debian buster brings apparmor. apparmor brings problems – e.g. it’s too restrictive for libvirt KVM guests and does not allow KVM to create snapshot-related files in the VM’s folders.
root@virt1:~# virsh snapshot-create-as --domain rtr0b -name backup-rtr0 --no-metadata --atomic --disk-only --diskspec vda,snapshot=external --diskspec vdb,snapshot=external
error: internal error: unable to execute QEMU command 'transaction': Could not create file: Permission denied
so far i did not find a clean and generic way to address it so i had to disable apparmor for libvirt by adding security_driver = "none" in /etc/libvirt/qemu.conf ; vm-specific solutions that i’ve found are described here and here.
i hope to eventually find a proper way of relaxing security settings so apparmor is still on for libvirt yet snapshot files can be created.
relevant debian bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932456
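the security_driver = "none" workaround above switches off libvirt's confinement of every qemu guest on the host, so it is worth being able to spot hosts where it is still in place. an added example (not from the original post) that classifies the setting in a qemu.conf; the function names and the four output labels are this example's own, and any active line containing a quoted none is treated as disabled:

```shell
#!/bin/sh
# Added example: classify the security_driver setting in a libvirt qemu.conf
# so hosts where guest confinement was switched off stand out in an audit.

# Print the active (uncommented) security_driver assignments, one per line.
active_security_driver_lines() {
    grep -E '^[[:space:]]*security_driver[[:space:]]*=' "$1" || true
}

# Prints one of: disabled | set | unset | unreadable
#   disabled   - an active assignment contains the quoted value none
#   set        - an active assignment names some other driver(s)
#   unset      - no active assignment (only commented-out ones, or none at all)
#   unreadable - the file is missing or cannot be read
security_driver_state() {
    conf="${1:-/etc/libvirt/qemu.conf}"
    [ -r "$conf" ] || { echo unreadable; return 0; }
    lines=$(active_security_driver_lines "$conf")
    if [ -z "$lines" ]; then
        echo unset
    # Drop trailing comments before matching, so '# was "none"' is not counted.
    elif printf '%s\n' "$lines" | sed 's/#.*//' | grep -Eq "[\"']none[\"']"; then
        echo disabled
    else
        echo set
    fi
}

# Check the path given as first argument, or /etc/libvirt/qemu.conf by default.
security_driver_state "$@"
```

a result of disabled on a host means the workaround is still active there and should be revisited once a narrower fix is available.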