OpenStack Compute (nova)

  1. Series newton
  2. Bug #1665698
  3. Comment #0

Comment 0 for bug 1665698

Revision history for this message
Logan V (loganv) wrote :

I have VMs failing to start with 2017-02-17 15:38:44.458 264015 ERROR nova.compute.manager [instance: 0c97ab16-2d30-43fa-b0e4-a064a842b5ed] libvirtError: internal error: process exited while connecting to monitor: 2017-02-17T15:38:43.907222Z qemu-system-x86_64: -netdev tap,ifname=tapf34ef99e-18,id=hostnet0,vhost=on,vhostfd=28: network script /etc/qemu-ifup failed with status 256

Log excerpt:
http://cdn.pasteraw.com/b3tw4cjefomfi3e9k09hvodrfun85z

Seems to be that /etc/qemu-ifup is being blocked by apparmor:
type=AVC msg=audit(1487347189.015:28536): apparmor="DENIED" operation="exec" profile="libvirt-4a03fea7-e966-48e4-80ac-aa138db67243" name="/etc/qemu-ifup" pid=285438 comm="qemu-system-x86" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=PATH msg=audit(1487347189.015:28536): item=0 name="/etc/qemu-ifup" inode=66403 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# cat /etc/apparmor.d/libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243
#
# This profile is for the domain whose UUID matches this file.
#

#include <tunables/global>

profile libvirt-4a03fea7-e966-48e4-80ac-aa138db67243 {
  #include <abstractions/libvirt-qemu>
  #include <libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243.files>

}
root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# cat /etc/apparmor.d/libvirt/libvirt-4a03fea7-e966-48e4-80ac-aa138db67243.files
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/instance-00000008.log" w,
  "/var/lib/libvirt/qemu/domain-instance-00000008/monitor.sock" rw,
  "/var/run/libvirt/**/instance-00000008.pid" rwk,
  "/run/libvirt/**/instance-00000008.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.instance-00000008" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.instance-00000008" rw,
  "/var/lib/nova/instances/4a03fea7-e966-48e4-80ac-aa138db67243/console.log" rw,
  "/var/lib/nova/instances/4a03fea7-e966-48e4-80ac-aa138db67243/console.log" rw,
  # for qemu guest agent channel
  owner "/var/lib/libvirt/qemu/channel/target/domain-instance-00000008/**" rw,
  /dev/vhost-net rw,

root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# dpkg -S libvirt-qemu
libvirt-bin: /etc/apparmor.d/abstractions/libvirt-qemu

root@ubuntu-trusty-5773:/etc/apparmor.d/abstractions# dpkg -l libvirt-bin
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=========================================-=========================-=========================-=======================================================================================
ii libvirt-bin 1.3.1-1ubuntu10.6~cloud0 amd64 programs for the libvirt library

Seeing identical behavior on Xenial
ubuntu@ubuntu-xenial-5165:~$ dpkg -l libvirt-bin
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=========================================-=========================-=========================-=======================================================================================
ii libvirt-bin 1.3.1-1ubuntu10.8 amd64 programs for the libvirt library