Allow nova-compute rw access to /dev/net/tun

Contrail Nova VIF plugin relies on Nova (core) code to create a tap interface before a vrouter interface is plugged. Thus nova-compute needs to be able to access /dev/net/tun which it cannot with the current apparmor profile when enforcing mode is enabled. See LP: #1841111 Change-Id: I31033bc7d95dfce6b677c6e948303f7154395f66 Closes-Bug: #1841111
2019-08-22 17:40:58 -04:00 · 2019-08-22 17:40:58 -04:00 · 4168ffd536
commit 4168ffd536
parent 4fb7ff1f7c
1 changed files with 1 additions and 0 deletions
--- a/templates/usr.bin.nova-compute
+++ b/templates/usr.bin.nova-compute
@ -134,4 +134,5 @@
 {% endif %}
  /var/lib/charm/*/ceph.conf r,
  /etc/ceph/* r,
+  /dev/net/tun rw,
 }