Apparmor denies /usr/bin/nova-compute access to /proc/loadavg on openstack hypervisor show

Bug #1794564 reported by Drew Freiberger
Affects                       | Status       | Importance | Assigned to | Milestone
OpenStack Compute (nova)      | Invalid      | Undecided  | Unassigned  |
OpenStack Nova Compute Charm  | Fix Released | Medium     | James Page  |

Bug Description

On a Xenial-Queens cloud, I'm seeing a failure with the nova-compute 17.0.5-0ubuntu1~cloud0 package, which is unable to run uptime due to a failure to read /proc/loadavg.

Kernel log entries:

[4726259.738185] audit: type=1400 audit(1537977315.312:59959): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/proc/loadavg" pid=1958757 comm="uptime" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
[4726265.862186] audit: type=1400 audit(1537977321.436:59960): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/proc/loadavg" pid=1959961 comm="uptime" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0

This happens when running "openstack hypervisor show <hostname>" with AppArmor in enforce mode.

This read access to /proc/loadavg should be added to the AppArmor profiles for the nova-compute package.
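As an added illustration (not part of this bug report or of the charm's own code), the following Python script parses AppArmor audit lines like the two above, groups the denials by profile and path, and renders the minimal file rule that would permit the access; the sample log text is constructed from the two lines quoted in this report, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the two kernel audit lines quoted in this bug.
SAMPLE_LOG = """\
[4726259.738185] audit: type=1400 audit(1537977315.312:59959): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/proc/loadavg" pid=1958757 comm="uptime" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
[4726265.862186] audit: type=1400 audit(1537977321.436:59960): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/proc/loadavg" pid=1959961 comm="uptime" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_apparmor_line(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {key: raw.strip('"') for key, raw in KV_RE.findall(line)}


def collect_denials(log_text):
    """Group DENIED events by (profile, path), merging the denied masks."""
    denials = defaultdict(lambda: {"mask": set(), "comm": set(), "count": 0})
    for line in log_text.splitlines():
        ev = parse_apparmor_line(line)
        if not ev or ev.get("apparmor") != "DENIED":
            continue
        entry = denials[(ev["profile"], ev["name"])]
        entry["mask"].update(ev.get("denied_mask", ""))  # e.g. "rw" -> {"r","w"}
        entry["comm"].add(ev.get("comm", "?"))
        entry["count"] += 1
    return denials


def suggest_rules(denials):
    """Render, per profile, the AppArmor file rules that would allow each denial."""
    rules = {}
    for (profile, path), info in denials.items():
        mask = "".join(sorted(info["mask"]))
        rules.setdefault(profile, []).append(f"  {path} {mask},")
    return rules


if __name__ == "__main__":
    for profile, lines in suggest_rules(collect_denials(SAMPLE_LOG)).items():
        print(f"# rules to add to profile {profile}")
        print("\n".join(lines))
```

Run against the two lines above it prints `/proc/loadavg r,` for the `/usr/bin/nova-compute` profile; review each suggested rule before adding it, since a denial only shows what was requested, not whether the access is appropriate.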

Revision history for this message
Drew Freiberger (afreiberger) wrote :

Added charm-nova-compute, as this seems to be an apparmor file dropped by the charm

Drew Freiberger (afreiberger) wrote :

Provided fix for review here: https://review.openstack.org/#/c/605822/

Drew Freiberger (afreiberger) wrote :

Additional note, this seems to be on Xenial when running HWE (4.15) kernel.

James Page (james-page)
Changed in charm-nova-compute:
status: New → Triaged
Changed in nova:
status: New → Invalid
Changed in charm-nova-compute:
importance: Undecided → Medium
assignee: nobody → James Page (james-page)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-nova-compute (master)

Fix proposed to branch: master
Review: https://review.openstack.org/611567

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-nova-compute (master)

Reviewed: https://review.openstack.org/611567
Committed: https://git.openstack.org/cgit/openstack/charm-nova-compute/commit/?id=88c45e0fc70d7cd867f694f7abd7525a291fdf5b
Submitter: Zuul
Branch: master

commit 88c45e0fc70d7cd867f694f7abd7525a291fdf5b
Author: James Page <email address hidden>
Date: Thu Oct 18 11:40:23 2018 +0100

    apparmor: add read permission on /proc/loadavg

    Later OpenStack releases need access to this part; update apparmor
    profile to permit read access.

    Change-Id: Id4d8dace86b22a194a996232d4f50cef4c098c13
    Closes-Bug: 1794564

Changed in charm-nova-compute:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Change abandoned on charm-nova-compute (master)

Change abandoned by Drew Freiberger (<email address hidden>) on branch: master
Review: https://review.openstack.org/605822

David Ames (thedac)
Changed in charm-nova-compute:
milestone: none → 19.04
David Ames (thedac)
Changed in charm-nova-compute:
status: Fix Committed → Fix Released