On 03/14/2017 05:03 PM, Michael Ströder wrote:
> Michal Privoznik wrote:
>> On 03/14/2017 10:51 AM, Michael Ströder wrote:
>>> Hi!
>>>
>>> After the last OS update (openSUSE Tumbleweed) with libvirt being updated from 3.0.0 to
>>> 3.1.0 starting the VMs (qemu-kvm) does not work anymore:
>>>
>>> error: internal error: child reported: Kernel does not provide mount namespace:
>>> Permission denied
>>
>> Hey, this is definitely a libvirt bug. Since 3.1.0 libvirt spawns each
>> qemu in its own mount namespace so that it can have a private /dev mount.
>> I've heard that there are some issues with AppArmor - is that what
>> you are using?
>
> Hmm, yes. I was using AppArmor. Disabling it helped. I will point the author of the
> AppArmor profiles in this direction.

Yeah, I still know that AppArmor is preventing our namespaces code from
working properly. Unfortunately, I don't know much about it, and certainly
not enough to fix it. But maybe I can find somebody who does.

>
>> Meanwhile, you can disable namespaces by setting:
>>
>> namespaces=[]
>>
>> in qemu.conf.
>
> Only setting this did not help.

Have you restarted libvirtd afterwards? Maybe I should have written that
explicitly instead of assuming it. Also, this is meant as a temporary
workaround. Disabling namespaces does not enable the full security
features. Ideally, users would use namespaces without even noticing it.

Michal
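As an added example, not part of the thread and not libvirt's own code: a shell check of the workaround discussed above, reporting the effective `namespaces` value in qemu.conf and whether the file changed after libvirtd last started, in which case a restart is still pending. The function names, the systemd unit name `libvirtd`, the use of `stat -c %Y`, and the rule that the last uncommented assignment wins are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the qemu.conf workaround.

# Print the effective `namespaces` setting of a qemu.conf-style file:
#   default  - no uncommented assignment (libvirt's built-in default applies)
#   disabled - empty list, i.e. namespaces=[]
#   <names>  - the configured list without blanks and quotes, e.g. mount
# Assumption of this sketch: the last uncommented assignment wins.
qemu_namespaces() {
    awk '
        /^[ \t]*namespaces[ \t]*=/ {
            i = index($0, "["); j = index($0, "]")
            if (i == 0 || j < i) next          # malformed line: ignore
            v = substr($0, i + 1, j - i - 1)
            gsub(/[ \t"]/, "", v)              # drop blanks and quotes
            state = (v == "") ? "disabled" : v
        }
        END { print (state == "" ? "default" : state) }
    ' "$1"
}

# Succeed if the file was modified after the given epoch second, meaning a
# daemon started at that time has not read the current contents.
# Assumes a stat that supports `-c %Y` (GNU coreutils, busybox).
changed_since() {
    [ "$(stat -c %Y "$1")" -gt "$2" ]
}

# Usage: sh check.sh /etc/libvirt/qemu.conf [daemon-start-epoch]
main() {
    conf=$1
    echo "namespaces: $(qemu_namespaces "$conf")"
    # Assumption: libvirtd runs as the systemd unit "libvirtd".
    start=${2:-$(date -d "$(systemctl show -p ActiveEnterTimestamp --value libvirtd)" +%s)}
    if changed_since "$conf" "$start"; then
        echo "qemu.conf changed after libvirtd started: restart libvirtd"
    fi
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

A result of `disabled` means QEMU processes run without the private /dev mount, which the thread describes as a temporary workaround only.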