ci: disable AppArmor security driver for qemu in CI

dmacvicar · dmacvicar · commit f0f8e0bb9b39 · 2026-03-08T17:42:12.000+01:00
Ubuntu's libvirt uses virt-aa-helper to generate per-VM AppArmor
profiles that restrict which paths QEMU can access. This blocks
volumes in non-default pool paths (e.g. subdirectories of
/var/lib/libvirt/images/) even when DAC permissions are correct.
Disable the security driver entirely in CI since confinement is
not needed for acceptance tests.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -98,6 +98,9 @@ jobs:
           sudo sed -i 's/^#\?user = .*/user = "root"/' /etc/libvirt/qemu.conf
           sudo sed -i 's/^#\?group = .*/group = "root"/' /etc/libvirt/qemu.conf
           sudo sed -i 's/^#\?dynamic_ownership = .*/dynamic_ownership = 0/' /etc/libvirt/qemu.conf
+          # Disable AppArmor confinement for QEMU so that VMs can access
+          # volumes in non-default pool paths during acceptance tests.
+          echo 'security_driver = "none"' | sudo tee -a /etc/libvirt/qemu.conf
           sudo systemctl restart libvirtd
           # Add runner to libvirt group
           sudo usermod -a -G libvirt runner
