<div dir="ltr"><div><div>While I couldn't test on newer Ubuntu versions due to lack a spare box, I think I found a solution / work-around to this: disabling virt-aa-helper. Before I start, here's some background information about it, taken from the AppArmor documentation: <br>
<br>"When a VM is started, libvirtd decides whether to ask virt-aa-helper to
create a new profile or modify an existing one. If no profile exists,
libvirtd asks virt-aa-helper to generate the new base profile, in this
case
/etc/apparmor.d/libvirt/libvirt-a22e3930-d87a-584e-22b2-1d8950212bac,
which it does based on /etc/apparmor.d/libvirt/TEMPLATE. Notice, the new
profile has a profile name that is based on the guest’s UUID. Once the
base profile is created, virt-aa-helper works the same for create and
modify: virt-aa-helper will determine what files are required for the
guest to run (eg kernel, initrd, disk, serial, etc), updates
/etc/apparmor.d/libvirt/libvirt-a22e3930-d87a-584e-22b2-1d8950212bac.files,
then loads the profile into the kernel."<br><br><br>Disabling it is pretty simple: you just have to set the security driver in /etc/libvirtd/qemu.conf to "none". Like this:<br>security_driver = "none"<br>
<br><br></div>After that, restart libvirt:<br>
/etc/init.d/libvirt-bin restart<br><br></div><div>Now it starts without calling virt-aa-helper:<br></div><div><div><br>virsh # start 'ubuntu_12_04 with spaces'<br>Domain ubuntu_12_04 with spaces started<br><br></div>
<div>You may want to add that information to the documentation about this ... With a note that this may decrease the system's security.<br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jan 23, 2014 at 11:00 PM, Otavio Rodolfo Piske <span dir="ltr"><<a href="mailto:angusyoung@gmail.com" target="_blank">angusyoung@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>On Thu, Jan 23, 2014 at 10:40 PM, Aline Manera <span dir="ltr"><<a href="mailto:alinefm@linux.vnet.ibm.com" target="_blank">alinefm@linux.vnet.ibm.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div>
<div>On 01/23/2014 08:57 PM, Otavio Rodolfo
Piske wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>I see your point. I did a quick research and it seems to be
a limitation on virt-aa-helper: <br>
<br>
root@orpiske:/etc/libvirt/qemu# cat ubuntu_12_04\ with\
spaces.xml | /usr/lib/libvirt/virt-aa-helper -d -p 0 -r -u
libvirt-61d77fad-bb1f-49fa-93e1-2b70a5cb8f4c ; echo $?<br>
virt-aa-helper: error: bad name<br>
virt-aa-helper: error: could not get VM definition<br>
1<br>
<br>
Whereas, this works:<br>
<br>
root@orpiske:/etc/libvirt/qemu# cat ubuntu_12_04.xml |
/usr/lib/libvirt/virt-aa-helper -d -p 0 -r -u
libvirt-d020c07a-b8d5-40f3-b02b-3df5ed6d06b3 ; echo $?<br>
virt-aa-helper:<br>
/etc/apparmor.d/libvirt/libvirt-d020c07a-b8d5-40f3-b02b-3df5ed6d06b3.files<br>
virt-aa-helper:<br>
"/var/log/libvirt/**/ubuntu_12_04.log" w,<br>
"/var/lib/libvirt/**/ubuntu_12_04.monitor" rw,<br>
"/var/run/libvirt/**/ubuntu_12_04.pid" rwk,<br>
"/run/libvirt/**/ubuntu_12_04.pid" rwk,<br>
"/var/run/libvirt/**/*.tunnelmigrate.dest.ubuntu_12_04" rw,<br>
"/run/libvirt/**/*.tunnelmigrate.dest.ubuntu_12_04" rw,<br>
"/var/lib/libvirt/images/d020c07a-b8d5-40f3-b02b-3df5ed6d06b3-0.img"
rw,<br>
"/home/orpiske/vms/isos/ubuntu-12.04.3-desktop-i386.iso" r,<br>
# don't audit writes to readonly files<br>
deny
"/home/orpiske/vms/isos/ubuntu-12.04.3-desktop-i386.iso" w,<br>
<br>
0<br>
<br>
</div>
<div>I decided to dig further and I took a look at
virt-aa-helper source code and it does, indeed, check if the
name does not contain spaces (as well as one of /, [, ] and
*). Because of that, it seems that it's unable to
load/recreate (?) the profile.<br>
</div>
<div><br>
</div>
</div>
</blockquote>
<br></div>
Do you mean libvirt blocks domain name with those characters?<br></div></blockquote><div><br></div></div></div><div>More specifically: I mean that virt-aa-helper does. <br></div><div><div><br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<br>
As Cristian mentioned, it seems to be a Ubuntu only problem.<br></div></blockquote><div><br></div></div><div>I couldn't check on other distros, as I only have Ubuntu at hand, but I believe this might be the case. <br>
</div><div>
<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">
<br>
Which Ubuntu version are you using?<br>
What is the libvirt version?<br></div></blockquote><div><br></div></div><div>I am running Ubuntu 12.10 with libvirt 0.9.13:<br><br># orpiske at orpiske in ~/code/foss/libvirt [20:44:08]<div><br>$ libvirtd --version<br>
libvirtd (libvirt) 0.9.13<br>
