AppArmor does not allow nova-compute process to access /etc/ssh/ssh_config.d
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Nova Compute Charm | Status tracked in Trunk | | |
2023.1 | Fix Released | Undecided | DUFOUR Olivier |
2023.2 | Fix Released | Undecided | DUFOUR Olivier |
Trunk | Fix Released | Medium | DUFOUR Olivier |
Yoga | Fix Released | Undecided | DUFOUR Olivier |
Zed | Fix Released | Undecided | DUFOUR Olivier |
Bug Description
In some occurrences, a user might want to put some custom ssh configuration in /etc/ssh/
In the triggered case, we tried to apply a workaround to an issue with ssh host keys between nodes on different network spaces.
But ultimately, there could be other reasons for a user to put a custom configuration in "/etc/ssh/
This was discovered because due to a bug with LP#1969971, a workaround in /etc/ssh/
This was discovered on the following environment:
* Ubuntu Jammy 22.04
* Juju 2.9.45
* OpenStack Yoga
The steps to trigger the issue:
* have nova-computes to use different spaces between management and migration network (related to https:/
* apply a workaround to circumvent the issue in LP#1969971 in /etc/ssh/
* have nova-compute aa-profile-mode set to "enforce"
* try to resize an existing instance to a different flavor
At first glance in this situation, there is no easy workaround aside from disabling AppArmor, which kind of defeats its purpose.
Due to the customer's environment restrictions, I'm able to post only screenshots of the logs.
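To confirm which path an enforced profile is blocking, the denials can be pulled out of the kernel audit log. The following is an added example, not part of the bug report or the charm's code: the log lines, the profile name `/usr/bin/nova-compute` and the function names are constructed for illustration, and the rule it prints is a candidate for review, not the fix that was merged.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel audit format AppArmor uses; the
# profile names, pids and timestamps are made up for this example.
SAMPLE_LOG = """\
Dec  1 10:00:01 node1 kernel: audit: type=1400 audit(1701424801.101:210): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/etc/ssh/ssh_config.d/" pid=4242 comm="ssh" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
Dec  1 10:00:01 node1 kernel: audit: type=1400 audit(1701424801.102:211): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/etc/ssh/ssh_config.d/" pid=4243 comm="ssh" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
Dec  1 10:00:05 node1 kernel: audit: type=1400 audit(1701424805.300:212): apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute" name="/etc/ssh/ssh_config" pid=4243 comm="ssh" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
Dec  1 10:00:09 node1 kernel: audit: type=1400 audit(1701424809.000:213): apparmor="DENIED" operation="open" profile="/usr/sbin/other" name="/var/tmp/x" pid=99 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value pairs inside an audit record
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {k: (q if q else u) for k, q, u in KV.findall(line)}

def ssh_denials(log_text, prefix="/etc/ssh/"):
    """Group DENIED events under `prefix` by (profile, path), merging masks."""
    found = defaultdict(lambda: {"count": 0, "mask": set(), "comm": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("apparmor") != "DENIED":
            continue  # skip non-AppArmor lines and complain-mode ALLOWED events
        if not ev.get("name", "").startswith(prefix):
            continue  # denial is for an unrelated path
        entry = found[(ev.get("profile", "?"), ev["name"])]
        entry["count"] += 1
        entry["mask"].update(ev.get("denied_mask", ""))
        entry["comm"].add(ev.get("comm", "?"))
    return dict(found)

def candidate_rules(denials):
    """Render each denial as an AppArmor file rule for a human to review."""
    return sorted(
        f'{profile}: {path} {"".join(sorted(d["mask"]))},'
        for (profile, path), d in denials.items()
    )

if __name__ == "__main__":
    for rule in candidate_rules(ssh_denials(SAMPLE_LOG)):
        print(rule)
```

On a real host the same functions can be fed the contents of the kernel log or audit log instead of `SAMPLE_LOG`.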
Changed in charm-nova-compute:
assignee: nobody → DUFOUR Olivier (odufourc)
importance: Undecided → Medium
Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/charm-nova-compute/+/902047