Release: Mirantis OpenStack 9.2
Build number: 528
Keystone Apparmor policy is not activated during package install time.
When Keystone package installed on controller the apparmor service is not refreshed/updated correctly Only the manual restart forces the keystone policy to be activated.
When controller is rebooted the service apparmor comes up with including the earlier not applied keystone policy.
Before controller reboot:
root@cic-2:~# apparmor_status
apparmor module is loaded.
7 profiles are loaded.
7 profiles are in enforce mode.
/sbin/dhclient
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/sbin/ntpd
/usr/sbin/slapd
/usr/sbin/tcpdump
docker-default
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
/usr/sbin/ntpd (4610)
/usr/sbin/slapd (16102)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
After controller reboot:
root@cic-2:~# apparmor_status
apparmor module is loaded.
8 profiles are loaded.
7 profiles are in enforce mode.
/sbin/dhclient
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/sbin/ntpd
/usr/sbin/slapd
/usr/sbin/tcpdump
docker-default
1 profiles are in complain mode.
/usr/bin/keystone-all
2 processes have profiles defined.
2 processes are in enforce mode.
/usr/sbin/ntpd (6269)
/usr/sbin/slapd (8663)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
sla2 for 9.0-updates