apparmor blocks ptrace from multipass to libvirtd
Describe the bug
I set up my multipass to use the libvirt backend and was using it successfully until today.
I moved my multipass storage to a different location (following these instructions: https://multipass.run/docs/configure-multipass-storage) and then found that I was not able to create new VMs using multipass launch.
I'm really not sure if moving the storage location had something to do with it, but I mention it for completeness' sake. Note that with the new location, my pre-existing VMs still worked.
Using journalctl, I found the following appeared to be the most promising entry:
Jul 03 01:13:07
Using this information, I amended the apparmor profile for libvirtd (/etc/apparmor.d/usr.sbin.libvirtd) and added:
ptrace (read,trace) peer=snap.multipass.multipassd,
This resolved the error and allowed multipass to create/launch the VM as I expected.
To Reproduce
How, and what happened?
- Move multipass storage to a location in $HOME
- Try to create a new VM - multipass launch ...
- Determine that interaction between multipass and libvirtd is blocked by apparmor
Expected behavior
Even with storage outside of /var/snap, I can create VMs
Logs
Refer to description.
Additional info
- OS: Ubuntu 20.04.6
- multipass version -> 1.13.1
- multipass info -> TMI
- multipass get local.driver -> libvirt
Additional context
Add any other context about the problem here.
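The step from a journal denial to a profile rule, as an added example that is not part of the original report or of Multipass or libvirt: it reads AppArmor `DENIED` records for `ptrace` and prints one candidate rule per peer for review. The log lines are constructed samples (the report's own entry is truncated), and the profile name `libvirtd` as it appears in them is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel audit format AppArmor uses; they are
# not the log from the report, whose entry is truncated on the page.
SAMPLE_LOG = """\
Jul 03 01:13:07 host kernel: audit: type=1400 audit(1688346787.101:211): apparmor="DENIED" operation="ptrace" profile="libvirtd" pid=2101 comm="libvirtd" requested_mask="read" denied_mask="read" peer="snap.multipass.multipassd"
Jul 03 01:13:07 host kernel: audit: type=1400 audit(1688346787.105:212): apparmor="DENIED" operation="ptrace" profile="libvirtd" pid=2101 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="snap.multipass.multipassd"
Jul 03 01:13:09 host kernel: audit: type=1400 audit(1688346789.220:213): apparmor="DENIED" operation="open" profile="libvirtd" name="/home/user/vault/x.img" pid=2101 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 03 01:13:10 host kernel: audit: type=1400 audit(1688346790.000:214): apparmor="ALLOWED" operation="ptrace" profile="other" pid=9 comm="x" requested_mask="read" denied_mask="read" peer="unconfined"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="value" or key=value
SAFE_NAME = re.compile(r'^[A-Za-z0-9_./-]+$')       # characters accepted in a peer label
MASK_ORDER = ("read", "trace", "readby", "tracedby")  # ptrace permissions, output order


def parse_denial(line):
    """Return the audit fields of an AppArmor DENIED record, else None."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def ptrace_rules(log_text, profile):
    """Build candidate ptrace rules for `profile`, one per denied peer."""
    masks = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if not rec or rec.get("operation") != "ptrace" or rec.get("profile") != profile:
            continue
        peer = rec.get("peer", "")
        denied = rec.get("denied_mask", "").split()
        # Log fields are untrusted input: skip anything that is not a plain
        # label and a known permission rather than copying it into policy.
        if not denied or not SAFE_NAME.match(peer) or not set(denied) <= set(MASK_ORDER):
            continue
        masks[peer].update(denied)
    return [
        "ptrace (%s) peer=%s," % (",".join(m for m in MASK_ORDER if m in masks[p]), p)
        for p in sorted(masks)
    ]


if __name__ == "__main__":
    print("\n".join(ptrace_rules(SAMPLE_LOG, "libvirtd")))
```

Each printed line is a candidate to review before it goes into the profile; after editing, `apparmor_parser -r /etc/apparmor.d/usr.sbin.libvirtd` reloads it.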
@maarten256 Thanks for the investigation and a possible workaround for this. It looks like a permission thing between AppArmor and libvirtd, so I am not sure Multipass has control of that. At the same time, libvirt is becoming a deprecated backend in the Multipass ecosystem, so it is becoming a lower priority for the team.
I would suggest using other backends like qemu, which is more robust and long-term supported. Thanks again for your contribution.