apparmor rules block access to uefi info

Bug #1958686 reported by Billy Olsen
Affects: OpenStack Nova Compute Charm
Status: Fix Released
Importance: Medium
Assigned to: Billy Olsen

Bug Description

When apparmor is enabled, instances launched using the UEFI bootloader fail with errors in the nova-compute log indicating UEFINotSupported, as follows:

2022-01-21 18:36:27.711 210601 ERROR nova.compute.manager [req-3f3210ac-7955-4a5f-bb82-e3142f553ba8 368f85f2704047bf828f04440314fb4f ccaa6e8d5ad241be903e2b6d1b084b3f - 3dd99fe5d6d340dbbe1e3954db2f243a 3dd99fe5d6d340dbbe1e3954db2f243a] [instance: 41f84494-60e1-464b-aee4-684b4ebbbb1a] Failed to build and run instance: nova.exception.UEFINotSupported: UEFI is not supported

This is due to apparmor denying access to the necessary firmware data, as seen in the kernel log:

Jan 21 18:36:19 juju-2fd326-zaza-f91f109580ce-10 kernel: [26072.013560] audit: type=1400 audit(1642790179.754:95): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/usr/share/qemu/firmware/" pid=210601 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0

To recreate this, set the image to boot with UEFI bootloader:

$ openstack image set --property hw_firmware_type=uefi $IMAGE

And launch an instance.

The workaround is to disable apparmor or put it into complain mode.

Changed in charm-nova-compute:
status: New → In Progress
importance: Undecided → High
importance: High → Medium
assignee: nobody → Billy Olsen (billy-olsen)
milestone: none → 22.04
description: updated
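The denial in the kernel log above is the whole diagnosis: the profile confines /usr/bin/nova-compute and the service was refused an "open" with requested_mask="r" on /usr/share/qemu/firmware/. The following is an added example, not code from this bug, from charm-nova-compute or from nova, that turns such AppArmor audit records into candidate file rules for the affected profile and separates out the ALLOWED records that appear once the workaround (complain mode) is in place. The first sample line is the denial quoted in the report; the descriptor file name 60-edk2-x86_64.json and the /var/lib/nova/instances/_base/ ALLOWED record are constructed assumptions used only to exercise the directory-plus-contents and complain-mode cases. The rules it emits are suggestions to review, not the rule the fix commit actually added (the page does not show that diff).

```python
"""Turn AppArmor audit denials into candidate profile rules.

Added example for this bug report; it is not code from charm-nova-compute or
nova.  Run it over `journalctl -k` or /var/log/kern.log output from the host.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample.  The first line is the denial quoted in the report; the
# descriptor file name in the second and the complain-mode ALLOWED record in
# the third are assumptions added to exercise the directory and complain paths.
SAMPLE_KERNEL_LOG = """\
Jan 21 18:36:19 juju-2fd326-zaza-f91f109580ce-10 kernel: [26072.013560] audit: type=1400 audit(1642790179.754:95): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/usr/share/qemu/firmware/" pid=210601 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
Jan 21 18:40:02 host kernel: [26300.000000] audit: type=1400 audit(1642790402.000:96): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/usr/share/qemu/firmware/60-edk2-x86_64.json" pid=210601 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
Jan 21 18:45:10 host kernel: [26608.000000] audit: type=1400 audit(1642790710.000:97): apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute" name="/var/lib/nova/instances/_base/" pid=210601 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
"""

# key="quoted value" or key=bare_value, as the audit subsystem prints them
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# denied_mask letters that map directly onto file-rule permissions; "c" (create)
# is covered by "w"; anything involving "x" needs a hand-written exec rule.
_DIRECT_PERMS = "rwkmla"


@dataclass(frozen=True)
class AuditEvent:
    verdict: str        # "DENIED" under enforce, "ALLOWED" under complain mode
    operation: str
    profile: str
    name: str
    denied_mask: str
    comm: str


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Parse one kernel line; None for lines that are not AppArmor file records."""
    if 'apparmor="' not in line:
        return None
    fields = {k: (q or u) for k, q, u in KV_RE.findall(line)}
    if "profile" not in fields or "name" not in fields:
        return None
    return AuditEvent(
        verdict=fields.get("apparmor", ""),
        operation=fields.get("operation", ""),
        profile=fields["profile"],
        name=fields["name"],
        denied_mask=fields.get("denied_mask", ""),
        comm=fields.get("comm", ""),
    )


def mask_to_perms(mask: str) -> Optional[str]:
    """Translate a denied_mask into file-rule permission letters, or None if it
    involves exec, which should never be granted from a log line alone."""
    perms: Set[str] = set()
    for ch in mask:
        if ch in _DIRECT_PERMS:
            perms.add(ch)
        elif ch == "c":
            perms.add("w")
        else:
            return None
    return "".join(sorted(perms))


def suggest_rules(log_text: str) -> Dict[str, List[str]]:
    """Map each profile to sorted candidate rules covering its DENIED records.

    A denied directory read (name ending in "/") is normally followed by reads
    of the files inside it, so a "dir/** perms" rule is proposed next to the
    directory rule, and file rules it already covers are dropped.  The
    directory rule itself is kept because the listing was what was denied.
    """
    wanted: Dict[str, Dict[str, Set[str]]] = {}
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev is None or ev.verdict != "DENIED":
            continue
        perms = mask_to_perms(ev.denied_mask)
        if perms is None:
            continue
        by_path = wanted.setdefault(ev.profile, {})
        by_path.setdefault(ev.name, set()).update(perms)
        if ev.name.endswith("/"):
            by_path.setdefault(ev.name + "**", set()).update(perms)

    out: Dict[str, List[str]] = {}
    for profile, by_path in wanted.items():
        globs = {p[:-2]: s for p, s in by_path.items() if p.endswith("/**")}
        rules = []
        for path, perms in by_path.items():
            covered = any(path != d and path != d + "**" and path.startswith(d)
                          and perms <= s for d, s in globs.items())
            if not covered:
                rules.append(f"{path} {''.join(sorted(perms))},")
        out[profile] = sorted(rules)
    return out


def complain_mode_events(log_text: str) -> List[AuditEvent]:
    """Records logged as ALLOWED: accesses a complain-mode profile let through
    that an enforcing one would deny.  Watch these while the report's workaround
    (complain mode) is in place; each one is a rule the profile still lacks."""
    events = (parse_audit_line(line) for line in log_text.splitlines())
    return [ev for ev in events if ev is not None and ev.verdict == "ALLOWED"]


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_KERNEL_LOG).items():
        print(f"# candidate rules for profile {profile}")
        for rule in rules:
            print(f"  {rule}")
    for ev in complain_mode_events(SAMPLE_KERNEL_LOG):
        print(f"# complain-mode only: {ev.operation} {ev.name} ({ev.denied_mask})")
```

Two practitioner notes. First, the output is deliberately read-only here and refuses to translate anything involving exec; review every proposed glob before adding it to the profile file the charm installs (its path is not shown on this page) and keep the permissions to the minimum the log demonstrates. Second, `aa-status` reports whether /usr/bin/nova-compute is currently in enforce or complain mode, which is the quickest way to confirm the workaround took effect; while in complain mode the same accesses keep being logged, only with apparmor="ALLOWED", so the log still tells you which rules are missing before you return the profile to enforce mode.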
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-nova-compute (master)
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-nova-compute (master)

Reviewed: https://review.opendev.org/c/openstack/charm-nova-compute/+/826208
Committed: https://opendev.org/openstack/charm-nova-compute/commit/f4eeb0650ae548257e613c772e806b6b4748c4fa
Submitter: "Zuul (22348)"
Branch: master

commit f4eeb0650ae548257e613c772e806b6b4748c4fa
Author: Billy Olsen <email address hidden>
Date: Fri Jan 21 15:52:36 2022 -0700

    Allow read access to firmware information

    Update the apparmor profile for nova-compute to allow it to read the
    firmware configuration information for qemu. This is necessary in order
    to launch instances using UEFI when apparmor enforcement is enabled.

    Closes-Bug: #1958686
    Change-Id: I7d9152dcc684923600c40ff0227c3c3eaafa7574

Changed in charm-nova-compute:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-nova-compute (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/charm-nova-compute/+/837041

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-nova-compute (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/charm-nova-compute/+/837041
Committed: https://opendev.org/openstack/charm-nova-compute/commit/1a16d18c715dd4d650edf830f9a63382558a1439
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 1a16d18c715dd4d650edf830f9a63382558a1439
Author: Billy Olsen <email address hidden>
Date: Fri Jan 21 15:52:36 2022 -0700

    Allow read access to firmware information

    Update the apparmor profile for nova-compute to allow it to read the
    firmware configuration information for qemu. This is necessary in order
    to launch instances using UEFI when apparmor enforcement is enabled.

    Closes-Bug: #1958686
    Change-Id: I7d9152dcc684923600c40ff0227c3c3eaafa7574
    (cherry picked from commit f4eeb0650ae548257e613c772e806b6b4748c4fa)

tags: added: in-stable-xena
Changed in charm-nova-compute:
status: Fix Committed → Fix Released