If the error "libvirt destroy lxc permission denied" occurs when trying to stop a container:

# virsh -c lxc:/// destroy test-ubuntu
error: Failed to destroy domain test-ubuntu
error: Failed to kill process test-ubuntu: Permission denied

this means that libvirtd is not allowed to kill the processes running inside the container, in particular the /sbin/dhclient process.

To see the specific denial, run tail -n 4 /var/log/syslog:

Dec 16 23:39:06 alfabook kernel: [38705.576041] audit: type=1400 audit(1513445946.303:206): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=18321 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
Dec 16 23:40:43 alfabook libvirtd[18314]: 2017-12-16 17:40:43.193+0000: 18321: error : virCgroupKillInternal:3597 : Failed to kill process 20299: Permission denied
Dec 16 23:40:43 alfabook kernel: [38802.469210] audit: type=1400 audit(1513446043.192:207): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=18321 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
Dec 16 23:40:44 alfabook libvirtd[18314]: 2017-12-16 17:40:44.650+0000: 18321: error : virCgroupKillInternal:3597 : Failed to kill process 20299: Permission denied

In this case peer="/usr/sbin/libvirtd" is not allowed (DENIED) to send the signal signal=term to the process profile="/sbin/dhclient" pid=18321.
This can be solved in two ways.

Method 1:

Add the following line to the file /etc/apparmor.d/sbin.dhclient:

signal (receive) peer=/usr/sbin/libvirtd,

Reload the profile:

cat /etc/apparmor.d/sbin.dhclient | sudo apparmor_parser -r

Method 2:
The more involved one.

Switch the AppArmor profile for dhclient into complain (learning) mode:

sudo aa-complain /etc/apparmor.d/sbin.dhclient

Then destroy the container:

virsh -c lxc:/// destroy test-ubuntu

Analyse the log with the aa-logprof command:

Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:

Profile: /sbin/dhclient
Access mode: receive
Signal: term
Peer: /usr/sbin/libvirtd

 [1 - #include <abstractions/libvirt-qemu>]
  2 - #include <abstractions/lxc/container-base>
  3 - #include <abstractions/lxc/start-container>
  4 - signal receive set=term peer=/usr/sbin/libvirtd,
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish
Adding #include <abstractions/libvirt-qemu> to profile.
Deleted 2 previous matching profile entries.

Profile: /{usr/,}bin/ping
Capability: dac_override
Severity: 9
 [1 - #include <abstractions/libvirt-qemu>]
  2 - #include <abstractions/lxc/container-base>
  3 - #include <abstractions/lxc/start-container>
  4 - capability dac_override,
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish
Adding #include <abstractions/libvirt-qemu> to profile.
Deleted 1 previous matching profile entries.

Enforce-mode changes
= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?
 [1 - /sbin/dhclient]
  2 - /{usr/,}bin/ping
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
Writing updated profile for /sbin/dhclient.
Writing updated profile for /{usr/,}bin/ping.

Restore enforcement:

aa-enforce /etc/apparmor.d/sbin.dhclient
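As an added example (not part of the original post or of the AppArmor tools), a small script that reads the apparmor="DENIED" audit records from the syslog excerpt above and produces the signal rule that Method 1 adds by hand and that aa-logprof offered as option 4 in Method 2. The sample log text is constructed from the lines shown on this page; the function names are my own.

```python
import re

# Constructed sample: the audit/libvirtd lines from the syslog excerpt above.
SAMPLE_SYSLOG = """\
Dec 16 23:39:06 alfabook kernel: [38705.576041] audit: type=1400 audit(1513445946.303:206): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=18321 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
Dec 16 23:40:43 alfabook libvirtd[18314]: 2017-12-16 17:40:43.193+0000: 18321: error : virCgroupKillInternal:3597 : Failed to kill process 20299: Permission denied
Dec 16 23:40:43 alfabook kernel: [38802.469210] audit: type=1400 audit(1513446043.192:207): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=18321 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
"""

# key=value or key="quoted value" pairs of an audit record
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_denials(text):
    """Return one dict of audit fields per apparmor="DENIED" record."""
    events = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue  # libvirtd's own error lines carry no audit fields
        fields = {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
                  for m in _KV.finditer(line)}
        events.append(fields)
    return events


def signal_rules(events):
    """Map each confined profile to the AppArmor signal rules it is missing.

    Only operation="signal" denials are handled. denied_mask says which side
    of the signal the profile lacks ("receive" here, since dhclient is the
    target), so the rule matches what aa-logprof proposed on the page.
    """
    rules = {}
    for ev in events:
        if ev.get("operation") != "signal":
            continue
        rule = f'signal {ev["denied_mask"]} set={ev["signal"]} peer={ev["peer"]},'
        rules.setdefault(ev["profile"], set()).add(rule)
    return {profile: sorted(r) for profile, r in rules.items()}


if __name__ == "__main__":
    for profile, lines in signal_rules(parse_apparmor_denials(SAMPLE_SYSLOG)).items():
        print(f"# add to the profile for {profile}:")
        print("\n".join(lines))
```

Duplicate audit records collapse into a single rule per profile, so repeated denials of the same signal do not produce repeated lines.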