[libvirt] [PATCH 02/12] apparmor, libvirt-qemu: Silence lttng related deny messages

Christian Ehrhardt christian.ehrhardt at canonical.com
Wed Dec 20 12:42:42 UTC 2017

On Wed, Dec 20, 2017 at 10:30 AM, intrigeri <intrigeri+libvirt at boum.org> wrote:
> Hi,
> Christian Ehrhardt:
>> --- a/examples/apparmor/libvirt-qemu
>> +++ b/examples/apparmor/libvirt-qemu
>> @@ -191,3 +191,7 @@
>>    /sys/devices/system/node/ r,
>>    /sys/devices/system/node/node[0-9]*/meminfo r,
>>    /sys/module/vhost/parameters/max_mem_regions r,
>> +
>> +  # silence refusals to open lttng files (see LP: #1432644)
>> +  deny /dev/shm/lttng-ust-wait-* r,
>> +  deny /run/shm/lttng-ust-wait-* r,
> In principle this looks OK to me but I wonder if this is the sweet
> spot regarding admin UX.
> I've skimmed over the Ubuntu bug report but found it confusing as it
> mixes breakage caused by the fact we deny such access (which
> apparently does not happen anymore otherwise you would not be
> proposing these deny rules) with log flooding issues (that will be
> fixed by the proposed rules).
> So I'm afraid I need to ask an executive summary :)
> Under which circumstances do we log these denials?
> I'd like to make sure we're not creating the following situation:
>  - In most practical cases we don't even try to access these files, so
>    don't log denials, and then these rules are not useful.
>  - In the rare(r) case when the admin actually enables LTT-ng
>    debugging, with these added rules it'll be hard to discover why it
>    does not work.

Great point intrigeri!

At least as far as my history analysis went this was triggered by ceph
having the support for lttng enabled.
Not by actually (trying to) enable the LTT-ng tracking.
While being disabled in ceph package since then it could show up in a
similar manner from almost any other source.

OTOH I never have seen any complains on LTT-ng not working in the virt
stack for the years carrying this delta.
So either it is not an issue to those using LTT-ng or no one
(statistically) uses it on virt-hosts in  a case that would require it
to get these access.

Especially due to #1 IMHO I'd tend to add the denies as the flooding
hits people not explicitly enabling/caring about LTT-ng.
It would be great if instead of allow/deny we had the option to "deny
but report once" - like a ratelimit, but we don't.

> Thanks in advance!
> Cheers,
> --
> intrigeri

Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd

More information about the libvir-list mailing list