yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1944486] [NEW] live migration fails with apparmor security driver

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: hanchl <1944486@xxxxxxxxxxxxxxxxxx>
Date: Wed, 22 Sep 2021 02:00:04 -0000
Reply-to: Bug 1944486 <1944486@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Public bug reported:

If the apparmor service is used as the security driver on the source
node, the xml file of the instance will contain the seclabel. When we
perform the operation of instance live migration, nova will require the
target node to use apparmor, otherwise we will get an aborted live
migration.

The xml file:
  <seclabel type='dynamic' model='apparmor' relabel='yes'>
    <label>libvirt-f07ba7d5-cc3e-4f33-8187-418a121fbf8d</label>
    <imagelabel>libvirt-f07ba7d5-cc3e-4f33-8187-418a121fbf8d</imagelabel>
  </seclabel>

The ERROR log:

2021-09-18 10:34:36,856.856 13059 ERROR nova.virt.libvirt.driver [req-0064793c-812e-49db-8a48-6e20216c07ed a6a7bea61c2e4bdba3ceccf7ca803c45 0b4d40edb4ab454d93ac783758ab205d - default default] [instance: 8d59e2f0-180f-4835-89fb-f46b258c586b] Live Migration failure: unsupported configuration: Unable to find security driver for model apparmor: libvirtError: unsupported configuration: Unable to find security driver for model apparmor
2021-09-18 10:34:36,886.886 13059 ERROR nova.virt.libvirt.driver [req-0064793c-812e-49db-8a48-6e20216c07ed a6a7bea61c2e4bdba3ceccf7ca803c45 0b4d40edb4ab454d93ac783758ab205d - default default] [instance: 8d59e2f0-180f-4835-89fb-f46b258c586b] Migration operation has aborted

** Affects: nova
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1944486

Title:
  live migration fails with apparmor security driver

Status in OpenStack Compute (nova):
  New

Bug description:
  If the apparmor service is used as the security driver on the source
  node, the xml file of the instance will contain the seclabel. When we
  perform the operation of instance live migration, nova will require
  the target node to use apparmor, otherwise we will get an aborted live
  migration.

  The xml file:
    <seclabel type='dynamic' model='apparmor' relabel='yes'>
      <label>libvirt-f07ba7d5-cc3e-4f33-8187-418a121fbf8d</label>
      <imagelabel>libvirt-f07ba7d5-cc3e-4f33-8187-418a121fbf8d</imagelabel>
    </seclabel>

  The ERROR log:

  2021-09-18 10:34:36,856.856 13059 ERROR nova.virt.libvirt.driver [req-0064793c-812e-49db-8a48-6e20216c07ed a6a7bea61c2e4bdba3ceccf7ca803c45 0b4d40edb4ab454d93ac783758ab205d - default default] [instance: 8d59e2f0-180f-4835-89fb-f46b258c586b] Live Migration failure: unsupported configuration: Unable to find security driver for model apparmor: libvirtError: unsupported configuration: Unable to find security driver for model apparmor
  2021-09-18 10:34:36,886.886 13059 ERROR nova.virt.libvirt.driver [req-0064793c-812e-49db-8a48-6e20216c07ed a6a7bea61c2e4bdba3ceccf7ca803c45 0b4d40edb4ab454d93ac783758ab205d - default default] [instance: 8d59e2f0-180f-4835-89fb-f46b258c586b] Migration operation has aborted

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1944486/+subscriptions

Follow ups

[Bug 1944486] Re: live migration fails with apparmor security driver
From: Launchpad Bug Tracker, 2022-07-09