[Bug 1762769] Re: missing entry at apparmor profile for nova instances
ChristianEhrhardt
1762769 at bugs.launchpad.net
Mon Apr 23 09:06:55 UTC 2018
Ok thanks for the data.
That looks like the "normal" openstack double console entry to have an attachable console that logs to a file at the same time.
I made a new dir:
$ mkdir -p /var/lib/nova/instances/testlp1762769
And added the following to a libvirt 3.6 guest
<serial type='pty'>
  <log file='/var/lib/nova/instances/testlp1762769/console.log' append='off'/>
  <target port='0'/>
</serial>
<console type='pty'>
  <log file='/var/lib/nova/instances/testlp1762769/console.log' append='off'/>
  <target type='serial' port='0'/>
</console>
But the log is working fine at that path and the guest starts without
issues.
There are two important details on this now:
1. the guest has no individual rule for the console (I implemented that later in libvirt >=4.0 as in Ubuntu 18.04) - so for the initial report of "the entry is missing" I have to say "it is working still and only later releases have the individual entry".
2. Let's check why it actually works for me to then check this for your case.
This is how the console is specified at the guest:
-add-fd set=1,fd=28 -chardev pty,id=charserial0,logfile=/dev/fdset/1,logappend=on -device isa-serial,chardev=charserial0,id=serial0
Now this works by libvirt opening the files and passing the file descriptors.
Libvirt itself has a very open apparmor profile and can do so, and this is a common pattern for non-privileged guests.
I'd assume if anything in your case it either follows completely
different code paths (we have to find why) or your setup is broken in
regard to the rules for libvirtd.
Could you please:
1. check on a running guest if the arguments for the console on qemu are similar to my examples above?
2. while triggering the issue capture more logs of what fails for you. It is important to minimize this to just the action that triggers the issue. So not a full create, deploy, kill guest - but instead do all you need to do in openstack so that the failing guest is defined on the node and just not starting. Then just run "virsh start <instanc....>". If that is not possible try to minimize on your own as much as you can.
2a. check dmesg -w while doing so and report the exact apparmor DENY line?
2b. check the libvirtd logfile that you can run with debug enabled per [1] (right at the end)
Attach both logs, so that together we might spot why it fails in your case.
[1]: https://libvirt.org/logging.html
--
https://bugs.launchpad.net/bugs/1762769
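An added example (not from the bug thread, libvirt or nova) that performs the two checks requested above on constructed sample input: it classifies the logfile of each -chardev on a qemu command line as fd-passed (/dev/fdset/N, opened by libvirtd) or a direct path, and parses apparmor="DENIED" lines from dmesg into their audit fields, rendering the per-guest file rule such a denial implies. The guest UUID, pid and the denied_mask-to-permission mapping are assumptions.

```python
import re

# Constructed sample: the qemu console arguments quoted in the message above.
SAMPLE_QEMU_ARGS = ("-add-fd set=1,fd=28 -chardev pty,id=charserial0,logfile=/dev/fdset/1,"
                    "logappend=on -device isa-serial,chardev=charserial0,id=serial0")

# Constructed sample dmesg output with a placeholder guest UUID and pid (not from the report).
SAMPLE_DMESG = """\
[ 1234.567890] audit: type=1400 audit(1524473215.123:456): apparmor="DENIED" operation="open" \
profile="libvirt-00000000-0000-0000-0000-000000000000" \
name="/var/lib/nova/instances/00000000-0000-0000-0000-000000000000/console.log" \
pid=4242 comm="qemu-system-x86" requested_mask="wc" denied_mask="wc" fsuid=64055 ouid=64055
[ 1234.600000] audit: type=1400 audit(1524473215.200:457): apparmor="STATUS" operation="profile_load"
"""

def chardev_log_targets(cmdline):
    """One dict per -chardev: its id, logfile, and whether the log is fd-passed
    (libvirtd opens it, so the guest profile needs no rule for the path)."""
    argv = cmdline.split()
    out = []
    for i, tok in enumerate(argv[:-1]):
        if tok != "-chardev":
            continue
        # first comma-separated item is the backend (pty, file, ...); the rest are key=value
        opts = dict(kv.split("=", 1) for kv in argv[i + 1].split(",")[1:] if "=" in kv)
        logfile = opts.get("logfile")
        out.append({"id": opts.get("id"), "logfile": logfile,
                    "fd_passed": bool(logfile and logfile.startswith("/dev/fdset/"))})
    return out

AA_FIELD = re.compile(r'(\w+)=("([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_apparmor_denials(dmesg_text):
    """Extract apparmor="DENIED" lines into dicts keyed by their audit fields."""
    denials = []
    for line in dmesg_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        denials.append({m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
                        for m in AA_FIELD.finditer(line)})
    return denials

# Assumed mapping from denied_mask letters to AppArmor file permissions; create ('c')
# is covered by write permission in a rule.
MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "k": "k", "l": "l", "m": "m"}

def suggested_rule(denial):
    """Render the per-guest file rule a libvirt-<uuid> profile denial asks for."""
    if not denial.get("profile", "").startswith("libvirt-") or "name" not in denial:
        return None
    perms = "".join(sorted({MASK_TO_PERM[c] for c in denial.get("denied_mask", "") if c in MASK_TO_PERM}))
    return '"%s" %s,' % (denial["name"], perms)
```

Run it against the real values by feeding it the content of /proc/<qemu pid>/cmdline (NUL bytes replaced by spaces) and the output of dmesg.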
Title:
missing entry at apparmor profile for nova instances
Status in Ubuntu Cloud Archive:
New
Status in libvirt package in Ubuntu:
Incomplete
Bug description:
My nova instances can't start, because there is no access to
/var/lib/nova/instances/b952cef8-7a7a-4d45-a7a9-e4b15b2aae5c/console.log
The apparmor profile is created at
/etc/apparmor.d/libvirt/libvirt-f146b809-e393-48c9-b325-5c2ae6c20e39.files,
but in this profile an entry for console.log is missing.
The apparmor profile says: "# DO NOT EDIT THIS FILE DIRECTLY. IT IS
MANAGED BY LIBVIRT." I have no idea how to configure libvirt to
expand the profile.
I'm working on
Ubuntu 16.04,
libvirtd (libvirt) 3.6.0
nova 9.1.0
apparmor 2.10.95