aa-profile enforce mode break libvirt-image-backend=rbd

Bug #1732492 reported by Edward Hope-Morley
Affects: OpenStack Nova Compute Charm
Status: Fix Released
Importance: High
Assigned to: Edward Hope-Morley
Milestone: (none listed)

Bug Description

If I deploy nova-compute to use the RBDImageBackend with aa-profile-mode=enforce I am unable to boot instances and I get:

[ 8953.984025] audit: type=1400 audit(1510763812.222:50): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/var/lib/charm/nova-compute/ceph.conf" pid=5781 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=113 ouid=0

So we need to allow nova-compute to access ceph.conf

Tags: openstack sts
Changed in charm-nova-compute:
assignee: nobody → Edward Hope-Morley (hopem)
status: New → Confirmed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-nova-compute (master)

Fix proposed to branch: master
Review: https://review.openstack.org/520165

Changed in charm-nova-compute:
status: Confirmed → In Progress
Hua Zhang (zhhuabj) wrote :

After adding the profile '/var/lib/charm/nova-compute/ceph.conf r,' into /etc/apparmor.d/usr.bin.nova-compute, we can continue to hit the following errors:

Nov 15 12:49:36 juju-864213-xenial-mitaka-ceph-11 kernel: [705198.766810] audit: type=1400 audit(1510750176.727:10140): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/tmp/" pid=16922 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
Nov 15 12:49:36 juju-864213-xenial-mitaka-ceph-11 kernel: [705198.766828] audit: type=1400 audit(1510750176.727:10141): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/var/tmp/" pid=16922 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
Nov 15 12:49:36 juju-864213-xenial-mitaka-ceph-11 kernel: [705198.779201] audit: type=1400 audit(1510750176.739:10142): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/etc/ceph/ceph.client.nova-compute.keyring" pid=16922 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=113 ouid=113

So I think the following profiles are required:

/var/lib/charm/nova-compute/ceph.conf r,
/etc/ceph/ceph.client.nova-compute.keyring r,
/tmp/ r,
/var/tmp/ r,
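
The rule list above is exactly what you get by reading the `name=` and `denied_mask=` fields out of each `apparmor="DENIED"` line, which is also what `aa-logprof` automates. The script below is an added illustration of that derivation, written for this page; it is not part of the bug thread, the charm, or the AppArmor tools. Its sample input reuses the four denial lines quoted in this report plus one constructed `apparmor="ALLOWED"` line to show that non-denials are ignored. It also applies two refinements a profile author would want: `c`/`d` (create/delete) in a denied mask are granted by `w` in a file rule, and a path whose every denial had `fsuid == ouid` (the keyring line above) can be given an `owner`-qualified rule rather than a plain one.

```python
import re
from collections import defaultdict

# Sample input: the four DENIED lines quoted in this bug report, plus one
# constructed ALLOWED line (not from the report) that must be skipped.
SAMPLE_LOG = """\
[ 8953.984025] audit: type=1400 audit(1510763812.222:50): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/var/lib/charm/nova-compute/ceph.conf" pid=5781 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
Nov 15 12:49:36 juju-864213-xenial-mitaka-ceph-11 kernel: [705198.766810] audit: type=1400 audit(1510750176.727:10140): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/tmp/" pid=16922 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
Nov 15 12:49:36 juju-864213-xenial-mitaka-ceph-11 kernel: [705198.766828] audit: type=1400 audit(1510750176.727:10141): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/var/tmp/" pid=16922 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
Nov 15 12:49:36 juju-864213-xenial-mitaka-ceph-11 kernel: [705198.779201] audit: type=1400 audit(1510750176.739:10142): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/etc/ceph/ceph.client.nova-compute.keyring" pid=16922 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=113 ouid=113
Nov 15 12:49:40 juju-864213-xenial-mitaka-ceph-11 kernel: [705202.000000] audit: type=1400 audit(1510750180.000:10143): apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute" name="/etc/nova/nova.conf" pid=16922 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
"""

# key=value pairs in an audit line; values are either "quoted" or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Letters that can appear in denied_mask but are not file-rule permissions:
# create and delete are both covered by write permission in a profile rule.
MASK_ALIASES = {"c": "w", "d": "w"}
# Canonical order for printing the permission letters of one rule.
MASK_ORDER = "rwmklx"


def parse_denial(line):
    """Return the fields of an AppArmor DENIED file-access audit line, or None
    for anything else (non-AppArmor lines, ALLOWED/STATUS events, denials
    without a file name such as capability or signal events)."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    if not fields.get("name") or "denied_mask" not in fields:
        return None
    return fields


def collect_denials(log_text):
    """Group denials as profile -> path -> {"masks": set, "owner": bool}.
    'owner' stays True only while every denial on that path had fsuid == ouid,
    i.e. the confined process was only touching files it owns."""
    wanted = defaultdict(dict)
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f is None:
            continue
        entry = wanted[f["profile"]].setdefault(
            f["name"], {"masks": set(), "owner": True})
        entry["masks"].update(MASK_ALIASES.get(c, c) for c in f["denied_mask"])
        entry["owner"] &= ("fsuid" in f and f["fsuid"] == f.get("ouid"))
    return wanted


def suggest_rules(wanted):
    """Render one AppArmor file rule per denied path, per profile, sorted so
    the output diffs cleanly against the existing profile."""
    suggestions = {}
    for profile, paths in wanted.items():
        rules = []
        for path in sorted(paths):
            masks = paths[path]["masks"]
            perms = "".join(c for c in MASK_ORDER if c in masks)
            perms += "".join(sorted(c for c in masks if c not in MASK_ORDER))
            prefix = "owner " if paths[path]["owner"] else ""
            rules.append(f"{prefix}{path} {perms},")
        suggestions[profile] = rules
    return suggestions


if __name__ == "__main__":
    for profile, rules in suggest_rules(collect_denials(SAMPLE_LOG)).items():
        print(f"# rules missing from profile {profile}")
        for rule in rules:
            print("  " + rule)
```

Two points worth keeping in mind when you paste the output into `/etc/apparmor.d/usr.bin.nova-compute`: a rule whose path ends in `/` (such as `/tmp/ r,`) grants read on the directory itself only, not on anything under it, so it is not an over-broad `/tmp/** r,`; and `owner` rules are the tighter choice wherever the log shows the process only ever reaching its own files, which is why the keyring line (fsuid and ouid both 113) comes out qualified while the root-owned ceph.conf does not.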

Edward Hope-Morley (hopem) wrote :

@zhhuabj I've now fixed this in the patch and there are no more denials for /tmp and /var/tmp.

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-nova-compute (master)

Reviewed: https://review.openstack.org/520165
Committed: https://git.openstack.org/cgit/openstack/charm-nova-compute/commit/?id=0423eae1dfd1e4d4f232cf5a2f58553a64f4b257
Submitter: Zuul
Branch: master

commit 0423eae1dfd1e4d4f232cf5a2f58553a64f4b257
Author: Edward Hope-Morley <email address hidden>
Date: Wed Nov 15 18:04:00 2017 +0000

    Add ceph paths to usr.bin.nova-compute aa profile

    The current profile does not include ceph paths
    which breaks nova-compute if
    libvirt-image-backend=rbd when in enforce mode.
    Also fix access to /tmp and /var/tmp.

    Change-Id: Ie03a43ef73ca5f97f4f9e5edcefd261a0e36abf9
    Closes-Bug: 1732492

Changed in charm-nova-compute:
status: In Progress → Fix Committed
James Page (james-page)
Changed in charm-nova-compute:
status: Fix Committed → Fix Released