Complain is not set on nova-compute aa-profile at install time

Bug #1965131 reported by Giuseppe Petralia
This bug affects 1 person
Affects: OpenStack Nova Compute Charm
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

To work around LP#1960231 we set:

juju config nova-compute aa-profile-mode="complain"

But when adding new units with:

juju add-unit nova-compute

we see that this is not applied and apparmor status shows:

0 profiles are in complain mode.
7 processes have profiles defined.
7 processes are in enforce mode.
   /usr/bin/python3.8 (4506) /usr/bin/nova-compute
   /usr/bin/python3.8 (429032) /usr/bin/nova-compute
   /usr/bin/python3.8 (429069) /usr/bin/nova-compute
   /usr/sbin/chronyd (3267)
   /usr/sbin/libvirtd (4257) libvirtd
   /snap/canonical-livepatch/132/canonical-livepatchd (3265) snap.canonical-livepatch.canonical-livepatchd
   /snap/prometheus-libvirt-exporter/7/bin/libvirt-exporter (3273) snap.prometheus-libvirt-exporter.daemon
0 processes are in complain mode.

To work around that we had to manually set complain with:

sudo aa-complain /usr/bin/nova-compute

However, this was applied correctly to existing units with the config-change.

At first glance, it appears that the aa-profile-mode is ignored at install time.

This affects charm nova-compute rev. 337
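
A check for the drift described in this report, as an added example that is not part of the original report or of the charm's code: it parses `aa-status` text and compares the mode of every process under one profile with the mode set in `aa-profile-mode`. The function names and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report the AppArmor mode of each process under one profile.

# Constructed sample, modelled on the aa-status output quoted in the report.
sample_status() {
cat <<'EOF'
0 profiles are in complain mode.
3 processes have profiles defined.
2 processes are in enforce mode.
   /usr/bin/python3.8 (4506) /usr/bin/nova-compute
   /usr/sbin/chronyd (3267)
1 processes are in complain mode.
   /usr/bin/python3.8 (429032) /usr/bin/nova-compute
EOF
}

# Reads aa-status text on stdin; prints "<pid> <mode>" per process of profile $1.
profile_process_modes() {
    awk -v want="$1" '
        # Section header, e.g. "7 processes are in enforce mode."
        /^[0-9]+ processes are in [a-z]+ mode\.$/ { mode = $(NF - 1); next }
        # Any other summary line closes the current section.
        /^[0-9]+ / { mode = ""; next }
        # Entry: "<exe> (<pid>) [<profile>]"; profile defaults to the exe path.
        mode != "" && /^[ \t]+/ {
            profile = (NF >= 3) ? $3 : $1
            pid = $2
            gsub(/[()]/, "", pid)
            if (profile == want) print pid, mode
        }
    '
}

# Exit 0 if every process of profile $2 is in mode $1, 1 on drift,
# 2 if no process is confined by that profile.
check_profile_mode() {
    modes=$(profile_process_modes "$2") || return 2
    [ -n "$modes" ] || { echo "no process confined by $2" >&2; return 2; }
    drift=$(printf '%s\n' "$modes" |
        awk -v m="$1" '$2 != m { print "pid " $1 ": " $2 ", expected " m }')
    [ -z "$drift" ] && return 0
    echo "$drift" >&2
    return 1
}

# Demo on the constructed sample; on a unit: sudo aa-status | check_profile_mode ...
sample_status | profile_process_modes /usr/bin/nova-compute
```

On a unit, `sudo aa-status | check_profile_mode complain /usr/bin/nova-compute` returns 1 and lists the PIDs still in enforce mode when the configured mode was not applied.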
