
yahoo-eng-team team mailing list archive

[Bug 2003848] [NEW] Error by Live Snapshot and not Live Snapshot

 

Public bug reported:

Hi,
I want to take snapshots of instances, both live (while they are running)
and while the instances are switched off.

Ubuntu 20.04

# Ansible managed

DISTRIB_ID="OSA"
DISTRIB_RELEASE="25.2.0"
DISTRIB_CODENAME="Yoga"
DISTRIB_DESCRIPTION="OpenStack-Ansible"

nova-25.0.2.dev8.dist-info

Compiled against library: libvirt 8.0.0
Using library: libvirt 8.0.0
Using API: QEMU 8.0.0
Running hypervisor: QEMU 4.2.1

ii  apparmor       2.13.3-7ubuntu5.1 amd64        user-space parser
utility for AppArmor


I have also adjusted the virt-aa-helper AppArmor profile:

#include <tunables/global>

# AppArmor profile confining libvirt's virt-aa-helper binary, as pasted by the
# reporter.
# NOTE(review): flags=(complain) puts this profile in complain mode: accesses
# that no allow rule covers are logged instead of blocked, while the explicit
# deny rules below are still enforced. The report does not say which lines were
# adjusted; if complain mode was enabled only for debugging, return the profile
# to enforce mode once the snapshot failure is diagnosed.
profile virt-aa-helper /usr/lib/libvirt/virt-aa-helper flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/openssl>

  # needed for searching directories
  # (both capabilities bypass discretionary file-permission checks)
  capability dac_override,
  capability dac_read_search,

  # needed for when disk is on a network filesystem
  network inet,
  network inet6,

  # per-process mount tables are explicitly denied; the remaining /proc
  # entries are read-only allows ("owner" limits the rule to files owned by
  # the confined process's user)
  deny @{PROC}/[0-9]*/mounts r,
  @{PROC}/[0-9]*/net/psched r,
  owner @{PROC}/[0-9]*/status r,
  @{PROC}/filesystems r,

  # Used when internally running another command (namely apparmor_parser)
  @{PROC}/@{pid}/fd/ r,

  # allow reading libnl's classid file
  /etc/libnl{,-3}/classid r,

  # for gl enabled graphics
  /dev/dri/{,*} r,

  # for hostdev
  /sys/devices/ r,
  /sys/devices/** r,
  /sys/bus/usb/devices/ r,
  # explicit read denials for host block-device nodes; plain "deny" rules are
  # not logged (compare the "audit deny" rules further down)
  deny /dev/sd* r,
  deny /dev/vd* r,
  deny /dev/dm-* r,
  deny /dev/drbd[0-9]* r,
  deny /dev/dasd* r,
  deny /dev/nvme* r,
  deny /dev/zd[0-9]* r,
  deny /dev/mapper/ r,
  deny /dev/mapper/* r,

  # "mr": the helper may read and memory-map its own binary.
  # "Ux": apparmor_parser is executed unconfined (no profile applies to it),
  # with the environment scrubbed first.
  /usr/lib/libvirt/virt-aa-helper mr,
  /{usr/,}sbin/apparmor_parser Ux,

  # read anything in the libvirt policy directory; write access is limited to
  # files named libvirt-<five hex groups> (presumably the per-domain profiles,
  # named after the domain UUID -- confirm)
  /etc/apparmor.d/libvirt/* r,
  /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,

  # for backingstore -- allow access to non-hidden files in @{HOME} as well
  # as storage pools
  # "audit deny": hidden files/directories and ~/bin are blocked and each
  # attempt is logged; everything else under @{HOME} is readable (read-only)
  audit deny @{HOME}/.* mrwkl,
  audit deny @{HOME}/.*/ rw,
  audit deny @{HOME}/.*/** mrwkl,
  audit deny @{HOME}/bin/ rw,
  audit deny @{HOME}/bin/** mrwkl,
  @{HOME}/ r,
  @{HOME}/** r,
  /var/lib/libvirt/images/ rw,
  /var/lib/libvirt/images/** rw,
  # NOTE(review): the nova rules below name fixed paths under /var/lib/nova.
  # If the instances or snapshot directory is configured elsewhere (for
  # example on the OCFS2 mount), these rules would not match it -- verify
  # against the deployment's nova.conf.
  # nova base images (LP: #907269)
  /var/lib/nova/images/** rw,
  /var/lib/nova/instances/_base/** rw,
  # nova snapshots (LP: #1244694)
  /var/lib/nova/instances/snapshots/** rw,

