apparmor调试 启动虚拟机失败排查


virsh 启动虚拟机报错

sudo virsh start 107-debian12
error: 启动域 '107-debian12' 失败
error: 内部错误:连接监控的过程中进程退出: 2025-11-22T11:42:17.483457Z qemu-system-x86_64: -blockdev {"driver":"file","filename":"/var/lib/libvirt/images/107/vm-107-disk-1.qcow2","node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}: Could not open '/var/lib/libvirt/images/107/vm-107-disk-1.qcow2': Permission denied

查看apparmor的配置和状态

# AppArmor policy is enforced inside the kernel (LSM), not by apparmor.service;
# the unit only loads profiles into the kernel at boot / on reload.
# NOTE(review): CONFIG_SECURITY_APPARMOR is a bool Kconfig option, so on
# Debian/Ubuntu kernels AppArmor is compiled in — there is no apparmor.ko that
# could be unloaded; the "kernel module" wording in these notes is misleading.
# Only aa-teardown or `apparmor_parser -R` removes loaded profiles;
# `systemctl stop apparmor` leaves them in the kernel and they keep enforcing.
sudo systemctl enable --now apparmor.service
# Reload (not restart) libvirtd so it re-reads its configuration; a reload
# should leave running guests untouched — confirm on this host's unit file.
sudo systemctl reload libvirtd

# Last five kernel messages that mention AppArmor or a denial. A DENIED line
# carries profile="..." (which guest profile blocked) and name="..." (the path);
# read those before changing any policy — a DAC "Permission denied" on the
# image file produces no AppArmor line at all.
sudo dmesg | grep -iE 'apparmor|denied' | tail -n 5
# Same check against the journal's kernel messages, last ten minutes only.
sudo journalctl -k --since '10 minutes ago' | grep -i -- denied

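# Temporary, test-only: unload every loaded profile. This lifts ALL
# confinement on the host at once, so re-run the failing `virsh start`
# immediately afterwards and re-load policy (`systemctl restart apparmor`,
# then start the guest so its profile is regenerated) once the cause is known.
sudo aa-teardown
# Stopping the unit does not unload anything (see the notes above); it is
# harmless but unnecessary after aa-teardown.
sudo systemctl stop apparmor
# Dropped the former `sudo rmmod apparmor` step: CONFIG_SECURITY_APPARMOR is a
# bool option, so AppArmor is compiled into the kernel and rmmod can never
# succeed (there is no loaded module to remove). A kernel-wide disable would
# need a boot parameter and a reboot — not a troubleshooting step.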

# Targeted fix: extend the libvirt AppArmor policy instead of disabling it.
# Edit the shared qemu abstraction (every confined guest profile includes it).
# NOTE(review): this file is shipped by the libvirt package and may be
# overwritten on upgrade; if it ends with an `include if exists
# <local/abstractions/libvirt-qemu>` line, put the rule in
# /etc/apparmor.d/local/abstractions/libvirt-qemu instead.
sudo nano /etc/apparmor.d/abstractions/libvirt-qemu
# Allow access to custom image directories
# NOTE(review): a `**` rule in the shared abstraction lets EVERY guest
# read/write/lock EVERY image under 107/ — cross-guest disk isolation is lost.
# Prefer the single file the error named:
#   /var/lib/libvirt/images/107/vm-107-disk-1.qcow2 rwk,
# Normally virt-aa-helper adds each disk from the domain XML to the per-guest
# /etc/apparmor.d/libvirt/libvirt-<uuid>.files; if that did not happen here,
# find out why before widening the shared policy.
# The line below is an AppArmor rule to paste into the file, not a shell command.
/var/lib/libvirt/images/107/** rwk,
# rwk = read + write + lock (locking is required for the primary disk)

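# Reload policy. Abstractions are not standalone profiles: running
# `apparmor_parser -r` on /etc/apparmor.d/abstractions/libvirt-* fails (the
# file has rules but no profile block to load). The guest profiles that
# include the abstraction are generated and loaded by virt-aa-helper when a
# domain starts, so starting the guest again picks up the edited abstraction:
sudo virsh start 107-debian12
# For guests that are already running, reload their per-domain profile instead
# (file name is libvirt-<domain UUID>; check with `virsh domuuid <domain>` —
# the UUID below is the one these notes used elsewhere and must match the guest):
sudo apparmor_parser -r /etc/apparmor.d/libvirt/libvirt-f681fad3-a70e-44c7-b91b-98a111906d5a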

# Confirm AppArmor really is off (only if you chose option 2 above).
sudo aa-status | grep "apparmor module"
# Check whether denials still reference a disk image.
sudo dmesg -T | grep -i "denied.*qcow2"
# Workaround: relax only this guest's generated profile.
# aa-complain keeps logging (as ALLOWED) but stops blocking — the safer
# diagnostic; aa-disable drops confinement for this guest entirely.
# NOTE(review): virt-aa-helper writes per-guest profiles under
# /etc/apparmor.d/libvirt/libvirt-<uuid> (note the libvirt/ subdirectory);
# the paths below have no subdirectory — check `ls /etc/apparmor.d/libvirt/`
# and confirm the UUID matches `virsh domuuid 107-debian12`. The profile is
# regenerated at domain start, so either change may be undone then — verify.
sudo aa-complain /etc/apparmor.d/libvirt-f681fad3-a70e-44c7-b91b-98a111906d5a
sudo aa-disable /etc/apparmor.d/libvirt-f681fad3-a70e-44c7-b91b-98a111906d5a