Hi, I want to take a Live-snapshot. The instances are not switched off. Ubuntu 20.04 # Ansible managed DISTRIB_ID="OSA" DISTRIB_RELEASE="25.2.0" DISTRIB_CODENAME="Yoga" DISTRIB_DESCRIPTION="OpenStack-Ansible" nova-25.0.2.dev8.dist-info Compiled against library: libvirt 8.0.0 Using library: libvirt 8.0.0 Using API: QEMU 8.0.0 Running hypervisor: QEMU 4.2.1 ii apparmor 2.13.3-7ubuntu5.1 amd64 user-space parser utility for AppArmor I've also Adjusted virt-aa-helper: #include <tunables/global> profile virt-aa-helper /usr/lib/libvirt/virt-aa-helper flags=(complain) { #include <abstractions/base> #include <abstractions/openssl> # needed for searching directories capability dac_override, capability dac_read_search, # needed for when disk is on a network filesystem network inet, network inet6, deny @{PROC}/[0-9]*/mounts r, @{PROC}/[0-9]*/net/psched r, owner @{PROC}/[0-9]*/status r, @{PROC}/filesystems r, # Used when internally running another command (namely apparmor_parser) @{PROC}/@{pid}/fd/ r, # allow reading libnl's classid file /etc/libnl{,-3}/classid r, # for gl enabled graphics /dev/dri/{,*} r, # for hostdev /sys/devices/ r, /sys/devices/** r, /sys/bus/usb/devices/ r, deny /dev/sd* r, deny /dev/vd* r, deny /dev/dm-* r, deny /dev/drbd[0-9]* r, deny /dev/dasd* r, deny /dev/nvme* r, deny /dev/zd[0-9]* r, deny /dev/mapper/ r, deny /dev/mapper/* r, /usr/lib/libvirt/virt-aa-helper mr, /{usr/,}sbin/apparmor_parser Ux, /etc/apparmor.d/libvirt/* r, /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, # for backingstore -- allow access to non-hidden files in @{HOME} as well # as storage pools audit deny @{HOME}/.* mrwkl, audit deny @{HOME}/.*/ rw, audit deny @{HOME}/.*/** mrwkl, audit deny @{HOME}/bin/ rw, audit deny @{HOME}/bin/** mrwkl, @{HOME}/ r, @{HOME}/** r, /var/lib/libvirt/images/ rw, /var/lib/libvirt/images/** rw, # nova base images (LP: #907269 https://bugs.launchpad.net/bugs/907269 ) /var/lib/nova/images/** rw, /var/lib/nova/instances/_base/** rw, # nova snapshots (LP: #1244694 https://bugs.launchpad.net/bugs/1244694 ) /var/lib/nova/instances/snapshots/** rw, } Filesystem: OCFS2 [keystone_authtoken] insecure = False auth_type = password auth_url = www_authenticate_uri = project_domain_id = default user_domain_id = default project_name = service username = nova password = region_name = RegionOne service_token_roles_required = False service_token_roles = service service_type = compute memcached_servers = token_cache_time = 300 [libvirt] inject_partition = -2 inject_password = False inject_key = False virt_type = kvm live_migration_with_native_tls = true live_migration_scheme = tls live_migration_inbound_addr = xxx.xxx.xxx.xxx hw_disk_discard = ignore disk_cachemodes = iscsi_use_multipath = True Jan 25 09:46:07 bc2bl13 libvirtd[154472]: internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -r -u libvirt-c6aa0368-8ae5-4fe4-8ae5-93a92329aa74) unexpected exit status 1: 2023-01-25 09:46:07.871+0000: 376129: info : libvirt version: 8.0.0, package: 1ubuntu7.1~cloud0 (Openstack Ubuntu Testing Bot <openstack-testing-bot@ubuntu.com> Wed, 25 May 2022 14:51:12 +0000) 2023-01-25 09:46:07.871+0000: 376129: info : hostname: bc2bl13 2023-01-25 09:46:07.871+0000: 376129: error : virDomainDiskDefMirrorParse:8800 : unsupported configuration: unknown mirror job type '' virt-aa-helper: error: could not parse XML virt-aa-helper: error: could not get VM definition Jan 25 09:46:07 bc2bl13 libvirtd[154472]: internal error: cannot update AppArmor profile 'libvirt-c6aa0368-8ae5-4fe4-8ae5-93a92329aa74' Jan 25 09:46:07 bc2bl13 libvirtd[154472]: Unable to restore security label on /var/lib/nova/instances/snapshots/tmpej9y72fr/c8d4bb94296746d6bff6b747386b4a90.delta