Comment 3 for bug 1656254

Tyler Hicks (tyhicks) wrote :

There are several other filesystem locations that the virt-aa-helper profile supports. I just checked Ubuntu 16.04 and the virt-aa-helper profile allows you to set instances-path to a location underneath any of these directories:

/home/*/ (except for hidden directories)
/root/ (except for hidden directories)
/var/lib/nova/instances/_base/
/media/
/mnt/
/opt/
/srv/

There are a few more that I didn't list because they were specific to certain tools.

Is it possible to move your instances-path under one of those directories?

If you can't move your instances-path to one of those locations, there's one other option. The virt-aa-helper profile could be updated to include the following line:

  #include <local/usr.lib.libvirt.virt-aa-helper>

Then the nova-compute charm could drop a rule, granting read access to the custom instances-path, into /etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper. The charm would then need to reload the virt-aa-helper profile.
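The local-override steps described in the comment above, sketched as an added example; it is not part of the original comment and is not nova-compute charm or libvirt code. The function names, the `RELOAD` dry-run hook and the main profile path `/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper` are assumptions; the instances-path is passed in as an argument and is restricted to a conservative character set so it cannot smuggle extra rules or globs into the profile.

```shell
#!/bin/sh
# Added example, not charm or libvirt code. PROFILE is an assumed location;
# LOCAL is the override file named in the comment above.
PROFILE="${PROFILE:-/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper}"
LOCAL="${LOCAL:-/etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper}"

# Print read-only AppArmor rules for a directory tree, or fail on unsafe input.
aa_read_rules() {
    p="${1%/}"                                # drop one trailing slash
    case "$p" in
        /?*) ;;                               # absolute, and not "/" itself
        *) echo "not a usable absolute path: $1" >&2; return 1 ;;
    esac
    case "$p" in
        # Reject globs, spaces, quotes, commas, "//" and ".." components.
        *[!A-Za-z0-9._/-]*|*//*|*/../*|*/..)
            echo "unsafe characters in path: $1" >&2; return 1 ;;
    esac
    printf '%s/ r,\n%s/** r,\n' "$p" "$p"     # the directory, then everything below it
}

# Append the rules to the local override once, then reload the profile.
install_local_rules() {
    rules="$(aa_read_rules "$1")" || return 1
    # Without the include line in the main profile the override is never read.
    grep -qF '<local/usr.lib.libvirt.virt-aa-helper>' "$PROFILE" || {
        echo "profile lacks the local include; rules would be ignored" >&2
        return 1
    }
    mkdir -p "$(dirname "$LOCAL")"
    touch "$LOCAL"
    echo "$rules" | while IFS= read -r line; do
        # Idempotent: only append a rule that is not already present verbatim.
        grep -qxF -- "$line" "$LOCAL" || printf '%s\n' "$line" >> "$LOCAL"
    done
    # RELOAD is a hypothetical hook for dry runs; the default reloads for real.
    ${RELOAD:-apparmor_parser -r} "$PROFILE"
}

# Usage (as root), with a constructed example path:
#   install_local_rules /data/nova/instances
```

The rules grant read access only, matching what the comment proposes, and the include check fails loudly instead of writing an override that the profile would silently ignore.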