qemu config should set security driver to apparmor on ubuntu

Bug #1732481 reported by Ondrej Vasko
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| openstack-ansible | In Progress | Medium | Unassigned | |

Bug Description

By default qemu uses selinux security model/driver. You can see that in /etc/libvirt/qemu.conf where there is a directive which is left default after OSA installation on ubuntu 16.04 [1].

As Ubuntu uses the security driver apparmor, this directive should be set to apparmor [2]. This directive can be overridden by OSA users with `qemu_conf_dict: {}`, which is documented. Or in the ansible playbooks I can see this directive in `roles/os_nova/defaults/main.yml`.

I noticed that during live migration of a VM with a volume attached we received the following error, which was resolved by changing qemu.conf. I didn't repeat the test many times though, but I believe I am right with this.

```
Live Migration failure: unsupported configuration: Unable to find security driver for model apparmor: libvirtError: unsupported configuration: Unable to find security driver for model apparmor
```

[1] #security_driver = "selinux"
[2] security_driver = "apparmor"
[3] https://docs.openstack.org/openstack-ansible-os_nova/pike/

Revision history for this message
Jean-Philippe Evrard (jean-philippe-evrard) wrote :

Sorry for the late answer. This looks pretty valid, and I think we should do it by default, or at least wire it in the group vars to automatically do it on certain conditions, like if the security role isn't disabled. Major, an opinion?

Revision history for this message
Ondrej Vasko (ondrej.vasko) wrote :

So far I don't know how much impact this configuration change has on qemu. Though it may be related to apparmor misconfigurations I received lately (e.g. https://bugs.launchpad.net/nova/+bug/1728563).

Basically I would expect that when I, for example, attach a volume to a qemu instance, the apparmor profile will change and add the path to the volume as allowed for read, write or lock, which didn't happen before, and I was not able to attach a volume in openstack.

I still need to test if changing qemu security driver has something to do with that and if it fixes my issues. I will report my results afterwards.

Revision history for this message
Ondrej Vasko (ondrej.vasko) wrote :

Update:

Nothing related to https://bugs.launchpad.net/nova/+bug/1728563.
Documentation source for security_driver: https://libvirt.org/drvqemu.html#securitysvirtaa

Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → Medium

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-os_nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/565958

Changed in openstack-ansible:
assignee: nobody → Kevin Carter (kevin-carter)
status: Confirmed → In Progress

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on openstack-ansible-os_nova (master)

Change abandoned by Kevin Carter (cloudnull) (<email address hidden>) on branch: master
Review: https://review.opendev.org/565958

Changed in openstack-ansible:
assignee: Kevin Carter (kevin-carter) → nobody