}


Filesystem: OCFS2


# keystonemiddleware auth_token settings from the reporter's nova.conf.
# The empty values (auth_url, www_authenticate_uri, password,
# memcached_servers) look redacted for the report -- TODO confirm.
[keystone_authtoken]
# insecure = False leaves TLS certificate verification enabled
insecure = False
auth_type = password
auth_url = 
www_authenticate_uri = 
project_domain_id = default
user_domain_id = default
project_name = service
username = nova
password = 
region_name = RegionOne
# NOTE(review): with service_token_roles_required = False a valid service
# token is accepted even when it carries none of the roles listed in
# service_token_roles; set it to True once every service sends tokens with
# the "service" role.
service_token_roles_required = False
service_token_roles = service
service_type = compute
memcached_servers = 
# validated tokens are cached for 300 seconds
token_cache_time = 300


# nova libvirt driver settings from the reporter's nova.conf.
[libvirt]
# inject_partition = -2 disables data injection into the guest image; password
# and SSH-key injection are switched off as well
inject_partition = -2
inject_password = False
inject_key = False
virt_type = kvm
# live migration is configured for TLS (QEMU-native TLS for the migration
# streams, "tls" as the libvirt URI scheme); the inbound address is masked in
# the report
live_migration_with_native_tls = true
live_migration_scheme = tls
live_migration_inbound_addr = xxx.xxx.xxx.xxx
hw_disk_discard = ignore
# empty in the report: no per-disk-type cache mode override is shown
disk_cachemodes = 
iscsi_use_multipath = True

** Affects: nova
     Importance: Undecided
         Status: New

** Attachment added: "DEBUG ERROR SNAPSHOT"
   https://bugs.launchpad.net/bugs/2003848/+attachment/5643261/+files/Error_snapshot.txt

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/2003848

Title:
  Error by  Live Snapshot and not Live Snapshot

Status in OpenStack Compute (nova):
  New

Bug description:
  Hi,
  I want to take snapshots of instances, both live (while they are running)
  and while the instances are switched off.

  Ubuntu 20.04

  # Ansible managed

  DISTRIB_ID="OSA"
  DISTRIB_RELEASE="25.2.0"
  DISTRIB_CODENAME="Yoga"
  DISTRIB_DESCRIPTION="OpenStack-Ansible"

  nova-25.0.2.dev8.dist-info

  Compiled against library: libvirt 8.0.0
  Using library: libvirt 8.0.0
  Using API: QEMU 8.0.0
  Running hypervisor: QEMU 4.2.1

  ii  apparmor       2.13.3-7ubuntu5.1 amd64        user-space parser
  utility for AppArmor


  I have also adjusted the virt-aa-helper AppArmor profile:

  #include <tunables/global>

  # AppArmor profile confining libvirt's virt-aa-helper binary, as pasted by the
  # reporter.
  # NOTE(review): flags=(complain) puts this profile in complain mode: accesses
  # that no allow rule covers are logged instead of blocked, while the explicit
  # deny rules below are still enforced. The report does not say which lines were
  # adjusted; if complain mode was enabled only for debugging, return the profile
  # to enforce mode once the snapshot failure is diagnosed.
  profile virt-aa-helper /usr/lib/libvirt/virt-aa-helper flags=(complain) {
    #include <abstractions/base>
    #include <abstractions/openssl>

    # needed for searching directories
    # (both capabilities bypass discretionary file-permission checks)
    capability dac_override,
    capability dac_read_search,

    # needed for when disk is on a network filesystem
    network inet,
    network inet6,

    # per-process mount tables are explicitly denied; the remaining /proc
    # entries are read-only allows ("owner" limits the rule to files owned by
    # the confined process's user)
    deny @{PROC}/[0-9]*/mounts r,
    @{PROC}/[0-9]*/net/psched r,
    owner @{PROC}/[0-9]*/status r,
    @{PROC}/filesystems r,

