Comment 0 for bug 1925511

Bartosz Woronicz (mastier1) wrote :

There is missing AppArmor configuration so nova can run /usr/bin/multipathd
when the use-multipath option is set on the charm
and one runs openstack server add volume...

```
2021-04-22 12:52:57.696 2032868 ERROR oslo_messaging.rpc.server During handling of the above exception, another exception occurred:
2021-04-22 12:52:57.696 2032868 ERROR oslo_messaging.rpc.server
2021-04-22 12:52:57.696 2032868 ERROR oslo_messaging.rpc.server Traceback (most recent call last):
2021-04-22 12:52:57.696 2032868 ERROR oslo_messaging.rpc.server File "/usr/lib/python3/dist-packages/oslo_messaging/rpc/server.py", line 165, in _process_incoming
2021-04-22 12:52:57.696 2032868 ERROR oslo_messaging.rpc.server res = self.dispatcher.dispatch(message)
...

2021-04-22 12:52:57.696 2032868 ERROR oslo_messaging.rpc.server File "/usr/lib/python3/dist-packages/os_brick/initiator/connector.py", line 251, in get_connector_properties
2021-04-22 12:52:57.696 2032868 ERROR oslo_messaging.rpc.server connector.get_connector_properties(
2021-04-22 12:52:57.696 2032868 ERROR oslo_messaging.rpc.server File "/usr/lib/python3/dist-packages/os_brick/initiator/connectors/base.py", line 54, in get_connector_properties
2021-04-22 12:52:57.696 2032868 ERROR oslo_messaging.rpc.server linuxscsi.LinuxSCSI.is_multipath_running(
2021-04-22 12:52:57.696 2032868 ERROR oslo_messaging.rpc.server File "/usr/lib/python3/dist-packages/os_brick/initiator/linuxscsi.py", line 172, in is_multipath_running
2021-04-22 12:52:57.696 2032868 ERROR oslo_messaging.rpc.server out, _err = execute(*cmd, run_as_root=True,
2021-04-22 12:52:57.696 2032868 ERROR oslo_messaging.rpc.server File "/usr/lib/python3/dist-packages/os_brick/privileged/rootwrap.py", line 186, in execute
2021-04-22 12:52:57.696 2032868 ERROR oslo_messaging.rpc.server raise putils.ProcessExecutionError(
2021-04-22 12:52:57.696 2032868 ERROR oslo_messaging.rpc.server oslo_concurrency.processutils.ProcessExecutionError: [Errno 13] Permission denied
2021-04-22 12:52:57.696 2032868 ERROR oslo_messaging.rpc.server Command: multipathd show status
2021-04-22 12:52:57.696 2032868 ERROR oslo_messaging.rpc.server Exit code: -
2021-04-22 12:52:57.696 2032868 ERROR oslo_messaging.rpc.server Stdout: None
2021-04-22 12:52:57.696 2032868 ERROR oslo_messaging.rpc.server Stderr: None
2021-04-22 12:52:57.696 2032868 ERROR oslo_messaging.rpc.server

```

```
[510617.168463] audit: type=1400 audit(1619095977.187:9276): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/usr/sbin/multipathd" pid=2094222 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[510617.168473] audit: type=1400 audit(1619095977.187:9277): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/usr/sbin/multipathd" pid=2094222 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
```

The workaround for it is to set the AppArmor profile to complain mode:
```
$ aa-complain /usr/bin/nova-compute
```

Then attaching works as expected:
```
2021-04-22 13:03:03.879 2032868 INFO nova.virt.libvirt.driver [req-45993c5f-53ba-4b63-b796-4bcfd2dae2d7 36344934288b44b98282cce9095c60ca b0027274fda94bdd9ffebab10d6d9bdc - 2fba3120cb5542ffb124b7296cf22e71 2fba3120cb5542ffb124b7296cf22e71] [instance: 3c00f4ae-0d56-480b-839d-a8cf02019b72] Ignoring supplied device name: /dev/vdb
2021-04-22 13:03:04.127 2032868 INFO nova.compute.manager [req-45993c5f-53ba-4b63-b796-4bcfd2dae2d7 36344934288b44b98282cce9095c60ca b0027274fda94bdd9ffebab10d6d9bdc - 2fba3120cb5542ffb124b7296cf22e71 2fba3120cb5542ffb124b7296cf22e71] [instance: 3c00f4ae-0d56-480b-839d-a8cf02019b72] Attaching volume 3ed8c5e8-cf02-4e5e-bff8-04c7af3c89b5 to /dev/vdb
2021-04-22 13:03:06.937 2032868 INFO os_brick.initiator.connectors.fibre_channel [-] Fibre Channel volume device not yet found. Will rescan & retry. Try number: 0.
2021-04-22 13:03:08.973 2032868 INFO os_brick.initiator.linuxscsi [req-45993c5f-53ba-4b63-b796-4bcfd2dae2d7 36344934288b44b98282cce9095c60ca b0027274fda94bdd9ffebab10d6d9bdc - 2fba3120cb5542ffb124b7296cf22e71 2fba3120cb5542ffb124b7296cf22e71] Find Multipath device file for volume WWN 360002ac0000000000000001a00015717
```
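
Added example, not part of the original bug comment or of the charm's code: a small parser for AppArmor audit lines like the two quoted above, which groups events per profile and target so the missing rule can be identified before the profile goes back to enforce mode. In complain mode the kernel logs `apparmor="ALLOWED"` for accesses that enforce mode would deny. The function names are hypothetical, and the last three sample lines are constructed.

```python
import re
from collections import Counter

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UNTRUSTED = {"name", "profile", "comm"}  # audit hex-encodes these when unquoted

def parse_event(line):
    """Return the key/value fields of an AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, quoted, bare in KV.findall(line):
        if bare and key in UNTRUSTED:
            try:
                bare = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass  # not hex after all; keep the raw token
        fields[key] = bare or quoted
    return fields

def profile_gaps(lines):
    """Count DENIED/ALLOWED events per (profile, operation, name, denied_mask)."""
    gaps = {}
    for line in lines:
        ev = parse_event(line)
        if not ev or ev.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue  # skips STATUS events and non-AppArmor lines
        key = (ev.get("profile"), ev.get("operation"),
               ev.get("name"), ev.get("denied_mask"))
        gaps.setdefault(key, Counter())[ev["apparmor"]] += 1
    return gaps

# First two lines are from the report; the remaining three are constructed.
SAMPLE = '''\
[510617.168463] audit: type=1400 audit(1619095977.187:9276): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/usr/sbin/multipathd" pid=2094222 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[510617.168473] audit: type=1400 audit(1619095977.187:9277): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/usr/sbin/multipathd" pid=2094222 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[511200.000001] audit: type=1400 audit(1619096560.000:9300): apparmor="ALLOWED" operation="exec" profile="/usr/bin/nova-compute" name="/usr/sbin/multipathd" pid=1 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[511200.000002] audit: type=1400 audit(1619096560.000:9301): apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute" name=2F746D702F6D792066696C65 pid=1 comm="privsep-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[511200.000003] constructed unrelated kernel line
'''

if __name__ == "__main__":
    for key, verdicts in profile_gaps(SAMPLE.splitlines()).items():
        print(key, dict(verdicts))
```

Each distinct key in the result is one access the enforced profile does not permit; the `ALLOWED` counts show what complain mode is currently letting through.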