Siduction Forum
Siduction Forum => Upgrade Warnings => Topic started by: dibl on 2019/08/11, 13:17:15
-
After installing kernel 5.2.8-towo.3-siduction-amd64, libvirtd will not start.
From journalctl -xe:
-- A stop job for unit libvirtd.service has finished.
--
-- The job identifier is 2378 and the job result is done.
Aug 11 07:02:37 dibl-patience systemd[1]: libvirtd.service: Start request repeated too quickly.
Aug 11 07:02:37 dibl-patience systemd[1]: libvirtd.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- The unit libvirtd.service has entered the 'failed' state with result 'exit-code'.
Aug 11 07:02:37 dibl-patience systemd[1]: Failed to start Virtualization daemon.
-- Subject: A start job for unit libvirtd.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A start job for unit libvirtd.service has finished with a failure.
--
-- The job identifier is 2378 and the job result is failed.
libvirtd runs correctly with 5.2.7-towo.1.
-
Please start your system with apparmor=0 as kernel parameter and try again.
-
Here thunderbird (60.8.0-1) did not start with 5.2.8-towo.3.
No problem with 5.2.8-towo.2.
/usr/bin/thunderbird %u
Unable to init server: Socket kann nicht angelegt werden: Keine Berechtigung
Error: cannot open display: :0
-
> Please start your system with apparmor=0 as kernel parameter and try again.
Good! This solves the problem with libvirtd -- thank you.
-
So this is a bug with apparmor?
-
> So this is a bug with apparmor?
One of many, I think. When I ran journalctl to look for the libvirtd problem, I saw multiple other apparmor-related error messages, pertaining to dbus and cupsbrowsd and others. The libvirtd error didn't mention apparmor -- apparently @towo knows about that one.
-
After the upgrade yesterday I could not use my printer or cups via localhost. Using the apparmor=0 kernel parameter fixed the problem.
-
May I ask: is the problem still there?
If yes, my opinion is that it's not solved then. We have a workaround, but that's not the same as solved. So I wouldn't put solved in the head.
-
Sure it's solved and not a workaround. I would bet you all have apparmor installed on your system. Since our FrOScon meeting I have applied the apparmor-next security patch to our kernel. With this new version, apparmor can even operate on the network stack. Without configuring apparmor, it restricts nearly anything; apparmor=0 disables the whole of apparmor.
-
I'm sorry if I am being obtuse here, but why add apparmor to the kernel if we need to disable it on boot? Or is apparmor-next different from apparmor and the former is still running if disabling the latter? If not, being a security feature, is it wise to disable it?
-
apparmor was always in the kernel and always enabled as the default security option.
At FrOScon we had questions about restricting userspace applications on the network stack.
That would only be possible with apparmor-next, which was only available on openSUSE and Ubuntu.
So I added apparmor-next to our kernel, to make those users happy who need that functionality.
If you have no interest in apparmor, simply apt purge apparmor.
-
> apparmor was always in the kernel and always enabled as the default security option.
> At FrOScon we had questions about restricting userspace applications on the network stack.
> That would only be possible with apparmor-next, which was only available on openSUSE and Ubuntu.
> So I added apparmor-next to our kernel, to make those users happy who need that functionality.
> If you have no interest in apparmor, simply apt purge apparmor.
Thanks for the explanation, towo!
Is it fair to say that the "average user" (like yours truly) does not need apparmor and can safely purge it?
-
apparmor is relatively useless if it is not configured with fine-grained security rules.
This applies in particular to the new version which is now available from the kernel side.
The apparmor user space tools in Debian are the old ones; maybe the problems with
default configured apparmor rules will be gone when apparmor 2.14 becomes available in Debian.
-
OK, thank you towo for explaining. For me I solve it then by purging apparmor.
-
@towo, can I just purge apparmor and you say as it is not needed? Having too many cups problems at the moment related to denies from apparmor.
-
> you say as it is not needed?
He's already answered several times. Short form: currently yes.
-
Thanks!
-
The newly uploaded kernel should solve such problems without workarounds.
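-
Added example, not part of the thread or written by any poster: a small parser that tallies AppArmor denials per profile from kernel log lines, so that the profiles behind failures like the cups and network ones described above can be identified. The sample lines, profile names and paths are constructed for illustration and follow the kernel's `apparmor="DENIED"` audit record format.

```python
import re
import sys
from collections import Counter

# key="value" or key=value pairs as they appear in AppArmor audit records
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample lines (not taken from the thread)
SAMPLE = """\
Aug 11 07:02:36 host kernel: audit: type=1400 audit(1565521356.101:41): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=911 comm="cups-browsed" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Aug 11 07:02:36 host kernel: audit: type=1400 audit(1565521356.340:42): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=911 comm="cups-browsed" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Aug 11 07:02:37 host kernel: audit: type=1400 audit(1565521357.002:43): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/printers.conf" pid=880 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 11 07:02:37 host systemd[1]: libvirtd.service: Failed with result 'exit-code'.
"""

def parse_denial(line):
    """Return the record's fields as a dict, or None if it is not an AppArmor denial."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in FIELD.finditer(line)}

def summarize(lines):
    """Count denials per (profile, operation, target)."""
    counts = Counter()
    for line in lines:
        rec = parse_denial(line)
        if rec is None:
            continue
        if "family" in rec:
            # Network mediation records carry family/sock_type instead of a path
            target = "net:{}/{}".format(rec["family"], rec.get("sock_type", "?"))
        else:
            target = rec.get("name", "-")
        counts[(rec.get("profile", "?"), rec.get("operation", "?"), target)] += 1
    return counts

if __name__ == "__main__":
    # Pipe `journalctl -k -b` in; with no piped input the constructed sample is used
    lines = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for (profile, op, target), n in summarize(lines).most_common():
        print(f"{n:4d}  {profile}  {op}  {target}")
```

The output lists the most frequently denied profile and target first, which shows whether a single profile or many are involved before AppArmor is disabled globally with apparmor=0.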