AppArmor denies libvirt to use the virtual functions allocated by nova
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Nova Compute Charm | Invalid | High | Unassigned | |
Bug Description
When deploying nova-compute and neutron-openvswitch with the following configuration:
nova-compute-kvm:
charm: cs:nova-compute
num_units: 1
bindings:
"": *oam-space
internal: *internal-space
options:
openstack
enable-
enable-
migration
use-
libvirt-
restrict-
aa-
virt-type: kvm
pci-
to:
- 1
neutron-
charm: cs:neutron-
num_units: 0
bindings:
data: *overlay-space
options:
bridge-
prevent-
firewall-
enable-
data-port: *data-port
enable-sriov: True
sriov-
sriov-numvfs: "eth0:8"
And trying to create an instance with the following commands:
openstack network create --provider-
openstack subnet create --network sriov --subnet-range 192.168.1.0/24 sriov-subnet
openstack port create --vnic-type direct --network sriov sriov-port
openstack server create --port sriov-port --image bionic --flavor m1.small test-sriov
Nova-compute, on the host where the instance is supposed to be deployed, fails because AppArmor denies libvirt the use of the virtual functions.
The work-around is to disable AppArmor:
juju config nova-compute-kvm aa-profile-
Changed in charm-nova-compute: milestone: 19.07 → 19.10
Changed in charm-nova-compute: milestone: 19.10 → 20.01
Changed in charm-nova-compute: status: New → Triaged
Changed in charm-nova-compute: importance: Critical → High
Changed in charm-nova-compute: milestone: 20.01 → 20.05
Changed in charm-nova-compute: assignee: nobody → Liam Young (gnuoy)
Changed in charm-nova-compute: milestone: 20.05 → 20.08
Nicolas,
I have marked this as critical as I think this is an important bug. However, we could use more information and logs to help the investigation.
Can you please provide a juju crashdump or at least pertinent logs that show exactly where the failure occurs? A bundle would also be helpful.
What version of Ubuntu and OpenStack did you see this on?
PRE-TRIAGE:
We have some investigation to do for SR-IOV and AppArmor profiles.
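
One way to collect the pertinent AppArmor records from a compute host's kernel log when gathering the information requested above. This is an added example, not part of the bug report or the charm; the sample lines are constructed, and the profile names, paths and the `libvirt|nova` filter are assumptions to adjust for the host in question.

```python
import re
from collections import Counter

# Constructed kernel-log lines in the AppArmor audit format. They are NOT
# logs from this bug; profile names and paths are placeholders.
SAMPLE_LOG = '''\
kernel: audit: type=1400 audit(1561543262.100:201): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-4000-8000-000000000001" name="/dev/vfio/42" pid=2101 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0
kernel: audit: type=1400 audit(1561543263.200:202): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-4000-8000-000000000001" name="/dev/vfio/42" pid=2101 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0
kernel: audit: type=1400 audit(1561543264.300:203): apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute" name="/sys/class/net/eth0/device/sriov_numvfs" pid=1800 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
kernel: audit: type=1400 audit(1561543265.400:204): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/paperspecs" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# key="quoted value" or key=bare_value pairs, as emitted by the audit subsystem.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text, profile_filter=r"libvirt|nova"):
    """Return the fields of each DENIED record whose profile matches the filter.

    profile_filter is an assumption about local profile naming; adjust it to
    the profiles actually loaded on the host (see `aa-status`).
    """
    wanted = re.compile(profile_filter)
    records = []
    for line in text.splitlines():
        fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in FIELD.finditer(line)}
        # ALLOWED records come from complain-mode profiles and block nothing.
        if fields.get("apparmor") != "DENIED":
            continue
        if wanted.search(fields.get("profile", "")):
            records.append(fields)
    return records

def summarize(records):
    """Count denials per (profile, operation, path, denied_mask)."""
    return Counter((r.get("profile"), r.get("operation"), r.get("name"),
                    r.get("denied_mask")) for r in records)

if __name__ == "__main__":
    for key, count in summarize(parse_denials(SAMPLE_LOG)).most_common():
        print(count, *key)
```

The grouped output shows which profile blocked which path and with what mask, which is the detail needed to decide whether a profile rule is missing or the access should stay denied.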