nova-compute charm does not update apparmor profile to support multipath

Bug #1826467 reported by Tiago Pasqualini da Silva
Affects: OpenStack Nova Compute Charm
Status: Fix Committed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Deploying nova-compute with apparmor in enforce mode causes it to fail to attach volumes with multipath. Checking the apparmor logs, we can see that it is blocking multipath:

apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute" name="/sys/devices/virtual/block/dm-0/dm/name" pid=66757 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
apparmor="ALLOWED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/multipath" pid=82737 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/bin/nova-compute//null-/sbin/multipath"
apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/nova-compute//null-/sbin/multipath" name="/sbin/multipath" pid=82737 comm="multipath" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/nova-compute//null-/sbin/multipath" name="/lib/x86_64-linux-gnu/ld-2.23.so" pid=82737 comm="multipath" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute//null-/sbin/multipath" name="/etc/ld.so.cache" pid=82737 comm="multipath" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute//null-/sbin/multipath" name="/lib/x86_64-linux-gnu/libpthread-2.23.so" pid=82737 comm="multipath" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/nova-compute//null-/sbin/multipath" name="/lib/x86_64-linux-gnu/libpthread-2.23.so" pid=82737 comm="multipath" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute//null-/sbin/multipath" name="/lib/x86_64-linux-gnu/libdevmapper.so.1.02.1" pid=82737 comm="multipath" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/nova-compute//null-/sbin/multipath" name="/lib/x86_64-linux-gnu/libdevmapper.so.1.02.1" pid=82737 comm="multipath" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0

Changed in charm-nova-compute:
status: New → In Progress
Sahid Orentino (sahid-ferdjaoui) wrote :

Fix in-progress here:

  https://review.opendev.org/#/c/655803/

Tiago Pasqualini da Silva (tiago.pasqualini) wrote :

After more debugging, I found more paths being blocked by apparmor:

apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/dev/mapper/control" pid=24599 comm="multipath" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/proc/sys/fs/nr_open" pid=25595 comm="multipath" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/proc/devices" pid=26965 comm="multipath" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/etc/multipath/bindings" pid=27233 comm="multipath" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/etc/multipath/wwids" pid=27233 comm="multipath" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/etc/udev/udev.conf" pid=29130 comm="multipathd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="unlink" profile="/usr/bin/nova-compute" name="/dev/disk/by-id/scsi-1IET_00030001" pid=28989 comm="privsep-helper" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
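
As an added example (not part of the bug report or of the charm's fix), the following Python script turns the audit records quoted in the description and in the comment above into candidate AppArmor file rules, so the same triage can be repeated when the next tool is blocked. The mask mapping, the ix transition and the glob patterns are assumptions about how a maintainer would generalise the hits, not the rules the merged commit actually contains.

```python
import re
from collections import defaultdict

# Audit records copied from this bug report. ALLOWED records come from complain
# mode, DENIED from enforce mode; both mark accesses the profile does not grant.
AUDIT_LINES = """\
apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute" name="/sys/devices/virtual/block/dm-0/dm/name" pid=66757 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
apparmor="ALLOWED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/multipath" pid=82737 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/bin/nova-compute//null-/sbin/multipath"
apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/nova-compute//null-/sbin/multipath" name="/sbin/multipath" pid=82737 comm="multipath" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/dev/mapper/control" pid=24599 comm="multipath" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/etc/multipath/bindings" pid=27233 comm="multipath" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0
apparmor="DENIED" operation="unlink" profile="/usr/bin/nova-compute" name="/dev/disk/by-id/scsi-1IET_00030001" pid=28989 comm="privsep-helper" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Audit mask letter -> profile permission (assumed mapping). Create (c) and
# delete (d) are both granted by w in profile syntax; exec (x) needs a transition
# mode, and ix (inherit) keeps the helper under the nova-compute profile.
MASK_MAP = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
            "m": "m", "k": "k", "l": "l", "x": "ix"}
PERM_ORDER = "mrwakl"
# Per-device path components are globbed so the rule survives the next device.
GLOBS = [(re.compile(r"^/dev/disk/by-id/[^/]+$"), "/dev/disk/by-id/*"),
         (re.compile(r"^/sys/devices/virtual/block/dm-\d+/"),
          "/sys/devices/virtual/block/dm-*/")]

def parse_record(line):
    """Split one audit record into a key -> value dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def generalise(path):
    for pattern, replacement in GLOBS:
        path = pattern.sub(replacement, path)
    return path

def missing_rules(audit_text):
    """Union the denied masks per globbed path and emit one file rule per path.
    Hits in the //null-/sbin/multipath child are folded into the parent profile,
    which is where they land once the exec is granted with ix."""
    perms = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        perms[generalise(rec["name"])].update(MASK_MAP.get(c, c) for c in rec["denied_mask"])
    rules = []
    for path in sorted(perms):
        letters = "".join(c for c in PERM_ORDER if c in perms[path])
        rules.append(f"{path} {letters}{'ix' if 'ix' in perms[path] else ''},")
    return rules
```

Pipe the relevant lines of /var/log/kern.log (or the journal) into missing_rules() and review each suggested rule before adding it to the profile; the script only proposes, it does not decide whether an access should be granted.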

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-nova-compute (master)

Reviewed: https://review.opendev.org/655803
Committed: https://git.openstack.org/cgit/openstack/charm-nova-compute/commit/?id=40914493c7be88a1c3cd80c937d65e044301c24b
Submitter: Zuul
Branch: master

commit 40914493c7be88a1c3cd80c937d65e044301c24b
Author: tpsilva <email address hidden>
Date: Thu Apr 25 18:45:42 2019 -0300

    Add multipath to nova-compute AppArmor profile

    Deploying nova-compute with apparmor in enforce mode causes it to fail
    to attach volumes with multipath. This patch fixes it by updating the
    nova-compute apparmor profile to include paths and binaries needed for
    multipath.

    Change-Id: Icc2d187fa3dd63e0930d57a87e7a60ff386f0032
    Closes-bug: #1826467

Changed in charm-nova-compute:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-nova-compute (stable/19.04)

Fix proposed to branch: stable/19.04
Review: https://review.opendev.org/659543

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-nova-compute (stable/19.04)

Reviewed: https://review.opendev.org/659543
Committed: https://git.openstack.org/cgit/openstack/charm-nova-compute/commit/?id=15f8a94e080ce4c708dfbfa7b602ebd165e44aa5
Submitter: Zuul
Branch: stable/19.04

commit 15f8a94e080ce4c708dfbfa7b602ebd165e44aa5
Author: tpsilva <email address hidden>
Date: Thu Apr 25 18:45:42 2019 -0300

    Add multipath to nova-compute AppArmor profile

    Deploying nova-compute with apparmor in enforce mode causes it to fail
    to attach volumes with multipath. This patch fixes it by updating the
    nova-compute apparmor profile to include paths and binaries needed for
    multipath.

    Change-Id: Icc2d187fa3dd63e0930d57a87e7a60ff386f0032
    Closes-bug: #1826467
    (cherry picked from commit 40914493c7be88a1c3cd80c937d65e044301c24b)
