"qemu" user needs access to HugePage directory (bsc#1092431)

In ardana the qemu binary is run under the 'qemu' user not root. When using hugepages, the same user that runs the qemu binary needs permissions to acces the directory where hugepages are mounted. It is best to mount hugepages in a more temporary and less restrictive location. We also have to give root access to the directory. Change-Id: I1233c3dc146a7c5b8bc1b6bcfcb56fb6f0547eb0
ArdanaCLM · Jul 27, 2018 · c598123 · c598123
1 parent 336a954
commit c598123
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 3 deletions.
diff --git a/roles/NOV-CMP-KVM/defaults/main.yml b/roles/NOV-CMP-KVM/defaults/main.yml
@@ -33,6 +33,7 @@ nova_cgroup_device_acl:
   - /dev/hpet
   - /dev/vfio/vfio
 huge_page_sizes: "{{ non_numa_huge_pages | union(numa_huge_pages) | map(attribute='size') | unique | list }}"
+huge_page_dirs_mode: +t,ug=rwx,o-rwx
 neutron_ovs_bridge:
   "{%- set ovs_br_list = NOV_KVM | provided_data('ovs_bridge') -%}
    {%- if ovs_br_list | length > 0 -%}

diff --git a/roles/NOV-CMP-KVM/files/etc/apparmor.d/abstractions/libvirt-qemu b/roles/NOV-CMP-KVM/files/etc/apparmor.d/abstractions/libvirt-qemu
@@ -73,7 +73,7 @@
   #/var/lib/dbus/machine-id r,
 
   # Allow access to hugepages
-  /dev/hugepages_*/** rw,
+  /tmp/hugepages_*/** rw,
 
   # access to firmware's etc
   /usr/share/kvm/** r,

diff --git a/roles/NOV-CMP-KVM/tasks/configure.yml b/roles/NOV-CMP-KVM/tasks/configure.yml
@@ -169,6 +169,22 @@
     state: directory
   when: sym_result.stat.islnk is defined and sym_result.stat.islnk == False
 
+- name: NOV-CMP-KVM | configure |
+        Set ownership of hugepage directories to qemu user
+  become: yes
+  file:
+    path: /tmp/hugepages_{{ item.size }}
+    state: directory
+    owner: "{{ libvirt_qemu_user }}"
+    group: "root"
+    mode: "{{ huge_page_dirs_mode }"
+  with_items:
+    total_huge_pages
+  when:
+    total_huge_pages | length > 0
+  tags:
+    - skip_ansible_lint
+
 #(TODO)From 4.0 version we can remove the copy of saved instances images
 - name: NOV-CMP-KVM | configure | Copy saved instances images to new location
   become: yes

diff --git a/roles/NOV-CMP-KVM/templates/qemu.conf.j2 b/roles/NOV-CMP-KVM/templates/qemu.conf.j2
@@ -1,3 +1,22 @@
+{#
+#
+# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
+# (c) Copyright 2017-2018 SUSE LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+#}
+
 # Master configuration file for the QEMU driver.
 # All settings described here are optional - if omitted, sensible
 # defaults are used.
@@ -346,7 +365,7 @@ cgroup_device_acl = [
 # be specified at once, separated by comma and enclosed in square
 # brackets, for example:
 #
-#     hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"]
+#     hugetlbfs_mount = ["/tmp/hugepages2M", "/tmp/hugepages1G"]
 #
 # The size of huge page served by specific mount point is determined by
 # libvirt at the daemon startup.
@@ -357,7 +376,7 @@ cgroup_device_acl = [
 {% if huge_page_sizes is defined and huge_page_sizes|length > 0 %}
 hugetlbfs_mount = [
   {% for size in huge_page_sizes %}
-    "/dev/hugepages_{{ size }}"{% if not loop.last %},{% endif %}
+    "/tmp/hugepages_{{ size }}"{% if not loop.last %},{% endif %}
   {% endfor %}
 ]
 {% endif %}