Apparmor denies /usr/bin/nova-compute access to /proc/loadavg on openstack hypervisor show
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | Invalid | Undecided | Unassigned | |
OpenStack Nova Compute Charm | Fix Released | Medium | James Page | |
Bug Description
On Xenial-Queens cloud, I'm seeing failure with nova-compute 17.0.5-
Kernel log entries:
[4726259.738185] audit: type=1400 audit(153797731
[4726265.862186] audit: type=1400 audit(153797732
This happens when running "openstack hypervisor show <hostname>" with AppArmor in enforce mode.
This read access to /proc/loadavg should be added to AppArmor profiles for the nova-compute package.
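Added example, not part of the bug report or the charm's code: a small Python triage script that turns AppArmor `DENIED` audit records into candidate profile rules, so the `/proc/loadavg` denial described above maps to the read rule the report asks for. The log lines are constructed (the report's own entries are truncated), and the `/usr/bin/example-daemon` profile and its path are hypothetical.

```python
import re
from collections import defaultdict

# Constructed kernel log lines in the AppArmor audit format; not taken from the bug report.
SAMPLE_LOG = """\
[  100.000001] audit: type=1400 audit(1500000000.001:101): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/proc/loadavg" pid=1234 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  106.000002] audit: type=1400 audit(1500000006.002:102): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/proc/loadavg" pid=1234 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  107.000003] audit: type=1400 audit(1500000007.003:103): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/nova-compute" pid=2000 comm="apparmor_parser"
[  108.000004] audit: type=1400 audit(1500000008.004:104): apparmor="DENIED" operation="mknod" profile="/usr/bin/example-daemon" name=2F746D702F612062 pid=3000 comm="example-daemon" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")
# Kernel mask letters mapped to profile permissions; create (c) and delete (d) fall under write.
PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w", "k": "k", "l": "l", "m": "m"}

def parse_record(line):
    """Return the key=value fields of one audit line."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        # Names with spaces or control characters are logged hex-encoded and unquoted.
        if key == "name" and bare and HEX.fullmatch(bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = quoted or bare
    return fields

def suggest_rules(log_text):
    """Map each confined profile to candidate file rules covering its DENIED records."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED" or not all(k in rec for k in ("profile", "name", "denied_mask")):
            continue
        # Exec denials (x) need a hand-chosen transition mode, so they are left out here.
        mapped = {PERM[c] for c in rec["denied_mask"] if c in PERM}
        if mapped:
            perms[(rec["profile"], rec["name"])] |= mapped
    rules = defaultdict(list)
    for (profile, path), granted in sorted(perms.items()):
        if "w" in granted:
            granted.discard("a")  # write implies append; the parser rejects both in one rule
        target = f'"{path}"' if re.search(r"\s", path) else path
        rules[profile].append(f"{target} {''.join(p for p in 'rwaklm' if p in granted)},")
    return dict(rules)

if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(profile, *lines, sep="\n  ")
```

The output is a list of candidates to review before they go into a profile; repeated denials collapse into one rule per profile and path.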
Changed in charm-nova-compute:
status: New → Triaged
Changed in nova:
status: New → Invalid
Changed in charm-nova-compute:
importance: Undecided → Medium
assignee: nobody → James Page (james-page)
status: Triaged → In Progress
Changed in charm-nova-compute:
milestone: none → 19.04
Changed in charm-nova-compute:
status: Fix Committed → Fix Released
Added charm-nova-compute, as this seems to be an apparmor file dropped by the charm