qemu config should set security driver to apparmor on ubuntu
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
openstack-ansible | In Progress | Medium | Unassigned | |
Bug Description
By default qemu uses selinux security model/driver. You can see that in /etc/libvirt/
As Ubuntu uses security driver apparmor, this directive should be set to apparmor [2]. This directive can be overridden by OSA users with `qemu_conf_dict: {}` which is documented. Or in ansible playbooks I can see this directive in `roles/
I noticed that during live migration of a VM with a volume attached we received the following error, which was resolved by changing qemu.conf. I didn't repeat the test many times though, but I believe I am right with this.
```
Live Migration failure: unsupported configuration: Unable to find security driver for model apparmor: libvirtError: unsupported configuration: Unable to find security driver for model apparmor
```
[1] #security_driver = "selinux"
[2] security_driver = "apparmor"
[3] https:/
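A check a deployer could run against a compute host's qemu.conf content to confirm the driver is pinned as in [2]. This is an added example, not part of the original report or of openstack-ansible; the function names and sample strings are constructed for illustration, and it also accepts libvirt's list form of the setting.

```python
import re

# Matches an uncommented "security_driver = ..." line in qemu.conf.
_SETTING = re.compile(r'^\s*security_driver\s*=\s*(.+?)\s*$')


def explicit_security_drivers(conf_text):
    """Return the drivers explicitly set in qemu.conf text, or None.

    None means no uncommented security_driver line exists, so libvirt
    falls back to its built-in behaviour instead of a pinned driver.
    """
    drivers = None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out sample such as [1] in the report
        match = _SETTING.match(line)
        if match:
            # Accept both "apparmor" and the list form [ "a", "b" ];
            # the last uncommented assignment wins in this check.
            drivers = re.findall(r'"([^"]*)"', match.group(1))
    return drivers


def check_for_ubuntu(conf_text, expected="apparmor"):
    """Return (ok, message) for a host that is expected to use AppArmor."""
    drivers = explicit_security_drivers(conf_text)
    if drivers is None:
        return False, "security_driver not set explicitly"
    if expected not in drivers:
        return False, "security_driver is %s, expected %s" % (drivers, expected)
    return True, "security_driver includes %s" % expected


# Constructed sample inputs mirroring [1] and [2] from the report.
STOCK_CONF = '#security_driver = "selinux"\n'
FIXED_CONF = '#security_driver = "selinux"\nsecurity_driver = "apparmor"\n'

if __name__ == "__main__":
    for name, text in (("stock", STOCK_CONF), ("fixed", FIXED_CONF)):
        print(name, check_for_ubuntu(text))
```
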
Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → Medium
Changed in openstack-ansible:
assignee: Kevin Carter (kevin-carter) → nobody
Sorry for the late answer. This looks pretty valid, and I think we should do it by default, or at least wire it in the group vars to automatically do it on certain conditions, like if the security role isn't disabled. Major, an opinion?