OpenStack origin: cloud:xenial-ocata
Charm release: 17.08
When using LBaaS v2, I got a 503 from the load balancer.
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
When I manually connected to the backing servers, they returned 200, so status monitoring should work. However, /var/log/neutron/neutron-lbaasv2-agent.log is flooded with socket connection errors, and AppArmor denied messages can also be observed.
[/var/log/neutron/neutron-lbaasv2-agent.log]
2017-09-21 19:44:44.850 736613 WARNING neutron_lbaas.drivers.haproxy.namespace_driver [-] Error while connecting to stats socket: [Errno 13] EACCES
2017-09-21 19:44:54.853 736613 WARNING neutron_lbaas.drivers.haproxy.namespace_driver [-] Error while connecting to stats socket: [Errno 13] EACCES
2017-09-21 19:45:04.851 736613 WARNING neutron_lbaas.drivers.haproxy.namespace_driver [-] Error while connecting to stats socket: [Errno 13] EACCES
2017-09-21 19:45:14.855 736613 WARNING neutron_lbaas.drivers.haproxy.namespace_driver [-] Error while connecting to stats socket: [Errno 13] EACCES
2017-09-21 19:45:24.860 736613 WARNING neutron_lbaas.drivers.haproxy.namespace_driver [-] Error while connecting to stats socket: [Errno 13] EACCES
[kernel log]
Sep 21 19:46:44 HOSTNAME kernel: audit: type=1400 audit(1506023204.857:304): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/neutron-lbaasv2-agent" name="var/lib/neutron/lbaas/v2/496d6d2b-8bf7-42b7-822f-c3f31d8db43f/haproxy_stats.sock" pid=736613 comm="neutron-lbaasv2" requested_mask="wr" denied_mask="wr" fsuid=115 ouid=0
Sep 21 19:46:54 HOSTNAME kernel: audit: type=1400 audit(1506023214.857:305): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/neutron-lbaasv2-agent" name="var/lib/neutron/lbaas/v2/496d6d2b-8bf7-42b7-822f-c3f31d8db43f/haproxy_stats.sock" pid=736613 comm="neutron-lbaasv2" requested_mask="wr" denied_mask="wr" fsuid=115 ouid=0
Sep 21 19:47:04 HOSTNAME kernel: audit: type=1400 audit(1506023224.857:306): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/neutron-lbaasv2-agent" name="var/lib/neutron/lbaas/v2/496d6d2b-8bf7-42b7-822f-c3f31d8db43f/haproxy_stats.sock" pid=736613 comm="neutron-lbaasv2" requested_mask="wr" denied_mask="wr" fsuid=115 ouid=0
Sep 21 19:47:14 HOSTNAME kernel: audit: type=1400 audit(1506023234.861:307): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/neutron-lbaasv2-agent" name="var/lib/neutron/lbaas/v2/496d6d2b-8bf7-42b7-822f-c3f31d8db43f/haproxy_stats.sock" pid=736613 comm="neutron-lbaasv2" requested_mask="wr" denied_mask="wr" fsuid=115 ouid=0
Sep 21 19:47:24 HOSTNAME kernel: audit: type=1400 audit(1506023244.865:308): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/neutron-lbaasv2-agent" name="var/lib/neutron/lbaas/v2/496d6d2b-8bf7-42b7-822f-c3f31d8db43f/haproxy_stats.sock" pid=736613 comm="neutron-lbaasv2" requested_mask="wr" denied_mask="wr" fsuid=115 ouid=0
It may be an AppArmor policy issue, but I am starting by filing a bug against charm-neutron-gateway since it's a charm-deployed environment.
Hmm, it looks like /etc/apparmor.d/usr.bin.neutron-lbaasv2-agent comes from the charm. I didn't enable aa-profile-mode at all, but the profile is activated?
$ juju config neutron-gateway aa-profile-mode
disable
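An added triage example, not part of the original report or the charm's code: it parses kernel audit lines in the format shown above, groups AppArmor denials by profile, operation and path, and flags the "disconnected path" ones. The sample lines are constructed; `<lb-id>` and `/etc/example.conf` are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the format of the kernel log lines in the report.
# <lb-id> and /etc/example.conf are placeholders, not values from a real host.
SAMPLE = """\
Sep 21 19:46:44 HOSTNAME kernel: audit: type=1400 audit(1506023204.857:304): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/neutron-lbaasv2-agent" name="var/lib/neutron/lbaas/v2/<lb-id>/haproxy_stats.sock" pid=736613 comm="neutron-lbaasv2" requested_mask="wr" denied_mask="wr" fsuid=115 ouid=0
Sep 21 19:46:54 HOSTNAME kernel: audit: type=1400 audit(1506023214.857:305): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/neutron-lbaasv2-agent" name="var/lib/neutron/lbaas/v2/<lb-id>/haproxy_stats.sock" pid=736613 comm="neutron-lbaasv2" requested_mask="wr" denied_mask="wr" fsuid=115 ouid=0
Sep 21 19:46:58 HOSTNAME kernel: audit: type=1400 audit(1506023218.100:306): apparmor="DENIED" operation="open" profile="/usr/bin/neutron-lbaasv2-agent" name="/etc/example.conf" pid=736613 comm="neutron-lbaasv2" requested_mask="r" denied_mask="r" fsuid=115 ouid=0
Sep 21 19:47:00 HOSTNAME kernel: constructed line without audit fields
"""

# key=value pairs as the kernel audit subsystem prints them; values may be quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Yield a dict of audit fields for every AppArmor DENIED record."""
    for line in text.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
        if fields.get("apparmor") == "DENIED":
            yield fields


def summarise(text):
    """Count denials per (profile, operation, name, denied_mask, disconnected)."""
    counts = Counter()
    for f in parse_denials(text):
        # In the report's disconnected-path records, name= has no leading "/".
        disconnected = "disconnected path" in f.get("info", "")
        counts[(f.get("profile"), f.get("operation"), f.get("name"),
                f.get("denied_mask"), disconnected)] += 1
    return counts


if __name__ == "__main__":
    # One summary row per distinct denial, most frequent first.
    for (profile, op, name, mask, disc), n in summarise(SAMPLE).most_common():
        tag = "DISCONNECTED" if disc else "ordinary"
        print(f"{n:3d}x {tag:12s} {profile} {op} {mask} {name}")
```

Collapsing the repeated records this way shows whether the flood is one denied socket or several distinct paths, which is what a profile review needs.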