UEFI - Forbid access to /usr/share/OVMF/OVMF_CODE.fd
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Won't Fix | Undecided | Unassigned |
Bug Description
Libvirt uses AppArmor for security in some distributions such as Ubuntu.
The AppArmor profile is generated by virt-aa-helper.
If users want to boot with UEFI, they need to specify the UEFI loader path.
But currently nova will only access /usr/share/
However, libvirt forbade access to /usr/share before the following patch.
https:/
The patch has been merged since libvirt 1.2.19.
The default package for older OS releases such as Ubuntu trusty doesn't include the patch yet.
Therefore those VMs fail to be created, with the following logs.
These logs occurred in the compute log:
libvirtError: internal error: cannot load AppArmor profile 'libvirt-
These logs occurred in the libvirtd log:
2016-04-25 06:49:42.902+0000: 26078: error : virCommandWait:2532 : internal error: Child process (/usr/lib/
virt-aa-helper: error: skipped restricted file
virt-aa-helper: error: invalid VM definition
Maybe we should add a UEFI option for the UEFI loader path instead of the static code in the following link.
https:/
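As an added illustration (not code from nova, libvirt or this bug report), the following Python script scans compute and libvirtd log lines for the virt-aa-helper signature quoted above and checks the installed libvirt version against the 1.2.19 threshold the report names. The sample log text, the profile name and the version strings are constructed for the example; the version comparison encodes the report's statement and is not a libvirt or nova API.

```python
"""Diagnose a UEFI loader rejected by virt-aa-helper's AppArmor profile generation.

Added example for this bug report; not nova or libvirt code. It looks for the
log signature quoted in the report and compares the libvirt version against
1.2.19, the release the report names as the first to allow a loader under
/usr/share.
"""
import re

# The report states that virt-aa-helper only allows a loader under /usr/share
# from libvirt 1.2.19 onwards; older builds reject it as a restricted file.
LIBVIRT_ALLOWS_USR_SHARE_LOADER = (1, 2, 19)

# Signatures virt-aa-helper emits when profile generation refuses a path.
RESTRICTED_FILE_RE = re.compile(r"virt-aa-helper: error: skipped restricted file")
INVALID_VM_RE = re.compile(r"virt-aa-helper: error: invalid VM definition")
PROFILE_LOAD_RE = re.compile(r"cannot load AppArmor profile '(?P<profile>[^']*)'")

# Constructed sample log lines modelled on the report (profile UUID is a placeholder).
COMPUTE_LOG = (
    "libvirtError: internal error: cannot load AppArmor profile "
    "'libvirt-00000000-1111-2222-3333-444444444444'\n"
)
LIBVIRTD_LOG = (
    "2016-04-25 06:49:42.902+0000: 26078: error : virCommandWait:2532 : "
    "internal error: Child process (virt-aa-helper) unexpected exit status 1\n"
    "virt-aa-helper: error: skipped restricted file\n"
    "virt-aa-helper: error: invalid VM definition\n"
)


def parse_version(text):
    """Turn '1.2.19' (or a line containing it) into a comparable tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(part) for part in m.groups())


def libvirt_allows_usr_share_loader(version):
    """True if libvirt is new enough for a /usr/share loader to pass virt-aa-helper."""
    return parse_version(version) >= LIBVIRT_ALLOWS_USR_SHARE_LOADER


def scan_logs(compute_log, libvirtd_log):
    """Collect the evidence from both logs: profile name and which errors appeared."""
    found = {"profile": None, "restricted_file": False, "invalid_vm": False}
    for line in compute_log.splitlines():
        m = PROFILE_LOAD_RE.search(line)
        if m:
            found["profile"] = m.group("profile")
    for line in libvirtd_log.splitlines():
        if RESTRICTED_FILE_RE.search(line):
            found["restricted_file"] = True
        if INVALID_VM_RE.search(line):
            found["invalid_vm"] = True
    return found


def diagnose(compute_log, libvirtd_log, libvirt_version):
    """Map the log evidence plus the libvirt version to a short diagnosis label."""
    found = scan_logs(compute_log, libvirtd_log)
    if not (found["restricted_file"] and found["invalid_vm"]):
        return "no-apparmor-restriction-seen"
    if libvirt_allows_usr_share_loader(libvirt_version):
        # A libvirt that already allows /usr/share should not reject the loader;
        # the restricted path is then something other than the OVMF firmware.
        return "restricted-file-on-new-libvirt"
    return "loader-blocked-by-old-virt-aa-helper"


if __name__ == "__main__":
    # "1.2.2" stands in for an older 1.2.x build (constructed value).
    print(diagnose(COMPUTE_LOG, LIBVIRTD_LOG, "1.2.2"))
    print(scan_logs(COMPUTE_LOG, LIBVIRTD_LOG)["profile"])
```

On a host where the diagnosis is `loader-blocked-by-old-virt-aa-helper`, the failure is the one this report describes: the hardcoded loader path is rejected by the distribution's virt-aa-helper rather than by a nova-side misconfiguration.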
Changed in nova:
assignee: nobody → Chung Chih, Hung (lyanchih)
description: updated
Fix proposed to branch: master
Review: https://review.openstack.org/309930