This is normal. When a VM is created, a new AppArmor profile is created for it so it can be confined. For the short time the VM was up (trying to boot), that profile existed.<br><br><div class="gmail_quote">On Fri, Jun 22, 2012 at 8:49 AM, Jan Benadik <span dir="ltr"><<a href="mailto:jan.benadik@atos.net" target="_blank">jan.benadik@atos.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
When I set:<br>
<small>root@tyan-host:/etc/apparmor.d/local# /etc/init.d/apparmor stop<br>
root@tyan-host:/etc/apparmor.d/local# /etc/init.d/apparmor teardown<br>
root@tyan-host:/etc/apparmor.d/local# apparmor_status <br>
apparmor module is loaded.<br>
0 profiles are loaded.<br>
0 profiles are in enforce mode.<br>
0 profiles are in complain mode.<br>
0 processes have profiles defined.<br>
0 processes are in enforce mode :<br>
0 processes are in complain mode.<br>
0 processes are unconfined but have a profile defined.<br>
<br>
</small>nothing changed. <br>
<br>
But - during the resubmit process - apparmor status was changed for
a while (a few seconds - when the VM is in state "BOOT", until it falls down
to "FAILED") to:<br>
<small>root@tyan-host:/etc/apparmor.d/local# apparmor_status <br>
apparmor module is loaded.<br>
1 profiles are loaded.<br>
1 profiles are in enforce mode.<br>
libvirt-b0bc94b8-588c-ad63-6367-45d1fc9c16d5<br>
0 profiles are in complain mode.<br>
0 processes have profiles defined.<br>
0 processes are in enforce mode :<br>
0 processes are in complain mode.<br>
0 processes are unconfined but have a profile defined.</small><br>
<br>
When in oned.log a message appears:<br>
<small>Thu Jun 21 16:41:17 2012 [VMM][I]: Successfully execute
network driver operation: pre.</small><br>
<br>
immediately after that in /var/log/syslog appears:<br>
<small>Jun 22 10:46:09 tyan-host kernel: [60470.749192] type=1505
audit(1340354769.603:49): operation="profile_load" pid=14286
name="libvirt-b0bc94b8-588c-ad63-6367-45d1fc9c16d5"<br>
Jun 22 10:46:09 tyan-host libvirtd: 10:46:09.624: error :
qemuDomainSetFileOwnership:2222 : cannot set ownership on
/var/lib/one/1/images/disk.0: Permission denied<br>
</small><br>
When in oned.log the messages appear:<br>
<small>Thu Jun 21 16:41:48 2012 [VMM][I]: Command execution fail:
cat << EOT | /var/tmp/one/vmm/kvm/deploy
/var/lib/one/1/images/deployment.4 tyan 1 tyan<br>
Thu Jun 21 16:41:48 2012 [VMM][I]: error: Failed to create domain
from /var/lib/one/1/images/deployment.4<br>
Thu Jun 21 16:41:48 2012 [VMM][I]: error: cannot set ownership on
/var/lib/one/1/images/disk.1: Permission denied<br>
Thu Jun 21 16:41:48 2012 [VMM][E]: Could not create domain from
/var/lib/one/1/images/deployment.4<br>
Thu Jun 21 16:41:48 2012 [VMM][I]: ExitCode: 255<br>
Thu Jun 21 16:41:48 2012 [VMM][I]: Failed to execute
virtualization driver operation: deploy.<br>
Thu Jun 21 16:41:48 2012 [VMM][E]: Error deploying virtual
machine: Could not create domain from
/var/lib/one/1/images/deployment.4<br>
Thu Jun 21 16:41:49 2012 [DiM][I]: New VM state is FAILED</small><br>
<br>
at the same time in syslog appears:<br>
<small>Jun 22 10:46:39 tyan-host libvirtd: 10:46:39.636: error :
qemuMonitorOpenUnix:268 : monitor socket did not show up.: No such
file or directory<br>
Jun 22 10:46:39 tyan-host libvirtd: 10:46:39.636: error :
qemuConnectMonitor:822 : Failed to connect monitor for one-1#012<br>
Jun 22 10:46:39 tyan-host kernel: [60500.950824] type=1505
audit(1340354799.805:50): operation="profile_remove" pid=14299
name="libvirt-b0bc94b8-588c-ad63-6367-45d1fc9c16d5"
namespace="root"<br>
Jun 22 10:46:39 tyan-host libvirtd: 10:46:39.818: error :
qemuDomainSetFileOwnership:2222 : cannot set ownership on
/var/lib/one/1/images/disk.1: Permission denied<br>
Jun 22 10:46:39 tyan-host libvirtd: 10:46:39.819: warning :
qemudShutdownVMDaemon:2703 : Failed to restore all device
ownership for one-1<br>
</small><br>
When I set:<br>
<small>aa-complain libvirtd</small><br>
<br>
nothing changed, the same result and messages in logs. I think the
issue is not in apparmor - something in permissions is wrong
(oneadmin is a member of sudoers, of course). Everything mentioned
here is on the host (not on the ONE server).<br>
<br>
Permissions of folders and files:<br>
<tt><small>oneadmin@tyan-host:~/images$ pwd<br>
/var/lib/one/images<br>
oneadmin@tyan-host:~/images$ ls -la<br>
total 19326692<br>
drwxrwx--T 2 oneadmin root 4096 Jun 21 16:01 .<br>
drwxr-xr-x 11 oneadmin root 4096 Jun 22 08:44 ..<br>
-rw-rw---- 1 oneadmin root 927989760 Jun 20 10:57
46440b43448202b4ee69b4b541f5eeab<br>
-rw-rw---- 1 oneadmin cloud 2996799488 Jun 21 16:01
5bc39d96de8b79c5154c12d534359460<br>
-rw-rw---- 1 oneadmin root 10737418241 Jun 20 10:57
9c52b90a79dba7c26a912d05ff5190b8<br>
-rw-rw---- 1 oneadmin cloud 15728640001 Jun 21 16:05
a1a5f9b12659a78bdc54e9fe9c6ecb79</small><br>
<br>
<small>oneadmin@tyan-host:~$ pwd<br>
/var/lib/one<br>
oneadmin@tyan-host:~$ ls -la<br>
total 168<br>
drwxr-xr-x 11 oneadmin root 4096 Jun 22 08:44 .<br>
drwxr-xr-x 38 root root 4096 Jun 21 17:30 ..<br>
-rw------- 1 oneadmin cloud 3375 Jun 22 08:41 .bash_history<br>
drwx------ 3 oneadmin cloud 4096 Jun 21 09:35 .cache<br>
drwx------ 3 oneadmin cloud 4096 Jun 21 09:35 .config<br>
drwx------ 3 oneadmin cloud 4096 Jun 21 09:35 .local<br>
drwx------ 2 oneadmin cloud 4096 Jun 20 09:49 .one<br>
drwx------ 2 oneadmin root 4096 Jun 20 17:43 .ssh<br>
-rw------- 1 oneadmin cloud 3977 Jun 21 09:49 .viminfo<br>
drwxrwxrwx 3 oneadmin cloud 4096 Jun 21 16:18 0<br>
drwxrwxrwx 3 oneadmin cloud 4096 Jun 22 08:44 1<br>
-rw-r--r-- 1 oneadmin cloud 1738 Jun 21 08:50 config<br>
drwxrwx--T 2 oneadmin root 4096 Jun 21 16:01 images<br>
-rw-r--r-- 1 oneadmin cloud 91136 Jun 22 08:44 one.db<br>
-rw-r--r-- 1 oneadmin cloud 16384 Jun 20 16:28 oneacct.db<br>
drwxr-xr-x 8 root root 4096 Jun 20 09:33 remotes</small><br>
<br>
</tt><small><tt>oneadmin@tyan-host:~/1$ pwd<br>
/var/lib/one/1<br>
oneadmin@tyan-host:~/1$ ls -la<br>
total 164<br>
drwxrwxrwx 3 oneadmin cloud 4096 Jun 22 08:44 .<br>
drwxr-xr-x 11 oneadmin root 4096 Jun 22 08:44 ..<br>
-rw-r--r-- 1 oneadmin cloud 723 Jun 22 08:44 deployment.12<br>
drwxrwxrwx 2 oneadmin cloud 4096 Jun 22 08:44 images<br>
-rw-r--r-- 1 oneadmin cloud 201 Jun 22 08:42
transfer.12.prolog<br>
<br>
oneadmin@tyan-host:~/1/images$ pwd<br>
/var/lib/one/1/images<br>
oneadmin@tyan-host:~/1/images$ ls -la<br>
total 2926580<br>
drwxrwxrwx 2 oneadmin cloud 4096 Jun 22 08:44 .<br>
drwxrwxrwx 3 oneadmin cloud 4096 Jun 22 08:44 ..<br>
-rw-r--r-- 1 oneadmin cloud 724 Jun 22 08:44
deployment.12<br>
-rw-rw-rw- 1 oneadmin cloud 2996799488 Jun 22 08:43 disk.0<br>
lrwxrwxrwx 1 oneadmin cloud 52 Jun 22 08:43 disk.1 ->
/var/lib/one/images/a1a5f9b12659a78bdc54e9fe9c6ecb79<br>
<br>
</tt><br>
</small>Perhaps this helps to analyze the issue.<br>
<br>
Jan<br>
<br>
On 21.06.2012 16:46, Jaime Melis wrote:
<div><div class="h5"><blockquote type="cite">
Hello Jan,
<div><br>
</div>
<div>have you tried disabling apparmor in this one?</div>
<div><br>
</div>
<div>cheers,<br>
Jaime<br>
<br>
<div class="gmail_quote">On Thu, Jun 21, 2012 at 4:34 PM, Jan
Benadik <span dir="ltr"><<a href="mailto:jan.benadik@atos.net" target="_blank">jan.benadik@atos.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <small><big>Hi all,<br>
<br>
I tried to install another host (Ubuntu 10.04 Server)
and error message in oned.log is a little bit
different (see $SUBJ), error message in
/var/log/syslog is different too<br>
(one-1 is name of VM instance):<br>
</big><tt><br>
Jun 21 18:46:18 tyan-host kernel: [ 2879.259739]
type=1505 audit(1340297178.115:19):
operation="profile_load" pid=2267
name="libvirt-1eda663e-1510-f50b-daf1-97c089f7872c"<br>
Jun 21 18:46:18 tyan-host libvirtd: 18:46:18.135:
error : qemuDomainSetFileOwnership:2222 : cannot set
ownership on /var/lib/one/1/images/disk.0: Permission
denied<br>
Jun 21 18:46:48 tyan-host libvirtd: 18:46:48.146:
error : qemuMonitorOpenUnix:268 : monitor socket did
not show up.: No such file or directory<br>
Jun 21 18:46:48 tyan-host libvirtd: 18:46:48.146:
error : qemuConnectMonitor:822 : Failed to connect
monitor for one-1#012<br>
Jun 21 18:46:48 tyan-host kernel: [ 2909.461423]
type=1505 audit(1340297208.315:20):
operation="profile_remove" pid=2276
name="libvirt-1eda663e-1510-f50b-daf1-97c089f7872c"
namespace="root"<br>
Jun 21 18:46:48 tyan-host libvirtd: 18:46:48.329:
error : qemuDomainSetFileOwnership:2222 : cannot set
ownership on /var/lib/one/1/images/disk.1: Permission
denied<br>
Jun 21 18:46:48 tyan-host libvirtd: 18:46:48.329:
warning : qemudShutdownVMDaemon:2703 : Failed to
restore all device ownership for one-1<br>
</tt> <br>
</small><br>
Any idea?<span><font color="#888888"><br>
<br>
<div>-- <br>
<font color="black" face="Verdana" size="3">
<b>Ján Beňadik</b><br>
<font face="Verdana"> Managed Services - Solution
Design Architect<br>
<a href="tel:%2B421%2046%205151%20332" value="+421465151332" target="_blank">+421 46
5151 332</a><br>
<a href="tel:%2B421%20903%20691%20634" value="+421903691634" target="_blank">+421 903
691 634</a><br>
<a href="mailto://jan.benadik@atos.net" target="_blank">jan.benadik@atos.net</a><br>
Vinohradnícka 6, 971 01 Prievidza<br>
<a href="http://www.sk.atos.net" target="_blank">www.sk.atos.net</a><br>
</font> </font></div>
</font></span></div>
<br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opennebula.org" target="_blank">Users@lists.opennebula.org</a><br>
<a href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
Jaime Melis<br>
Project Engineer<br>
OpenNebula - The Open Source Toolkit for Cloud Computing<br>
<a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | <a href="mailto:jmelis@opennebula.org" target="_blank">jmelis@opennebula.org</a><br>
</div>
</blockquote>
<br>
<div>-- <br>
<font color="black" face="Verdana" size="3">
<b>Ján Beňadik</b><br>
<font face="Verdana"> Managed Services - Solution
Design Architect<br>
<a href="tel:%2B421%2046%205151%20332" value="+421465151332" target="_blank">+421 46 5151 332</a><br>
<a href="tel:%2B421%20903%20691%20634" value="+421903691634" target="_blank">+421 903 691 634</a><br>
<a href="mailto://jan.benadik@atos.net" target="_blank">jan.benadik@atos.net</a><br>
Vinohradnícka 6, 971 01 Prievidza<br>
<a href="http://www.sk.atos.net" target="_blank">www.sk.atos.net</a><br>
</font> </font></div>
</div></div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Javier Fontán Muiños<br>Project Engineer<br>OpenNebula - The Open Source Toolkit for Data Center Virtualization<br><a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | <a href="mailto:jfontan@opennebula.org" target="_blank">jfontan@opennebula.org</a> | @OpenNebula<br>
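Added example, not part of the original thread and not OpenNebula or libvirt code: a Python sketch that walks syslog lines like those quoted above, measures how long each per-VM `libvirt-<UUID>` AppArmor profile stayed loaded, and groups libvirtd errors by whether they were logged while the profile was loaded or after it was removed. The function and field names are hypothetical; the sample lines are a subset copied from the thread with wrapped lines rejoined.

```python
import re

# Syslog lines copied from the thread (wrapped lines rejoined, a subset).
SYSLOG = """\
Jun 22 10:46:09 tyan-host kernel: [60470.749192] type=1505 audit(1340354769.603:49): operation="profile_load" pid=14286 name="libvirt-b0bc94b8-588c-ad63-6367-45d1fc9c16d5"
Jun 22 10:46:09 tyan-host libvirtd: 10:46:09.624: error : qemuDomainSetFileOwnership:2222 : cannot set ownership on /var/lib/one/1/images/disk.0: Permission denied
Jun 22 10:46:39 tyan-host libvirtd: 10:46:39.636: error : qemuMonitorOpenUnix:268 : monitor socket did not show up.: No such file or directory
Jun 22 10:46:39 tyan-host kernel: [60500.950824] type=1505 audit(1340354799.805:50): operation="profile_remove" pid=14299 name="libvirt-b0bc94b8-588c-ad63-6367-45d1fc9c16d5" namespace="root"
Jun 22 10:46:39 tyan-host libvirtd: 10:46:39.818: error : qemuDomainSetFileOwnership:2222 : cannot set ownership on /var/lib/one/1/images/disk.1: Permission denied
"""

AUDIT = re.compile(r'audit\((\d+\.\d+):\d+\): operation="(profile_load|profile_remove)"'
                   r'.*?name="([^"]+)"')
ERROR = re.compile(r'libvirtd: [\d:.]+: error : (\w+):\d+ : (.*)')

def profile_windows(text):
    """Map each profile name to its load/remove times and nearby libvirtd errors."""
    windows, active, last_removed = {}, set(), None
    for line in text.splitlines():
        m = AUDIT.search(line)
        if m:
            ts, op, name = float(m.group(1)), m.group(2), m.group(3)
            w = windows.setdefault(
                name, {"loaded": None, "removed": None, "during": [], "after": []})
            if op == "profile_load":
                w["loaded"] = ts
                active.add(name)
            else:
                w["removed"] = ts
                active.discard(name)
                last_removed = name
            continue
        m = ERROR.search(line)
        if not m:
            continue
        if active:  # error logged while at least one VM profile is loaded
            for name in active:
                windows[name]["during"].append(m.groups())
        elif last_removed:  # error logged after the profile was torn down
            windows[last_removed]["after"].append(m.groups())
    return windows

def lifetime(window):
    """Seconds between profile_load and profile_remove, or None if incomplete."""
    if window["loaded"] is None or window["removed"] is None:
        return None
    return round(window["removed"] - window["loaded"], 3)
```

Errors are attributed by line order rather than by timestamp, because the audit records carry epoch time while libvirtd logs local time of day.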