error: internal error: unable to execute QEMU command ‘block-commit’: Could not reopen file: Permission denied

Bug #1554031 reported by Jignasha
This bug affects 2 people
Affects: libvirt (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

$ uname -a
Linux ubuntu-kilo 3.19.0-51-generic #57~14.04.1-Ubuntu SMP Fri Feb 19 14:36:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

$ virsh version
Compiled against library: libvirt 1.2.12
Using library: libvirt 1.2.12
Using API: QEMU 1.2.12
Running hypervisor: QEMU 2.2.0

$ virsh blockcommit {{ vm_id }} vda --active --pivot --verbose
unable to execute QEMU command ‘block-commit’: Could not reopen file: Permission denied

blockcommit has the above error.
What is the default security_driver used by qemu on Ubuntu,
and how can we configure rules to solve this the right way?

description: updated
Serge Hallyn (serge-hallyn) wrote :

The default security driver in Ubuntu is apparmor.

Could you please show the output of

cat /etc/*-release
ls -l /etc/apt/sources.list.d
cat /etc/apt/sources.list.d/*
dpkg -l | egrep -e '(libvirt|qemu)'

and show any relevant DENIED messages in syslog (grep DENIED /var/log/syslog)

Your libvirt version, 1.2.12, is not in any supported release of Ubuntu.

Changed in qemu (Ubuntu):
status: New → Invalid
Jignasha (jignasha-vithalani) wrote :

PFB outputs

$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.4 LTS"
NAME="Ubuntu"
VERSION="14.04.4 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.4 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

$ ls -l /etc/apt/sources.list.d
total 4
-rw-r--r-- 1 root root 78 Feb 23 05:51 cloudarchive-kilo.list

$ cat /etc/apt/sources.list.d/*
deb http://ubuntu-cloud.archive.canonical.com/ubuntu trusty-updates/kilo main

$ dpkg -l | egrep -e '(libvirt|qemu)'
ii ipxe-qemu 1.0.0+git-20131111.c3d1e78-2ubuntu1.1 all PXE boot firmware - ROM images for qemu
ii libvirt-bin 1.2.12-0ubuntu14.2~cloud0 amd64 programs for the libvirt library
ii libvirt0 1.2.12-0ubuntu14.2~cloud0 amd64 library for interfacing with different virtualization systems
ii nova-compute-libvirt 1:2015.1.2-0ubuntu2~cloud0 all OpenStack Compute - compute node libvirt support
ii python-libvirt 1.2.2-0ubuntu2 amd64 libvirt Python bindings
ii qemu 1:2.2+dfsg-5expubuntu9.6~cloud0 amd64 fast processor emulator
ii qemu-slof 20140630+dfsg-1ubuntu1~14.04 all Slimline Open Firmware -- QEMU PowerPC version
ii qemu-system 1:2.2+dfsg-5expubuntu9.6~cloud0 amd64 QEMU full system emulation binaries
ii qemu-system-arm 1:2.2+dfsg-5expubuntu9.6~cloud0 amd64 QEMU full system emulation binaries (arm)
ii qemu-system-common 1:2.2+dfsg-5expubuntu9.6~cloud0 amd64 QEMU full system emulation binaries (common files)
ii qemu-system-mips 1:2.2+dfsg-5expubuntu9.6~cloud0 amd64 QEMU full system emulation binaries (mips)
ii qemu-system-misc 1:2.2+dfsg-5expubuntu9.6~cloud0 amd64 QEMU full system emulation binaries (miscelaneous)
ii qemu-system-ppc 1:2.2+dfsg-5expubuntu9.6~cloud0 amd64 QEMU full system emulation binaries (ppc)
ii qemu-system-sparc 1:2.2+dfsg-5expubuntu9.6~cloud0 amd64 QEMU full system emulation binaries (sparc)
ii qemu-system-x86 1:2.2+dfsg-5expubuntu9.6~cloud0 amd64 QEMU full system emulation binaries (x86)
ii qemu-user 1:2.2+dfsg-5expubuntu9.6~cloud0 amd64 QEMU user mode emulation binaries
ii qemu-user-binfmt 1:2.2+dfsg-5expubuntu9.6~cloud0 amd64 QEMU user mode binfmt registration for qemu-user
ii qemu-utils 1:2.2+dfsg-5expubuntu9.6~cloud0 amd64 QEMU utilities

Getting below DENIED stat in syslog

Mar 7 07:41:19 ubuntu-kilo kernel: [604860.586630] audit: type=1400 audit(1457354479.040:171): apparmor="DENIED" operation="open" profile="libvirt-4aba58...

Jignasha (jignasha-vithalani) wrote :

We have updated the libvirt version from the supported release version.

Jignasha (jignasha-vithalani) wrote :

With the supported release version we are also getting the same error.

Changed in qemu (Ubuntu):
status: Invalid → New
Changed in qemu (Ubuntu):
importance: Undecided → High
status: New → Triaged
Serge Hallyn (serge-hallyn) wrote :

So the error message itself comes from qemu, in block/raw-posix.c:

error_setg_errno(errp, errno, "Could not reopen file")

Serge Hallyn (serge-hallyn) wrote :

strace shows:

5082 open("/var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZDpzZXJ2ZXI6MTYuMDQ6YW1kNjQgMjAxNjAxMjU=", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)

The apparmor profile (libvirt-uuid.files) includes:

  "/var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZDpzZXJ2ZXI6MTYuMDQ6YW1kNjQgMjAxNjAxMjU=" r,
  # don't audit writes to readonly files
  deny "/var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZDpzZXJ2ZXI6MTYuMDQ6YW1kNjQgMjAxNjAxMjU=" w,
  "/var/lib/uvtool/libvirt/images/docker-ds.qcow" rw,
  /dev/vhost-net rw,
  "/var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZDpzZXJ2ZXI6MTYuMDQ6YW1kNjQgMjAxNjAxMjU=" rw,

That long filename is the (readonly) backing file for the root disk.

sudo qemu-img info docker.qcow
image: docker.qcow
file format: qcow2
virtual size: 30G (32212254720 bytes)
disk size: 7.0G
cluster_size: 65536
backing file: /var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZDpzZXJ2ZXI6MTYuMDQ6YW1kNjQgMjAxNjAxMjU=
backing file format: qcow2
Format specific information:
    compat: 0.10
    refcount bits: 16

So it would seem we could consider this (a) a bug in qemu for requiring write access to a readonly backing file, or (b) a bug in libvirt for denying that write access.

Jignasha (jignasha-vithalani) wrote :

So what would be the best way to fix this issue?
As of now we fix this by setting security_driver = "none",
but this is the worst fix.
What can be done to fix this bug the right way?

Serge Hallyn (serge-hallyn) wrote :

ok, actually I think this is simply an error in virt-aa-helper. apparmor's load_profile() should be being called before the blockcommit begins, to add rw access to the base image. Which is why the rw rule is there. But the 'deny' rule is for some reason still there.
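
The conflict described in the comment above, as an added example that is not part of the original thread or of libvirt: a Python check that reads a libvirt-<uuid>.files fragment and reports paths where an allow rule grants a permission that a deny rule on the same path removes, since AppArmor deny rules take precedence over allow rules regardless of order. The function names are hypothetical, the sample is the profile excerpt quoted earlier in this thread, and only exact path matches are compared (globs are not expanded).

```python
import re
from collections import defaultdict

# Simple file rules as they appear in a libvirt-<uuid>.files fragment:
#   [deny] "<path>" <perms>,   or   [deny] <path> <perms>,
RULE = re.compile(
    r'^(?P<deny>deny\s+)?(?:"(?P<q>[^"]+)"|(?P<u>\S+))\s+(?P<perms>[a-z]+),$')

# Profile excerpt taken from the strace/profile comment in this thread.
BACKING = ("/var/lib/uvtool/libvirt/images/x-uvt-b64-"
           "Y29tLnVidW50dS5jbG91ZDpzZXJ2ZXI6MTYuMDQ6YW1kNjQgMjAxNjAxMjU=")
SAMPLE = f"""
  "{BACKING}" r,
  # don't audit writes to readonly files
  deny "{BACKING}" w,
  "/var/lib/uvtool/libvirt/images/docker-ds.qcow" rw,
  /dev/vhost-net rw,
  "{BACKING}" rw,
"""

def parse_rules(text):
    """Return (allowed, denied), each mapping path -> set of permission letters."""
    allowed, denied = defaultdict(set), defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = RULE.match(line)
        if not m:
            continue  # not a simple file rule (capability, network, ...)
        path = m.group("q") or m.group("u")
        (denied if m.group("deny") else allowed)[path] |= set(m.group("perms"))
    return allowed, denied

def deny_conflicts(text):
    """Map each path to the permissions that are both allowed and denied."""
    allowed, denied = parse_rules(text)
    out = {}
    for path, dperms in denied.items():
        clash = allowed.get(path, set()) & dperms
        if clash:
            out[path] = "".join(sorted(clash))
    return out

if __name__ == "__main__":
    for path, perms in deny_conflicts(SAMPLE).items():
        print(f"deny overrides allow for '{perms}': {path}")
```

Run against the per-domain .files fragment after a failed blockcommit, a non-empty result points at a stale deny rule rather than a missing allow rule.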

Jignasha (jignasha-vithalani) wrote :

So what can we do in code before blockcommit to change rw?

Serge Hallyn (serge-hallyn) wrote :

I have a test package building in ppa:serge-hallyn/virt.

Jignasha (jignasha-vithalani) wrote :

Is this the virt-manager or the libvirt package?
Where is that package in your PPA?

Serge Hallyn (serge-hallyn) wrote :

This is fixed in 1.3.1-1ubuntu7

affects: qemu (Ubuntu) → libvirt (Ubuntu)
Changed in libvirt (Ubuntu):
status: Triaged → Fix Released
Jignasha (jignasha-vithalani) wrote :

I can see 1.3.1-1ubuntu8 but have not found 1.3.1-1ubuntu7.

Jignasha (jignasha-vithalani) wrote :

Do we need all the deb packages to reinstall libvirt,
or is just reinstalling the libvirt-bin deb sufficient?

Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1554031] Re: error:internal error: unable to execute QEMU command ‘block-commit’:Could not reopen file: Permission denied

Quoting Jignasha (<email address hidden>):
> Do we need all the deb packages to reinstall libvirt,
> or is just reinstalling the libvirt-bin deb sufficient?

you need libvirt0 as well.

But please get it from the archive, not my ppa. I'm using my ppa for other
tests now.
