I hit this issue today when trying `terraform-provider-libvirt`. So I spent some time debugging it. Below are my findings.

1. Dir-based pools are affected. I didn't try with the default one, as I created a custom storage pool in terraform (`/srv/libvirt/images`). Then I was able to catch the `/etc/apparmor.d/libvirt/libvirt-XXXX*` files and check their contents. There was no `/srv/libvirt/images` path, so it definitely was not added there.
2. Then I found `/**.qcow{,2} r,` in the `/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper` file. So my image should be allowed by this rule. But I was still unable to create a VM. I tried to add my path here, without any success though.
3. The next thing to try was `/etc/apparmor.d/libvirt/TEMPLATE.qemu`. I added my pool path there AAAAND it works after. So this is what I have in the TEMPLATE.qemu file now:

```
#
# This profile is for the domain whose UUID matches this file.
#

#include <tunables/global>

profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
  #include <abstractions/libvirt-qemu>

  # Allow access to custom storage pool
  "/srv/libvirt/images/" r,
  "/srv/libvirt/images/**" rwk,
}
```

Now those paths appear in the libvirt/libvirt-XXXX file and access is finally allowed.

Please let me know if there is a better way to do this.

--
https://bugs.launchpad.net/bugs/1677398

Title:
  Apparmor prevents using storage pools and hostdev networks
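
To check what a given set of file rules grants for a disk path, the sketch below models the rules quoted in the comment above. It is an added example, not part of the bug comment or of libvirt or AppArmor; `glob_to_regex` and `granted` are hypothetical names, and the matcher covers only a subset of AppArmor globbing (`*`, `**`, `?`, `{a,b}`) on plain file rules, ignoring includes and deny rules.

```python
import re

# Constructed samples: the two rules the comment adds to TEMPLATE.qemu, and
# the generic rule it quotes from usr.lib.libvirt.virt-aa-helper.
TEMPLATE_RULES = '''
  "/srv/libvirt/images/" r,
  "/srv/libvirt/images/**" rwk,
'''
HELPER_RULES = "  /**.qcow{,2} r,\n"

# A file rule: quoted or bare absolute path, permission letters, comma.
RULE_RE = re.compile(r'^\s*(?:"([^"]+)"|(/\S*))\s+([a-z]+),\s*$')

def glob_to_regex(glob):
    """Translate a subset of AppArmor globbing (*, **, ?, {a,b}) to a regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            j = i
            while j < len(glob) and glob[j] == "*":
                j += 1
            # A glob that is a whole path component must match at least one
            # character, so /dir/** does not cover the directory /dir/ itself.
            if glob[i - 1:i] == "/" and (j == len(glob) or glob[j] == "/"):
                out.append("[^/]")
            out.append(".*" if j - i > 1 else "[^/]*")
            i = j
            continue
        if c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:"); depth += 1
        elif c == "}" and depth:
            out.append(")"); depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

def granted(profile_text, path):
    """Union of permission letters from every file rule that matches path."""
    perms = set()
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m and glob_to_regex(m.group(1) or m.group(2)).fullmatch(path):
            perms |= set(m.group(3))
    return perms
```

Run against these samples, the helper rule alone yields only `r` on a `.qcow2` image, while the template rules yield `r`, `w` and `k` on files in the pool and `r` on the pool directory itself, which is why the template carries both lines.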