[Bug 1762769] Re: missing entry at apparmor profile for nova instances

Stefan Hoffmann 1762769 at bugs.launchpad.net
Fri Apr 20 13:34:53 UTC 2018


Hi,

thanks for your answer. Here are the files (the instance id has changed
because of the reproduction).

/etc/apparmor.d/libvirt/libvirt-88917d0e-c873-4a73-9ec1-a458d64a1df9 :

#
# This profile is for the domain whose UUID matches this file.
#

#include <tunables/global>

profile libvirt-88917d0e-c873-4a73-9ec1-a458d64a1df9 {
  #include <abstractions/libvirt-qemu>
  #include <libvirt/libvirt-88917d0e-c873-4a73-9ec1-a458d64a1df9.files>

}

/etc/apparmor.d/libvirt/libvirt-88917d0e-c873-4a73-9ec1-a458d64a1df9.files :

# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/instance-00000014.log" w,
  "/var/lib/libvirt/qemu/domain-instance-00000014/monitor.sock" rw,
  "/var/lib/libvirt/qemu/domain-1-instance-00000014/*" rw,
  "/var/lib/libvirt/qemu/channel/target/domain-1-instance-00000014/*" rw,
  "/var/run/libvirt/**/instance-00000014.pid" rwk,
  "/run/libvirt/**/instance-00000014.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.instance-00000014" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.instance-00000014" rw,
  "/var/lib/nova/instances/88917d0e-c873-4a73-9ec1-a458d64a1df9/disk" rwk,
  "/var/lib/nova/instances/_base/a384e02b9e9b6097573a68b9e7ade76432f819a0" rk,
  /dev/vhost-net rw,
  "/dev/net/tun" rwk,

The instance is deleted in virsh after the failure, so the dumpxml also
has a different id, but the same failure.

** Attachment added: "output of virsh dumpxml"
   https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1762769/+attachment/5123786/+files/virsh.out
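As an added example (not code from this bug report or from libvirt), the following Python checker parses a libvirt-managed .files profile like the one posted above and answers whether a given path and permission letter would be granted. It implements the AppArmor path-glob rules that appear in such profiles (`*` does not cross `/`, `**` does, `?` is one character). The profile text is the one posted for domain 88917d0e-c873-4a73-9ec1-a458d64a1df9; the console.log path for that domain is constructed from the pattern in the bug description, since it does not appear in the posted profile. Running it shows directly why the write to console.log is denied while the write to disk is granted.

```python
"""Check what a libvirt-generated AppArmor .files profile actually grants.

Added example for this bug thread, not libvirt's code.  It implements the
subset of AppArmor path-glob syntax that appears in virt-aa-helper output:
  *    zero or more characters, but never a '/'
  **   zero or more characters, '/' included
  ?    exactly one character other than '/'
Anything else in a rule path is taken literally.
"""
import re

# The .files profile exactly as posted in the thread for this domain.
PROFILE_FILES = r'''
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/instance-00000014.log" w,
  "/var/lib/libvirt/qemu/domain-instance-00000014/monitor.sock" rw,
  "/var/lib/libvirt/qemu/domain-1-instance-00000014/*" rw,
  "/var/lib/libvirt/qemu/channel/target/domain-1-instance-00000014/*" rw,
  "/var/run/libvirt/**/instance-00000014.pid" rwk,
  "/run/libvirt/**/instance-00000014.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.instance-00000014" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.instance-00000014" rw,
  "/var/lib/nova/instances/88917d0e-c873-4a73-9ec1-a458d64a1df9/disk" rwk,
  "/var/lib/nova/instances/_base/a384e02b9e9b6097573a68b9e7ade76432f819a0" rk,
  /dev/vhost-net rw,
  "/dev/net/tun" rwk,
'''

DOMAIN_UUID = "88917d0e-c873-4a73-9ec1-a458d64a1df9"

# One file rule per line: optional quotes around the path, then the
# permission letters, then the terminating comma.
RULE_RE = re.compile(r'^"?([^"\s]+)"?\s+([A-Za-z]+)\s*,$')


def parse_rules(text):
    """Return (path_glob, perms) pairs; comments, #include and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def glob_to_regex(glob):
    """Translate an AppArmor path glob into an anchored regular expression."""
    parts = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")          # ** crosses directory boundaries
            i += 2
            continue
        c = glob[i]
        if c == "*":
            parts.append("[^/]*")       # * stays within one path component
        elif c == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def find_grants(rules, path, perm):
    """Globs in `rules` that grant the single permission letter `perm` on `path`."""
    return [glob for glob, perms in rules
            if perm in perms and glob_to_regex(glob).match(path)]


def is_allowed(rules, path, perm):
    """True if at least one rule grants `perm` on `path` (AppArmor denies by default)."""
    return bool(find_grants(rules, path, perm))


def audit_instance(rules, uuid, names=("disk", "console.log")):
    """Write access for the per-instance files under /var/lib/nova/instances/<uuid>/.

    The file names are the two named in this thread; console.log is
    constructed from the bug description's path pattern, not taken from
    the posted profile.
    """
    base = f"/var/lib/nova/instances/{uuid}"
    return {name: is_allowed(rules, f"{base}/{name}", "w") for name in names}


RULES = parse_rules(PROFILE_FILES)

if __name__ == "__main__":
    for name, ok in audit_instance(RULES, DOMAIN_UUID).items():
        print(f"{'ALLOW' if ok else 'DENY '}  w  /var/lib/nova/instances/{DOMAIN_UUID}/{name}")
    # Expected: disk is allowed, console.log is denied because no rule covers it.
```

On a live host the same conclusion comes from the kernel log: AppArmor records the refused open as an `apparmor="DENIED"` line naming `profile="libvirt-<uuid>"`, the path and the `denied_mask`. Because the .files file is regenerated by libvirt's virt-aa-helper every time the domain starts, a rule added by hand there will not survive; the durable places for an extra rule are the generator itself or the profile pieces libvirt reads on each run (`/etc/apparmor.d/libvirt/TEMPLATE.qemu` and `abstractions/libvirt-qemu`), at the cost of granting that path to every confined domain rather than just this one.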

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1762769

Title:
  missing entry at apparmor profile for nova instances

Status in Ubuntu Cloud Archive:
  New
Status in libvirt package in Ubuntu:
  Incomplete

Bug description:
  My nova instances can't start, because there is no access to
  /var/lib/nova/instances/b952cef8-7a7a-4d45-a7a9-e4b15b2aae5c/console.log

  The apparmor profile is created at
  /etc/apparmor.d/libvirt/libvirt-f146b809-e393-48c9-b325-5c2ae6c20e39.files,
  but in this profile an entry for console.log is missing.

  The apparmor profile says: "# DO NOT EDIT THIS FILE DIRECTLY. IT IS
  MANAGED BY LIBVIRT." I have no idea how to configure libvirt to
  expand the profile.

  I'm working on
  Ubuntu 16.04,
  libvirtd (libvirt) 3.6.0
  nova 9.1.0
  apparmor 2.10.95

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1762769/+subscriptions
