> Do you intend to once create a VM and keep it for the lifetime of your
> systems or does your use case include creating VMs again and again?

For the purpose of this bug, pretend that I only intend to create 1 VM for the lifetime of my system. The more detailed answer is that I create 1 VM for each supported Ubuntu version, so I create 1 VM every 6 months. This week, I've only used my "ubuntuserver24.04" VM, mostly for testing commands.

> Just propose an update to https://wiki.debian.org/ReadonlyRoot to describe
> what is needed for libvirt.

> Not following symlinks is part of the apparmor security philosophy since its
> beginnings

I'll mark this closed for apparmor but leave it open for libvirt. I should NOT need to apply the bind mount as a workaround. It should "just work". libvirt should get fixed.

> apparmor_parser can be used to load apparmor profiles dynamically. I wonder
> why libvirt is not using dynamic loading instead of writing files in
> /etc/apparmor.d

It does do that dynamically, just wrongly in `/etc/apparmor.d` instead of the better `/run`:

```console
# strace -ff /usr/lib/libvirt/virt-aa-helper -a -u libvirt-b0d3fef7-2877-48ab-8449-ab5200efb869 |& grep execve
execve("/usr/lib/libvirt/virt-aa-helper", ["/usr/lib/libvirt/virt-aa-helper", "-a", "-u", "libvirt-b0d3fef7-2877-48ab-8449-"...], 0x7fff237306e0 /* 27 vars */) = 0
[pid 17327] execve("/sbin/apparmor_parser", ["/sbin/apparmor_parser", "-a", "/etc/apparmor.d/libvirt/libvirt-"...], 0x5e5041b3f030 /* 2 vars */) = 0
```

Here are the relevant files:

```console
home@daniel-desktop3:/var/local/linuxenv-apparmor-libvirt$ cat libvirt-b0d3fef7-2877-48ab-8449-ab5200efb869
#
# This profile is for the domain whose UUID matches this file.
#

#include <tunables/global>

profile libvirt-b0d3fef7-2877-48ab-8449-ab5200efb869 flags=(attach_disconnected) {
  #include <abstractions/libvirt-qemu>
  #include if exists <libvirt/libvirt-b0d3fef7-2877-48ab-8449-ab5200efb869.files>
}
home@daniel-desktop3:/var/local/linuxenv-apparmor-libvirt$ cat libvirt-b0d3fef7-2877-48ab-8449-ab5200efb869.files
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/ubuntuserver24.04.log" w,
  "/var/lib/libvirt/qemu/domain-ubuntuserver24.04/monitor.sock" rw,
  "/var/lib/libvirt/qemu/domain-2-ubuntuserver24.04/*" rw,
  "/run/libvirt/**/ubuntuserver24.04.pid" rwk,
  "/run/libvirt/**/*.tunnelmigrate.dest.ubuntuserver24.04" rw,
  "/home/qcow2/ubuntuserver24.04.qcow2" rwk,
  "/dev/vhost-net" rw,
  "/var/lib/libvirt/qemu/domain-2-ubuntuserver24.04/{,**}" rwk,
  "/run/libvirt/qemu/channel/2-ubuntuserver24.04/{,**}" rwk,
  "/var/lib/libvirt/qemu/ram/2-ubuntuserver24.04/{,**}" rwk,
  "/var/lib/libvirt/qemu/domain-2-ubuntuserver24.04/master-key.aes" rwk,
  "/dev/net/tun" rwk,
  "/dev/userfaultfd" rwk,
```

`libvirt-b0d3fef7-2877-48ab-8449-ab5200efb869.files` is being deleted upon VM shutdown, and recreated on VM startup. At first glance, this appears cacheable. But upon relaunch, the md5sum changes and a `diff` shows that the `2-` changed to `3-`. Hmm...

** Changed in: apparmor (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2142924

Title:
  Cannot load AppArmor profile with ReadonlyRoot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2142924/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
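The comment above observes that the generated `.files` fragment looks cacheable but changes on every launch because the per-launch domain id (`domain-2-`, `channel/2-`, `ram/2-`) is bumped. The script below is an added example, not code from the bug report or from libvirt. It parses two constructed snapshots of the fragment (the first copies the rules shown above; the second is an assumed relaunch with `2-` replaced by `3-`), normalizes the run id out of each path, and reports whether anything other than the id differs. This is the check a sysadmin would run before deciding whether a read-only `/etc/apparmor.d/libvirt` could be pre-seeded.

```python
"""Compare two snapshots of a libvirt-generated AppArmor .files fragment.

Added example, not part of the bug report or of libvirt. Both snapshots are
constructed: FIRST_BOOT copies the rules quoted in the report, SECOND_BOOT is
the assumed relaunch in which libvirt bumped the domain id from 2 to 3.
"""
import hashlib
import re

FIRST_BOOT = """\
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/ubuntuserver24.04.log" w,
  "/var/lib/libvirt/qemu/domain-ubuntuserver24.04/monitor.sock" rw,
  "/var/lib/libvirt/qemu/domain-2-ubuntuserver24.04/*" rw,
  "/run/libvirt/**/ubuntuserver24.04.pid" rwk,
  "/run/libvirt/**/*.tunnelmigrate.dest.ubuntuserver24.04" rw,
  "/home/qcow2/ubuntuserver24.04.qcow2" rwk,
  "/dev/vhost-net" rw,
  "/var/lib/libvirt/qemu/domain-2-ubuntuserver24.04/{,**}" rwk,
  "/run/libvirt/qemu/channel/2-ubuntuserver24.04/{,**}" rwk,
  "/var/lib/libvirt/qemu/ram/2-ubuntuserver24.04/{,**}" rwk,
  "/var/lib/libvirt/qemu/domain-2-ubuntuserver24.04/master-key.aes" rwk,
  "/dev/net/tun" rwk,
  "/dev/userfaultfd" rwk,
"""

# Constructed second launch: only the numeric domain id changes (assumption).
SECOND_BOOT = FIRST_BOOT.replace("domain-2-", "domain-3-").replace(
    "/2-ubuntuserver", "/3-ubuntuserver"
)

# One AppArmor file rule per line: "<path>" <perms>,
RULE_RE = re.compile(r'^\s*"([^"]+)"\s+([a-zA-Z]+),\s*$')
# The per-launch id appears as "domain-<n>-" or as a "/<n>-" path component.
RUN_ID_RE = re.compile(r"(domain-|/)\d+-")


def parse_rules(text):
    """Return {path: permissions}; comments and blank lines are ignored."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules[m.group(1)] = m.group(2)
    return rules


def normalize(path):
    """Replace the numeric domain id with a fixed token so launches compare equal."""
    return RUN_ID_RE.sub(r"\1N-", path)


def digest(text):
    """md5 of the fragment, mirroring the md5sum check in the report."""
    return hashlib.md5(text.encode()).hexdigest()


def compare_profiles(old, new):
    """Report raw identity, identity after id normalization, and what moved."""
    old_norm = {normalize(p): (p, perms) for p, perms in parse_rules(old).items()}
    new_norm = {normalize(p): (p, perms) for p, perms in parse_rules(new).items()}
    renamed = [
        (old_norm[k][0], new_norm[k][0])
        for k in old_norm
        if k in new_norm and old_norm[k][0] != new_norm[k][0]
    ]
    return {
        "raw_identical": digest(old) == digest(new),
        "normalized_identical": {k: v[1] for k, v in old_norm.items()}
        == {k: v[1] for k, v in new_norm.items()},
        "renamed_paths": renamed,
        "added": sorted(set(new_norm) - set(old_norm)),
        "removed": sorted(set(old_norm) - set(new_norm)),
    }


if __name__ == "__main__":
    result = compare_profiles(FIRST_BOOT, SECOND_BOOT)
    print("md5 identical:", result["raw_identical"])
    print("identical after id normalization:", result["normalized_identical"])
    for old_path, new_path in result["renamed_paths"]:
        print(f"  {old_path}\n    -> {new_path}")
```

If `normalized_identical` is true while `raw_identical` is false, the fragment differs only in the launch counter, which is exactly why a file pre-seeded into a read-only `/etc/apparmor.d/libvirt` would not match what the next launch needs.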
