AppArmor denying /sbin/mkswap execute for nova-compute

Bug #1813226 reported by Drew Freiberger
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Nova Compute Charm | Fix Released | Medium | Unassigned |

Bug Description

A customer has set up nova flavors that include a swap disk of 1024MB.

When these instances deploy to nova-compute nodes, nova-compute is being denied /sbin/mkswap by apparmor.

[5554118.175449] audit: type=1400 audit(1548371648.739:275): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/mkswap" pid=2008161 comm="nova-compute" requested_mask="x" denied_mask="x" fsuid=64060 ouid=0

2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [req-0182b37f-291e-4f19-8103-dc49ce2cb7f8 84eaac7a07e44c05bcec5d72481aae90 6f52b8683f1b4cefa5b46fc8269f26d2 - dca1e82bfd334bc2a3b9499de5247916 dca1e82bfd334bc2a3b9499de5247916] [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] Instance failed to spawn: OSError: [Errno 13] Permission denied
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] Traceback (most recent call last):
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] File "/usr/lib/python2.7/dist-packages/nova/compute/manager.py", line 2239, in _build_resources
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] yield resources
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] File "/usr/lib/python2.7/dist-packages/nova/compute/manager.py", line 2019, in _build_and_run_instance
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] block_device_info=block_device_info)
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] File "/usr/lib/python2.7/dist-packages/nova/virt/libvirt/driver.py", line 3086, in spawn
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] block_device_info=block_device_info)
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] File "/usr/lib/python2.7/dist-packages/nova/virt/libvirt/driver.py", line 3520, in _create_image
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] swap_mb=swap_mb)
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] File "/usr/lib/python2.7/dist-packages/nova/virt/libvirt/imagebackend.py", line 243, in cache
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] *args, **kwargs)
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] File "/usr/lib/python2.7/dist-packages/nova/virt/libvirt/imagebackend.py", line 597, in create_image
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] prepare_template(target=base, *args, **kwargs)
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] File "/usr/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py", line 277, in inner
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] return f(*args, **kwargs)
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] File "/usr/lib/python2.7/dist-packages/nova/virt/libvirt/imagebackend.py", line 239, in fetch_func_sync
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] fetch_func(target=target, *args, **kwargs)
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] File "/usr/lib/python2.7/dist-packages/nova/virt/libvirt/driver.py", line 3268, in _create_swap
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] utils.mkfs('swap', target)
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] File "/usr/lib/python2.7/dist-packages/nova/utils.py", line 748, in mkfs
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] execute(*args, run_as_root=run_as_root)
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] File "/usr/lib/python2.7/dist-packages/nova/utils.py", line 231, in execute
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] return processutils.execute(*cmd, **kwargs)
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] File "/usr/lib/python2.7/dist-packages/oslo_concurrency/processutils.py", line 391, in execute
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] env=env_variables)
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] File "/usr/lib/python2.7/dist-packages/eventlet/green/subprocess.py", line 54, in __init__
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] subprocess_orig.Popen.__init__(self, args, 0, *argss, **kwds)
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] File "/usr/lib/python2.7/subprocess.py", line 711, in __init__
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] errread, errwrite)
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] File "/usr/lib/python2.7/subprocess.py", line 1343, in _execute_child
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] raise child_exception
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] OSError: [Errno 13] Permission denied
2019-01-24 23:14:08.754 1407811 ERROR nova.compute.manager [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8]
2019-01-24 23:14:08.759 1407811 INFO nova.compute.manager [req-0182b37f-291e-4f19-8103-dc49ce2cb7f8 84eaac7a07e44c05bcec5d72481aae90 6f52b8683f1b4cefa5b46fc8269f26d2 - dca1e82bfd334bc2a3b9499de5247916 dca1e82bfd334bc2a3b9499de5247916] [instance: bb21b0d7-a7e3-49f8-86bc-e345c81c22b8] Terminating instance
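
An added example, not part of the original report or of the charm's code: a small triage script that pulls AppArmor `DENIED` records out of a kernel log, groups them by confined profile, and drafts the file rule each denial implies. The function names and the default exec mode `ix` are assumptions made here; the page does not show the rule the fix actually added, and the exec transition mode is a choice for whoever reviews the profile.

```python
import re

# key=value pairs as they appear in kernel audit records; values may be quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Line 1 is the audit record quoted in this bug report. Lines 2-3 are constructed:
# a repeat of the same denial from another pid, and an unrelated kernel message.
SAMPLE_LOG = """\
[5554118.175449] audit: type=1400 audit(1548371648.739:275): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/mkswap" pid=2008161 comm="nova-compute" requested_mask="x" denied_mask="x" fsuid=64060 ouid=0
[5554201.002113] audit: type=1400 audit(1548371731.566:276): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/mkswap" pid=2008377 comm="nova-compute" requested_mask="x" denied_mask="x" fsuid=64060 ouid=0
[5554202.000001] EXT4-fs (sda1): re-mounted. Opts: (null)
"""


def parse_denial(line):
    """Return the fields of an AppArmor DENIED audit record, or None."""
    if "type=1400" not in line:
        return None
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    return fields


def draft_rule(fields, exec_mode="ix"):
    """Turn a denial into a draft profile rule (exec_mode is an assumption)."""
    perms = ""
    for flag in fields.get("denied_mask", ""):
        # Log masks 'c' (create) and 'd' (delete) are covered by 'w' in a profile;
        # a bare 'x' must become an explicit exec mode such as ix, px or cx.
        perm = exec_mode if flag == "x" else ("w" if flag in "cd" else flag)
        if perm not in perms:
            perms += perm
    return "{} {},".format(fields["name"], perms)


def summarize(log_text):
    """Map each profile to the de-duplicated draft rules its denials imply."""
    rules = {}
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields:
            rule = draft_rule(fields)
            bucket = rules.setdefault(fields["profile"], [])
            if rule not in bucket:
                bucket.append(rule)
    return rules


if __name__ == "__main__":
    for profile, drafts in summarize(SAMPLE_LOG).items():
        print(profile, drafts)
```

Each draft rule is a starting point for review: confirm that the confined service really needs the binary before widening the profile.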

James Page (james-page)
Changed in charm-nova-compute:
status: New → Triaged
importance: Undecided → Medium
milestone: none → 19.04
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-nova-compute (master)

Reviewed: https://review.openstack.org/638623
Committed: https://git.openstack.org/cgit/openstack/charm-nova-compute/commit/?id=d75e536c4d15013bfc15d49f8ab44b1ae678e160
Submitter: Zuul
Branch: master

commit d75e536c4d15013bfc15d49f8ab44b1ae678e160
Author: James Page <email address hidden>
Date: Fri Feb 22 10:43:45 2019 +0000

    Add /sbin/mkswap to apparmor profile

    Ensure nova-compute can create swap files for instances to use.

    Change-Id: I0227c7caad3fd06112d6c30c271271b78f2299af
    Closes-Bug: 1813226

Changed in charm-nova-compute:
status: Triaged → Fix Committed
Felipe Reyes (freyes)
tags: added: backport-potential
David Ames (thedac)
Changed in charm-nova-compute:
status: Fix Committed → Fix Released