # the guests. Guests will have a very restricted profile.
  / r,
  /** rwmkl,

  /bin/* PUx,
  /sbin/* PUx,
  /usr/bin/* PUx,
  /usr/sbin/virtlogd pix,
  /usr/sbin/* PUx,
  /{usr/,}lib/udev/scsi_id PUx,
  /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
  /usr/{lib,lib64}/xen/bin/* Ux,

  # force the use of virt-aa-helper
  audit deny /{usr/,}sbin/apparmor_parser rwxl,
  audit deny /etc/apparmor.d/libvirt/** wxl,
  audit deny /sys/kernel/security/apparmor/features rwxl,
  audit deny /sys/kernel/security/apparmor/matching rwxl,
  audit deny /sys/kernel/security/apparmor/.* rwxl,
  /sys/kernel/security/apparmor/profiles r,
  /usr/{lib,lib64}/libvirt/* PUxr,
  /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
  /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
  /etc/libvirt/hooks/** rmix,
  /etc/xen/scripts/** rmix,

  # allow changing to our UUID-based named profiles
  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,

  /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
  # child profile for bridge helper process
  profile qemu_bridge_helper {
    #include <abstractions/base>

    capability setuid,
    capability setgid,
    capability setpcap,
    capability net_admin,

    network inet stream,

    /dev/net/tun rw,
    /etc/qemu/** r,
    owner @{PROC}/*/status r,

    /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
  }

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.libvirtd>
}
[ 38% edited by Simkin on 15-03-2018 11:52. Reason: AppArmor ]
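
An added triage example, not part of the original post: it splits AppArmor audit lines into DENIED and AUDIT events and checks each denied socket request against the `network` rules in the profile text. The function names are this example's own; the embedded log lines and rules are copied from the post above.

```python
import re
from collections import Counter

# Three lines copied from the dmesg output in the post (1 DENIED, 2 AUDIT).
DMESG = """\
[74712.167657] audit: type=1400 audit(1521105670.915:30): apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=6874 comm="libvirtd" family="inet" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[77762.665141] audit: type=1400 audit(1521108721.414:33): apparmor="AUDIT" operation="open" profile="/usr/sbin/libvirtd" name="/etc/ld.so.cache" pid=30225 comm="libvirtd" requested_mask="r" fsuid=0 ouid=0
[77762.665145] audit: type=1400 audit(1521108721.414:34): apparmor="AUDIT" operation="getattr" profile="/usr/sbin/libvirtd" name="/etc/ld.so.cache" pid=30225 comm="libvirtd" requested_mask="r" fsuid=0 ouid=0
"""

# Network rules excerpted from the posted /etc/apparmor.d/usr.sbin.libvirtd.
PROFILE = """\
  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,
  network packet dgram,
  network packet raw,
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
NET_RULE = re.compile(r'^\s*network\s+(\w+)\s+(\w+)\s*,', re.MULTILINE)

def parse_events(text):
    """Return one dict of key=value fields per AppArmor audit line."""
    events = []
    for line in text.splitlines():
        if "apparmor=" in line:
            events.append({k: q or u for k, q, u in KV.findall(line)})
    return events

def network_rules(profile_text):
    """Collect (family, type) pairs from 'network <family> <type>,' rules."""
    return set(NET_RULE.findall(profile_text))

def triage(dmesg_text, profile_text):
    """Count events per verdict; flag denials the on-disk rules would allow."""
    events = parse_events(dmesg_text)
    rules = network_rules(profile_text)
    counts = Counter(e["apparmor"] for e in events)
    denials = []
    for e in events:
        if e["apparmor"] == "DENIED":
            want = (e.get("family"), e.get("sock_type"))
            denials.append({"profile": e["profile"], "operation": e["operation"],
                            "request": want, "rule_on_disk": want in rules})
    return counts, denials

if __name__ == "__main__":
    counts, denials = triage(DMESG, PROFILE)
    print(dict(counts))
    for d in denials:
        print(d)
```

Only the `apparmor="DENIED"` line is an actual block; the `AUDIT` lines are permitted accesses that are logged because `aa-audit` set the `audit` flag on the profile. For the one denial, `rule_on_disk` is true, so the profile file as posted does not by itself account for the refused `inet`/`stream` socket.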