On Wed, Dec 20, 2017 at 10:30 AM, intrigeri <intrigeri+libvirt@xxxxxxxx> wrote:
> Hi,
>
> Christian Ehrhardt:
>> --- a/examples/apparmor/libvirt-qemu
>> +++ b/examples/apparmor/libvirt-qemu
>> @@ -191,3 +191,7 @@
>> /sys/devices/system/node/ r,
>> /sys/devices/system/node/node[0-9]*/meminfo r,
>> /sys/module/vhost/parameters/max_mem_regions r,
>> +
>> + # silence refusals to open lttng files (see LP: #1432644)
>> + deny /dev/shm/lttng-ust-wait-* r,
>> + deny /run/shm/lttng-ust-wait-* r,
>
> In principle this looks OK to me but I wonder if this is the sweet
> spot regarding admin UX.
>
> I've skimmed over the Ubuntu bug report but found it confusing as it
> mixes breakage caused by the fact we deny such access (which
> apparently does not happen anymore, otherwise you would not be
> proposing these deny rules) with log flooding issues (that will be
> fixed by the proposed rules).
>
> So I'm afraid I need to ask for an executive summary :)
> Under which circumstances do we log these denials?
>
> I'd like to make sure we're not creating the following situation:
>
> - In most practical cases we don't even try to access these files, so
> don't log denials, and then these rules are not useful.
>
> - In the rare(r) case when the admin actually enables LTT-ng
> debugging, with these added rules it'll be hard to discover why it
> does not work.

Great point intrigeri!

#1 At least as far as my history analysis went, this was triggered by ceph
having the support for lttng enabled, not by actually (trying to) enable
the LTT-ng tracking. While it has been disabled in the ceph package since
then, it could show up in a similar manner from almost any other source.

#2 OTOH I have never seen any complaints about LTT-ng not working in the
virt stack for the years carrying this delta. So either it is not an issue
to those using LTT-ng, or no one (statistically) uses it on virt-hosts in a
case that would require it to get this access.

Especially due to #1, IMHO I'd tend to add the denies, as the flooding hits
people not explicitly enabling/caring about LTT-ng.

It would be great if instead of allow/deny we had the option to "deny but
report once" - like a ratelimit, but we don't.
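Review bot: the comment above the two `deny` lines only points at the bug number; it should say what an admin loses and how to get it back, because in AppArmor a `deny` rule takes precedence over any allow rule, so LTTng-UST tracing of qemu can no longer be re-enabled by adding rules in a local include, only by editing this file. Suggest something like `# LTTng-UST tracing of qemu is disabled here to stop log flooding (LP: #1432644); remove these two deny rules (or change them to 'audit deny') to debug it`. Also, both rules cover only `r`: if the wait-shm files are ever opened with a different mask, those denials will still be logged, so it is worth confirming against the audit lines in the bug that `denied_mask="r"` is the only mask seen.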
> Thanks in advance!
>
> Cheers,
> --
> intrigeri

-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
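The two questions in the thread, which denials are actually being logged and which of them the two new rules would make disappear, can be answered from the audit log before the profile is changed; the same pass also gives the "deny but report once" view that Christian notes AppArmor itself lacks. The script below is an added example, not code from libvirt, AppArmor or either poster. The audit lines and the profile name `libvirt-example` are constructed for illustration; the profile excerpt is the text of the hunk above. It relies on two AppArmor facts: a path glob's `*` does not cross `/` (only `**` does), and a plain `deny` rule is quiet, so anything it covers stops appearing in the log once the profile is loaded.

```python
"""Collapse AppArmor DENIED audit lines into one entry per (profile, path,
mask) and report which entries a profile's `deny` rules would silence.

Added example for the libvirt-qemu deny-rule discussion; not code from
libvirt, AppArmor or the posters.  The audit lines and the profile name
"libvirt-example" are constructed for illustration."""
import re
from collections import OrderedDict

# Kernel audit record as AppArmor emits it (type=1400); the fields we use
# appear in this order on every file-access denial.
AUDIT_RE = re.compile(
    r'apparmor="(?P<action>[A-Z]+)".*?\boperation="[^"]+"'
    r'.*?\bprofile="(?P<profile>[^"]+)".*?\bname="(?P<name>[^"]+)"'
    r'.*?\bdenied_mask="(?P<mask>[^"]+)"')

# File rule in a profile: optional `deny`, an absolute path glob, a permission set.
RULE_RE = re.compile(r'^\s*(?P<deny>deny\s+)?(?P<glob>/\S+)\s+(?P<perms>[a-zA-Z]+),')


def glob_to_regex(glob):
    """AppArmor path glob -> compiled regex.  `*` matches any run of characters
    except `/`, `**` also crosses `/`, `?` is one non-slash character,
    `[...]` is a character class and `{a,b}` an alternation."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith('**', i):
            out.append('.*'); i += 2; continue
        if c == '*':
            out.append('[^/]*')
        elif c == '?':
            out.append('[^/]')
        elif c == '[' and glob.find(']', i) != -1:
            j = glob.find(']', i)
            out.append(glob[i:j + 1]); i = j + 1; continue
        elif c == '{':
            depth += 1; out.append('(?:')
        elif c == '}' and depth:
            depth -= 1; out.append(')')
        elif c == ',' and depth:
            out.append('|')
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile('^' + ''.join(out) + '$')


def parse_deny_rules(profile_text):
    """Return (glob, regex, perms) for every `deny` file rule in the profile."""
    rules = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group('deny'):
            rules.append((m.group('glob'), glob_to_regex(m.group('glob')), set(m.group('perms'))))
    return rules


def summarize(audit_lines, profile_text):
    """The 'deny but report once' view: one entry per (profile, path, mask)
    with a hit count, tagged with the deny rule that will silence it, if any.
    A deny rule silences a denial only if its glob matches the path and its
    permissions cover every bit of the denied mask."""
    deny_rules = parse_deny_rules(profile_text)
    seen = OrderedDict()
    for line in audit_lines:
        m = AUDIT_RE.search(line)
        if not m or m.group('action') != 'DENIED':   # complain-mode ALLOWED etc.
            continue
        key = (m.group('profile'), m.group('name'), m.group('mask'))
        seen.setdefault(key, {'count': 0, 'silenced_by': None})['count'] += 1
    for (_profile, name, mask), entry in seen.items():
        for glob, rx, perms in deny_rules:
            if rx.match(name) and set(mask) <= perms:
                entry['silenced_by'] = glob
                break
    return seen


# Constructed audit lines (dmesg/journal format); the profile name is a placeholder.
_REC = ('audit: type=1400 audit(1513765200.{seq}:{seq}): apparmor="{act}" operation="open" '
        'profile="libvirt-example" name="{path}" pid=4242 comm="qemu-system-x86" '
        'requested_mask="{mask}" denied_mask="{mask}" fsuid=0 ouid=0')
SAMPLE_AUDIT = [
    _REC.format(seq=301, act='DENIED', path='/dev/shm/lttng-ust-wait-5', mask='r'),
    _REC.format(seq=302, act='DENIED', path='/dev/shm/lttng-ust-wait-5', mask='r'),
    _REC.format(seq=303, act='DENIED', path='/run/shm/lttng-ust-wait-5-1000', mask='r'),
    # constructed to exercise the mask check: a read-only deny rule does not cover "rw"
    _REC.format(seq=304, act='DENIED', path='/dev/shm/lttng-ust-wait-5', mask='rw'),
    _REC.format(seq=305, act='DENIED', path='/etc/ceph/ceph.conf', mask='r'),
    _REC.format(seq=306, act='ALLOWED', path='/proc/4242/status', mask='r'),  # complain mode
]

# The profile text after the hunk in the patch above.
PROFILE_EXCERPT = """
  /sys/devices/system/node/ r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  /sys/module/vhost/parameters/max_mem_regions r,

  # silence refusals to open lttng files (see LP: #1432644)
  deny /dev/shm/lttng-ust-wait-* r,
  deny /run/shm/lttng-ust-wait-* r,
"""

if __name__ == '__main__':
    for (profile, name, mask), e in summarize(SAMPLE_AUDIT, PROFILE_EXCERPT).items():
        verdict = 'silenced by deny %s' % e['silenced_by'] if e['silenced_by'] else 'STILL LOGGED'
        print('%4dx %s %s [%s] -> %s' % (e['count'], profile, name, mask, verdict))
```

Run it against real lines with `journalctl -k | grep 'apparmor="DENIED"'` piped into `SAMPLE_AUDIT`'s place. An entry tagged as silenced is one the admin will never see again after the profile is loaded, and because `deny` beats any allow rule it cannot be brought back from a local include; the rule has to be removed or changed to `audit deny`, which denies but still logs.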