[PATCH] apparmor: ceph config file names

christian.ehrhardt@canonical.com posted 1 patch 2 years, 6 months ago
Test syntax-check failed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20211007113242.625136-1-christian.ehrhardt@canonical.com
src/security/apparmor/libvirt-qemu | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] apparmor: ceph config file names
Posted by christian.ehrhardt@canonical.com 2 years, 6 months ago
From: Christian Ehrhardt <christian.ehrhardt@canonical.com>

If running multiple [1] clusters (uncommon) the ceph config file will be
derived from the cluster name. Therefore the rule to allow to read ceph
config files needs to be opened up slightly to allow for that condition.

[1]: https://docs.ceph.com/en/mimic/rados/configuration/common/#running-multiple-clusters

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1588576

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 src/security/apparmor/libvirt-qemu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 4156428163..8cd76d48ec 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -199,7 +199,7 @@
   /sys/class/ r,
 
   # for rbd
-  /etc/ceph/ceph.conf r,
+  /etc/ceph/*.conf r,
 
   # Various functions will need to enumerate /tmp (e.g. ceph), allow the base
   # dir and a few known functions like samba support.
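
Review bot: The new rule `/etc/ceph/*.conf r,` grants read access to every file ending in .conf directly under /etc/ceph/, not only to cluster configuration files. AppArmor's `*` does not match `/`, so subdirectories stay excluded, but any other .conf file placed in that directory becomes readable by every confined guest. Because the cluster name is arbitrary the glob cannot be narrowed much further, so please state that trade-off in the commit message, which currently only says the rule is opened up "slightly".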
-- 
2.33.0


Re: [PATCH] apparmor: ceph config file names
Posted by Jamie Strandboge 2 years, 6 months ago
On Thu, 07 Oct 2021, christian.ehrhardt@canonical.com wrote:

> From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> 
> If running multiple [1] clusters (uncommon) the ceph config file will be
> derived from the cluster name. Therefore the rule to allow to read ceph
> config files needs to be opened up slightly to allow for that condition.
> 
> [1]: https://docs.ceph.com/en/mimic/rados/configuration/common/#running-multiple-clusters
> 
> Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1588576
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
>  src/security/apparmor/libvirt-qemu | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> index 4156428163..8cd76d48ec 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -199,7 +199,7 @@
>    /sys/class/ r,
>  
>    # for rbd
> -  /etc/ceph/ceph.conf r,
> +  /etc/ceph/*.conf r,
>  
>    # Various functions will need to enumerate /tmp (e.g. ceph), allow the base
>    # dir and a few known functions like samba support.
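
Review bot: The `# for rbd` comment above the changed rule is left untouched and does not explain why a wildcard is now used. Suggest extending it, for example to `# for rbd, the config file name is derived from the cluster name`, so that the glob is not tightened back to `ceph.conf` in a later cleanup.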

LGTM, thanks!

-- 
Email: jamie@strandboge.com
IRC:   jdstrand
Re: [PATCH] apparmor: ceph config file names
Posted by Christian Ehrhardt 2 years, 6 months ago
On Sat, Oct 9, 2021 at 2:33 PM Jamie Strandboge <jamie@strandboge.com> wrote:
>
> On Thu, 07 Oct 2021, christian.ehrhardt@canonical.com wrote:
>
> > From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> >
> > If running multiple [1] clusters (uncommon) the ceph config file will be
> > derived from the cluster name. Therefore the rule to allow to read ceph
> > config files needs to be opened up slightly to allow for that condition.
> >
> > [1]: https://docs.ceph.com/en/mimic/rados/configuration/common/#running-multiple-clusters
> >
> > Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1588576
> >
> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> > ---
> >  src/security/apparmor/libvirt-qemu | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> > index 4156428163..8cd76d48ec 100644
> > --- a/src/security/apparmor/libvirt-qemu
> > +++ b/src/security/apparmor/libvirt-qemu
> > @@ -199,7 +199,7 @@
> >    /sys/class/ r,
> >
> >    # for rbd
> > -  /etc/ceph/ceph.conf r,
> > +  /etc/ceph/*.conf r,
> >
> >    # Various functions will need to enumerate /tmp (e.g. ceph), allow the base
> >    # dir and a few known functions like samba support.
>
> LGTM, thanks!



> --
> Email: jamie@strandboge.com
> IRC:   jdstrand

Thank you both Jamie and Michal!
Reviews are in, no freeze right now, no negative feedback appeared and
the tests work fine.
Thereby I'm pushing this AA change now ...

-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd

Re: [PATCH] apparmor: ceph config file names
Posted by Michal Prívozník 2 years, 6 months ago
On 10/7/21 1:32 PM, christian.ehrhardt@canonical.com wrote:
> From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> 
> If running multiple [1] clusters (uncommon) the ceph config file will be
> derived from the cluster name. Therefore the rule to allow to read ceph
> config files needs to be opened up slightly to allow for that condition.
> 
> [1]: https://docs.ceph.com/en/mimic/rados/configuration/common/#running-multiple-clusters
> 
> Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1588576
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
>  src/security/apparmor/libvirt-qemu | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Michal