Comment 0 for bug 1026404

Paul Collins (pjdc) wrote : attaching rbd fails because apparmor forbids access to ceph.conf, etc.

I've been doing a little work with openstack, using ceph as a backend for nova-volume.

When I attempt to attach an RBD volume to a running instance, it fails (with some delightfully unhelpful errors on the nova side). The following is logged in the instance's libvirt log file:

unable to find any monitors in conf. please specify monitors via -m monaddr or -c ceph.conf

and in dmesg we find:

type=1400 audit(1342656681.070:52): apparmor="DENIED" operation="open" parent=1 profile="libvirt-732fc0e8-5a8b-46d0-9689-f0c3e8f619f2" name="/etc/ceph/ceph.conf" pid=27601 comm="kvm" requested_mask="r" denied_mask="r" fsuid=110 ouid=0

Adding the following to /etc/apparmor.d/abstractions/libvirt-qemu seems to be sufficient, at least for my no-cephx (i.e., no authentication and therefore no key material) testing environment. For a cephx environment things are more complex, because a keyring file will also need to be read by the qemu process.

=== modified file 'apparmor.d/abstractions/libvirt-qemu'
--- apparmor.d/abstractions/libvirt-qemu 2012-07-18 23:37:13 +0000
+++ apparmor.d/abstractions/libvirt-qemu 2012-07-19 00:10:18 +0000
@@ -123,3 +123,6 @@
   /etc/pki/CA/* r,
   /etc/pki/libvirt/ r,
   /etc/pki/libvirt/** r,
+
+ # for rbd
+ /etc/ceph/ceph.conf r,
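Review bot: The new "/etc/ceph/ceph.conf r," rule at the end of the hunk sits in the shared abstractions/libvirt-qemu file, so every guest profile that includes this abstraction gains read access to the Ceph configuration, whether or not the guest has an rbd disk. That is tolerable for a read-only rule on a config file without key material, but the "# for rbd" comment should say so explicitly, for example "# for rbd: config only, no key material". A cephx keyring rule should not be added next to it in this shared file; it would be better scoped to the individual guest that actually attaches an rbd volume. Style point: the two added lines are indented with one space, while the surrounding rules such as "/etc/pki/libvirt/** r," use two, so the indentation should be matched.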