snap: Temporal cannot read GOMAXPROCS

Bug #2059419 reported by Anton Troyanov
Affects   Status    Importance   Assigned to   Milestone
MAAS      Triaged   Medium       Unassigned

Bug Description

Mar 28 10:49:22 maas maas-temporal[538987]: 2024/03/28 10:49:22 WARNING: failed to set GOMAXPROCS: open /sys/fs/cgroup/system.slice/snap.maas.pebble.service/cpu.max: permission denied.

root@foo:~# snap connections maas
Interface              Plug                        Slot                    Notes
avahi-observe          maas:avahi-observe          :avahi-observe          -
content                -                           maas:maas-logs          -
content                maas:test-db-socket         -                       -
hardware-observe       maas:hardware-observe       :hardware-observe       -
home                   maas:home                   :home                   -
kernel-module-observe  maas:kernel-module-observe  :kernel-module-observe  -
mount-observe          maas:mount-observe          :mount-observe          -
network                maas:network                :network                -
network-bind           maas:network-bind           :network-bind           -
network-control        maas:network-control        :network-control        -
network-observe        maas:network-observe        :network-observe        -
snap-refresh-control   maas:snap-refresh-control   :snap-refresh-control   -
system-observe         maas:system-observe         :system-observe         -
time-control           maas:time-control           :time-control           -

Anton Troyanov (troyanov) wrote :

Seems to be AppArmor related

Mar 28 17:12:28 cyberfarm kernel: [4545037.534115] audit: type=1400 audit(1711635148.229:13416): apparmor="DENIED" operation="open" class="file" namespace="root//lxd-maas_<var-snap-lxd-common-lxd>" profile="snap.maas.pebble" name="/sys/fs/cgroup/system.slice/snap.maas.pebble.service/cpu.max" pid=1527142 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000

Anton Troyanov (troyanov) wrote :

If I add the following under /var/lib/snapd/apparmor/profiles/snap.maas.pebble then everything works.

/sys/fs/cgroup/system.slice/snap.maas.pebble.service/cpu.max r,

Maybe we should add /sys/fs/cgroup/system.slice/snap.@{SNAP_NAME}/cpu.max r to system-observe?
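
Added example, not part of the bug report and not MAAS or snapd code: a Python triage helper that parses AppArmor audit denials like the one quoted above, deduplicates them, and derives exact-path candidate rules such as the one tried in the last comment. The names parse_denial and candidate_rules, the profile snap.example and the path /tmp/a b are assumptions made for illustration.

```python
import re
from collections import defaultdict

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")
# Denial copied from the bug report above.
REPORTED = (
    'Mar 28 17:12:28 cyberfarm kernel: [4545037.534115] audit: type=1400 '
    'audit(1711635148.229:13416): apparmor="DENIED" operation="open" '
    'class="file" namespace="root//lxd-maas_<var-snap-lxd-common-lxd>" '
    'profile="snap.maas.pebble" '
    'name="/sys/fs/cgroup/system.slice/snap.maas.pebble.service/cpu.max" '
    'pid=1527142 comm="python3" requested_mask="r" denied_mask="r" '
    'fsuid=1000000 ouid=1000000')
# Constructed: the same denial from another pid, and a hex-encoded name
# (audit logs names containing spaces or quotes as unquoted hex).
REPEAT = REPORTED.replace("pid=1527142", "pid=1527143")
HEXED = ('audit: type=1400 apparmor="DENIED" operation="open" '
         'profile="snap.example" name=' + b"/tmp/a b".hex().upper() +
         ' pid=1 comm="x" requested_mask="r" denied_mask="r"')

def parse_denial(line):
    """Return the key=value fields of an AppArmor denial, or None."""
    fields = {}
    for key, raw, quoted in KV.findall(line):
        if raw.startswith('"'):
            fields[key] = quoted
        elif key == "name" and HEX.fullmatch(raw):
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    needed = ("profile", "name", "denied_mask")
    if fields.get("apparmor") != "DENIED" or any(k not in fields for k in needed):
        return None
    return fields

def candidate_rules(lines):
    """Map each profile to exact-path rules covering its logged denials."""
    masks = defaultdict(lambda: defaultdict(set))
    for f in filter(None, map(parse_denial, lines)):
        masks[f["profile"]][f["name"]].update(f["denied_mask"])
    quote = lambda p: f'"{p}"' if " " in p else p  # paths with spaces are quoted
    return {prof: [f"{quote(p)} {''.join(sorted(m))}," for p, m in sorted(paths.items())]
            for prof, paths in masks.items()}

if __name__ == "__main__":
    for prof, rules in candidate_rules([REPORTED, REPEAT, HEXED]).items():
        print(prof, *rules, sep="\n  ")
```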
