Nova can't be installed on RHEL/CentOS

Bug #1822991 reported by Jerzy Midura
Affects: openstack-helm
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (empty)

Bug Description

Due to the change in nova/values.yaml, especially lines 1959:1962, the AppArmor policy was added to the nova pod.

This change causes nova-compute to fail to start on non-Debian (Ubuntu) distros. Nova-compute pods are stuck in INIT:BLOCKED.
The following error can be found in the logs of the init container:
Mar 25 08:51:28 node1 kubelet: E0325 08:51:28.830670 6095 pod_workers.go:190] Error syncing pod 0e15d81a-4ed9-11e9-a5d3-52540058e105 ("nova-compute-default-mr64s_openstack(0e15d81a-4ed9-11e9-a5d3-52540058e105)"), skipping: pod cannot be run: Cannot enforce AppArmor: AppArmor is not enabled on the host

Tested on CentOS 7.6.

As a workaround I've commented out the following lines:
# mandatory_access_control:
#   type: apparmor
#   nova-compute-default:
#     nova-compute-default: localhost/docker-default

After the change Nova PODs started correctly.
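
A pre-flight check for the failure described in this report, as an added example that is not part of the original bug report or openstack-helm's own code: it reads the kernel's AppArmor state and looks for AppArmor annotations in a rendered manifest. It assumes the chart's mandatory_access_control values render to Kubernetes' `container.apparmor.security.beta.kubernetes.io/<container>` annotations; the function names and the sample manifest are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). A pod that carries an AppArmor
# annotation is refused by kubelet when the host kernel has AppArmor disabled.

# Standard kernel location for AppArmor state; contains "Y" when enabled.
APPARMOR_PARAM="${APPARMOR_PARAM:-/sys/module/apparmor/parameters/enabled}"
# Kubernetes beta annotation prefix. Assumption: the chart's
# mandatory_access_control values render to annotations with this prefix.
ANNOTATION='container\.apparmor\.security\.beta\.kubernetes\.io/'

# apparmor_enabled [param-file]: 0 if the file is readable and starts with "Y".
apparmor_enabled() {
    f="${1:-$APPARMOR_PARAM}"
    [ -r "$f" ] || return 1
    case "$(cat "$f")" in Y*) return 0 ;; *) return 1 ;; esac
}

# apparmor_containers <manifest>: print container names that request a profile.
apparmor_containers() {
    sed -n "s|.*${ANNOTATION}\([^:]*\):.*|\1|p" "$1" | sort -u
}

# preflight <param-file> <manifest>: 1 if kubelet would block the pod here.
preflight() {
    if apparmor_enabled "$1"; then return 0; fi
    blocked=$(apparmor_containers "$2")
    if [ -n "$blocked" ]; then
        echo "AppArmor not enabled on host; annotated containers: $blocked" >&2
        return 1
    fi
    return 0
}

# Demo on constructed input: a rendered pod snippet and a fake sysfs file ("N").
demo_dir=$(mktemp -d)
cat > "$demo_dir/pod.yaml" <<'EOF'
metadata:
  name: nova-compute-default
  annotations:
    container.apparmor.security.beta.kubernetes.io/nova-compute-default: localhost/docker-default
EOF
printf 'N\n' > "$demo_dir/enabled"
if preflight "$demo_dir/enabled" "$demo_dir/pod.yaml"; then
    echo "ok to deploy"
else
    echo "apply an override that drops mandatory_access_control first"
fi
rm -rf "$demo_dir"
```

On a real node, call `preflight "" rendered.yaml` so the check reads the kernel's own sysfs file, with `rendered.yaml` produced by `helm template`.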

Jerzy Midura (j.midura) wrote :

Moved to https://storyboard.openstack.org/#!/story/2005356; it is probably a better place. Sorry for the duplicate.

Gage Hugo (gagehugo) wrote :

These values were moved to overrides, so the default values.yaml shouldn't break RHEL/CentOS for this reason anymore.

Gage Hugo (gagehugo) wrote :
Changed in openstack-helm:
status: New → Fix Released