[PKG-Openstack-devel] Bug#892431: AppArmor denies access for libvirt to nova instances directory

intrigeri intrigeri at debian.org
Sun Mar 18 16:00:18 UTC 2018


Control: reassign -1 libvirt-daemon-system
Control: affects -1 nova-compute
Control: tag -1 + upstream
Control: tag -1 + moreinfo

Hi,

aradian at tma-0.net:
> When launching a QEMU KVM instance, an error occurs immediately upon launching the
> qemu process:

> Could not open backing file: Could not open
> '/var/lib/nova/instances/_base/affe96668a4c64ef380ff1c71b4caec17039080e': Permission
> denied

> This is caused because the AppArmor profile for libvirt does not include access to
> nova's instances directory (/var/lib/nova/instances).

> This error was fixed by adding the following lines to
> /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper:

>   /var/lib/nova/instances/_base/ r,
>   /var/lib/nova/instances/_base/* r,
>   /var/lib/nova/instances/** rw,

> and running:
> sudo apparmor_parser -r /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper

Thanks for the bug report + debugging + solution!
I'm reassigning to the package that ships the faulty profile.

Let's submit this to libvirt upstream
(https://www.redhat.com/mailman/listinfo/libvir-list). Do you want to
do it yourself or shall I?

Now, one question before we move this upstream: does virt-aa-helper
really need write access to /var/lib/nova/instances/**?
Knowing a little bit what this helper does, I can't imagine why it
would; and in your logs I see only denied_mask="r".

> Probably it would be more appropriate to put that in a separate profile?

I think it's fine to add these lines to usr.lib.libvirt.virt-aa-helper.

Cheers,
-- 
intrigeri
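The question raised above (does virt-aa-helper need "rw" on /var/lib/nova/instances/** when the audit log only shows denied_mask="r"?) is the kind of thing best answered from the log itself. The following is an added example, not code from the bug report or from the libvirt or nova packages: it parses AppArmor audit lines, unions the denied modes per profile and path, renders minimal rules, and compares a proposed rule set against what was observed. The audit lines are constructed samples in the usual kernel audit format (only the path is the one quoted in the report); the glob translation is a simplification of AppArmor's matching (`*` stays inside one path component, `**` crosses `/`) and is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not the reporter's actual logs). The path is
# the one quoted in the bug report; pids, timestamps and uids are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1521388800.101:301): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/var/lib/nova/instances/_base/affe96668a4c64ef380ff1c71b4caec17039080e" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=64055
type=AVC msg=audit(1521388800.102:302): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/var/lib/nova/instances/_base/" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=64055
type=AVC msg=audit(1521388800.105:303): apparmor="ALLOWED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/libvirt/qemu.conf" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1521388800.106:303): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1521388800.110:304): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/var/lib/nova/instances/_base/affe96668a4c64ef380ff1c71b4caec17039080e" pid=4243 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=64055
"""

# The rules proposed in the bug report, as path -> mode letters.
REPORTED_RULES = {
    "/var/lib/nova/instances/_base/": "r",
    "/var/lib/nova/instances/_base/*": "r",
    "/var/lib/nova/instances/**": "rw",
}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
MASK_ORDER = "rwamkxl"  # fixed order so rendered masks are stable


def parse_denials(log_text):
    """Return one dict of key="value" fields per AppArmor DENIED line."""
    denials = []
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        if "profile" in fields and "name" in fields:
            denials.append(fields)
    return denials


def needed_access(denials):
    """Map (profile, path) -> union of the denied_mask letters seen in the log."""
    needed = defaultdict(set)
    for d in denials:
        needed[(d["profile"], d["name"])].update(d.get("denied_mask", ""))
    return needed


def profile_rules(needed):
    """Render one '  path mask,' rule per path, granting only the observed modes."""
    rules = {}
    for (profile, path), modes in needed.items():
        mask = "".join(m for m in MASK_ORDER if m in modes)
        rules.setdefault(profile, []).append(f"  {path} {mask},")
    return {p: sorted(r) for p, r in rules.items()}


def aa_glob_to_regex(pattern):
    """Approximate AppArmor path globbing as a regex (assumption of this example):
    '**' may cross '/', '*' and '?' stay within one path component."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def excess_modes(proposed, needed):
    """For each proposed rule, the modes it grants beyond what the log shows any
    matching path actually needed; an empty set means the rule is minimal."""
    result = {}
    for glob, mask in proposed.items():
        rx = aa_glob_to_regex(glob)
        observed = set()
        for (_profile, path), modes in needed.items():
            if rx.match(path):
                observed |= modes
        result[glob] = set(mask) - observed
    return result


if __name__ == "__main__":
    needed = needed_access(parse_denials(SAMPLE_AUDIT_LOG))
    for profile, rules in profile_rules(needed).items():
        print(f"# minimal rules for {profile}")
        print("\n".join(rules))
    for glob, extra in excess_modes(REPORTED_RULES, needed).items():
        print(f"{glob}: extra modes not seen in log = {''.join(sorted(extra)) or '(none)'}")
```

Run against a real `/var/log/audit/audit.log` (or `journalctl -k`) the same way, after reproducing the failure once; if the "w" never shows up in any denied_mask, the `**` rule can be narrowed to "r" before it goes upstream.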