<br></div></div><div>I am using Ubuntu's libvirtd. This might explain why it works on your system and not on mine. For instance, this is what happens when I try to do the same here: <br><br>virsh # start 'ubuntu_12_04 with spaces'<br>
error: Failed to start domain ubuntu_12_04 with spaces<br>error: internal error cannot load AppArmor profile 'libvirt-d020c07a-b8d5-40f3-b02b-3df5ed6d06b3'<br><br></div><div>So, my understanding is that this is specific to Ubuntu with the system's default libvirt. I'll try to setup another system using a newer Ubuntu version, using the system's default libvirt and check what happens. <br>
<br></div><div><div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">
<br>
I find this problem on Ubuntu 12.10 and libvirt 0.9.13<br>
<br>
alinefm@alinefm:~/libvirt$ libvirtd --version<br>
libvirtd (libvirt) 0.9.13<br>
<br>
But I've just checked the latest libvirt (from source code) on same
Ubuntu node and I was able to create and start a domain (which name
contains spaces)<br>
The current upstream version is 1.2.1<br>
<br>
alinefm@alinefm:~/libvirt$ sudo ./daemon/libvirtd -d<br>
alinefm@alinefm:~/libvirt$ sudo tools/virsh -c qemu:///system<br>
Welcome to lt-virsh, the virtualization interactive terminal.<br>
<br>
Type: 'help' for help with commands<br>
'quit' to quit<br>
<br>
virsh # list --all<br>
Id Name State<br>
----------------------------------------------------<br>
- fedora18-iso-stream shut off<br>
- Fedora19 shut off<br>
- openSUSE-13-1 shut off<br>
- RHEL6.5 shut off<br>
- Ubuntu13-10 shut off<br>
- with spaces shut off<br>
<br>
virsh # start 'with spaces'<br>
Domain with spaces started<br>
<br>
virsh # destroy 'with spaces'<br>
Domain with spaces destroyed<div><br>
<br>
<br>
<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>Does it make sense to you? And, if yes, what would you
suggest as an appropriate work-around in this case?<br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Thu, Jan 23, 2014 at 5:48 PM, Aline
Manera <span dir="ltr"><<a href="mailto:alinefm@linux.vnet.ibm.com" target="_blank">alinefm@linux.vnet.ibm.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>On 01/22/2014 07:19 PM, Crístian Viana
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
As I added to the GitHub issue page (<a href="https://github.com/kimchi-project/kimchi/issues/306#issuecomment-33068988" target="_blank">https://github.com/kimchi-project/kimchi/issues/306#issuecomment-33068988</a>),
I don't think having a space in a VM's name is a
problem. I am able to create a VM named "hello world"
using Kimchi and virsh.<br>
<br>
We should not add a limitation like this one to Kimchi
(i.e. restricting the VM name) if there's not a real
reason to.<br>
</blockquote>
<br>
</div>
Agree.<br>
<br>
Seems this problem is on a deeper layer.<br>
In a quick search on the internet I found a lot of forums
related to "libvirtError: internal error cannot load
AppArmor profile"<br>
We need to investigate more to find the root cause.<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<br>
Am 22-01-2014 19:01, schrieb Otavio R. Piske:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
From: "Otavio R. Piske" <<a href="mailto:angusyoung@gmail.com" target="_blank">angusyoung@gmail.com</a>><br>
<br>
Kimchi fails to start the guest OS if the user names
it with spaces. As pointed in the issue #306, other VM
management interfaces prevent the user from creating a
guest OS if the name contain invalid characters.<br>
<br>
This patch adds a validation logic that prevents the
user from naming a Guest OS with anything other than
alphanumeric chars, '-', '.' or '_'.<br>
<br>
Signed-off-by: Otavio R. Piske <<a href="mailto:angusyoung@gmail.com" target="_blank">angusyoung@gmail.com</a>><br>
</blockquote>
<br>
</div>
_______________________________________________<br>
Kimchi-devel mailing list<br>
<a href="mailto:Kimchi-devel@ovirt.org" target="_blank">Kimchi-devel@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/kimchi-devel" target="_blank">http://lists.ovirt.org/mailman/listinfo/kimchi-devel</a><br>
<br>
</blockquote>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
Otavio R. Piske<br>
<a href="http://orpiske.net" target="_blank">http://orpiske.net</a><br>
</div>
</blockquote>
<br>
</div></div>
</blockquote></div></div></div><div><div><br><br clear="all"><br>-- <br>Otavio R. Piske<br><a href="http://orpiske.net" target="_blank">http://orpiske.net</a><br>
</div></div></div></div></div>
</blockquote></div><br><br clear="all"><br>-- <br>Otavio R. Piske<br><a href="http://orpiske.net" target="_blank">http://orpiske.net</a><br>
</div></div>