libvirtd denied by AppArmor when calling ovs-vsctl on Ubuntu 16.04

The project required building the latest OVS source. The related tools (ovs-vsctl, ovs-dpctl, etc.) were installed into /usr/local/bin. After the build and install, starting a virtual machine with virt-manager failed. Checking syslog showed the following entries:

May  9 18:22:50 liuyao kernel: [ 2450.261787] audit: type=1400 audit(1525861370.039:65): apparmor="DENIED" operation="exec" profile="/usr/sbin/libvirtd" name="/usr/local/bin/ovs-vsctl" pid=7631 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
May 9 18:22:50 liuyao libvirtd[5499]: internal error: Unable to add port fw2_0 to OVS bridge internal
May 9 18:22:50 liuyao kernel: [ 2450.588343] audit: type=1400 audit(1525861370.367:66): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="libvirt-fcb1ae08-94a6-4cc0-bf9c-e561f3b8585f" pid=7641 comm="apparmor_parser"
May 9 18:22:50 liuyao libvirtd[5499]: internal error: Unable to delete port fw2_0 from OVS

The messages above show that libvirtd was blocked by AppArmor when it executed the ovs-vsctl command (operation="exec", denied_mask="x"). The profile that confines libvirtd is, by default, /etc/apparmor.d/usr.sbin.libvirtd. Add the following line to that file:

/usr/local/bin/* PUx,

Then run the commands below, after which the virtual machine starts normally.

sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.libvirtd
sudo apparmor_parser -R /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper
sudo systemctl stop apparmor
sudo systemctl status apparmor
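As an added example (not part of the original post), a small POSIX shell helper that reads syslog audit lines like the ones above, keeps only the exec denials for a given AppArmor profile, and prints one per-path PUx rule for review; this yields a rule for the exact binary rather than the /usr/local/bin/* glob used above. The sample log lines are constructed from the ones in the post.

```shell
#!/bin/sh
# Added example, not from the original post.
# Constructed sample input: the DENIED exec line and the STATUS line from the post.
SAMPLE_LOG='May  9 18:22:50 liuyao kernel: [ 2450.261787] audit: type=1400 audit(1525861370.039:65): apparmor="DENIED" operation="exec" profile="/usr/sbin/libvirtd" name="/usr/local/bin/ovs-vsctl" pid=7631 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
May  9 18:22:50 liuyao kernel: [ 2450.588343] audit: type=1400 audit(1525861370.367:66): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="libvirt-fcb1ae08-94a6-4cc0-bf9c-e561f3b8585f" pid=7641 comm="apparmor_parser"'

# denied_exec_rules PROFILE < logfile
# Prints "<path> PUx," once for every distinct executable that PROFILE was
# denied from exec'ing. STATUS events and other profiles are ignored.
denied_exec_rules() {
    profile="$1"
    grep 'apparmor="DENIED"' |
    grep 'operation="exec"' |
    grep "profile=\"$profile\"" |
    sed -n 's/.*name="\([^"]*\)".*/\1/p' |
    sort -u |
    while IFS= read -r path; do
        printf '%s PUx,\n' "$path"
    done
}

# Example run: rules suggested for the libvirtd profile from the sample log.
# printf '%s\n' "$SAMPLE_LOG" | denied_exec_rules /usr/sbin/libvirtd
```

Review each printed rule before adding it to the profile; note also that apparmor_parser -R unloads a profile, while apparmor_parser -r reloads the edited profile in place so enforcement stays on.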