Control: reassign -1 libvirt-daemon-system
Control: affects -1 nova-compute
Control: tag -1 + upstream
Control: tag -1 + moreinfo
Hi,

arad...@tma-0.net:
> When launching a QEMU KVM instance, an error occurs immediately upon
> launching the qemu process:
>
>   Could not open backing file: Could not open
>   '/var/lib/nova/instances/_base/affe96668a4c64ef380ff1c71b4caec17039080e':
>   Permission denied
>
> This is caused because the AppArmor profile for libvirt does not include
> access to nova's instances directory (/var/lib/nova/instances).
>
> This error was fixed by adding the following lines to
> /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper:
>
>   /var/lib/nova/instances/_base/ r,
>   /var/lib/nova/instances/_base/* r,
>   /var/lib/nova/instances/** rw,
>
> and running:
>
>   sudo apparmor_parser -r /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper

Thanks for the bug report + debugging + solution!

I'm reassigning to the package that ships the faulty profile.

Let's submit this to libvirt upstream
(https://www.redhat.com/mailman/listinfo/libvir-list).
Do you want to do it yourself or shall I?

Now, one question before we move this upstream: does virt-aa-helper
really need write access to /var/lib/nova/instances/**?
Knowing a little bit what this helper does, I can't imagine why it
would; and in your logs I see only denied_mask="r".

> Probably it would be more appropriate to put that in a separate profile?

I think it's fine to add these lines to usr.lib.libvirt.virt-aa-helper.

Cheers,
-- 
intrigeri
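Added example, not part of the original message or of libvirt: one way to answer the write-access question above is to union the `denied_mask` letters AppArmor logged for the virt-aa-helper profile under nova's instances directory. The audit lines are constructed samples, and the profile name `/usr/lib/libvirt/virt-aa-helper` is assumed from the profile file name.

```python
import re

# Constructed sample audit lines (not taken from the bug report); timestamps,
# pids and the EXAMPLE_* path components are placeholders.
SAMPLE_LOG = """\
audit: type=1400 audit(1400000000.101:11): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/var/lib/nova/instances/_base/EXAMPLE_IMAGE" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=107
audit: type=1400 audit(1400000000.102:12): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/var/lib/nova/instances/EXAMPLE_UUID/disk" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=107
audit: type=1400 audit(1400000000.103:13): apparmor="DENIED" operation="open" profile="/usr/sbin/other" name="/var/lib/nova/instances/x" pid=1 comm="other" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs in an audit record


def denied_masks(log_text, profile="/usr/lib/libvirt/virt-aa-helper"):
    """Map each path denied to `profile` to the union of denied access letters."""
    masks = {}
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("apparmor") != "DENIED" or fields.get("profile") != profile:
            continue  # other profiles and non-denial records are irrelevant
        if "name" not in fields:
            continue  # e.g. capability denials carry no path
        masks.setdefault(fields["name"], set()).update(fields.get("denied_mask", ""))
    return {path: "".join(sorted(m)) for path, m in masks.items()}


def needed_mask(log_text, prefix="/var/lib/nova/instances/"):
    """Smallest set of access letters that covers every denial under `prefix`."""
    letters = set()
    for path, mask in denied_masks(log_text).items():
        if path.startswith(prefix):
            letters.update(mask)
    return "".join(sorted(letters))


if __name__ == "__main__":
    for path, mask in sorted(denied_masks(SAMPLE_LOG).items()):
        print(f"{mask:4} {path}")
    print("access needed under instances/:", needed_mask(SAMPLE_LOG) or "(none)")
```

If the result contains no `w`, the `rw` in the proposed `/var/lib/nova/instances/**` rule can be narrowed to `r`.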