Fixing the libvirt destroy lxc "permission denied" error

If stopping an LXC container through libvirt fails with a permission denied error:

# virsh -c lxc:/// destroy test-ubuntu
error: Failed to destroy domain test-ubuntu
error: Failed to kill process test-ubuntu: Permission denied

This means libvirtd is not allowed to kill the processes started inside the container, in this case /sbin/dhclient, which runs under its own AppArmor profile.

To see the exact cause, look at the tail of the syslog (the audit lines also show up in dmesg):

tail -n 4 /var/log/syslog

Dec 16 23:39:06 alfabook kernel: [38705.576041] audit: type=1400 audit(1513445946.303:206): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=18321 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
Dec 16 23:40:43 alfabook libvirtd[18314]: 2017-12-16 17:40:43.193+0000: 18321: error : virCgroupKillInternal:3597 : Failed to kill process 20299: Permission denied
Dec 16 23:40:43 alfabook kernel: [38802.469210] audit: type=1400 audit(1513446043.192:207): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=18321 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
Dec 16 23:40:44 alfabook libvirtd[18314]: 2017-12-16 17:40:44.650+0000: 18321: error : virCgroupKillInternal:3597 : Failed to kill process 20299: Permission denied

Here peer="/usr/sbin/libvirtd" was not allowed (DENIED) to deliver signal=term to a process confined by profile="/sbin/dhclient": the dhclient profile has no rule permitting it to receive signals from libvirtd. Note that pid=18321 / comm="libvirtd" in the audit record is the libvirtd worker thread sending the signal (the same thread ID appears in the libvirtd error lines); the dhclient process being killed is 20299.

There are two ways to fix this.

Method 1:

Add the following line to the profile in /etc/apparmor.d/sbin.dhclient, inside the profile block (before the closing brace):

signal (receive) peer=/usr/sbin/libvirtd,

This allows any signal from libvirtd; if you want it narrower, restrict it to the signal libvirtd actually sends with set=term, as in the rule aa-logprof proposes below.

Reload the profile (apparmor_parser takes the file directly, no cat needed) and retry the destroy:

sudo apparmor_parser -r /etc/apparmor.d/sbin.dhclient
virsh -c lxc:/// destroy test-ubuntu
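Method 1 done by script, as an added example that is not part of the original page: it parses AppArmor "DENIED" signal audit lines of the format shown above, derives the narrowest matching rule (only the denied access, signal and peer), maps the profile name to the usual file name under /etc/apparmor.d, and inserts the rule before the profile's closing brace without duplicating it on re-runs. The log lines in SAMPLE_AUDIT are constructed for the example (two identical dhclient denials, one unrelated libvirtd error, one unrelated file-open denial); the sbin.dhclient file-naming convention is an assumption about your distribution's layout, and the script does not reload the profile for you.

```shell
#!/bin/sh
# Added example (not from the original page): turn AppArmor "DENIED"
# signal audit lines into the profile rule that Method 1 adds by hand.
# Handles only the log format shown above; SAMPLE_AUDIT is constructed.

# Constructed sample: two identical denials, one unrelated libvirtd error,
# and one unrelated file-open denial that must not produce a signal rule.
SAMPLE_AUDIT='kernel: audit: type=1400 audit(1513445946.303:206): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=18321 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
libvirtd[18314]: 2017-12-16 17:40:43.193+0000: 18321: error : virCgroupKillInternal:3597 : Failed to kill process 20299: Permission denied
kernel: audit: type=1400 audit(1513446043.192:207): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=18321 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
kernel: audit: type=1400 audit(1513446050.000:208): apparmor="DENIED" operation="open" profile="/sbin/dhclient" name="/etc/dhcp/example.conf" pid=18400 comm="dhclient" requested_mask="r" denied_mask="r"'

# apparmor_signal_rules: read audit lines on stdin, print one line per
# distinct signal denial as "<profile> <rule>", e.g.
#   /sbin/dhclient signal (receive) set=term peer=/usr/sbin/libvirtd,
# The rule is as narrow as the log allows: only the denied access
# (receive), only the denied signal (term), only the named peer.
apparmor_signal_rules() {
  grep 'apparmor="DENIED" operation="signal"' |
  sed -n 's/.*profile="\([^"]*\)".*denied_mask="\([^"]*\)".*signal=\([a-z0-9]*\).*peer="\([^"]*\)".*/\1 \2 \3 \4/p' |
  sort -u |
  while read -r profile mask sig peer; do
    printf '%s signal (%s) set=%s peer=%s,\n' "$profile" "$mask" "$sig" "$peer"
  done
}

# profile_file: map a profile name to the usual file name under
# /etc/apparmor.d (leading slash dropped, other slashes become dots),
# so /sbin/dhclient -> sbin.dhclient. This is a naming convention
# (assumed here), not a rule: check the directory if the file is missing.
profile_file() {
  printf '%s\n' "${1#/}" | tr / .
}

# add_apparmor_rule FILE RULE: insert RULE (indented) just before the
# profile's closing brace unless an identical line is already present.
# Idempotent, so it can be re-run after every new denial.
add_apparmor_rule() {
  file=$1
  rule=$2
  if grep -qF -- "$rule" "$file"; then
    return 0
  fi
  awk -v rule="  $rule" '
    { line[NR] = $0; if ($0 ~ /^}/) last = NR }
    END {
      for (i = 1; i <= NR; i++) {
        if (i == last) print rule
        print line[i]
      }
    }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Dry run on the constructed sample: show which rule goes into which file.
# Applying it for real is:
#   add_apparmor_rule /etc/apparmor.d/sbin.dhclient "$rule"
#   sudo apparmor_parser -r /etc/apparmor.d/sbin.dhclient
printf '%s\n' "$SAMPLE_AUDIT" | apparmor_signal_rules |
while read -r profile rule; do
  printf '%s -> %s\n' "/etc/apparmor.d/$(profile_file "$profile")" "$rule"
done
```

The script deliberately emits a rule per distinct (profile, access, signal, peer) tuple rather than one blanket `signal peer=/usr/sbin/libvirtd,` line: you still read each proposed rule before adding it, and the profile only grows by what the log actually shows was denied.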

Method 2:

More involved, but it lets AppArmor's tooling propose the rule from the log.

Put the dhclient profile into complain (learning) mode:

sudo aa-complain /etc/apparmor.d/sbin.dhclient

Then destroy the container again (it now succeeds, and the would-be denials are logged):

virsh -c lxc:/// destroy test-ubuntu

Walk through the logged events with aa-logprof:

sudo aa-logprof

Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:

Profile:     /sbin/dhclient
Access mode: receive
Signal:      term
Peer:        /usr/sbin/libvirtd

 [1 - #include <abstractions/libvirt-qemu>]
  2 - #include <abstractions/lxc/container-base>
  3 - #include <abstractions/lxc/start-container>
  4 - signal receive set=term peer=/usr/sbin/libvirtd,
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish
Adding #include <abstractions/libvirt-qemu> to profile.
Deleted 2 previous matching profile entries.

Profile:    /{usr/,}bin/ping
Capability: dac_override
Severity:   9
 [1 - #include <abstractions/libvirt-qemu>]
  2 - #include <abstractions/lxc/container-base>
  3 - #include <abstractions/lxc/start-container>
  4 - capability dac_override,
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish
Adding #include <abstractions/libvirt-qemu> to profile.
Deleted 1 previous matching profile entries.

Enforce-mode changes:
= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?  [1 - /sbin/dhclient]
  2 - /{usr/,}bin/ping
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
Writing updated profile for /sbin/dhclient.
Writing updated profile for /{usr/,}bin/ping.

Two caveats on the session above. First, prefer the narrow rule (option 4, signal receive set=term peer=/usr/sbin/libvirtd,) over #include <abstractions/libvirt-qemu>: aa-logprof offers the include because it contains a matching receive rule, but it also pulls the whole set of permissions written for QEMU guest processes into dhclient's profile. Second, the /{usr/,}bin/ping dac_override entry has nothing to do with this problem; do not accept changes you cannot tie to the denial you are fixing.

Restore enforcement and check that the profile is back in enforce mode:

sudo aa-enforce /etc/apparmor.d/sbin.dhclient
sudo aa-status