I've been doing a little work with OpenStack, using Ceph as a backend for nova-volume.
When I attempt to attach an RBD volume to a running instance, it fails (with some delightfully unhelpful errors on the nova side). The following is logged in the instance's libvirt log file:
unable to find any monitors in conf. please specify monitors via -m monaddr or -c ceph.conf
and in dmesg we find
type=1400 audit(1342656681.070:52): apparmor="DENIED" operation="open" parent=1 profile="libvirt-732fc0e8-5a8b-46d0-9689-f0c3e8f619f2" name="/etc/ceph/ceph.conf" pid=27601 comm="kvm" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
Adding the following to /etc/apparmor.d/abstractions/libvirt-qemu seems to be sufficient, at least for my no-cephx (i.e., no authentication and therefore no key material) testing environment. For a cephx environment things are more complex, because a keyring file will also need to be read by the qemu process.
=== modified file 'apparmor. d/abstractions/ libvirt- qemu' d/abstractions/ libvirt- qemu 2012-07-18 23:37:13 +0000 d/abstractions/ libvirt- qemu 2012-07-19 00:10:18 +0000 pki/libvirt/ r, pki/libvirt/ ** r,
--- apparmor.
+++ apparmor.
@@ -123,3 +123,6 @@
/etc/pki/CA/* r,
/etc/
/etc/
+
+ # for rbd
+ /etc/ceph/ceph.conf r,
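Review bot: The `/etc/ceph/ceph.conf r,` rule added at the end of the abstraction grants the read to every guest profile that includes libvirt-qemu, not only to guests with an RBD disk attached, and the `# for rbd` comment does not say that it covers the no-cephx case only. Suggest expanding the comment to state that cephx setups will additionally need a rule for the keyring file, and consider whether the rule belongs in the per-guest profile rather than in the shared abstraction.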
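The dmesg record quoted in the report already names the exact path and permission that were refused. The following is an added example, not part of the original report or of libvirt or AppArmor: it parses such records and lists each denied path with its mask, so any rule granted can be kept as narrow as the denial. The first sample record is the one from the report; the other two, including the keyring path, are constructed.

```python
import re
from collections import defaultdict

# First record: the denial quoted in the report.
# Second and third records: constructed for this example (keyring path is hypothetical).
SAMPLE_LOG = """\
type=1400 audit(1342656681.070:52): apparmor="DENIED" operation="open" parent=1 profile="libvirt-732fc0e8-5a8b-46d0-9689-f0c3e8f619f2" name="/etc/ceph/ceph.conf" pid=27601 comm="kvm" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
type=1400 audit(1342656690.120:53): apparmor="DENIED" operation="open" parent=1 profile="libvirt-732fc0e8-5a8b-46d0-9689-f0c3e8f619f2" name="/etc/ceph/keyring" pid=27601 comm="kvm" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
type=1400 audit(1342656700.000:54): apparmor="STATUS" operation="profile_replace" name="libvirt-732fc0e8-5a8b-46d0-9689-f0c3e8f619f2" pid=27650 comm="apparmor_parser"
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the key=value fields of one audit record as a dict."""
    return {key: quoted if quoted else bare
            for key, quoted, bare in FIELD.findall(line)}


def denied_files(log_text):
    """Map (profile, path) to the sorted set of denied permission letters."""
    masks = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        # Skip STATUS/ALLOWED records and denials that carry no file name.
        if rec.get("apparmor") != "DENIED" or "name" not in rec:
            continue
        key = (rec.get("profile", "?"), rec["name"])
        masks[key].update(rec.get("denied_mask", ""))
    return {key: "".join(sorted(m)) for key, m in masks.items()}


def candidate_rules(log_text):
    """Render each denial as an exact-path rule line for a human to review."""
    return sorted({f"{path} {mask},"
                   for (_profile, path), mask in denied_files(log_text).items()})


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG):
        print(rule)
```

The output is a review list, not a profile to load as-is: each line still needs a decision about whether the confined process should have that access at all.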