** Description changed: I enable https://wiki.debian.org/ReadonlyRoot on my computer for security hardening. After rebooting, most other applications work. Many system settings become uneditable, good. However, *running* virt-manager VMs stop working. It only works when the VM is started when I `sudo mount -o remount,rw /`. $ lsb_release -rd Description: Ubuntu 25.10 Release: 25.10 $ apt-cache policy libvirt0 libvirt0: - Installé : 11.6.0-1ubuntu3.2 - Candidat : 11.6.0-1ubuntu3.3 - Table de version : - 11.6.0-1ubuntu3.3 500 (en phase 40%) - 500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu questing-updates/main amd64 Packages - *** 11.6.0-1ubuntu3.2 500 - 500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu questing-security/main amd64 Packages - 100 /var/lib/dpkg/status - 11.6.0-1ubuntu3 500 - 500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu questing/main amd64 Packages + Installé : 11.6.0-1ubuntu3.2 + Candidat : 11.6.0-1ubuntu3.3 + Table de version : + 11.6.0-1ubuntu3.3 500 (en phase 40%) + 500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu questing-updates/main amd64 Packages + *** 11.6.0-1ubuntu3.2 500 + 500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu questing-security/main amd64 Packages + 100 /var/lib/dpkg/status + 11.6.0-1ubuntu3 500 + 500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu questing/main amd64 Packages $ apt-cache policy libvirt-daemon libvirt-daemon: - Installé : 11.6.0-1ubuntu3.2 - Candidat : 11.6.0-1ubuntu3.3 - Table de version : - 11.6.0-1ubuntu3.3 500 (en phase 40%) - 500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu questing-updates/main amd64 Packages - *** 11.6.0-1ubuntu3.2 500 - 500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu questing-security/main amd64 Packages - 100 /var/lib/dpkg/status - 11.6.0-1ubuntu3 500 - 500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu questing/main amd64 Packages + Installé : 11.6.0-1ubuntu3.2 + Candidat : 11.6.0-1ubuntu3.3 + Table de version : + 
11.6.0-1ubuntu3.3 500 (en phase 40%) + 500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu questing-updates/main amd64 Packages + *** 11.6.0-1ubuntu3.2 500 + 500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu questing-security/main amd64 Packages + 100 /var/lib/dpkg/status + 11.6.0-1ubuntu3 500 + 500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu questing/main amd64 Packages # What you expected to happen The VM should start when Play is clicked in virt-manager. # What happened instead Error starting domain: internal error: cannot load AppArmor profile 'libvirt-b0d3fef7-2877-48ab-8449-ab5200efb869' Traceback (most recent call last): - File "/usr/share/virt-manager/virtManager/asyncjob.py", line 67, in cb_wrapper - callback(asyncjob, *args, **kwargs) - ~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^ - File "/usr/share/virt-manager/virtManager/asyncjob.py", line 101, in tmpcb - callback(*args, **kwargs) - ~~~~~~~~^^^^^^^^^^^^^^^^^ - File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn - ret = fn(self, *args, **kwargs) - File "/usr/share/virt-manager/virtManager/object/domain.py", line 1446, in startup - self._backend.create() - ~~~~~~~~~~~~~~~~~~~~^^ - File "/usr/lib/python3/dist-packages/libvirt.py", line 1379, in create - raise libvirtError('virDomainCreate() failed') + File "/usr/share/virt-manager/virtManager/asyncjob.py", line 67, in cb_wrapper + callback(asyncjob, *args, **kwargs) + ~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^ + File "/usr/share/virt-manager/virtManager/asyncjob.py", line 101, in tmpcb + callback(*args, **kwargs) + ~~~~~~~~^^^^^^^^^^^^^^^^^ + File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn + ret = fn(self, *args, **kwargs) + File "/usr/share/virt-manager/virtManager/object/domain.py", line 1446, in startup + self._backend.create() + ~~~~~~~~~~~~~~~~~~~~^^ + File "/usr/lib/python3/dist-packages/libvirt.py", line 1379, in create + raise libvirtError('virDomainCreate() failed') 
libvirt.libvirtError: internal error: cannot load AppArmor profile 'libvirt-b0d3fef7-2877-48ab-8449-ab5200efb869' # Workaround libvirt wants to, only when running, have /etc/apparmor.d/libvirt-b0d3fef7-2877-48ab-8449-ab5200efb869.files. Symlinking that to a /var subdirectory doesn't work, perhaps due to itself virt-aa-helper/apparmor-parser being confined by AppArmor profiles. Bindmounting it works. + + AppArmor should allow symlinking, or like systemd, have something in + /run. ProblemType: Bug DistroRelease: Ubuntu 25.10 Package: libvirt0 11.6.0-1ubuntu3.2 ProcVersionSignature: Ubuntu 6.17.0-14.14-generic 6.17.9 Uname: Linux 6.17.0-14-generic x86_64 ApportVersion: 2.33.1-0ubuntu3 Architecture: amd64 CasperMD5CheckResult: pass CurrentDesktop: KDE Date: Fri Feb 27 22:15:38 2026 InstallationDate: Installed on 2022-11-05 (1211 days ago) InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Release amd64 (20221020) SourcePackage: libvirt UpgradeStatus: Upgraded to questing on 2025-10-04 (146 days ago)
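Review bot: in the Workaround paragraph, "Bindmounting it works" gives neither the mount command nor its source and target, so the workaround cannot be reproduced from the description; state the exact bind mount (which /var subdirectory is mounted over which path under /etc/apparmor.d). The reason given for the symlink failure is a guess ("perhaps due to itself virt-aa-helper/apparmor-parser being confined by AppArmor profiles"); attaching the apparmor="DENIED" lines from the kernel log for the failed start would confirm or rule it out. The added closing request (allow symlinking, or have something in /run) would be easier to triage if it named the component expected to change, since the report's Package field is libvirt0 while the request is addressed to AppArmor.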
https://bugs.launchpad.net/bugs/2142924
Title: Cannot load AppArmor profile with ReadonlyRoot
