virsh snapshot-create-as gives "unable to execute QEMU command `transaction`"

I have an Ubuntu 12.04 Server that hosts several virtual machines. I want to make backups of these VM's using the snapshot mechanism.
The purpose of these snapshots is to have a backup on an external device. I am currently trying to simply create the backup in /var/tmp.

When I type

sudo virsh snapshot-create-as test-vm --memspec /var/tmp/test-vm-snapshot

I get the message

error: internal error: unable to execute QEMU command 'transaction': Could not open '/var/lib/libvirt/images/test-vm.img': Permission denied

I tried to solve this by temporarily giving read/write permissions (chmod og+rw) but then I get the same message.

I read that this is due to AppArmor, and this seems to be confirmed by the syslog. However, if I temporarily stop AppArmor, I still get the same error message, and the same entries in the syslog.

How can I create an internal backup of a VM to a specific file?

Solution 1:

To get AppArmor (temporarily) out of the picture, I used aa-complain, which tells AppArmor to not enforce it's policy on some processes, but still make an entry in the log. This required sudo apt-get install apparmor-utils.

First, I used sudo aa-status to see which processes were in "enforced" mode. These relevant processes were libvirtd and the VM. Then I set these to "complain" mode and made the snapshot:

sudo aa-complain /usr/sbin/libvirtd
sudo aa-complain /etc/apparmor.d/libvirt/libvirt-20683be9-691f-42f2-9fd7-7f44ab423c1e
sudo virsh snapshot-create-as test-vm --memspec /var/tmp/test-vm-snapshot

In this way, a file "test-vm-snapshot" was created in /var/tmp.

Afterwards, I used sudo aa-enforce to put these processes back in "enforce" mode.

But why /etc/init.d/apparmor stop didn't help, while the much more subtle aa-complain did, is still beyond me...