From 7bec243c626d674b64a79b9f3e961944cbf55603 Mon Sep 17 00:00:00 2001
From: Aleksandr Chudinov
Date: Tue, 12 Mar 2024 15:51:49 +0200
Subject: [PATCH] fix apparmor profile for non-standard nova home in cases when non-standard path to nova instances is configured with nova_system_home_folder variable there may be problems with instances spawning due to libvirt virt-aa-helper missing permission in apparmor profile, this commit resolves this
Change-Id: I3d37eb5a9635044570690370dfcbc060ff4d9e49
---
 handlers/main.yml | 5 +++++
 tasks/drivers/kvm/nova_compute_kvm.yml | 17 +++++++++++++++++
 2 files changed, 22 insertions(+)
diff --git a/handlers/main.yml b/handlers/main.yml
index c37716cc..3c1337ac 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -88,3 +88,8 @@
 - "venv changed"
 - "cert installed"
 - "systemd service changed"
+
+- name: Reload apparmor profile
+ ansible.builtin.service:
+ name: apparmor.service
+ state: reloaded
diff --git a/tasks/drivers/kvm/nova_compute_kvm.yml b/tasks/drivers/kvm/nova_compute_kvm.yml
index 6139cece..008da85b 100644
--- a/tasks/drivers/kvm/nova_compute_kvm.yml
+++ b/tasks/drivers/kvm/nova_compute_kvm.yml
@@ -135,6 +135,23 @@
 - nova-kvm
 - nova-libvirt
 
+- name: Set apparmor config (Ubuntu/Debian)
+ lineinfile:
+ dest: "/etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper"
+ line: " {{ nova_system_home_folder }}/instances/_base/* r,"
+ backup: true
+ create: true
+ owner: "root"
+ group: "root"
+ mode: "0644"
+ when:
+ - ansible_facts['distribution'] == 'Ubuntu' or ansible_facts['distribution'] == 'Debian'
+ notify: Reload apparmor profile
+ tags:
+ - nova-config
+ - nova-kvm
+ - nova-libvirt
+
 - name: Including nova_disable_smt tasks
 include_tasks: nova_disable_smt.yml
 when:
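Review bot: The new `Reload apparmor profile` handler reloads the whole `apparmor.service` unit, so every profile on the compute host is re-parsed, not only the virt-aa-helper one whose local include changed. A syntax error in an unrelated profile would then presumably surface as a failure of this role. The handler also assumes the unit exists and is usable; the only guard visible here is the distribution check on the notifying task, so a Debian or Ubuntu host with AppArmor removed or masked would likely fail at this step. A short comment above the handler, such as `# Reloads all AppArmor profiles; only notified from the Ubuntu/Debian libvirt task`, would make that scope explicit.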
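Review bot: The `lineinfile` task in `nova_compute_kvm.yml` has no `regexp`, so when `nova_system_home_folder` is later changed the rule for the old path stays in `/etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper`. virt-aa-helper then keeps read access to a directory the role no longer manages. Adding `regexp: '/instances/_base/\* r,$'` would make the task replace its own line instead of appending another one. The variable is also interpolated into the rule unquoted, so a path containing whitespace would likely produce a malformed rule that is only noticed when the handler reloads AppArmor; an `assert` on the variable's format, or quoting the path inside the rule, would catch that earlier. As a style point, the module is written as `lineinfile` here while the new handler uses the fully qualified `ansible.builtin.service`.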