[Bug 1762769] Re: missing entry at apparmor profile for nova instances
ChristianEhrhardt
1762769 at bugs.launchpad.net
Tue Apr 24 07:39:32 UTC 2018
Your log contains:
qemu-system-x86_64: -chardev pty,id=charserial0,logfile=/var/lib/nova/instances/2691027e-9d67-4f78-841f-01e6c809e8fc/console.log,logappend=off
Which is the older style where qemu itself opens the file instead of the
more modern example I posted above where it is pre-opened and passed as
fd.
All that is fine, for a version like that you'll likely need the apparmor rule to allow it indeed.
Could you report the dmesg entry showing the deny as well?
With an older libvirt 1.3.1 and an "old style" XML entry you get the old behavior.
All this is for the switch of openstack to virtlogd btw - see more in bug 1667033 (not needed, but if you are interested).
So you should essentially have one of two potential behaviors:
A) Old as in Xenial which means libvirt 1.3.1 qemu 2.5 and openstack 2:13.1.4-0ubuntu4.2
This uses direct file paths which means:
A1) Old XML style
<serial type='file'>
  <source path='/var/lib/nova/instances/consoletest/console.log'/>
  <target port='0'/>
</serial>
<console type='file'>
  <source path='/var/lib/nova/instances/consoletest/console.log'/>
  <target type='serial' port='0'/>
</console>
A2) apparmor entries
"/var/lib/nova/instances/consoletest/console.log" rw,
"/var/lib/nova/instances/consoletest/console.log" rw,
A3) chardev with path on qemu
-chardev file,id=charserial0,path=/var/lib/nova/instances/consoletest/console.log
A*) Qemu will open the file under the apparmor profile, but since it is defined as source path it was added to its per guest apparmor profile and is working.
B) New style with virtlogd as in >=Zesty / Ocata which means libvirt >=2.5 qemu >=2.8 and OpenStack >=15
B1) New style XML syntax
<serial type='pty'>
  <log file='/var/lib/nova/instances/testlp1762769/console.log' append='off'/>
  <target port='0'/>
</serial>
<console type='pty'>
  <log file='/var/lib/nova/instances/testlp1762769/console.log' append='off'/>
  <target type='serial' port='0'/>
</console>
B2) no apparmor entries (none needed)
B3) console with fdset passed
-add-fd set=1,fd=28 -chardev pty,id=charserial0,logfile=/dev/fdset/1,logappend=on -device isa-serial,chardev=charserial0,id=serial0
B*) libvirt/virtlogd will open the files and pass FDs to be used to qemu as needed
You should have A OR B, but not a mix (as it seems in the bug so far).
A and B work, but a mix might not.
You might report your dmesg, but I assume I know what I'll see there.
I'd ask you to really sort out if you have any external repositories or configuration that pushes you into the dead zone.
For a try without Openstack you can do this:
$ apt install uvtool-libvirt
$ uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 release=bionic label=daily
$ uvt-kvm create --password ubuntu consoletest arch=amd64 release=bionic label=daily
# That is a kvm guest based on the cloud image, you can shut it down, edit its xml to the example above (if on Xenial as-is A, if later B) and start the guest again.
Really if there is an issue I'd need the full set of how A or B breaks
for you with all mentioned logs. If you happen to find why you seem to
be somewhere in between A/B let me know here as well.
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1762769
Title:
missing entry at apparmor profile for nova instances
Status in Ubuntu Cloud Archive:
New
Status in libvirt package in Ubuntu:
Incomplete
Bug description:
My nova instances can't start, because no access to
/var/lib/nova/instances/b952cef8-7a7a-4d45-a7a9-e4b15b2aae5c/console.log
The apparmor profile is created at
/etc/apparmor.d/libvirt/libvirt-f146b809-e393-48c9-b325-5c2ae6c20e39.files,
but at this profile an entry for console.log is missing
The apparmor profile says: "# DO NOT EDIT THIS FILE DIRECTLY. IT IS
MANAGED BY LIBVIRT." I have no idea, how to configure libvirt, to
expand the profile.
I'm working on
Ubuntu 16.04,
libvirtd (libvirt) 3.6.0
nova 9.1.0
apparmor 2.10.95
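
Added example, not part of the original message and not code from libvirt or nova: a small check for the "mix" case described above, where qemu is handed a real console log path (instead of /dev/fdset/N) that the per-guest profile does not list. The function names are hypothetical, the sample command lines are constructed from the ones quoted in the message, and profile rules are matched as exact quoted paths only (no glob handling).

```python
import re
import shlex

# Constructed sample command lines, modelled on the three cases in the message.
STYLE_A = ("qemu-system-x86_64 -chardev file,id=charserial0,"
           "path=/var/lib/nova/instances/consoletest/console.log")
STYLE_B = ("qemu-system-x86_64 -add-fd set=1,fd=28 "
           "-chardev pty,id=charserial0,logfile=/dev/fdset/1,logappend=on")
MIXED = ("qemu-system-x86_64 -chardev pty,id=charserial0,"
         "logfile=/var/lib/nova/instances/testlp1762769/console.log,logappend=off")

def chardev_opts(cmdline):
    """Yield (backend, options dict) for every -chardev argument."""
    argv = shlex.split(cmdline)
    for flag, value in zip(argv, argv[1:]):
        if flag == "-chardev":
            backend, *pairs = value.split(",")
            yield backend, dict(p.split("=", 1) for p in pairs if "=" in p)

def paths_qemu_opens(cmdline):
    """Console log paths qemu opens itself, i.e. under its AppArmor profile."""
    paths = []
    for backend, opts in chardev_opts(cmdline):
        target = opts.get("path") if backend == "file" else opts.get("logfile")
        # /dev/fdset/N means the file was pre-opened and passed in as an fd.
        if target and not target.startswith("/dev/fdset/"):
            paths.append(target)
    return paths

def profile_rules(files_profile_text):
    """Quoted paths with write permission in a libvirt-<uuid>.files profile."""
    return {m.group(1) for m in
            re.finditer(r'^\s*"([^"]+)"\s+\w*w\w*,', files_profile_text, re.M)}

def missing_rules(cmdline, files_profile_text):
    """Paths qemu will open directly that the per-guest profile does not allow."""
    allowed = profile_rules(files_profile_text)
    return [p for p in paths_qemu_opens(cmdline) if p not in allowed]

if __name__ == "__main__":
    profile = '  "/var/lib/nova/instances/consoletest/console.log" rw,\n'
    for name, cmd in (("A", STYLE_A), ("B", STYLE_B), ("mixed", MIXED)):
        print(name, "missing rules:", missing_rules(cmd, profile))
```

Any path it reports for a running guest should line up with a DENIED entry in dmesg for the same file.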