Hi,
I want to take a live snapshot.

The instances are not switched off.

Ubuntu 20.04

# Ansible managed

DISTRIB_ID="OSA"
DISTRIB_RELEASE="25.2.0"
DISTRIB_CODENAME="Yoga"
DISTRIB_DESCRIPTION="OpenStack-Ansible"

nova-25.0.2.dev8.dist-info

Compiled against library: libvirt 8.0.0
Using library: libvirt 8.0.0
Using API: QEMU 8.0.0
Running hypervisor: QEMU 4.2.1

ii apparmor 2.13.3-7ubuntu5.1 amd64 user-space parser utility for AppArmor

I've also adjusted the virt-aa-helper AppArmor profile:

#include <tunables/global>

# AppArmor profile confining /usr/lib/libvirt/virt-aa-helper, the helper libvirtd
# runs to generate and update the per-domain libvirt-<uuid> profiles.
#
# NOTE(review): flags=(complain) means accesses that no allow rule covers are
# logged (apparmor="ALLOWED" in the audit log) instead of blocked; the explicit
# deny rules below are still enforced in complain mode. The libvirtd log quoted
# further down this page shows the helper exiting on an XML parse error
# ("unknown mirror job type ''"), not on an AppArmor denial, so relaxing this
# profile does not look like what the failure needs. Confirm against the audit
# log and return the profile to enforce mode once debugging is done.
profile virt-aa-helper /usr/lib/libvirt/virt-aa-helper flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/openssl>

  # needed for searching directories
  # (both capabilities bypass ordinary file permission checks, so the path
  # rules in this profile are the effective limit on what the helper can read)
  capability dac_override,
  capability dac_read_search,

  # needed for when disk is on a network filesystem
  network inet,
  network inet6,

  # plain "deny" blocks the access without logging it
  deny @{PROC}/[0-9]*/mounts r,
  @{PROC}/[0-9]*/net/psched r,
  owner @{PROC}/[0-9]*/status r,
  @{PROC}/filesystems r,

  # Used when internally running another command (namely apparmor_parser)
  @{PROC}/@{pid}/fd/ r,

  # allow reading libnl's classid file
  /etc/libnl{,-3}/classid r,

  # for gl enabled graphics
  /dev/dri/{,*} r,

  # for hostdev
  /sys/devices/ r,
  /sys/devices/** r,
  /sys/bus/usb/devices/ r,
  # raw block devices are denied for reading (silently, no audit record)
  deny /dev/sd* r,
  deny /dev/vd* r,
  deny /dev/dm-* r,
  deny /dev/drbd[0-9]* r,
  deny /dev/dasd* r,
  deny /dev/nvme* r,
  deny /dev/zd[0-9]* r,
  deny /dev/mapper/ r,
  deny /dev/mapper/* r,

  /usr/lib/libvirt/virt-aa-helper mr,
  # Ux: apparmor_parser runs unconfined, with the environment scrubbed on exec
  /{usr/,}sbin/apparmor_parser Ux,

  # the helper may rewrite only the per-domain libvirt-<uuid> profile files
  /etc/apparmor.d/libvirt/* r,
  /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,

  # for backingstore -- allow access to non-hidden files in @{HOME} as well
  # as storage pools
  # ("audit deny" blocks and logs: hidden files and ~/bin stay off limits)
  audit deny @{HOME}/.* mrwkl,
  audit deny @{HOME}/.*/ rw,
  audit deny @{HOME}/.*/** mrwkl,
  audit deny @{HOME}/bin/ rw,
  audit deny @{HOME}/bin/** mrwkl,
  @{HOME}/ r,
  @{HOME}/** r,
  # NOTE(review): the image and nova paths below carry rw. If widening them from
  # read-only was one of the adjustments made for this report, it can likely be
  # reverted; the helper appears to only inspect these files. TODO: confirm
  # against the profile shipped by the installed libvirt package.
  /var/lib/libvirt/images/ rw,
  /var/lib/libvirt/images/** rw,
  # nova base images (LP: #907269)
  /var/lib/nova/images/** rw,
  /var/lib/nova/instances/_base/** rw,
  # nova snapshots (LP: #1244694)
  /var/lib/nova/instances/snapshots/** rw,

}

Filesystem: OCFS2

# keystonemiddleware settings nova uses to validate incoming tokens.
# The empty values (auth_url, www_authenticate_uri, password,
# memcached_servers) look redacted for posting.
[keystone_authtoken]
# TLS certificate verification towards keystone stays enabled
insecure = False
auth_type = password
auth_url =
www_authenticate_uri =
project_domain_id = default
user_domain_id = default
project_name = service
username = nova
password =
region_name = RegionOne
# NOTE(review): while this is False, a valid service token is accepted even if
# it fails the service_token_roles check; keystonemiddleware recommends True
# where the deployment allows it.
service_token_roles_required = False
service_token_roles = service
service_type = compute
memcached_servers =
# validated tokens are cached for 300 seconds
token_cache_time = 300

# nova-compute libvirt driver settings.
[libvirt]
# -2 disables file injection into guest images; password and key injection
# are switched off as well
inject_partition = -2
inject_password = False
inject_key = False
virt_type = kvm
# live migration is configured for TLS: QEMU native TLS for the migration
# stream and the tls scheme for the libvirt connection to the target host
live_migration_with_native_tls = true
live_migration_scheme = tls
# address masked by the poster
live_migration_inbound_addr = xxx.xxx.xxx.xxx
hw_disk_discard = ignore
disk_cachemodes =
iscsi_use_multipath = True

 

 

Jan 25 09:46:07 bc2bl13 libvirtd[154472]: internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -r -u libvirt-c6aa0368-8ae5-4fe4-8ae5-93a92329aa74) unexpected exit status 1: 2023-01-25 09:46:07.871+0000: 376129: info : libvirt version: 8.0.0, package: 1ubuntu7.1~cloud0 (Openstack Ubuntu Testing Bot <openstack-testing-bot@ubuntu.com> Wed, 25 May 2022 14:51:12 +0000)
2023-01-25 09:46:07.871+0000: 376129: info : hostname: bc2bl13
2023-01-25 09:46:07.871+0000: 376129: error : virDomainDiskDefMirrorParse:8800 : unsupported configuration: unknown mirror job type ''
virt-aa-helper: error: could not parse XML
virt-aa-helper: error: could not get VM definition
Jan 25 09:46:07 bc2bl13 libvirtd[154472]: internal error: cannot update AppArmor profile 'libvirt-c6aa0368-8ae5-4fe4-8ae5-93a92329aa74'
Jan 25 09:46:07 bc2bl13 libvirtd[154472]: Unable to restore security label on /var/lib/nova/instances/snapshots/tmpej9y72fr/c8d4bb94296746d6bff6b747386b4a90.delta