** Description changed:

+ ==============================
+ SRU Justification:
+ 1. Impact: ceph volumes cannot be used in libvirt-qemu
+ 2. Development fix: update apparmor policy to allow qemu under libvirt access 
to ceph.conf
+ 3. Stable fix: same as development fix
+ 4. test case: see comment #4
+ 5. Regression potential: if ceph.conf was deemed to have sensitive 
information, qemu under libvirt could now read that.  No functionality 
regression should result from simply allowing read access to a configuration 
file.
+ ==============================
+ 
  I've been doing a little work with openstack, using ceph as a backend
  for nova-volume.
  
  When I attempt to attach an RBD volume to a running instance, it fails
  (with some delightfully unhelpful errors on the nova side).  The
  following is logged in the instance's libvirt log file
  
  unable to find any monitors in conf. please specify monitors via -m
  monaddr or -c ceph.conf
  
  and in dmesg we find
  
  type=1400 audit(1342656681.070:52): apparmor="DENIED" operation="open"
  parent=1 profile="libvirt-732fc0e8-5a8b-46d0-9689-f0c3e8f619f2"
  name="/etc/ceph/ceph.conf" pid=27601 comm="kvm" requested_mask="r"
  denied_mask="r" fsuid=110 ouid=0
  
  Adding the following to /etc/apparmor.d/abstractions/libvirt-qemu seems
  to be sufficient, at least for my no-cephx (i.e., no authentication and
  therefore no key material) testing environment.  For a cephx environment
  things are more complex, because a keyring file will also need to be
  read by the qemu process.
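
The denial above is exactly the kind of line a defender turns into a least-privilege rule. As an added example (not part of the bug report or of the libvirt package), the script below parses AppArmor audit lines from dmesg and derives, per profile, the minimal file rule that would satisfy each DENIED event; the second sample line (a keyring denial at an assumed path) and the unrelated kernel message are constructed to show the cephx case and the skip path.

```python
import re
from collections import defaultdict

# Constructed sample log: line 1 is the denial quoted in the bug report; line 2 is a
# hypothetical denial for a cephx keyring (assumed path, not from the report); line 3
# is an unrelated kernel message that the parser must ignore.
SAMPLE_DMESG = """\
type=1400 audit(1342656681.070:52): apparmor="DENIED" operation="open" parent=1 profile="libvirt-732fc0e8-5a8b-46d0-9689-f0c3e8f619f2" name="/etc/ceph/ceph.conf" pid=27601 comm="kvm" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
type=1400 audit(1342656681.071:53): apparmor="DENIED" operation="open" parent=1 profile="libvirt-732fc0e8-5a8b-46d0-9689-f0c3e8f619f2" name="/etc/ceph/keyring" pid=27601 comm="kvm" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
[12345.678] kvm: emulating exchange as write
"""

# key=value tokens; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of an AppArmor audit line, or None if it is not one."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if fields.get("type") != "1400" or "apparmor" not in fields:
        return None
    return fields


def suggest_rules(lines):
    """Map each profile to the minimal file rules that would satisfy its DENIED events.

    Only the denied mask is granted (e.g. 'r' for ceph.conf), never a broader mode, and
    ALLOWED (complain-mode) events are left out so the result reflects real enforcement.
    """
    rules = defaultdict(set)
    for line in lines:
        ev = parse_audit_line(line)
        if not ev or ev.get("apparmor") != "DENIED":
            continue
        path, mask = ev.get("name"), ev.get("denied_mask")
        if not path or not mask:
            continue  # not a file access event (e.g. a signal or capability denial)
        rules[ev["profile"]].add(f"{path} {''.join(sorted(mask))},")
    return {profile: sorted(r) for profile, r in rules.items()}


if __name__ == "__main__":
    for profile, profile_rules in suggest_rules(SAMPLE_DMESG.splitlines()).items():
        print(f"# rules needed by profile {profile}")
        for rule in profile_rules:
            print(f"  {rule}")
```

Run against a real `dmesg | grep apparmor` capture, the output is the starting point for an abstraction change like the one below, with each granted path and mode reviewed before it is added.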
  
  === modified file 'apparmor.d/abstractions/libvirt-qemu'
  --- apparmor.d/abstractions/libvirt-qemu        2012-07-18 23:37:13 +0000
  +++ apparmor.d/abstractions/libvirt-qemu        2012-07-19 00:10:18 +0000
  @@ -123,3 +123,6 @@
-    /etc/pki/CA/* r,
-    /etc/pki/libvirt/ r,
-    /etc/pki/libvirt/** r,
+    /etc/pki/CA/* r,
+    /etc/pki/libvirt/ r,
+    /etc/pki/libvirt/** r,
  +
  +  # for rbd
  +  /etc/ceph/ceph.conf r,
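
Review bot: the new `/etc/ceph/ceph.conf r,` rule only covers the no-cephx setup the report describes; with cephx the qemu process also has to read the keyring, so either add that rule as well or extend the `# for rbd` comment to say keyring access is still denied, so nobody takes this hunk as the complete fix. Also, the `/etc/pki/CA/* r,`, `/etc/pki/libvirt/ r,` and `/etc/pki/libvirt/** r,` lines appear in the rendered diff as removed and re-added with no visible difference, which suggests a whitespace-only change; dropping it keeps the patch to the single addition the SRU justification describes.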

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1026404

Title:
  attaching rbd fails because apparmor forbids access to ceph.conf

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1026404/+subscriptions
