Your log contains:
  qemu-system-x86_64: -chardev pty,id=charserial0,logfile=/var/lib/nova/instances/2691027e-9d67-4f78-841f-01e6c809e8fc/console.log,logappend=off

Which is the older style where qemu itself opens the file instead of the
more modern example I posted above where it is pre-opened and passed as
fd.

All that is fine, for a version like that you'll likely need the apparmor rule 
to allow it indeed.
Could you report the dmesg entry showing the deny as well?

With an older libvirt 1.3.1 and an "old style" XML entry you get the old 
behavior.
All this is for the switch of openstack to virtlogd btw - see more in bug 
1667033 (not needed, but if you are interested).

So you should essentially have one of two potential behaviors:

A) Old as in Xenial which means libvirt 1.3.1 qemu 2.5 and openstack 
2:13.1.4-0ubuntu4.2
This uses direct file paths which means:
A1) Old XML style
    <serial type='file'>
      <source path='/var/lib/nova/instances/consoletest/console.log'/>
      <target port='0'/>
    </serial>
    <console type='file'>
      <source path='/var/lib/nova/instances/consoletest/console.log'/>
      <target type='serial' port='0'/>
    </console>
A2) apparmor entries
  "/var/lib/nova/instances/consoletest/console.log" rw,
  "/var/lib/nova/instances/consoletest/console.log" rw,
A3) chardev with path on qemu
   -chardev file,id=charserial0,path=/var/lib/nova/instances/consoletest/console.log
A*) Qemu will open the file under the apparmor profile, but since it is defined 
as source path it was added to its per guest apparmor profile and is working.

B) New style with virtlogd as in >=Zesty / Ocata which means libvirt >=2.5 qemu 
>=2.8 and OpenStack >=15
B1) New style XML syntax
    <serial type='pty'>
      <log file='/var/lib/nova/instances/testlp1762769/console.log' append='off'/>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <log file='/var/lib/nova/instances/testlp1762769/console.log' append='off'/>
      <target type='serial' port='0'/>
    </console>
B2) no apparmor entries (none needed)
B3) console with fdset passed
  -add-fd set=1,fd=28 -chardev pty,id=charserial0,logfile=/dev/fdset/1,logappend=on -device isa-serial,chardev=charserial0,id=serial0
B*) libvirt/virtlogd will open the files and pass FDs to be used to qemu as
needed

You should have A OR B, but not a mix (as it seems in the bug so far).
A and B work, but a mix might not.

You might report your dmesg, but I assume I know what I will see there.
I'd ask you to really sort out if you have any external repositories or 
configuration that pushes you into the dead zone.

For a try without Openstack you can do this:
$ apt install uvtool-libvirt
$ uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 release=bionic label=daily
$ uvt-kvm create --password ubuntu consoletest arch=amd64 release=bionic label=daily
# That is a kvm guest based on the cloud image, you can shut it down, edit its XML to the example above (if on Xenial as-is A, if later B) and start the guest again.

Really if there is an issue I'd need the full set of how A or B breaks
for you with all mentioned logs. If you happen to find why you seem to
be somewhere in between A/B let me know here as well.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1762769

Title:
  missing entry at apparmor profile for nova instances
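
Added example (not part of the original comment, and not libvirt or nova code): a small Python check that sorts a domain XML into the A and B cases described in the comment and lists the paths qemu would open itself, which are the ones its per-guest AppArmor profile has to allow. The function names are made up for this illustration; the inputs are the snippets quoted in the comment, wrapped in a minimal <domain> element.

```python
import re
import xml.etree.ElementTree as ET

def xml_style(domain_xml):
    """Return the set of styles ('A', 'B') used by <serial>/<console> devices."""
    styles = set()
    for dev in ET.fromstring(domain_xml).iter():
        if dev.tag not in ("serial", "console"):
            continue
        if dev.get("type") == "file" and dev.find("source[@path]") is not None:
            styles.add("A")  # direct path: qemu opens it, profile needs an rw rule
        elif dev.find("log[@file]") is not None:
            styles.add("B")  # <log file=...>: meant to be opened by virtlogd
    return styles

def qemu_opened_paths(cmdline):
    """Return the paths that qemu itself opens for its -chardev arguments."""
    paths = []
    for arg in re.findall(r"(?:^|\s)-chardev\s+(\S+)", cmdline):
        backend, _, rest = arg.partition(",")
        opts = dict(kv.split("=", 1) for kv in rest.split(",") if "=" in kv)
        if backend == "file" and "path" in opts:
            paths.append(opts["path"])
        logfile = opts.get("logfile", "")
        if logfile and not logfile.startswith("/dev/fdset/"):
            paths.append(logfile)  # logfile= with a real path, not a passed fd
    return paths

# Sample inputs: the snippets from the comment (XML wrapped in a minimal <domain>).
XML_A = """<domain><devices><serial type='file'>
  <source path='/var/lib/nova/instances/consoletest/console.log'/>
  <target port='0'/></serial></devices></domain>"""
XML_B = """<domain><devices><serial type='pty'>
  <log file='/var/lib/nova/instances/testlp1762769/console.log' append='off'/>
  <target port='0'/></serial></devices></domain>"""
CMD_A = ("-chardev file,id=charserial0,"
         "path=/var/lib/nova/instances/consoletest/console.log")
CMD_B = ("-add-fd set=1,fd=28 -chardev pty,id=charserial0,"
         "logfile=/dev/fdset/1,logappend=on "
         "-device isa-serial,chardev=charserial0,id=serial0")
CMD_REPORTED = ("qemu-system-x86_64: -chardev pty,id=charserial0,logfile=/var/lib/"
                "nova/instances/2691027e-9d67-4f78-841f-01e6c809e8fc/console.log,"
                "logappend=off")

if __name__ == "__main__":
    for name, cmd in (("A", CMD_A), ("B", CMD_B), ("reported", CMD_REPORTED)):
        print(name, qemu_opened_paths(cmd) or "nothing, fd passed in")
```

A non-empty result for a guest whose XML is style B is the in-between state: qemu opens the log path under its own profile, so that path must match an rw rule in the per-guest AppArmor profile.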
