There are several other filesystem locations that the virt-aa-helper profile supports. I just checked Ubuntu 16.04 and the virt-aa-helper profile allows you to set instances-path to a location underneath any of these directories:
/home/*/ (except for hidden directories)
/root/ (except for hidden directories)
/var/lib/nova/instances/_base/
/media/
/mnt/
/opt/
/srv/
There are a few more that I didn't list because they were specific to certain tools.
Is it possible to move your instances-path under one of those directories?
If you can't move your instances-path to one of those locations, there's one other option. The virt-aa-helper profile could be updated to include the following line:
#include <local/usr.lib.libvirt.virt-aa-helper>
Then the nova-compute charm could drop a rule, granting read access to the custom instances-path, into /etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper. The charm would then need to reload the virt-aa-helper profile.
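The local-override step described in the comment above, as an added shell sketch (not the nova-compute charm's code and not part of the original comment). The function names and the `/data/nova/instances` sample path are hypothetical; the file paths and the read-only (`r`) permission follow the comment, and `apparmor_parser -r` is the standard profile reload.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not from the charm.
LOCAL_FILE="${LOCAL_FILE:-/etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper}"
PROFILE="${PROFILE:-/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper}"

# Print read-only AppArmor rules for one instances-path, or fail on unsafe input.
render_rules() {
    path=$1
    case $path in
        /*) ;;                                   # must be an absolute path
        *) echo "not absolute: $path" >&2; return 1 ;;
    esac
    case $path in
        # Reject globs, variables, quotes, commas, whitespace: anything that
        # AppArmor could read as rule syntax and widen the grant.
        *[!A-Za-z0-9/._-]*) echo "unsafe characters: $path" >&2; return 1 ;;
        */../*|*/..|*//*)   echo "non-canonical path: $path" >&2; return 1 ;;
    esac
    path=${path%/}                               # normalise trailing slash
    [ -n "$path" ] || { echo "refusing /" >&2; return 1; }
    # Directory itself, then everything beneath it, read access only.
    printf '  %s/ r,\n  %s/** r,\n' "$path" "$path"
}

# Append the rules to the local override file; safe to call repeatedly.
install_rules() {
    rules=$(render_rules "$1") || return 1
    mkdir -p "$(dirname "$LOCAL_FILE")"
    touch "$LOCAL_FILE"
    if ! grep -qxF "  ${1%/}/** r," "$LOCAL_FILE"; then
        printf '%s\n' "$rules" >> "$LOCAL_FILE"
    fi
}

# Reload the profile so the new rules take effect (needs root).
reload_profile() {
    apparmor_parser -r "$PROFILE"
}

# Usage (as root, once the profile contains the #include line):
#   install_rules /data/nova/instances && reload_profile
```

The rules only take effect if the main profile already contains the `#include <local/usr.lib.libvirt.virt-aa-helper>` line; without it the local file is never read.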