Cinder iSCSI drivers require /sbin/iscsiadm permissions in AppArmor

Bug #1821767 reported by Drew Freiberger
This bug affects 3 people
Affects                      | Status    | Importance | Assigned to               | Milestone
OpenStack Nova Compute Charm | Triaged   | Medium     | Tiago Pasqualini da Silva |
nova (Ubuntu)                | Confirmed | Undecided  | Unassigned                |

Bug Description

When implementing the cinder-purestorage charm (currently in development by Field Engineering), we found that AppArmor denies iscsi commands for nova-compute.

Here are example entries from the log:

[2903238.364025] audit: type=1400 audit(1553613828.370:366): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569410 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[2903238.364667] audit: type=1400 audit(1553613828.374:367): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569410 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[2903238.406600] audit: type=1400 audit(1553613828.414:368): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569411 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[2903238.406734] audit: type=1400 audit(1553613828.414:369): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569411 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

The workaround is to set aa-profile-mode to complain.

Revision history for this message
Drew Freiberger (afreiberger) wrote:

After setting the workaround, the entire capture of dmesg from complain mode around volume attachment was:

[2903694.845859] audit: type=1400 audit(1553614284.848:370): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/nova-compute" pid=586258 comm="apparmor_parser"
[2903992.462251] audit: type=1400 audit(1553614582.460:371): apparmor="ALLOWED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=596320 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/bin/nova-compute//null-/sbin/iscsiadm"
[2903992.474368] audit: type=1400 audit(1553614582.472:372): apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/etc/ld.so.cache" pid=596320 comm="iscsiadm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2903992.474404] audit: type=1400 audit(1553614582.472:373): apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=596320 comm="iscsiadm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2903992.474733] audit: type=1400 audit(1553614582.472:374): apparmor="ALLOWED" operation="file_mprotect" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/sbin/iscsiadm" pid=596320 comm="iscsiadm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2903992.474763] audit: type=1400 audit(1553614582.472:375): apparmor="ALLOWED" operation="file_mprotect" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/lib/x86_64-linux-gnu/ld-2.23.so" pid=596320 comm="iscsiadm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2903992.667138] audit: type=1400 audit(1553614582.664:376): apparmor="ALLOWED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=596323 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/bin/nova-compute//null-/sbin/iscsiadm"
[2903992.682292] audit: type=1400 audit(1553614582.680:377): apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/etc/ld.so.cache" pid=596323 comm="iscsiadm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2903992.688930] audit: type=1400 audit(1553614582.688:378): apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=596323 comm="iscsiadm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2903992.689324] audit: type=1400 audit(1553614582.688:379): apparmor="ALLOWED" operation="file_mprotect" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/sbin/iscsiadm" pid=596323 comm="iscsiadm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Drew Freiberger (afreiberger) wrote:

Here are the detach AppArmor traces:

[2904353.570983] audit: type=1400 audit(1553614943.564:489): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-0ed090c8-f408-4f66-8208-4f025e996025" pid=606020 comm="apparmor_parser"
[2904353.775248] audit: type=1400 audit(1553614943.768:490): apparmor="ALLOWED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=606129 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/bin/nova-compute//null-/sbin/iscsiadm"
[2904353.786613] audit: type=1400 audit(1553614943.780:491): apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/etc/ld.so.cache" pid=606129 comm="iscsiadm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2904353.786659] audit: type=1400 audit(1553614943.780:492): apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=606129 comm="iscsiadm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2904353.787304] audit: type=1400 audit(1553614943.780:493): apparmor="ALLOWED" operation="file_mprotect" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/sbin/iscsiadm" pid=606129 comm="iscsiadm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2904353.787347] audit: type=1400 audit(1553614943.780:494): apparmor="ALLOWED" operation="file_mprotect" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/lib/x86_64-linux-gnu/ld-2.23.so" pid=606129 comm="iscsiadm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2904353.788002] audit: type=1400 audit(1553614943.780:495): apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/etc/iscsi/nodes/" pid=606129 comm="iscsiadm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2904353.788067] audit: type=1400 audit(1553614943.780:496): apparmor="ALLOWED" operation="capable" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" pid=606129 comm="iscsiadm" capability=1 capname="dac_override"
[2904353.788091] audit: type=1400 audit(1553614943.780:497): apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/etc/iscsi/nodes/iqn.2010-06.com.purestorage:flasharray.401a4a5a9b723cc8/" pid=606129 comm="iscsiadm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2904353.788234] audit: type=1400 audit(1553614943.780:498): apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/run/lock/iscsi/lock" pid=606129 comm="iscsiadm" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0
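
Complain mode only hides the problem; what an operator wants from the captures above is the set of profile rules that would let the profile go back to enforce. The script below is an added example (not charm code, and not aa-logprof): it parses audit lines copied from this report, folds the "//null-/sbin/iscsiadm" learning profile back into /usr/bin/nova-compute on the assumption that the exec would be allowed with an "ix" rule, and prints candidate rules. The literal paths and the ix choice are assumptions for illustration, not the fix the maintainers adopted.

```python
import re
from collections import defaultdict

# Audit lines copied from the bug report above (not newly constructed): the
# DENIED line is the enforce-mode failure, the ALLOWED lines are what
# complain mode logged for the same iscsiadm exec and its child accesses.
SAMPLE_AUDIT = """\
[2903238.364025] audit: type=1400 audit(1553613828.370:366): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569410 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[2904353.775248] audit: type=1400 audit(1553614943.768:490): apparmor="ALLOWED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=606129 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/bin/nova-compute//null-/sbin/iscsiadm"
[2904353.788067] audit: type=1400 audit(1553614943.780:496): apparmor="ALLOWED" operation="capable" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" pid=606129 comm="iscsiadm" capability=1 capname="dac_override"
[2904353.788091] audit: type=1400 audit(1553614943.780:497): apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/etc/iscsi/nodes/iqn.2010-06.com.purestorage:flasharray.401a4a5a9b723cc8/" pid=606129 comm="iscsiadm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2904353.788234] audit: type=1400 audit(1553614943.780:498): apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/run/lock/iscsi/lock" pid=606129 comm="iscsiadm" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(text):
    """Return one dict of key=value fields per AppArmor audit line."""
    events = []
    for line in text.splitlines():
        if 'apparmor=' in line:
            events.append({k: v.strip('"') for k, v in KV_RE.findall(line)})
    return events

def parent_profile(profile):
    """Complain mode logs a child's accesses under "<parent>//null-<binary>";
    with an ix rule those accesses belong to <parent>, so fold them back."""
    return profile.split('//null-', 1)[0]

def file_mode(mask):
    """Audit masks use 'c' (create), which rule syntax expresses as 'w'."""
    letters = set(mask.replace('c', 'w'))
    return ''.join(ch for ch in 'rwamkl' if ch in letters)

def suggest_rules(events):
    """Reduce DENIED/ALLOWED events to candidate AppArmor rules per profile.
    Paths stay literal; widen per-target dirs (e.g. /etc/iscsi/nodes/**) by hand."""
    rules = defaultdict(set)
    for ev in events:
        if ev.get('apparmor') not in ('DENIED', 'ALLOWED'):
            continue  # STATUS (profile_replace) lines carry no access
        prof = parent_profile(ev['profile'])
        op = ev['operation']
        if op == 'capable':
            rules[prof].add(f"capability {ev['capname']},")
        elif op == 'exec':
            rules[prof].add(f"{ev['name']} ix,")  # assumed: child stays under parent
        elif op in ('open', 'file_mprotect'):
            rules[prof].add(f"{ev['name']} {file_mode(ev['requested_mask'])},")
    return {p: sorted(r) for p, r in rules.items()}

if __name__ == '__main__':
    for prof, rs in suggest_rules(parse_audit(SAMPLE_AUDIT)).items():
        print(prof + ' {'); print('\n'.join('  ' + r for r in rs)); print('}')
```

Feed it the full dmesg capture from a complain-mode run to see every access the iscsi path needs; each candidate rule should then be reviewed before being added to the nova-compute profile.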

Alex Kavanagh (ajkavanagh) wrote:

TRIAGE: this might be a nova packaging bug rather than a charm bug as the apparmor profiles potentially need changing.

Changed in charm-nova-compute:
status: New → Triaged
importance: Undecided → Wishlist
Changed in charm-nova-compute:
importance: Wishlist → Medium
Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nova (Ubuntu):
status: New → Confirmed
Changed in charm-nova-compute:
assignee: nobody → Tiago Pasqualini da Silva (tiago.pasqualini)
Tiago Pasqualini da Silva (tiago.pasqualini) wrote: