OpenStack Neutron Open vSwitch Charm

[17.08][pike] DENIED apparmor messages in aa-enforce mode

Bug #1732897 reported by Dmitrii Shcherbakov on 2017-11-17

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Neutron Open vSwitch Charm	Confirmed	Low	Unassigned

Bug Description

bundle: https://git.launchpad.net/cpe-foundation/tree/templates/bundles/hyper-converged.yaml

change openstack-origin to: openstack-origin: &openstack-origin cloud:xenial-pike

See https://bugs.launchpad.net/charm-ceph-osd/+bug/1732523
https://bugs.launchpad.net/charm-ceph-osd/+bug/1732523/comments/10

crashdump (more messages there)

https://bugs.launchpad.net/charm-ceph-osd/+bug/1732523/+attachment/5009640/+files/juju-crashdump-2337cf3d-9acf-484e-86be-85fe8fe3e619.tar.gz

Nov 15 16:49:43 ralts kernel: [ 2368.834214] audit: type=1400 audit(1510764583.903:106): apparmor="DENIED" operation="open" profile="/usr/bin/neutron-openvswitch-agent" name="/etc/inputrc" pid=855886 comm="neutron-openvsw" requested_mask="r" denied_mask="r" fsuid
=115 ouid=0
Nov 15 16:49:44 ralts kernel: [ 2369.045149] audit: type=1400 audit(1510764584.113:107): apparmor="DENIED" operation="open" profile="/usr/bin/neutron-l3-agent" name="/etc/inputrc" pid=855932 comm="neutron-l3-agen" requested_mask="r" denied_mask="r" fsuid=115 ouid
=0
Nov 15 16:49:45 ralts kernel: [ 2370.017694] audit: type=1400 audit(1510764585.086:108): apparmor="DENIED" operation="open" profile="/usr/bin/neutron-openvswitch-agent" name="/usr/share/python-wheels/" pid=855886 comm="neutron-openvsw" requested_mask="r" denied_m
ask="r" fsuid=115 ouid=0

See original description

Tags:

Dmitrii Shcherbakov (dmitriis) on 2017-11-17

description:

updated

Dmitrii Shcherbakov (dmitriis) on 2017-11-20

tags:

added: cpe-onsite

Revision history for this message

James Page (james-page) wrote on 2017-11-29:

Any functional impact?

Changed in charm-neutron-openvswitch:
status:	New → Incomplete
importance:	Undecided → Low

Revision history for this message

Dmitrii Shcherbakov (dmitriis) wrote on 2017-11-29:

It's hard to estimate.

Some library calls causing this may get executed only during certain code paths at runtime and affect functionality.

I recall issues with apparmor profiles in the past which were functional and very hard to debug.

If there is a log full of DENIED messages during the initial deployment it leaves you guessing what went wrong in some cases which may or may not be related.

Changed in charm-neutron-openvswitch:
status:	Incomplete → Confirmed

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.