[libvirt] [PATCH 02/12] apparmor, libvirt-qemu: Silence lttng related deny messages

Christian Ehrhardt christian.ehrhardt at canonical.com
Wed Dec 20 12:42:42 UTC 2017 

On Wed, Dec 20, 2017 at 10:30 AM, intrigeri <intrigeri+libvirt at boum.org> wrote:
> Hi,
>
> Christian Ehrhardt:
>> --- a/examples/apparmor/libvirt-qemu
>> +++ b/examples/apparmor/libvirt-qemu
>> @@ -191,3 +191,7 @@
>>    /sys/devices/system/node/ r,
>>    /sys/devices/system/node/node[0-9]*/meminfo r,
>>    /sys/module/vhost/parameters/max_mem_regions r,
>> +
>> +  # silence refusals to open lttng files (see LP: #1432644)
>> +  deny /dev/shm/lttng-ust-wait-* r,
>> +  deny /run/shm/lttng-ust-wait-* r,
>
> In principle this looks OK to me but I wonder if this is the sweet
> spot regarding admin UX.
>
> I've skimmed over the Ubuntu bug report but found it confusing as it
> mixes breakage caused by the fact we deny such access (which
> apparently does not happen anymore otherwise you would not be
> proposing these deny rules) with log flooding issues (that will be
> fixed by the proposed rules).
>
> So I'm afraid I need to ask an executive summary :)
> Under which circumstances do we log these denials?
>
> I'd like to make sure we're not creating the following situation:
>
>  - In most practical cases we don't even try to access these files, so
>    don't log denials, and then these rules are not useful.
>
>  - In the rare(r) case when the admin actually enables LTT-ng
>    debugging, with these added rules it'll be hard to discover why it
>    does not work.

Great point intrigeri!

#1
At least as far as my history analysis went this was triggered by ceph
having the support for lttng enabled.
Not by actually (trying to) enable the LTT-ng tracking.
While being disabled in ceph package since then it could show up in a
similar manner from almost any other source.

#2
OTOH I never have seen any complains on LTT-ng not working in the virt
stack for the years carrying this delta.
So either it is not an issue to those using LTT-ng or no one
(statistically) uses it on virt-hosts in  a case that would require it
to get these access.

Especially due to #1 IMHO I'd tend to add the denies as the flooding
hits people not explicitly enabling/caring about LTT-ng.
It would be great if instead of allow/deny we had the option to "deny
but report once" - like a ratelimit, but we don't.

> Thanks in advance!
>
> Cheers,
> --
> intrigeri


-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd

More information about the libvir-list mailing list