Ok thanks for the data. That looks like the "normal" openstack double console entry to have an attachable console that logs to a file at the same time.
I made a new dir: $ mkdir -p /var/lib/nova/instances/testlp1762769 And added the following to a libvirt 3.6 guest <serial type='pty'> <log file='/var/lib/nova/instances/testlp1762769/console.log' append='off'/> <target port='0'/> </serial> <console type='pty'> <log file='/var/lib/nova/instances/testlp1762769/console.log' append='off'/> <target type='serial' port='0'/> </console> But the log is working fine at that path and the guest starts without issues. Three are two important details on this now: 1. the guest has no individual rule for the console (I implemented that later in libvirt >=4.0 as In Ubuntu 18.04) - so for the initial report of "the entry is missing" I have to say "it is working still and only latter releases have the individual entry. 2. Lets check why it actually works for me to then check this for your case. This is how the console is specified at the guest: -add-fd set=1,fd=28 -chardev pty,id=charserial0,logfile=/dev/fdset/1,logappend=on -device isa-serial,chardev=charserial0,id=serial0 Now this works by libvirt opening the files and passing the file descriptors. Libvirt itself has a very open apparmor profile and can do so, and this is a common pattern for non-privileged guests. I'd assume if anything in your case it either follows completely different code paths (we have to find why) or your setup is broken in regard to the rules for libvirtd. Could you please: 1. check on a running guest if the arguments for the console on qemu are similar to my examples above? 2. while triggering the issue catch more logs what fails for you. It is important to minimize this to just the action that triggers the issue. So not a full create, deploy, kill guest - but instead do all you need to do in openstack so that the failing guest is defined on the node and just not starting. Then just run "virsh start <instanc....>". If that is not possible try to minimize on your own as much as you can. 2a. check dmesg -w while doing so and report the exact apparmor DENY line? 2b. check the libvirtd logfile that you can run with debug enabled per [1] (right at the end) Attach both logs, so that we might spot something together why it fails in your case. [1]: https://libvirt.org/logging.html -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1762769 Title: missing entry at apparmor profile for nova instances To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1762769/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs