[Bug 1762769] Re: missing entry at apparmor profile for nova instances
Stefan Hoffmann
1762769 at bugs.launchpad.net
Fri Apr 20 13:34:53 UTC 2018
Hi,
thanks for your answer. Here are the files (the id of the instance has
changed because of reproduction).
/etc/apparmor.d/libvirt/libvirt-88917d0e-c873-4a73-9ec1-a458d64a1df9 :
#
# This profile is for the domain whose UUID matches this file.
#
#include <tunables/global>
profile libvirt-88917d0e-c873-4a73-9ec1-a458d64a1df9 {
#include <abstractions/libvirt-qemu>
#include <libvirt/libvirt-88917d0e-c873-4a73-9ec1-a458d64a1df9.files>
}
/etc/apparmor.d/libvirt/libvirt-88917d0e-c873-4a73-9ec1-a458d64a1df9.files :
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/log/libvirt/**/instance-00000014.log" w,
"/var/lib/libvirt/qemu/domain-instance-00000014/monitor.sock" rw,
"/var/lib/libvirt/qemu/domain-1-instance-00000014/*" rw,
"/var/lib/libvirt/qemu/channel/target/domain-1-instance-00000014/*" rw,
"/var/run/libvirt/**/instance-00000014.pid" rwk,
"/run/libvirt/**/instance-00000014.pid" rwk,
"/var/run/libvirt/**/*.tunnelmigrate.dest.instance-00000014" rw,
"/run/libvirt/**/*.tunnelmigrate.dest.instance-00000014" rw,
"/var/lib/nova/instances/88917d0e-c873-4a73-9ec1-a458d64a1df9/disk" rwk,
"/var/lib/nova/instances/_base/a384e02b9e9b6097573a68b9e7ade76432f819a0" rk,
/dev/vhost-net rw,
"/dev/net/tun" rwk,
The instance is deleted at virsh after failure, so the dumpxml also has
a different id, but the same failure.
** Attachment added: "output of virsh dumpxml"
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1762769/+attachment/5123786/+files/virsh.out
https://bugs.launchpad.net/bugs/1762769
Title:
missing entry at apparmor profile for nova instances
Status in Ubuntu Cloud Archive:
New
Status in libvirt package in Ubuntu:
Incomplete
Bug description:
My nova instances can't start, because there is no access to
/var/lib/nova/instances/b952cef8-7a7a-4d45-a7a9-e4b15b2aae5c/console.log
The apparmor profile is created at
/etc/apparmor.d/libvirt/libvirt-f146b809-e393-48c9-b325-5c2ae6c20e39.files,
but in this profile an entry for console.log is missing.
The apparmor profile says: "# DO NOT EDIT THIS FILE DIRECTLY. IT IS
MANAGED BY LIBVIRT." I have no idea how to configure libvirt to
expand the profile.
I'm working on
Ubuntu 16.04,
libvirtd (libvirt) 3.6.0
nova 9.1.0
apparmor 2.10.95
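A way to check which paths the generated rules cover, as an added example that is not part of the original message or of libvirt: it parses the .files rules quoted above and reports the permissions no rule grants for a path. Assumptions: only the *, ** and ? globs are handled, with simplified semantics; the included abstractions/libvirt-qemu is not evaluated; the console.log path under the posted instance directory and the requested rw access are constructed for the check.

```python
import re

# Rules copied from the .files profile quoted in the message above.
FILES_PROFILE = '''
"/var/log/libvirt/**/instance-00000014.log" w,
"/var/lib/libvirt/qemu/domain-instance-00000014/monitor.sock" rw,
"/var/lib/libvirt/qemu/domain-1-instance-00000014/*" rw,
"/var/lib/libvirt/qemu/channel/target/domain-1-instance-00000014/*" rw,
"/var/run/libvirt/**/instance-00000014.pid" rwk,
"/run/libvirt/**/instance-00000014.pid" rwk,
"/var/run/libvirt/**/*.tunnelmigrate.dest.instance-00000014" rw,
"/run/libvirt/**/*.tunnelmigrate.dest.instance-00000014" rw,
"/var/lib/nova/instances/88917d0e-c873-4a73-9ec1-a458d64a1df9/disk" rwk,
"/var/lib/nova/instances/_base/a384e02b9e9b6097573a68b9e7ade76432f819a0" rk,
/dev/vhost-net rw,
"/dev/net/tun" rwk,
'''
# Constructed for the check: the instance directory named by the "disk" rule.
INSTANCE_DIR = "/var/lib/nova/instances/88917d0e-c873-4a73-9ec1-a458d64a1df9"
# A file rule: quoted or bare absolute path, permission letters, trailing comma.
RULE = re.compile(r'^\s*(?:"([^"]+)"|(/\S*))\s+([a-z]+),\s*$')
GLOBS = {"**": ".*", "*": "[^/]*", "?": "[^/]"}

def glob_to_regex(glob):
    # Simplified AppArmor globbing: '**' crosses '/', '*' and '?' do not.
    parts = re.split(r"(\*\*|\*|\?)", glob)
    return re.compile("".join(GLOBS.get(p, re.escape(p)) for p in parts) + r"\Z")

def parse_rules(text):
    # Comment and blank lines do not match RULE and are skipped.
    found = (RULE.match(line) for line in text.splitlines())
    return [(glob_to_regex(m.group(1) or m.group(2)), set(m.group(3)))
            for m in found if m]

def missing(rules, path, wanted):
    # Permissions accumulate across every rule whose glob matches the path.
    granted = set()
    for rx, perms in rules:
        if rx.match(path):
            granted |= perms
    return set(wanted) - granted

if __name__ == "__main__":
    rules = parse_rules(FILES_PROFILE)
    for name in ("disk", "console.log"):
        lacking = sorted(missing(rules, f"{INSTANCE_DIR}/{name}", "rw"))
        print(f"{name}: missing {lacking or 'nothing'}")
```
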