libvirt
version: 3.4.0
architecture: x86_64 ubuntu16.04-server
hypervisor: kvm,qemu

When I migrate a VM, I encounter this error:
"Migrate VM virt21 failed unsupported configuration: Unable to find security driver for model apparmor"
but the two hosts are the same environment. Before this error, migration could succeed.
The source host seclabel configuration is this:

    <seclabel type='dynamic' model='apparmor' relabel='yes'>
      <label>libvirt-8e4ec209-17ca-4b59-abb7-72f3984244f3</label>
      <imagelabel>libvirt-8e4ec209-17ca-4b59-abb7-72f3984244f3</imagelabel>
    </seclabel>

I create a VM on the destination host; the VM configuration has no seclabel configuration.
I reinstall libvirt on the destination host and migrate the same VM, and this error disappears. The VM seclabel configuration is the default.
I recreate a VM on the destination host, and the VM configuration has the seclabel configuration. I don't know the reason.

Another question:
I configure a VM XML's seclabel like this:

    <seclabel type='none' model='none'/>

and then call virDomainCreate to create the VM and call virsh dumpxml. The VM XML's seclabel is this:

    <seclabel type='none' model='none'/>
    <seclabel type='dynamic' model='dac' relabel='yes'>
      <label>+0:+0</label>
      <imagelabel>+0:+0</imagelabel>
    </seclabel>

I don't know the reason. Does a VM's seclabel configuration change dynamically while it is running?

Thanks

Michal Privoznik
2017-Jul-25 11:43 UTC
Re: [libvirt-users] About seclabel configure,Migrate error
On 07/25/2017 04:16 AM, 露露 wrote:
> libvirt
> version: 3.4.0
> architecture: x86_64 ubuntu16.04-server
> hypervisor: kvm,qemu
>
> When I migrate a VM, I encounter this error:
> "Migrate VM virt21 failed unsupported configuration: Unable to find security driver for model apparmor"
> but the two hosts are the same environment. Before this error, migration could succeed.
> The source host seclabel configuration is this:
> <seclabel type='dynamic' model='apparmor' relabel='yes'>
>   <label>libvirt-8e4ec209-17ca-4b59-abb7-72f3984244f3</label>
>   <imagelabel>libvirt-8e4ec209-17ca-4b59-abb7-72f3984244f3</imagelabel>
> </seclabel>
> I create a VM on the destination host; the VM configuration has no seclabel configuration.

You mean, there's no apparmor seclabel when you run the domain on the destination? Well, then the two hosts are not identical in configuration. What's the output of `aa-status` run on the destination?

> I reinstall libvirt on the destination host and migrate the same VM, and this error disappears. The VM seclabel configuration is the default.
> I recreate a VM on the destination host, and the VM configuration has the seclabel configuration. I don't know the reason.

Is this the latest release? If not, can you try it because the bug might have been fixed.

>
> Another question:
> I configure a VM XML's seclabel like this:
> <seclabel type='none' model='none'/>

Not quite sure what you are trying to achieve with this.

> and then call virDomainCreate to create the VM and call virsh dumpxml. The VM XML's seclabel is this:
> <seclabel type='none' model='none'/>
> <seclabel type='dynamic' model='dac' relabel='yes'>
>   <label>+0:+0</label>
>   <imagelabel>+0:+0</imagelabel>
> </seclabel>
> I don't know the reason.

This is because the DAC security driver is enabled by default. Therefore when libvirt is starting a new domain it changes ownership of files qemu is going to touch (again, by default). If you want to suppress this behaviour you can:

    <seclabel type='none' model='dac' relabel='no'/>

Michal
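
A pre-migration check for the mismatch discussed in this thread, as an added example that is not part of the original messages or of libvirt: it compares the security models named in a domain's seclabel elements with the secmodel entries in the destination's `virsh capabilities` output. The XML samples are constructed, the function names are hypothetical, and treating model='none' as needing no driver is an assumption of the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a domain carrying the apparmor seclabel from the thread
# plus the dac seclabel libvirt adds by default.
DOMAIN_XML = """
<domain type='kvm'>
  <name>virt21</name>
  <seclabel type='dynamic' model='apparmor' relabel='yes'/>
  <seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>
"""

# Constructed sample: capabilities of a destination where only DAC is active,
# i.e. the AppArmor driver was not loaded by libvirtd on that host.
DEST_CAPS_XML = """
<capabilities>
  <host>
    <secmodel><model>dac</model><doi>0</doi></secmodel>
  </host>
</capabilities>
"""

def domain_models(domain_xml):
    """Security models requested by the domain-level <seclabel> elements."""
    root = ET.fromstring(domain_xml)
    models = set()
    for label in root.findall("seclabel"):  # per-device seclabels are not inspected
        model = label.get("model")
        # Assumption: a missing model or model='none' requests no driver.
        if model and model != "none":
            models.add(model)
    return models

def host_models(caps_xml):
    """Security models the host reports under <host><secmodel><model>."""
    root = ET.fromstring(caps_xml)
    return {m.text.strip() for m in root.findall("./host/secmodel/model") if m.text}

def missing_models(domain_xml, caps_xml):
    """Models the domain asks for that the destination does not provide."""
    return sorted(domain_models(domain_xml) - host_models(caps_xml))

if __name__ == "__main__":
    for model in missing_models(DOMAIN_XML, DEST_CAPS_XML):
        print(f"destination has no security driver for model {model!r}")
```

Feed it the output of `virsh dumpxml` from the source and `virsh capabilities` from the destination; an empty result means every model the domain names is active on the destination.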