3 Commits

Author SHA1 Message Date
Hemanth Nakkina
ffd5443092 interfaces/microstack-support: read access to /proc/task/sched{,stat}
microstack requires read access to @{PROC}/*/{,task/*/}sched and
@{PROC}/*/{,task/*/}schedstat to allow virsh to read cpu statistics
of the instances.

Without this rule, openstack-hypervisor.virsh domstat list does not
print cpu statistics, vcpu.<id>.time, vcpu.<id>.stat.

Apparmor deny rule in dmesg:
[98847.604617] audit: type=1400 audit(1693470840.357:1499): \
apparmor="DENIED" operation="open" profile="snap.openstack-hypervisor.libvirtd" \
name="/proc/2014588/task/2014595/sched" pid=3668724 comm="rpc-libvirtd" \
requested_mask="r" denied_mask="r" fsuid=0 ouid=0

This rule is also required by the ceilometer service running on the
openstack-hypervisor snap, which queries libvirt for the cpu/memory/disk
statistics of the instances running on the hypervisor.
2023-10-12 09:10:57 +02:00
Ian Johnson
fb502af681 interfaces/microstack-support: set controlsDeviceCgroup to true (#10975)
* interfaces/microstack-support: set controlsDeviceCgroup to true

This will prevent us from generating any udev rules which in turn should
entirely disable the enforcement of the device cgroup for processes in the
snap.

This is justified by the snap already managing cgroups of its containers and
VMs with the Delegate=true setting in serviceSnippets.

See also LP bug: https://bugs.launchpad.net/snapd/+bug/1892895 which is
partially addressed by this commit, specifically for the microstack snap which
uses the microstack-support interface.

Signed-off-by: Ian Johnson <ian.johnson@canonical.com>

* tests: add spread test for microstack cgroup delegation

* tests/main/interfaces-microstack-support: use snap restart

This fixes the test by making it fail on master without the change to use
controlsDeviceCgroup, but passes in the branch enabling that for the interface.

Signed-off-by: Ian Johnson <ian.johnson@canonical.com>

* tests: fix microstack-support test for cgroup v2

* i/b/microstack_support: add comment about delegation

* tests/microstack: make the service more verbose

Making the service more verbose might help debugging; these lines will
end up in journald.

* interfaces/udev/spec.go: leave TODO about cgroup interaction w/ Delegate=true

Signed-off-by: Ian Johnson <ian.johnson@canonical.com>

Co-authored-by: Alberto Mardegan <alberto.mardegan@canonical.com>
2021-11-30 08:44:59 -06:00
Dmitrii Shcherbakov
9e4cd5f5e2 interfaces: add microstack-support interface
* Add microstack-support interface

Add an interface to enable MicroStack to work in a confined environment.

* Address review comments

* add rules necessary for LVM use

* Add rules required for the usage of iSCSI

OpenStack relies on the following components when working with LVM
volumes:

* tgtd - a daemon that exposes block devices via iSCSI;
* iscsid - a control plane daemon for the iSCSI initiator data plane
implemented in the iscsi_tcp module;
* iscsi_tcp kernel module.

Working with the iSCSI kernel stack requires more privileged access to
sysfs so that iscsiadm and iscsid can do their job.

* Adjust the policy based on functional testing

After several tempest test runs, based on the kernel logs, it became
apparent that libvirt requires wider rw access to the hierarchy under
/sys/fs/cgroup/*/machine.

* Fix test coverage for the microstack-support iface

* fix formatting in basedeclaration_test.go

* Fix comment typos/inconsistencies

* Replace tgtd rules with LIO ones

* fix a static check failure

* Address points raised in the review

* refactoring;
* added Delegate=true since libvirt manages its own cgroup subtree.

* Replace /dev/* rw with less privileged rules

The snapd team requested a less permissive rule to be used for block
device access. While MicroStack considers volume support experimental
due to https://bugs.launchpad.net/snapd/+bug/1892895, it seems
acceptable to limit the set of VG names to the ones prefixed with
"microstack-" to avoid blocking the whole review on this. Lifting this
naming restriction will be a consideration for the future versions of
this interface.

* Address review comments

* Fix indentation to avoid a static check failure

* TestKModConnectedPlug: expect the vfio-pci module

* Address security review comments

* Address review comments

* Remove the unused import
2021-08-31 16:18:24 +02:00