Comment 9 for bug 619843

Jamie Strandboge (jdstrand) wrote :

To summarize the IRC discussion:

libvirt uses a stacked security driver. The one at the bottom is always on and is the DAC driver. MAC drivers such as the AppArmor one used in Ubuntu sit on top of the DAC driver. The DAC driver looks at /etc/libvirt/qemu.conf for the user and group to run qemu/kvm as, and as of libvirt 0.8.3 the DAC driver will consistently chown files to the user and group as defined in /etc/libvirt/qemu.conf. The DAC driver changes started to appear in earlier releases of the 0.8 series, and Debian started to use them during the Lucid cycle. Since Karmic, libvirt uses the AppArmor security driver, and therefore qemu/kvm is confined more thoroughly by AppArmor than with the DAC driver, and it was deemed too risky to run kvm/qemu as non-root since the libvirt code was not as well tested. So in Lucid, we changed qemu.conf back to running as root. Now, because of 0.8.3's behavior of unconditionally chowning what qemu/kvm needs access to, disks and the console.log are chowned to 'root:root', which is why the euca user doesn't have access to the console.log.

The proper fix is to drop the 9008-run-as-root-by-default.patch patch and add eucalyptus to the 'kvm' group. In addition to fixing this bug, it has the side benefits of reducing the Debian delta slightly and providing better protection for when the AppArmor driver is turned off.