apparmor: missing 'l' permission for directory based OSD's in /srv/ceph

Bug #1748426 reported by James Page
This bug affects 1 person
Affects: Ceph OSD Charm
Status: Fix Released
Importance: High
Assigned to: James Page

Bug Description

If a deployment is using directory based OSD's mounted under /srv/ceph, the 'l' permission is required for ceph-osd operation OR over time the ceph-osd daemons will fail internal ops and eventually core dump.

syslog:Feb 9 10:55:36 ucs-5a-block-3 kernel: [714046.268570] audit: type=1400 audit(1518173736.395:34384): apparmor="ALLOWED" operation="link" profile="/usr/bin/ceph-osd" name="/srv/ceph/bcache-sdg/current/1.4b_head/DIR_B/DIR_4/gnocchi\u0c24d173-d667-434d-b4e6-95bdd773d531\u1517400000.0\umin\u300.0\uv3__head_372A954B__1" pid=358592 comm="tp_fstore_op" requested_mask="l" denied_mask="l" fsuid=64045 ouid=64045 target="/srv/ceph/bcache-sdg/current/1.4b_head/DIR_B/gnocchi\u0c24d173-d667-434d-b4e6-95bdd773d531\u1517400000.0\umin\u300.0\uv3__head_372A954B__1"
syslog:Feb 9 10:55:36 ucs-5a-block-3 kernel: [714046.268602] audit: type=1400 audit(1518173736.395:34385): apparmor="ALLOWED" operation="link" profile="/usr/bin/ceph-osd" name="/srv/ceph/bcache-sdg/current/1.4b_head/DIR_B/DIR_4/gnocchi\u0ce05e5b-41de-4f04-9efc-70053dfde9ec\u1517400000.0\umean\u300.0\uv3__head_C058744B__1" pid=358592 comm="tp_fstore_op" requested_mask="l" denied_mask="l" fsuid=64045 ouid=64045 target="/srv/ceph/bcache-sdg/current/1.4b_head/DIR_B/gnocchi\u0ce05e5b-41de-4f04-9efc-70053dfde9ec\u1517400000.0\umean\u300.0\uv3__head_C058744B__1"
syslog:Feb 9 10:55:36 ucs-5a-block-3 kernel: [714046.268695] audit: type=1400 audit(1518173736.395:34386): apparmor="ALLOWED" operation="link" profile="/usr/bin/ceph-osd" name="/srv/ceph/bcache-sdg/current/1.4b_head/DIR_B/DIR_4/gnocchi\u0e0ecab3-1aee-477d-bf6b-f622e194e18a\unone\uv3__head_D27C7C4B__1" pid=358592 comm="tp_fstore_op" requested_mask="l" denied_mask="l" fsuid=64045 ouid=64045 target="/srv/ceph/bcache-sdg/current/1.4b_head/DIR_B/gnocchi\u0e0ecab3-1aee-477d-bf6b-f622e194e18a\unone\uv3__head_D27C7C4B__1"
syslog:Feb 9 10:55:36 ucs-5a-block-3 kernel: [714046.268736] audit: type=1400 audit(1518173736.395:34387): apparmor="ALLOWED" operation="link" profile="/usr/bin/ceph-osd" name="/srv/ceph/bcache-sdg/current/1.4b_head/DIR_B/DIR_4/gnocchi\u0fbe65eb-a029-4e2f-9885-46524f1cd91b\u1517400000.0\usum\u300.0\uv3__head_1B6CAB4B__1" pid=358592 comm="tp_fstore_op" requested_mask="l" denied_mask="l" fsuid=64045 ouid=64045 target="/srv/ceph/bcache-sdg/current/1.4b_head/DIR_B/gnocchi\u0fbe65eb-a029-4e2f-9885-46524f1cd91b\u1517400000.0\usum\u300.0\uv3__head_1B6CAB4B__1"
syslog:Feb 9 10:55:36 ucs-5a-block-3 kernel: [714046.268774] audit: type=1400 audit(1518173736.395:34388): apparmor="ALLOWED" operation="link" profile="/usr/bin/ceph-osd" name="/srv/ceph/bcache-sdg/current/1.4b_head/DIR_B/DIR_4/gnocchi\u10356080-cb66-4c0f-9e58-30bc28467936\u1517400000.0\umax\u300.0\uv3__head_8DE6B14B__1" pid=358592 comm="tp_fstore_op" requested_mask="l" denied_mask="l" fsuid=64045 ouid=64045 target="/srv/ceph/bcache-sdg/current/1.4b_head/DIR_B/gnocchi\u10356080-cb66-4c0f-9e58-30bc28467936\u1517400000.0\umax\u300.0\uv3__head_8DE6B14B__1"
syslog:Feb 9 10:55:36 ucs-5a-block-3 kernel: [714046.268811] audit: type=1400 audit(1518173736.395:34389): apparmor="ALLOWED" operation="link" profile="/usr/bin/ceph-osd" name="/srv/ceph/bcache-sdg/current/1.4b_head/DIR_B/DIR_4/gnocchi\u1065bcf4-2961-41f5-bf8f-8aeeb67065a1\unone\uv3__head_4788C34B__1" pid=358592 comm="tp_fstore_op" requested_mask="l" denied_mask="l" fsuid=64045 ouid=64045 target="/srv/ceph/bcache-sdg/current/1.4b_head/DIR_B/gnocchi\u1065bcf4-2961-41f5-bf8f-8aeeb67065a1\unone\uv3__head_4788C34B__1"
syslog:Feb 9 10:55:36 ucs-5a-block-3 kernel: [714046.268847] audit: type=1400 audit(1518173736.395:34390): apparmor="ALLOWED" operation="link" profile="/usr/bin/ceph-osd" name="/srv/ceph/bcache-sdg/current/1.4b_head/DIR_B/DIR_4/gnocchi\u151b1ac5-deed-4124-af1f-23853e46cbd7\u1517400000.0\usum\u300.0\uv3__head_C33E234B__1" pid=358592 comm="tp_fstore_op" requested_mask="l" denied_mask="l" fsuid=64045 ouid=64045 target="/srv/ceph/bcache-sdg/current/1.4b_head/DIR_B/gnocchi\u151b1ac5-deed-4124-af1f-23853e46cbd7\u1517400000.0\usum\u300.0\uv3__head_C33E234B__1"

James Page (james-page) wrote :

(for clarity 'l' is permissions to hard link)
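
Added example, not part of the original report or the charm's code: a small Python triage script that groups AppArmor audit records like the ones above by profile, operation and denied mask, and flags groups seen only as "ALLOWED" (complain mode), which are the accesses that start failing once the profile is enforced. The sample lines, host name and object names are constructed; only quoted key="value" fields are parsed.

```python
import posixpath
import re
from collections import defaultdict

KV = re.compile(r'(\w+)="([^"]*)"')  # quoted key="value" audit fields only

def sample_event(seq, verdict, name, target):
    """Build a constructed audit line in the format shown in this report."""
    return ('Feb 9 10:55:36 host kernel: [1.0] audit: type=1400 '
            f'audit(1518173736.395:{seq}): apparmor="{verdict}" '
            'operation="link" profile="/usr/bin/ceph-osd" '
            f'name="{name}" pid=100 comm="tp_fstore_op" requested_mask="l" '
            f'denied_mask="l" fsuid=64045 ouid=64045 target="{target}"')

# Constructed sample input (hypothetical host and object names).
SAMPLE = [
    sample_event(1, "ALLOWED", "/srv/ceph/osd-a/current/1.4b_head/DIR_B/DIR_4/obj1",
                 "/srv/ceph/osd-a/current/1.4b_head/DIR_B/obj1"),
    sample_event(2, "ALLOWED", "/srv/ceph/osd-b/current/2.1_head/DIR_3/DIR_0/obj2",
                 "/srv/ceph/osd-b/current/2.1_head/DIR_3/obj2"),
    "Feb 9 10:55:37 host kernel: [2.0] eth0: link is up",  # unrelated line
]

def missing_permissions(lines):
    """Summarise AppArmor events per (profile, operation, denied_mask)."""
    groups = defaultdict(lambda: {"events": 0, "verdicts": set(), "paths": []})
    for line in lines:
        fields = dict(KV.findall(line))
        # ALLOWED = complain mode: logged, but would be refused when enforcing.
        if fields.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        if not {"profile", "operation", "denied_mask"} <= fields.keys():
            continue
        g = groups[(fields["profile"], fields["operation"], fields["denied_mask"])]
        g["events"] += 1
        g["verdicts"].add(fields["apparmor"])
        g["paths"] += [fields[k] for k in ("name", "target") if k in fields]
    report = []
    for (profile, operation, mask), g in sorted(groups.items()):
        report.append({
            "profile": profile, "operation": operation, "mask": mask,
            "events": g["events"],
            "complain_only": g["verdicts"] == {"ALLOWED"},
            # Narrowest directory covering every source and link target seen.
            "common_dir": posixpath.commonpath(g["paths"]) if g["paths"] else None,
        })
    return report

if __name__ == "__main__":
    for row in missing_permissions(SAMPLE):
        print(row)
```

A group with complain_only set and mask "l" under a single common_dir is the pattern this bug describes: review that directory against the profile's file rules before switching the profile to enforce mode.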

Changed in charm-ceph-osd:
status: New → Triaged
importance: Undecided → High
status: Triaged → In Progress
assignee: nobody → James Page (james-page)
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-ceph-osd (master)

Reviewed: https://review.openstack.org/542784
Committed: https://git.openstack.org/cgit/openstack/charm-ceph-osd/commit/?id=c4473c291634ea9e962827b02d2b30d9a033cbbc
Submitter: Zuul
Branch: master

commit c4473c291634ea9e962827b02d2b30d9a033cbbc
Author: James Page <email address hidden>
Date: Fri Feb 9 11:21:31 2018 +0000

    apparmor: Fix use with directory based OSD's

    Ensure that directory based OSD's under /srv/ceph can hard
    link when apparmor is in enforce mode. If not, then links go
    missing over time and the ceph-osd daemons eventually abort.

    Change-Id: I7cc25f5d436204d1f47c9a3a67a15f27c16b7505
    Closes-Bug: 1748426

Changed in charm-ceph-osd:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-ceph-osd (stable/17.11)

Fix proposed to branch: stable/17.11
Review: https://review.openstack.org/542950

James Page (james-page)
Changed in charm-ceph-osd:
status: Fix Committed → Fix Released
milestone: none → 18.02
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-ceph-osd (stable/17.11)

Reviewed: https://review.openstack.org/542950
Committed: https://git.openstack.org/cgit/openstack/charm-ceph-osd/commit/?id=9355f9738a3225a09ed76d8273df74bb101e48e2
Submitter: Zuul
Branch: stable/17.11

commit 9355f9738a3225a09ed76d8273df74bb101e48e2
Author: James Page <email address hidden>
Date: Fri Feb 9 11:21:31 2018 +0000

    apparmor: Fix use with directory based OSD's

    Ensure that directory based OSD's under /srv/ceph can hard
    link when apparmor is in enforce mode. If not, then links go
    missing over time and the ceph-osd daemons eventually abort.

    Change-Id: I7cc25f5d436204d1f47c9a3a67a15f27c16b7505
    Closes-Bug: 1748426
    (cherry picked from commit c4473c291634ea9e962827b02d2b30d9a033cbbc)
