openstack-ansible

qemu config should set security driver to apparmor on ubuntu

Bug #1732481 reported by Ondrej Vasko on 2017-11-15

14

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	openstack-ansible	In Progress	Medium	Unassigned

Bug Description

By default qemu uses selinux security model/driver. You can see that in /etc/libvirt/qemu.conf where there is a directive which is left default after OSA installation on ubuntu 16.04 [1].

As Ubuntu uses security driver apparmor, this directive should be set to apparmor [2]. This directive can be overriden by OSA users with `qemu_conf_dict: {}` whic is documented. Or in ansible playbooks I can see this directive in `roles/os_nova/defaults/main.yml`.

I noticed that when during live migration of VM with volume attached we received following error, which was resolved by changing qemu.conf. I didn't repeat the test many times though, but I believe I am right with this.

```
Live Migration failure: unsupported configuration: Unable to find security driver for model apparmor: libvirtError: unsupported configuration: Unable to find security driver for model apparmor
```

[1] #security_driver = "selinux"
[2] security_driver = "apparmor"
[3] https://docs.openstack.org/openstack-ansible-os_nova/pike/

Revision history for this message

Jean-Philippe Evrard (jean-philippe-evrard) wrote on 2017-11-17:

#1

Sorry for the late answer. This looks pertty valid, and I think we should do it by default, or at least wire it in the group vars to automatically do it on certain conditions, like if the security role isn't disabled. Major, an opinion?

Revision history for this message

Ondrej Vasko (ondrej.vasko) wrote on 2017-11-20:

#2

So far I don't know how much impact does this configuration change have to qemu. Though it may be related to apparmor misconfigurations I received lately (eg. https://bugs.launchpad.net/nova/+bug/1728563).

Basically I would expect that when I for example attach volume to qemu instance, the apparmor profile will change and add path to volume allowed as read, write or lock, which didn't happen before and I was not able to attach volume in openstack.

I still need to test if changing qemu security driver has something to do with that and if it fixes my issues. I will report my results afterwards.

Revision history for this message

Ondrej Vasko (ondrej.vasko) wrote on 2017-11-24:

#3

Update:

Nothing related to https://bugs.launchpad.net/nova/+bug/1728563.
Documentation source for security_driver: https://libvirt.org/drvqemu.html#securitysvirtaa

Jean-Philippe Evrard (jean-philippe-evrard) on 2017-12-05

Changed in openstack-ansible:
status:	New → Confirmed
importance:	Undecided → Medium

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-05-03: Fix proposed to openstack-ansible-os_nova (master)

#4

Fix proposed to branch: master
Review: https://review.openstack.org/565958

Changed in openstack-ansible:
assignee:	nobody → Kevin Carter (kevin-carter)
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-05-27: Change abandoned on openstack-ansible-os_nova (master)

#5

Change abandoned by Kevin Carter (cloudnull) (<email address hidden>) on branch: master
Review: https://review.opendev.org/565958

Kevin Carter (kevin-carter) on 2019-06-05

Changed in openstack-ansible:
assignee:	Kevin Carter (kevin-carter) → nobody

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.