attaching rbd fails because apparmor forbids access to ceph.conf
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Fix Released | Medium | Serge Hallyn |
Precise | Fix Released | Medium | Unassigned |
Bug Description
=======
SRU Justification:
1. Impact: ceph volumes cannot be used in libvirt-qemu
2. Development fix: update apparmor policy to allow qemu under libvirt access to ceph.conf
3. Stable fix: same as development fix
4. Test case: see comment #4
5. Regression potential: if ceph.conf was deemed to have sensitive information, qemu under libvirt could now read that. No functionality regression should result from simply allowing read access to a configuration file.
=======
I've been doing a little work with OpenStack, using Ceph as a backend for nova-volume.
When I attempt to attach an RBD volume to a running instance, it fails (with some delightfully unhelpful errors on the nova side). The following is logged in the instance's libvirt log file:
unable to find any monitors in conf. please specify monitors via -m monaddr or -c ceph.conf
and in dmesg we find:
type=1400 audit(134265668
Adding the following to /etc/apparmor.
=== modified file 'apparmor.
--- apparmor.
+++ apparmor.
@@ -123,3 +123,6 @@
/etc/pki/CA/* r,
/etc/
/etc/
+
+ # for rbd
+ /etc/ceph/ceph.conf r,
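Review bot: the added rule `/etc/ceph/ceph.conf r,` is not limited to guests that have an rbd disk; per the SRU text it applies to qemu under libvirt generally, so the `# for rbd` comment should say that every confined guest gains read access and that the file must therefore not hold secrets, which is the regression risk the SRU justification itself names. The rule also matches only that exact path, so a Ceph configuration stored under another name or directory would still be denied; if that is intended, say so in the comment.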
summary: attaching rbd fails because apparmor forbids access to ceph.conf, etc. → attaching rbd fails because apparmor forbids access to ceph.conf
Changed in libvirt (Ubuntu):
assignee: nobody → Serge Hallyn (serge-hallyn)
description: updated
Changed in libvirt (Ubuntu Precise):
status: Triaged → In Progress
Changed in libvirt (Ubuntu Precise):
milestone: precise-updates → ubuntu-12.04.1
Hi Paul
Makes sense - I can see why this blocks.
Marking Triaged - this does not really need Confirmation.
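
The denial described in the bug description shows up as `type=1400` audit records. As an added example (not part of the bug report or of the libvirt package), this Python parses such records and lists, per profile, the smallest rule each denial would need, so a reviewer can compare it with the `/etc/ceph/ceph.conf r,` line in the patch. The sample log lines, the profile names and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (the dmesg excerpt on the page is truncated);
# profile names, pids and audit serials are invented for illustration.
SAMPLE_LOG = """\
type=1400 audit(1342656688.101:51): apparmor="DENIED" operation="open" profile="libvirt-guest-a" name="/etc/ceph/ceph.conf" pid=4242 comm="kvm" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
type=1400 audit(1342656688.350:52): apparmor="DENIED" operation="open" profile="libvirt-guest-a" name="/etc/ceph/ceph.conf" pid=4242 comm="kvm" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
type=1400 audit(1342656690.000:53): apparmor="ALLOWED" operation="open" profile="complain-mode-profile" name="/etc/hosts" pid=4300 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=1400 audit(1342656691.500:54): apparmor="DENIED" operation="open" profile="libvirt-guest-b" name=2F746D702F6120622E6C6F67 pid=4400 comm="kvm" requested_mask="wc" denied_mask="wc" fsuid=107 ouid=107
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log mask letters -> policy permission; create (c) and delete (d) fall under w.
MASK_TO_PERM = {"c": "w", "d": "w"}

def parse_denials(log_text):
    """Map (profile, path) -> set of policy permissions AppArmor denied."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        fields = {k: (q, bare) for k, q, bare in FIELD.findall(line)}
        if fields.get("apparmor", ("", ""))[0] != "DENIED" or "name" not in fields:
            continue  # skip complain-mode (ALLOWED) and non-file records
        quoted, bare = fields["name"]
        # The audit layer hex-encodes names containing spaces or control bytes
        # and logs them unquoted; decode so the real path is what gets reviewed.
        if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            path = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            path = quoted or bare
        profile = fields.get("profile", ("?", ""))[0]
        for letter in fields.get("denied_mask", ("", ""))[0]:
            denials[(profile, path)].add(MASK_TO_PERM.get(letter, letter))
    return dict(denials)

def candidate_rules(denials):
    """Render one reviewable rule per denied path, with the smallest mask."""
    rules = []
    for (profile, path), perms in sorted(denials.items()):
        shown = f'"{path}"' if " " in path else path  # quote paths with spaces
        rules.append(f"{profile}: {shown} {''.join(sorted(perms))},")
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(parse_denials(SAMPLE_LOG)):
        print(rule)
```

Repeated denials for the same profile and path collapse into one entry, and the output is meant as input to a policy review rather than something to paste into a profile unread.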