Public bug reported:

The OpenStack charm nova-compute sets up rbd with hardcoded paths which libvirt has no access to when confined by AppArmor.

The charm sets up 'admin socket': '/var/run/ceph/rbd-client-$pid.asok' via
https://github.com/openstack/charm-nova-compute/blob/c744e052347d8ddfae88804a0ad0bdfdf4f5ae0d/hooks/nova_compute_context.py#L320

But libvirt has no exception for this path in the AppArmor profile.

Please add

  /run/ceph/rbd-client-*.asok rw,

to /etc/apparmor.d/abstractions/libvirt-qemu to allow access to that file.

Log file excerpt:

May 23 10:06:38 var0tf1a-cmp3s40d2yl-hr nova-compute: 2018-05-23 10:06:38.972 55598 WARNING nova.compute.manager [req-40e3686c-d70b-4d0b-8e65-9b6ec1847903 - - - - -] [instance: c364f41a-a2df-40e5-be43-1e47dd4e4fd7] Instance shutdown by itself. Calling the stop API. Current vm_state: active, current task_state: None, original DB power_state: 1, current VM power_state: 4
May 23 10:06:46 var0tf1a-cmp3s40d2yl-hr /usr/share/filebeat/bin/filebeat[10378]: log.go:91: Harvester started for file: /var/log/upstart/nova-compute.log
May 23 10:06:46 var0tf1a-cmp3s40d2yl-hr /usr/share/filebeat/bin/filebeat[10378]: log.go:91: Harvester started for file: /var/log/nova/nova-compute.log
May 23 10:06:50 var0tf1a-cmp3s40d2yl-hr kernel: [10110228.305439] audit: type=1400 audit(1527070010.408:172758): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-c364f41a-a2df-40e5-be43-1e47dd4e4fd7" pid=24777 comm="apparmor_parser"
May 23 10:06:50 var0tf1a-cmp3s40d2yl-hr kernel: [10110228.305762] audit: type=1400 audit(1527070010.408:172759): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-c364f41a-a2df-40e5-be43-1e47dd4e4fd7//qemu_bridge_helper" pid=24777 comm="apparmor_parser"
May 23 10:06:50 var0tf1a-cmp3s40d2yl-hr qemu-system-x86_64: 2018-05-23 10:06:50.530151 7f5c1da45ac0 -1 asok(0x561ffd079ee0) AdminSocketConfigObs::init: failed: AdminSocket::bind_and_listen: failed to bind the UNIX domain socket to '/var/run/ceph/rbd-client-24780.asok': (13) Permission denied
May 23 10:06:50 var0tf1a-cmp3s40d2yl-hr kernel: [10110228.421988] audit: type=1400 audit(1527070010.524:172760): apparmor="DENIED" operation="mknod" profile="libvirt-c364f41a-a2df-40e5-be43-1e47dd4e4fd7" name="/run/ceph/rbd-client-24780.asok" pid=24780 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=64055 ouid=64055
May 23 10:06:50 var0tf1a-cmp3s40d2yl-hr qemu-system-x86_64: 2018-05-23 10:06:50.531159 7f5c1da45ac0 -1 auth: unable to find a keyring on /etc/ceph/ceph.client.nova-compute-ext.keyring: (13) Permission denied

** Affects: libvirt (Ubuntu)
     Importance: Undecided
     Assignee: Christian Ehrhardt (paelzer)
         Status: New

** Tags: 4010

https://bugs.launchpad.net/bugs/1779674

Title:
  AppArmor does not permit access to rbd admin socket hardcoded in OpenStack charms
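
Added example (not part of the original report and not code from the charm or libvirt): a small parser that turns AppArmor DENIED audit records like the one in the log excerpt into candidate profile rules, replacing the pid that `$pid` expanded to with a glob. SAMPLE holds the two kernel audit records from the excerpt with the syslog prefix trimmed; the function names and the mask-to-permission table are assumptions of this sketch.

```python
import re

# Two kernel audit records taken from the report's log excerpt (syslog prefix trimmed).
SAMPLE = """\
audit: type=1400 audit(1527070010.408:172758): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-c364f41a-a2df-40e5-be43-1e47dd4e4fd7" pid=24777 comm="apparmor_parser"
audit: type=1400 audit(1527070010.524:172760): apparmor="DENIED" operation="mknod" profile="libvirt-c364f41a-a2df-40e5-be43-1e47dd4e4fd7" name="/run/ceph/rbd-client-24780.asok" pid=24780 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=64055 ouid=64055
"""

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# denied_mask letter -> permission letter in profile syntax. Create ('c') and
# delete ('d') are granted by 'w'. Exec denials need a transition mode and are
# deliberately left out of this sketch.
MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "d": "w", "k": "k", "m": "m"}


def parse_record(line):
    """Return the key=value fields of one audit line as a dict (quotes removed)."""
    return {k: (inner if raw.startswith('"') else raw)
            for k, raw, inner in KV.findall(line)}


def suggest_rules(log_text):
    """Return (profile, rule) pairs for AppArmor file denials found in log_text."""
    found = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED" or "name" not in rec:
            continue
        path, pid = rec["name"], rec.get("pid")
        if pid:
            # The socket path embeds the confined process's own pid, so
            # replace exactly that number (not any digit run) with a glob.
            path = re.sub(r"(?<!\d)" + re.escape(pid) + r"(?!\d)", "*", path)
        mask = rec.get("denied_mask", "")
        perms = "".join(sorted({MASK_TO_PERM[m] for m in mask if m in MASK_TO_PERM}))
        entry = (rec.get("profile"), f"{path} {perms},")
        if perms and entry not in found:
            found.append(entry)
    return found


if __name__ == "__main__":
    for profile, rule in suggest_rules(SAMPLE):
        print(f"{profile}: {rule}")
```

The rule derived from this single denial is `w` only, because the record shows just the create ('c') mask; the report asks for `rw`. The profile name in the record is the per-VM `libvirt-<uuid>` profile, while the report asks for the rule in the shared abstraction.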