Opened by afreiberger on 2018-09-26 15:54:08+00:00 at https://github.com/juju-solutions/layer-etcd/issues/139
------------------------------------------------------------
Every 5 minutes (update-status hook) the etcd charm is calling etcdctl, which is causing 4 entries in the kernel logs for apparmor denials:
[Wed Sep 26 15:46:31 2018] audit: type=1400 audit(1537976803.563:59951): apparmor="DENIED" operation="file_lock" namespace="root//lxd-juju-7e2a4a-15-lxd-2_" profile="/snap/core/5328/usr/lib/snapd/snap-confine" name="/dev/null" pid=1907424 comm="etcdctl" requested_mask="k" denied_mask="k" fsuid=100000 ouid=0
[Wed Sep 26 15:46:32 2018] audit: type=1400 audit(1537976804.507:59952): apparmor="DENIED" operation="file_lock" namespace="root//lxd-juju-7e2a4a-15-lxd-2_" profile="/snap/core/5328/usr/lib/snapd/snap-confine" name="/dev/null" pid=1907909 comm="etcdctl" requested_mask="k" denied_mask="k" fsuid=100000 ouid=0
[Wed Sep 26 15:46:33 2018] audit: type=1400 audit(1537976805.331:59953): apparmor="DENIED" operation="file_lock" namespace="root//lxd-juju-7e2a4a-15-lxd-2_" profile="/snap/core/5328/usr/lib/snapd/snap-confine" name="/dev/null" pid=1908489 comm="etcdctl" requested_mask="k" denied_mask="k" fsuid=100000 ouid=0
[Wed Sep 26 15:46:33 2018] audit: type=1400 audit(1537976805.427:59954): apparmor="DENIED" operation="file_lock" namespace="root//lxd-juju-7e2a4a-15-lxd-2_" profile="/snap/core/5328/usr/lib/snapd/snap-confine" name="/dev/null" pid=1908548 comm="etcdctl" requested_mask="k" denied_mask="k" fsuid=100000 ouid=0
What could possibly be trying to lock /dev/null? I'm trying to understand this problem; a simple redirection (like something >/dev/null) seems not to cause the lock attempt. I don't have much experience with juju/snaps/charms, so I'm trying to instrument the kernel file locking functions to collect information.
Also, would it be harmful to just add rwk to the apparmor profile in this case, to allow such locking?
Thanks!
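
Added example, not part of the original issue or of the charm's code: a small parser that groups AppArmor `DENIED` audit records by profile, command, operation and target, and decodes the mask letters (`k` is AppArmor's file-lock permission), so a recurring hook shows up as one row with a count. The function names are hypothetical and the sample records are constructed in the shape of the lines quoted above.

```python
import re
from collections import Counter

# AppArmor file-permission letters as they appear in requested_mask/denied_mask.
MASK = {"r": "read", "w": "write", "a": "append", "k": "lock",
        "l": "link", "m": "mmap-exec", "x": "execute"}
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, else None."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def summarize(log_text):
    """Group denials by (profile, comm, operation, name, mask), most frequent first."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f:
            counts[(f.get("profile"), f.get("comm"), f.get("operation"),
                    f.get("name"), f.get("denied_mask", ""))] += 1
    return [{"profile": p, "comm": c, "operation": op, "name": n,
             "denied": [MASK.get(ch, "unknown:" + ch) for ch in mask],
             "count": k}
            for (p, c, op, n, mask), k in counts.most_common()]

# Constructed sample records (pids, namespace and the second target are made up).
_REC = ('[Wed Sep 26 15:46:3{i} 2018] audit: type=1400 audit(153797680{i}.000:5995{i}): '
        'apparmor="DENIED" operation="file_lock" namespace="root//lxd-example_" '
        'profile="/snap/core/5328/usr/lib/snapd/snap-confine" name="{name}" '
        'pid={pid} comm="{comm}" requested_mask="{mask}" denied_mask="{mask}" '
        'fsuid=100000 ouid=0')
SAMPLE = "\n".join(
    [_REC.format(i=i, name="/dev/null", pid=1000 + i, comm="etcdctl", mask="k")
     for i in (1, 2, 3)]
    + ["[Wed Sep 26 15:46:34 2018] constructed non-audit kernel line",
       _REC.format(i=5, name="/tmp/example.lock", pid=2000, comm="example", mask="wk")])

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```
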