Charm sets up rbd cache in a way that doesn't allow libvirt to access the admin socket
Bug #1779676 reported by Tilman Baumann
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Cinder-Ceph charm | Invalid | Undecided | Unassigned | |
| OpenStack Nova Compute Charm | Fix Released | Low | Unassigned | |
Bug Description
The charm sets up rbd cache with hard-coded values and file permissions that don't work with libvirt and AppArmor
https:/
The admin socket file is not accessible to libvirt via AppArmor. There is a bug for that in libvirt. https:/
The other problem is that qemu libvirt doesn't have access to the directory created in the same code block, as it only belongs to root.
Changed in charm-nova-compute:
status: New → Triaged
importance: Undecided → Low
Changed in charm-nova-compute:
milestone: none → 19.04
Changed in charm-nova-compute:
status: Fix Committed → Fix Released
There is the possibility that this causes rbd cache not to work. But it's likely just the admin socket that fails.
May 23 10:06:38 var0tf1a-cmp3s40d2yl-hr nova-compute: 2018-05-23 10:06:38.972 55598 WARNING nova.compute.manager [req-40e3686c-d70b-4d0b-8e65-9b6ec1847903 - - - - -] [instance: c364f41a-a2df-40e5-be43-1e47dd4e4fd7] Instance shutdown by itself. Calling the stop API. Current vm_state: active, current task_state: None, original DB power_state: 1, current VM power_state: 4
May 23 10:06:46 var0tf1a-cmp3s40d2yl-hr /usr/share/filebeat/bin/filebeat[10378]: log.go:91: Harvester started for file: /var/log/upstart/nova-compute.log
May 23 10:06:46 var0tf1a-cmp3s40d2yl-hr /usr/share/filebeat/bin/filebeat[10378]: log.go:91: Harvester started for file: /var/log/nova/nova-compute.log
May 23 10:06:50 var0tf1a-cmp3s40d2yl-hr kernel: [10110228.305439] audit: type=1400 audit(1527070010.408:172758): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-c364f41a-a2df-40e5-be43-1e47dd4e4fd7" pid=24777 comm="apparmor_parser"
May 23 10:06:50 var0tf1a-cmp3s40d2yl-hr kernel: [10110228.305762] audit: type=1400 audit(1527070010.408:172759): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-c364f41a-a2df-40e5-be43-1e47dd4e4fd7//qemu_bridge_helper" pid=24777 comm="apparmor_parser"
May 23 10:06:50 var0tf1a-cmp3s40d2yl-hr qemu-system-x86_64: 2018-05-23 10:06:50.530151 7f5c1da45ac0 -1 asok(0x561ffd079ee0) AdminSocketConfigObs::init: failed: AdminSocket::bind_and_listen: failed to bind the UNIX domain socket to '/var/run/ceph/rbd-client-24780.asok': (13) Permission denied
May 23 10:06:50 var0tf1a-cmp3s40d2yl-hr kernel: [10110228.421988] audit: type=1400 audit(1527070010.524:172760): apparmor="DENIED" operation="mknod" profile="libvirt-c364f41a-a2df-40e5-be43-1e47dd4e4fd7" name="/run/ceph/rbd-client-24780.asok" pid=24780 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=64055 ouid=64055
May 23 10:06:50 var0tf1a-cmp3s40d2yl-hr qemu-system-x86_64: 2018-05-23 10:06:50.531159 7f5c1da45ac0 -1 auth: unable to find a keyring on /etc/ceph/ceph.client.nova-compute-ext.keyring: (13) Permission denied
Needs confirmation. Not sure how to test...
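A triage sketch for the log above, added here as an example and not part of the original report or the charm: it pairs each Ceph admin-socket bind failure with the AppArmor denial recorded for the same path. The function names are hypothetical, the sample lines are copied from the comment's log with the hostname shortened to `host`, and the `/var/run` to `/run` mapping is an assumption about the host's symlink layout.

```python
import re

# Sample lines copied from the log in the comment above (hostname shortened to "host").
SAMPLE_LOG = """\
May 23 10:06:50 host kernel: [10110228.305439] audit: type=1400 audit(1527070010.408:172758): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-c364f41a-a2df-40e5-be43-1e47dd4e4fd7" pid=24777 comm="apparmor_parser"
May 23 10:06:50 host qemu-system-x86_64: 2018-05-23 10:06:50.530151 7f5c1da45ac0 -1 asok(0x561ffd079ee0) AdminSocketConfigObs::init: failed: AdminSocket::bind_and_listen: failed to bind the UNIX domain socket to '/var/run/ceph/rbd-client-24780.asok': (13) Permission denied
May 23 10:06:50 host kernel: [10110228.421988] audit: type=1400 audit(1527070010.524:172760): apparmor="DENIED" operation="mknod" profile="libvirt-c364f41a-a2df-40e5-be43-1e47dd4e4fd7" name="/run/ceph/rbd-client-24780.asok" pid=24780 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=64055 ouid=64055
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value" audit fields
ASOK_FAIL = re.compile(
    r"failed to bind the UNIX domain socket to '([^']+)': \(13\) Permission denied")
GUEST_PROFILE = re.compile(r"^libvirt-([0-9a-f-]{36})$")  # per-guest profile name


def normalize(path):
    # Assumption: /var/run is a symlink to /run, so AppArmor logs the /run form
    # while Ceph logs the path exactly as configured.
    return re.sub(r"^/var/run/", "/run/", path)


def libvirt_denials(log):
    """Yield AppArmor DENIED records raised under a per-guest libvirt profile."""
    for line in log.splitlines():
        f = {k: v.strip('"') for k, v in KV.findall(line)}
        m = GUEST_PROFILE.match(f.get("profile", ""))
        if f.get("apparmor") == "DENIED" and m:
            yield {"instance": m.group(1), "operation": f["operation"],
                   "path": f["name"], "mask": f.get("denied_mask"),
                   "pid": int(f["pid"])}


def explain_asok_failures(log):
    """Pair each Ceph admin-socket bind failure with the denial for that path."""
    denied = {normalize(d["path"]): d for d in libvirt_denials(log)}
    return [(p, denied.get(normalize(p))) for p in ASOK_FAIL.findall(log)]


if __name__ == "__main__":
    for path, d in explain_asok_failures(SAMPLE_LOG):
        cause = (f"AppArmor {d['operation']} denial, instance {d['instance']}"
                 if d else "no AppArmor denial logged; check directory owner/mode")
        print(f"{path}: {cause}")
```

A bind failure with no matching denial points at the second problem in the description, the root-owned directory, rather than the AppArmor profile.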