[libvirt] [PATCH 07/10] apparmor, libvirt-qemu: Allow access to ceph config

Guido Günther agx at sigxcpu.org
Wed Jun 7 17:00:56 UTC 2017


On Wed, Jun 07, 2017 at 10:44:59AM -0600, Christian Ehrhardt wrote:
> On Fri, Jun 2, 2017 at 12:57 PM, Guido Günther <agx at sigxcpu.org> wrote:
> 
> > Shouldn't this only be added when ceph is in use?
> > Cheers,
> >  -- Guido
> >
> 
> Yeah it is part of a category of rules where in a perfect world we would
> wirte virt-aa-helper code for each of them.
> In this particular case I think the existance of the following would be the
> trigger:
> 
> <disk type='network'>
> [...]
>     <source protocol="rbd"
> 
> Yet for some cases - like this one - the "opening" we are doing in regard
> to apparmor is quite small and maybe the burden to create (and maintain) it
> in virt-aa-helper is too much.
> 
> So I'd appreciate if that change could be considered as-is - otherwise
> please let me know - I'll then add it to a bunch of issues of the category
> "needs to be done in virt-aa-helper" which I already track.

I was uder the impression that ceph.conf might contain sensitive data
which we might not want to open up to all domains but looking at

      http://docs.ceph.com/docs/jewel/rados/configuration/ceph-conf/

this does not seem to be the case so this is probably o.k.
CHeers,
 -- Guido




More information about the libvir-list mailing list