[Bug 1762769] Re: missing entry at apparmor profile for nova instances

Stefan Hoffmann 1762769 at bugs.launchpad.net
Mon Apr 23 14:45:27 UTC 2018 

Thanks for your reply.

Actually I use libvirt 1.3. There an entry for the instance console.log is createt at apparmor.d.
/etc/apparmor.d/libvirt/libvirt-4612b952-1df7-4f30-a6af-8af2616b41a4.files:

# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/instance-00000004.log" w,
  "/var/lib/libvirt/qemu/domain-instance-00000004/monitor.sock" rw,
  "/var/run/libvirt/**/instance-00000004.pid" rwk,
  "/run/libvirt/**/instance-00000004.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.instance-00000004" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.instance-00000004" rw,
  "/var/lib/nova/instances/4612b952-1df7-4f30-a6af-8af2616b41a4/disk" rw,
  "/var/lib/nova/instances/_base/a384e02b9e9b6097573a68b9e7ade76432f819a0" r,
  "/var/lib/nova/instances/4612b952-1df7-4f30-a6af-8af2616b41a4/console.log" rw,
  "/var/lib/nova/instances/4612b952-1df7-4f30-a6af-8af2616b41a4/console.log" rw,
  # for qemu guest agent channel
  owner "/var/lib/libvirt/qemu/channel/target/domain-instance-00000004/**" rw,
  /dev/vhost-net rw,
  "/dev/net/tun" rw,

Has this changed with version 3? I can't find any entry at apparmor.d that allows all (or one) instances access to the /var/lib/nova/instances/{id}/console.log at libvirt version 3.
Is there any way to configure libvirt to change the apparmor profiles?

The other informations you wanted i will provide soon.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1762769

Title:
  missing entry at apparmor profile for nova instances

Status in Ubuntu Cloud Archive:
  New
Status in libvirt package in Ubuntu:
  Incomplete

Bug description:
  My nova instances can't start, because no access to
  /var/lib/nova/instances/b952cef8-7a7a-
  4d45-a7a9-e4b15b2aae5c/console.log

  The apparmor profile is created at /etc/apparmor.d/libvirt/libvirt-
  f146b809-e393-48c9-b325-5c2ae6c20e39.files, but at this profile an
  enty for console.log is missing

  The apparmor profile says: "# DO NOT EDIT THIS FILE DIRECTLY. IT IS
  MANAGED BY LIBVIRT." I have no idea, how to configure libvirt, to
  expand the profile.

  I'm working on
  Ubuntu 16.04,
  libvirtd (libvirt) 3.6.0
  nova 9.1.0
  apparmor 2.10.95

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1762769/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list