Apparmor denied on install

Bug #1857125 reported by Peter Sabaini
This bug affects 1 person
Affects                          Status   Importance  Assigned to  Milestone
OpenStack Neutron Gateway Charm  Expired  Undecided   Unassigned

Bug Description

I'm seeing apparmor DENIED when installing neutron-gateway with aa-profile-mode=enable and subsequent EPERMs:

 apparmor="DENIED" operation="open" profile="/usr/bin/neutron-dhcp-agent" name="/usr/local/lib/python3.6/dist-packages/Tempita-0.5.2.dist-info/" pid=66631 comm="neutron-dhcp-ag" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
 apparmor="DENIED" operation="open" profile="/usr/bin/neutron-dhcp-agent" name="/etc/default/apport" pid=66631 comm="neutron-dhcp-ag" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
 apparmor="DENIED" operation="open" profile="/usr/bin/neutron-dhcp-agent" name="/etc/apt/apt.conf.d/" pid=66631 comm="neutron-dhcp-ag" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
 apparmor="DENIED" operation="open" profile="/usr/bin/neutron-dhcp-agent" name="/usr/share/dpkg/cputable" pid=66631 comm="neutron-dhcp-ag" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
 apparmor="DENIED" operation="open" profile="/usr/bin/neutron-lbaasv2-agent" name="/etc/ssl/openssl.cnf" pid=66642 comm="neutron-lbaasv2" requested_mask="r" denied_mask="r" fsuid=113 ouid=0

This is on cloud:bionic-stein, charm version neutron-gateway 14.0.2, jujucharms 276

Package version: 2:14.0.2-0ubuntu1~cloud0

Traceback and bundle excerpt: https://pastebin.ubuntu.com/p/FtRvkMRNsz/
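
The denials quoted in this report, grouped by confined profile, as an added example that is not part of the original report or of the charm's code. It parses the audit records and renders each denied path as a candidate profile rule for a human to review; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: the five DENIED records quoted in the bug description.
SAMPLE_LOG = """\
apparmor="DENIED" operation="open" profile="/usr/bin/neutron-dhcp-agent" name="/usr/local/lib/python3.6/dist-packages/Tempita-0.5.2.dist-info/" pid=66631 comm="neutron-dhcp-ag" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
apparmor="DENIED" operation="open" profile="/usr/bin/neutron-dhcp-agent" name="/etc/default/apport" pid=66631 comm="neutron-dhcp-ag" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
apparmor="DENIED" operation="open" profile="/usr/bin/neutron-dhcp-agent" name="/etc/apt/apt.conf.d/" pid=66631 comm="neutron-dhcp-ag" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
apparmor="DENIED" operation="open" profile="/usr/bin/neutron-dhcp-agent" name="/usr/share/dpkg/cputable" pid=66631 comm="neutron-dhcp-ag" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
apparmor="DENIED" operation="open" profile="/usr/bin/neutron-lbaasv2-agent" name="/etc/ssl/openssl.cnf" pid=66642 comm="neutron-lbaasv2" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
"""

# key="quoted value" or key=bare_value, as used in AppArmor audit records
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the fields of one AppArmor DENIED record as a dict, else None."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def denied_by_profile(log_text):
    """Map each confined profile to its sorted, de-duplicated (path, mask) pairs."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and "profile" in rec and "name" in rec:
            grouped[rec["profile"]].add((rec["name"], rec.get("denied_mask", "")))
    return {profile: sorted(paths) for profile, paths in grouped.items()}


def candidate_rules(log_text):
    """Render each denial as a profile rule line for a human to review.

    A trailing slash in the path denotes a directory in AppArmor rule syntax.
    """
    return {
        profile: [f"{path} {mask}," for path, mask in denials]
        for profile, denials in denied_by_profile(log_text).items()
    }


if __name__ == "__main__":
    for profile, rules in candidate_rules(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for rule in rules:
            print(f"  {rule}")
```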

Aurelien Lourot (aurelien-lourot) wrote :

Hi Peter, we don't support only 'disable', 'enforce' and 'complain', see https://github.com/openstack/charm-neutron-gateway/blob/master/config.yaml#L175

Also looking at the source code, 'enable' and 'enforce' will really lead to different results: https://github.com/openstack/charm-neutron-gateway/blob/master/hooks/charmhelpers/contrib/openstack/context.py#L1994

Do you have the same issue when using 'enforce' instead of 'enable'? Thanks!

Aurelien Lourot (aurelien-lourot) wrote :

I meant "we support only 'disable', 'enforce' and 'complain'"

Changed in charm-neutron-gateway:
status: New → Incomplete
Peter Sabaini (peter-sabaini) wrote :

Hi Aurelien,

I'm afraid I can't test this as the cloud is in use. FAOD, it's configured for "disable" now, and there are no DENIEDs anymore.

Thanks for the clarification on enforce vs. enable. I guess my bug then is about doing user input checking for that config option :-)

cheers,
peter.

Launchpad Janitor (janitor) wrote :

[Expired for OpenStack neutron-gateway charm because there has been no activity for 60 days.]

Changed in charm-neutron-gateway:
status: Incomplete → Expired