If the charm-nova-compute has the aa-profile-mode set to "enforce" and the package gir1.2-libosinfo-1.0 is installed in the nova-compute node, then VM creation fails with the following errors:
2023-02-14 11:54:31.094 3490324 ERROR nova.compute.manager [req-d8c21949-4edb-4ae8-859e-bdc407402446 919173c1ba5b04004ac4c467c678e6e842b90f5206a224168ba0d3d83c398dfb fd686745c7724189bb02e5f62020a1b2 - 7078ee187a1c42c2a798707b9ca4cd68 7078ee187a1c42c2a798707b9ca4cd68] [instance: ae35c62d-3f91-4e76-8274-9a7893b9627d] Failure prepping block device: gi.repository.GLib.GError: g-io-error-quark: Error opening directory '/usr/share/osinfo': Permission denied (14)
2023-02-14 11:54:39.637 3490324 ERROR nova.compute.manager [req-d8c21949-4edb-4ae8-859e-bdc407402446 919173c1ba5b04004ac4c467c678e6e842b90f5206a224168ba0d3d83c398dfb fd686745c7724189bb02e5f62020a1b2 - 7078ee187a1c42c2a798707b9ca4cd68 7078ee187a1c42c2a798707b9ca4cd68] [instance: ae35c62d-3f91-4e76-8274-9a7893b9627d] Build of instance ae35c62d-3f91-4e76-8274-9a7893b9627d aborted: Failure prepping block device.: nova.exception.BuildAbortException: Build of instance ae35c62d-3f91-4e76-8274-9a7893b9627d aborted: Failure prepping block device.
In syslog:
Feb 14 13:38:21 node08 kernel: [8429548.493837] audit: type=1400 audit(1676381901.354:59854): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/usr/share/osinfo/" pid=3490324 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
This is due to the code path [1] in Nova that performs extra operations to detect OS-related stuff, if the package gir1.2-libosinfo-1.0 is installed. Considering this is a Nova feature, the feature should be supported in the charm as well with an AppArmor rule that allows osinfo to run and detect the OS features.
[1] https://github.com/openstack/nova/blob/master/nova/virt/osinfo.py#L41
Apparently the only rules that need to be added to /etc/apparmor.d/usr.bin.nova-compute for it to work are
/usr/share/osinfo/{,**} r,
/usr/share/misc/pci.ids r,
/var/lib/usbutils/usb.ids r,
(add them below "/usr/share/qemu/firmware/{,**} r,")
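An added example, not part of the original report or of the charm's code: a small checker that parses AppArmor DENIED audit records like the syslog line above and tests whether a list of profile file rules would permit each denied access. The function names are hypothetical, the glob handling is a simplified subset of AppArmor path globbing (`**`, `*`, `?`, `{a,b}`), and the rule lists are taken from the comment above.

```python
import re

# Fields of the kernel audit record, in the order shown in the syslog excerpt.
DENIED = re.compile(r'apparmor="DENIED".*?profile="(?P<profile>[^"]+)"'
                    r'.*?name="(?P<name>[^"]+)".*?denied_mask="(?P<mask>[^"]+)"')

def parse_denials(lines, profile):
    """Return (path, denied_mask) for each DENIED record of `profile`."""
    hits = (DENIED.search(line) for line in lines)
    return [(m["name"], m["mask"]) for m in hits if m and m["profile"] == profile]

def glob_to_regex(glob):
    """Translate a subset of AppArmor globbing: ** * ? {a,b} (assumption: no escapes)."""
    rx, depth, i = "", 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            rx += ".*"; i += 1          # ** crosses directory separators
        elif c == "*":
            rx += "[^/]*"               # * stays within one path component
        elif c == "?":
            rx += "[^/]"
        elif c == "{":
            rx += "(?:"; depth += 1
        elif c == "}" and depth:
            rx += ")"; depth -= 1
        elif c == "," and depth:
            rx += "|"                   # alternation inside braces
        else:
            rx += re.escape(c)
        i += 1
    return re.compile(rx + r"\Z")

def is_allowed(path, mask, rules):
    """True if one 'glob perms,' rule matches `path` and grants all of `mask`."""
    for rule in rules:
        glob, perms = rule.strip().rstrip(",").rsplit(None, 1)
        if glob_to_regex(glob).match(path) and set(mask) <= set(perms):
            return True
    return False

def uncovered(lines, profile, rules):
    """Denied accesses that `rules` would still not permit."""
    return [d for d in parse_denials(lines, profile) if not is_allowed(*d, rules)]

# Audit record copied from the report; rule lists as read from the comment.
SAMPLE = ['kernel: audit: type=1400 apparmor="DENIED" operation="open" '
          'profile="/usr/bin/nova-compute" name="/usr/share/osinfo/" pid=3490324 '
          'comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0']
BEFORE = ["/usr/share/qemu/firmware/{,**} r,"]
AFTER = BEFORE + ["/usr/share/osinfo/{,**} r,", "/usr/share/misc/pci.ids r,",
                  "/var/lib/usbutils/usb.ids r,"]
```

Running `uncovered()` over fresh denials after a profile change shows which accesses still need a rule, without widening the profile beyond the paths actually requested.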