AppArmor preventing access to volumes

virsh error

virsh # start m-0
error: Failed to start domain 'm-0'
error: internal error: process exited while connecting to monitor: 2024-02-13T00:26:01.090892Z qemu-system-x86_64: -blockdev {"driver":"host_device","filename":"/dev/VM_01/m-l9z6luzxb7t3pti","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}: Could not open '/dev/VM_01/m-l9z6luzxb7t3pti': Permission denied

Terraform error

│ Error: error creating libvirt domain: internal error: process exited while connecting to monitor: 2024-02-13T00:15:54.995072Z qemu-system-x86_64: -blockdev {"driver":"host_device","filename":"/dev/VM_01/m-l9z6luzxb7t3pti","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}: Could not open '/dev/VM_01/m-l9z6luzxb7t3pti': Permission denied
│
│   with libvirt_domain.m[0],
│   on main.tf line 19, in resource "libvirt_domain" "m":
│   19: resource "libvirt_domain" "m" {

Corresponding dmesg messages (these are AppArmor STATUS lines showing the per-domain libvirt-<uuid> profiles being loaded when the domain starts; an actual denial is logged as apparmor="DENIED" with the blocked path in name=):

[16608084.698492] audit: type=1400 audit(1707783354.166:93): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-0c8ddcf2-dc91-4a2c-b088-d382529755a1" pid=1936661 comm="apparmor_parser"
[16608084.774851] audit: type=1400 audit(1707783354.242:94): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-2517697a-a236-420b-baae-a9fc52f84c6e" pid=1936664 comm="apparmor_parser"
[16608084.852289] audit: type=1400 audit(1707783354.318:95): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-32b217e9-5167-4df8-81ce-61fc766524e9" pid=1936668 comm="apparmor_parser"

Root cause is AppArmor denying the QEMU process access to the path, whether that path is a block device node or a file on a filesystem: the per-domain profile that libvirt generates for the guest has no rule covering the volume.

Solution is to allow the affected paths in /etc/apparmor.d/local/abstractions/libvirt-qemu, which is pulled into every per-domain profile (replace with the correct paths; below is an LVM example covering the volume group's /dev/<vg>/<lv> symlinks and the /dev/dm-* nodes they point to):

/dev/VM_01/* rwk,
/dev/dm-* rwk,

Two caveats. The abstraction applies to every guest on the host, and "/dev/dm-* rwk" gives each QEMU process read/write access to every device-mapper node, including other guests' volumes and host LVs; where that matters, list the specific /dev/<vg>/<lv> symlink and its /dev/dm-N target instead. The per-domain profile is loaded again on each domain start (the profile_load lines in dmesg above), so the edited abstraction takes effect on the next virsh start without restarting anything.
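The script below is an added example, not part of the original notes. It derives the rule lines from the evidence shown above: it pulls the path out of the QEMU "Could not open '...': Permission denied" message and out of any apparmor="DENIED" audit lines, then resolves LVM symlinks (/dev/<vg>/<lv> pointing at /dev/dm-N) so that both the path QEMU opens and the node AppArmor actually mediates get a rule. It emits specific paths rather than the globs used above. The sample error text, audit lines and the /dev/dm-3 node are constructed for the example.

```shell
#!/bin/sh
# Added example (not the original notes' code): suggest per-path AppArmor rules
# for /etc/apparmor.d/local/abstractions/libvirt-qemu from QEMU and audit output.
export LC_ALL=C   # deterministic sort order for the rule list

# Constructed: the kind of line virsh/terraform print when QEMU cannot open a volume.
SAMPLE_QEMU="error: internal error: process exited while connecting to monitor: qemu-system-x86_64: -blockdev {\"driver\":\"host_device\",\"filename\":\"/dev/VM_01/m-l9z6luzxb7t3pti\"}: Could not open '/dev/VM_01/m-l9z6luzxb7t3pti': Permission denied"

# Constructed: one STATUS line (ignored) and two DENIED lines for the same dm node.
SAMPLE_AUDIT='audit: type=1400 audit(1707783354.166:93): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-0c8ddcf2-dc91-4a2c-b088-d382529755a1" pid=1936661 comm="apparmor_parser"
audit: type=1400 audit(1707783355.001:96): apparmor="DENIED" operation="open" profile="libvirt-0c8ddcf2-dc91-4a2c-b088-d382529755a1" name="/dev/dm-3" pid=1936700 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0
audit: type=1400 audit(1707783355.002:97): apparmor="DENIED" operation="open" profile="libvirt-0c8ddcf2-dc91-4a2c-b088-d382529755a1" name="/dev/dm-3" pid=1936700 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0'

# qemu_denied_path: stdin = virsh/terraform/libvirt log text; print each path
# QEMU reported as "Could not open '<path>': Permission denied".
qemu_denied_path() {
    sed -n "s/.*Could not open '\([^']*\)': Permission denied.*/\1/p" | sort -u
}

# audit_denied_paths: stdin = dmesg or audit.log text; print each path denied
# to a libvirt-<uuid> profile. STATUS lines like the ones above are skipped.
audit_denied_paths() {
    grep 'apparmor="DENIED"' | grep 'profile="libvirt-' \
        | sed -n 's/.*[[:space:]]name="\([^"]*\)".*/\1/p' | sort -u
}

# rules_for_path: print "<path> rwk," and, when <path> is a symlink (LVM's
# /dev/<vg>/<lv> -> /dev/dm-N), the same rule for the resolved target, since
# AppArmor mediates the resolved path.
rules_for_path() {
    rp=$1
    printf '%s rwk,\n' "$rp"
    if [ -L "$rp" ]; then
        printf '%s rwk,\n' "$(readlink -f "$rp")"
    fi
}

# suggest_rules: stdin = any mix of the above log text; print the de-duplicated
# rule lines to append to the local libvirt-qemu abstraction.
suggest_rules() {
    input=$(cat)
    { printf '%s\n' "$input" | qemu_denied_path
      printf '%s\n' "$input" | audit_denied_paths; } | sort -u \
        | while IFS= read -r p; do rules_for_path "$p"; done | sort -u
}

# Stand-alone demo on the constructed samples (on a real host, feed it
# `journalctl -k` or `virsh start` output instead).
printf '%s\n%s\n' "$SAMPLE_QEMU" "$SAMPLE_AUDIT" | suggest_rules
```

Run it on a live host with something like `journalctl -k -b | suggest_rules` after a failed start; the symlink resolution only kicks in when the path exists on that host, which is why the demo above prints no dm-N line for the /dev/VM_01 path.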

SPICE error

Terraform error:

│ Error: error creating libvirt domain: internal error: qemu unexpectedly closed the monitor: 2024-02-13T00:10:05.568801Z qemu-system-x86_64: warning: Spice: ../server/reds.cpp:2551:reds_init_socket: getaddrinfo(127.0.0.1,5902): Address family for hostname not supported
│ 2024-02-13T00:10:05.568822Z qemu-system-x86_64: warning: Spice: ../server/reds.cpp:3442:do_spice_init: Failed to open SPICE sockets
│ 2024-02-13T00:10:05.568828Z qemu-system-x86_64: failed to initialize spice server
│
│   with libvirt_domain.m[0],
│   on main.tf line 19, in resource "libvirt_domain" "m":
│   19: resource "libvirt_domain" "m" {

Root cause is that by default SPICE binds to 127.0.0.1, and that fails when no non-loopback interface has an IPv4 address, even though lo has 127.0.0.1 configured: SPICE resolves the listen address with getaddrinfo() using AI_ADDRCONFIG, and glibc does not count loopback addresses when deciding whether IPv4 is configured, so the lookup returns EAI_ADDRFAMILY ("Address family for hostname not supported") and the socket is never created.

Solution is to listen on the IPv6 loopback ::1 instead, in /etc/libvirt/qemu.conf:

#spice_listen = "0.0.0.0"
spice_listen = "::1"

then restart libvirtd (virtqemud on a modular libvirt install) so qemu.conf is re-read; the new listen address applies to domains started afterwards:

systemctl restart libvirtd

Keep the listener on a loopback address. The commented-out 0.0.0.0 default would expose the SPICE console on every interface, and without spice_password or TLS configured anyone who can reach the port gets the guest console.
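As an added example (not from the original notes), the following script applies the AI_ADDRCONFIG rule from above to decide which loopback address SPICE can bind to on a host, and then sets spice_listen in a qemu.conf-style file without leaving duplicate active settings behind. The `ip -o -4 addr show` samples are constructed; the file helper writes to whatever path it is given, so point it at a copy before touching /etc/libvirt/qemu.conf.

```shell
#!/bin/sh
# Added example (not the original notes' code): choose and set spice_listen.

# Constructed `ip -o -4 addr show` output: IPv4 only on lo, and IPv4 on eth0 too.
SAMPLE_IP4_LO_ONLY='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever'
SAMPLE_IP4_WITH_ETH='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever'

# pick_spice_listen: stdin = `ip -o -4 addr show`; print 127.0.0.1 when some
# non-loopback interface carries an IPv4 address (what glibc's AI_ADDRCONFIG
# counts as "IPv4 configured"), otherwise ::1, which always resolves.
pick_spice_listen() {
    if grep -v '[[:space:]]lo[[:space:]]' | grep -q '[[:space:]]inet[[:space:]]'; then
        echo 127.0.0.1
    else
        echo ::1
    fi
}

# get_spice_listen FILE: print the active spice_listen value, if any
# (commented "#spice_listen = ..." defaults are ignored).
get_spice_listen() {
    sed -n 's/^[[:space:]]*spice_listen[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# set_spice_listen FILE ADDR: drop every active spice_listen line, keep the
# commented defaults for reference, and append the new setting. cp (not mv)
# keeps the original file's owner and mode.
set_spice_listen() {
    cf=$1; addr=$2
    sed '/^[[:space:]]*spice_listen[[:space:]]*=/d' "$cf" > "$cf.tmp" && cp "$cf.tmp" "$cf" && rm -f "$cf.tmp"
    printf 'spice_listen = "%s"\n' "$addr" >> "$cf"
}

# Stand-alone demo on a throwaway copy of a qemu.conf fragment.
demo=$(mktemp)
printf '%s\n' '#spice_listen = "0.0.0.0"' 'spice_listen = "127.0.0.1"' > "$demo"
set_spice_listen "$demo" "$(printf '%s\n' "$SAMPLE_IP4_LO_ONLY" | pick_spice_listen)"
cat "$demo"
rm -f "$demo"
```

On a real host the decision is `ip -o -4 addr show | pick_spice_listen`, and `set_spice_listen /etc/libvirt/qemu.conf "$addr"` followed by the libvirtd restart above applies it.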