    # Used when internally running another command (namely apparmor_parser)
    @{PROC}/@{pid}/fd/ r,

    # allow reading libnl's classid file
    /etc/libnl{,-3}/classid r,

    # for gl enabled graphics
    /dev/dri/{,*} r,

    # for hostdev
    /sys/devices/ r,
    /sys/devices/** r,
    /sys/bus/usb/devices/ r,
    # explicit read denials for host block-device nodes; plain "deny" rules are
    # not logged (compare the "audit deny" rules further down)
    deny /dev/sd* r,
    deny /dev/vd* r,
    deny /dev/dm-* r,
    deny /dev/drbd[0-9]* r,
    deny /dev/dasd* r,
    deny /dev/nvme* r,
    deny /dev/zd[0-9]* r,
    deny /dev/mapper/ r,
    deny /dev/mapper/* r,

    # "mr": the helper may read and memory-map its own binary.
    # "Ux": apparmor_parser is executed unconfined (no profile applies to it),
    # with the environment scrubbed first.
    /usr/lib/libvirt/virt-aa-helper mr,
    /{usr/,}sbin/apparmor_parser Ux,

    # read anything in the libvirt policy directory; write access is limited to
    # files named libvirt-<five hex groups> (presumably the per-domain profiles,
    # named after the domain UUID -- confirm)
    /etc/apparmor.d/libvirt/* r,
    /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,

    # for backingstore -- allow access to non-hidden files in @{HOME} as well
    # as storage pools
    # "audit deny": hidden files/directories and ~/bin are blocked and each
    # attempt is logged; everything else under @{HOME} is readable (read-only)
    audit deny @{HOME}/.* mrwkl,
    audit deny @{HOME}/.*/ rw,
    audit deny @{HOME}/.*/** mrwkl,
    audit deny @{HOME}/bin/ rw,
    audit deny @{HOME}/bin/** mrwkl,
    @{HOME}/ r,
    @{HOME}/** r,
    /var/lib/libvirt/images/ rw,
    /var/lib/libvirt/images/** rw,
    # NOTE(review): the nova rules below name fixed paths under /var/lib/nova.
    # If the instances or snapshot directory is configured elsewhere (for
    # example on the OCFS2 mount), these rules would not match it -- verify
    # against the deployment's nova.conf.
    # nova base images (LP: #907269)
    /var/lib/nova/images/** rw,
    /var/lib/nova/instances/_base/** rw,
    # nova snapshots (LP: #1244694)
    /var/lib/nova/instances/snapshots/** rw,

  }

  
  Filesystem: OCFS2

  
  # keystonemiddleware auth_token settings from the reporter's nova.conf.
  # The empty values (auth_url, www_authenticate_uri, password,
  # memcached_servers) look redacted for the report -- TODO confirm.
  [keystone_authtoken]
  # insecure = False leaves TLS certificate verification enabled
  insecure = False
  auth_type = password
  auth_url = 
  www_authenticate_uri = 
  project_domain_id = default
  user_domain_id = default
  project_name = service
  username = nova
  password = 
  region_name = RegionOne
  # NOTE(review): with service_token_roles_required = False a valid service
  # token is accepted even when it carries none of the roles listed in
  # service_token_roles; set it to True once every service sends tokens with
  # the "service" role.
  service_token_roles_required = False
  service_token_roles = service
  service_type = compute
  memcached_servers = 
  # validated tokens are cached for 300 seconds
  token_cache_time = 300

  
  # nova libvirt driver settings from the reporter's nova.conf.
  [libvirt]
  # inject_partition = -2 disables data injection into the guest image; password
  # and SSH-key injection are switched off as well
  inject_partition = -2
  inject_password = False
  inject_key = False
  virt_type = kvm
  # live migration is configured for TLS (QEMU-native TLS for the migration
  # streams, "tls" as the libvirt URI scheme); the inbound address is masked in
  # the report
  live_migration_with_native_tls = true
  live_migration_scheme = tls
  live_migration_inbound_addr = xxx.xxx.xxx.xxx
  hw_disk_discard = ignore
  # empty in the report: no per-disk-type cache mode override is shown
  disk_cachemodes = 
  iscsi_use_multipath = True

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/2003848/+subscriptions


