Unable to import new qcow2 image into Glance

Bug #1980993 reported by Jason C. Nucciarone
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| MicroStack | In Progress | Undecided | Unassigned | |

Bug Description

# Microstack installation command

Here is how I installed microstack on my system:

$ sudo snap install microstack --beta

Since I did not pass the --devmode flag, microstack is running in strict confinement.

# The issue

When trying to import a new Ubuntu cloud image into Glance, I am receiving permission denied errors when trying to read in the image:

$ microstack.openstack image create --public --container-format bare --disk-format qcow2 --file focal-server-cloudimg-amd64-disk-kvm.img focal-amd64

Reading the resulting stacktrace (in logs.tar.gz), it looks like OpenStack does not have permission to read the file.

# Probable cause and potential solution

Looking at the output of `sudo dmesg | grep 'apparmor="DENIED"'`, I can see a bunch of denials by apparmor when trying to connect to various services on the system such as libvirtd, systemctl, and my image file located in documents. Building off of my prior experience with snap, I believe the issue is that the confined snap (--devmode not enabled) lacks the required interfaces necessary to access the system files it needs. Here are the current interfaces enabled on the confined snap:

$ snap connections microstack
Interface              Plug                              Slot                    Notes
block-devices          microstack:block-devices          :block-devices          -
firewall-control       microstack:firewall-control       :firewall-control       -
hardware-observe       microstack:hardware-observe       :hardware-observe       -
hugepages-control      microstack:hugepages-control      :hugepages-control      -
kernel-module-observe  microstack:kernel-module-observe  :kernel-module-observe  -
kvm                    microstack:kvm                    :kvm                    -
libvirt                microstack:libvirt                :libvirt                -
log-observe            microstack:log-observe            :log-observe            -
microstack-support     microstack:microstack-support     :microstack-support     -
mount-observe          microstack:mount-observe          :mount-observe          -
netlink-audit          microstack:netlink-audit          :netlink-audit          -
netlink-connector      microstack:netlink-connector      -                       -
network                microstack:network                :network                -
network-bind           microstack:network-bind           :network-bind           -
network-control        microstack:network-control        :network-control        -
network-observe        microstack:network-observe        -                       -
opengl                 microstack:opengl                 :opengl                 -
openvswitch-support    microstack:openvswitch-support    :openvswitch-support    -
process-control        microstack:process-control        :process-control        -
raw-usb                microstack:raw-usb                :raw-usb                -
ssh-keys               microstack:ssh-keys               -                       -
system-observe         microstack:system-observe         :system-observe         -
system-trace           microstack:system-trace           :system-trace           -

From the looks of it, I think that if we add the home and system-files interfaces to the snapcraft.yaml file, it should resolve the permission denied error received when trying to import a new image into Glance.
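
Added example, not part of the original report or of MicroStack's code: a short Python script that groups AppArmor denials like those described above by snap profile and separates paths under a user's home directory from everything else, which helps judge whether an interface such as home could cover them. The sample log lines, the nova-compute profile name and the /home/<user> layout are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the kernel audit format printed by
# `sudo dmesg | grep 'apparmor="DENIED"'`; paths, pids, timestamps and the
# nova-compute profile name are made up for illustration.
SAMPLE_DMESG = """\
[ 812.101] audit: type=1400 audit(1657000000.101:201): apparmor="DENIED" operation="open" profile="snap.microstack.openstack" name="/home/user/Documents/focal-server-cloudimg-amd64-disk-kvm.img" pid=4242 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 812.340] audit: type=1400 audit(1657000000.340:202): apparmor="DENIED" operation="connect" profile="snap.microstack.nova-compute" name="/run/libvirt/libvirt-sock" pid=4300 comm="nova-compute" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[ 813.002] audit: type=1400 audit(1657000001.002:203): apparmor="DENIED" operation="open" profile="snap.microstack.openstack" name="/home/user/.config/openstack/clouds.yaml" pid=4242 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 813.500] audit: type=1400 audit(1657000001.500:204): apparmor="ALLOWED" operation="open" profile="snap.microstack.openstack" name="/etc/hosts" pid=4242 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
HOME = re.compile(r"^/home/[^/]+/([^/]+)")         # assumes homes live in /home


def parse_denials(text):
    """Yield (profile, path, denied_mask) for every DENIED audit record."""
    for line in text.splitlines():
        f = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
        if f.get("apparmor") == "DENIED" and "name" in f:
            yield f.get("profile", "?"), f["name"], f.get("denied_mask", "")


def classify(path):
    """Bucket a path: the home interface covers only non-hidden files in $HOME."""
    m = HOME.match(path)
    if not m:
        return "other"        # needs another interface or explicit paths
    return "home-hidden" if m.group(1).startswith(".") else "home"


def summarize(text):
    """Return {profile: {bucket: sorted [(path, denied_mask), ...]}}."""
    out = defaultdict(lambda: defaultdict(set))
    for profile, path, mask in parse_denials(text):
        out[profile][classify(path)].add((path, mask))
    return {p: {b: sorted(v) for b, v in buckets.items()} for p, buckets in out.items()}


if __name__ == "__main__":
    for profile, buckets in summarize(SAMPLE_DMESG).items():
        for bucket, hits in buckets.items():
            for path, mask in hits:
                print(f"{profile:32} {bucket:12} {mask:3} {path}")
```

Denials that land in the "other" bucket are the ones to review path by path before widening the snap's plugs, since an interface with explicit paths grants exactly what is listed.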

Jason C. Nucciarone (nuccitheboss) wrote:

Adding --devmode fixes the permission denied error, so I am pretty certain that it is an issue with a missing interface in strict confinement.

Changed in microstack:
status: New → In Progress