October 2014 – Peter Kieser

libvirt 1.2.9 KVM qemu AppArmor support

October 24, 2014October 24, 2014 Peter

If you want to use AppArmor support in libvirt 1.2.9, you will need to copy the following files over from the source:

cp libvirt-1.2.9/examples/apparmor/libvirt-lxc /etc/apparmor.d/abstractions
cp libvirt-1.2.9/examples/apparmor/TEMPLATE.lxc /etc/apparmor.d/libvirt
cp libvirt-1.2.9/examples/apparmor/TEMPLATE.qemu /etc/apparmor.d/libvirt
ln -s /etc/apparmor.d/libvirt/TEMPLATE.qemu /etc/apparmor.d/libvirt/TEMPLATE.kvm

This is due to the fact that libvirt looks for both TEMPLATE.lxc and TEMPLATE.qemu instead of just TEMPLATE to enable AppArmor support.

You may encounter the following error when trying to a KVM guest with AppArmor support enabled:

error: Failed to start domain test-domain
error: internal error: cannot load AppArmor profile 'libvirt-598505b5-1549-4164-97bd-d1d37fdd8995'

If you look at /var/log/libvirtd.log you may see the following error message:

2014-10-24 18:00:52.280+0000: 4468: error : virCommandWait:2533 : internal error: Child process (/usr/lib/libvirt/virt-aa-helper -p 0 -c -u libvirt-598505b5-1549-4164-97bd-d1d37fdd8995) unexpected exit status 1: virt-aa-helper: error: template does not exist
virt-aa-helper: error: could not create profile

2014-10-24 18:00:52.280+0000: 4468: error : AppArmorGenSecurityLabel:468 : internal error: cannot load AppArmor profile 'libvirt-598505b5-1549-4164-97bd-d1d37fdd8995'

This is due to the fact there is a bug in libvirt 1.2.9 which looks for /etc/apparmor.d/libvirt/TEMPLATE.kvm instead of /etc/apparmor.d/libvirt/TEMPLATE.qemu. This has been fixed via a patch which has not been integrated in a release upstream as of this post. You may symlink TEMPLATE.kvm to TEMPLATE.qemu to resolve this issue until it is resolved upstream.

Linux 3.17 KVM, qemu 2.1, libvirt 1.2.9 experiences (and how to cleanly disable TCP checksum offload in libvirt)

October 20, 2014November 1, 2015 Peter 4 Comments

Update: This issue has been resolved in kernel 3.18.10 release. The below instructions are no longer required if your distribution has updated the kernel or backported the fix.

Due to latency issues that I was having with KVM and Windows 2008 R2 with Linux 3.10, I decided to update to Linux 3.17 series despite the TCP checksuming issue that I had been encountering (eg. virtio-net not working at all between guests due to the CHECKSUM_PARTIAL bug in 3.11 and above.)

I updated to Linux 3.17.1, and kept qemu at 2.0 (included in Ubuntu 14.04) and libvirt 1.2.2. Unfortunately, the TCP checksuming bug still exists. However, this resolved my Windows 2008 R2 latency issues. I am no longer seeing latency jumps to 1500ms or packet loss under load, this was using SRV-IO passthrough of a NIC.

Due to the issues I was experiencing with TCP checksuming, virtio-net and openvswitch I decided to update to libvirt 1.2.9 which includes new support for tuning guest network interfaces. This allows me to cleanly turn off TCP checksuming on an interface using the following interface definition (and thus allows all my guests to function properly):

<interface type='network'>
  <model type='virtio'/>
  <driver name='vhost'>
    <guest csum='off' tso4='off' tso6='off'/>
  </driver>
</interface>

Additionally, my Sophos UTM 9 guest (which is my firewall) no longer halts cleanly so I tried updating to qemu 2.1 – but this did not solve the issue. I have decided to leave the newer releases in place, as they have improved performance with the Windows guests as well.

For those interested, pre-built packages for Ubuntu 14.04 amd64 are available here.