interfaces/microstack-support: read access to /proc/task/sched{,stat}
microstack requires read access to @{PROC}/*/{,task/*/}sched and
@{PROC}/*/{,task/*/}schedstat to allow virsh to read cpu statistics
of the instances.

Without this rule, openstack-hypervisor.virsh domstat list does not
print cpu statistics, vcpu.<id>.time, vcpu.<id>.stat.

AppArmor deny rule in dmesg:
[98847.604617] audit: type=1400 audit(1693470840.357:1499): \
apparmor="DENIED" operation="open" profile="snap.openstack-hypervisor.libvirtd" \
name="/proc/2014588/task/2014595/sched" pid=3668724 comm="rpc-libvirtd" \
requested_mask="r" denied_mask="r" fsuid=0 ouid=0

This rule is also required by the ceilometer service running on the
openstack-hypervisor snap, which queries libvirt for the cpu/memory/disk
statistics of the instances running on the hypervisor.
hemanthnakkina authored and mvo5 committed Oct 12, 2023
1 parent 93a8628 commit ffd5443
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions interfaces/builtin/microstack_support.go
Expand Up @@ -119,6 +119,8 @@ const microStackSupportConnectedPlugAppArmor = `
@{PROC}/mtrr w,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/sched r,
@{PROC}/@{pids}/task/@{tid}/sched r,
@{PROC}/@{pids}/task/@{tid}/schedstat r,
@{PROC}/*/status r,
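
Review bot: the commit message asks for read access to @{PROC}/*/{,task/*/}schedstat, which covers both the per-process and the per-thread file, but the two added lines grant only the task/@{tid}/ forms, and the visible context carries @{PROC}/@{pids}/sched r with no matching @{PROC}/@{pids}/schedstat r. If libvirtd also opens /proc/<pid>/schedstat, add that rule next to the existing sched line; if it is already granted elsewhere in the profile or is not needed, narrow the commit message to the task-level paths. The quoted denial shows only task/<tid>/sched, so it would help to record in the message, or in a # comment above the new rules, the denial or code path that motivates schedstat. Scoping the new rules with @{pids} and @{tid} rather than the * globs used in the message is the tighter choice and is consistent with the @{pids}/sched line above.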