Merge "Allow nova-compute to read through cpu attributes"

2017-04-06 16:36:19 +00:00 · 2017-04-06 16:36:19 +00:00 · 0360a476a0
commit 0360a476a0
parent 2358f94b30 d673f94097
2 changed files with 5 additions and 0 deletions
--- a/hooks/nova_compute_context.py
+++ b/hooks/nova_compute_context.py
@ -647,6 +647,7 @@ class NovaComputeAppArmorContext(context.AppArmorContext):
        super(NovaComputeAppArmorContext, self).__call__()
        if not self.ctxt:
            return self.ctxt
+        self._ctxt.update({'virt_type': config('virt-type')})
        self._ctxt.update({'aa_profile': self.aa_profile})
        return self.ctxt

--- a/templates/usr.bin.nova-compute
+++ b/templates/usr.bin.nova-compute
@ -50,6 +50,7 @@
  /sbin/xtables-multi rix,
  /sys/block/ r,
  /sys/devices/system/cpu/ r,
+  /sys/devices/system/cpu/** r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/** r,
  /sys/devices/virtual/block/nbd*/ r,
@ -61,6 +62,9 @@
  /usr/lib{,32,64}/** mrw,
  /usr/lib{,32,64}/python{2,3}.[34567]/**.{pyc,so} mrw,
  /var/lib/nova/** rwk,
+{% if virt_type == 'lxd' %}
+  /var/lib/lxd/unix.socket rw,
+{% endif %}
  /var/log/nova/nova-compute.log w,
  /var/run/libvirt/* rw,
  /var/run/libvirt/libvirt-sock rw,