2023-09-06 15:20:23 |
Peter Sabaini |
description |
Using the dm-crypt connection I'm getting seccomp faults
```
[Wed Sep 6 13:10:46 2023] audit: type=1326 audit(1694005847.315:85): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.microceph.daemon pid=3278 comm="cryptsetup" exe="/usr/sbin/cryptsetup" sig=0 arch=c000003e syscall=141 compat=0 ip=0x7f2d3d86893b code=0x50000
[Wed Sep 6 13:10:53 2023] audit: type=1326 audit(1694005854.487:86): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.microceph.daemon pid=4055 comm="cryptsetup" exe="/usr/sbin/cryptsetup" sig=0 arch=c000003e syscall=141 compat=0 ip=0x7f012932093b code=0x50000
[Wed Sep 6 13:10:55 2023] audit: type=1326 audit(1694005856.179:87): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.microceph.daemon pid=4055 comm="cryptsetup" exe="/usr/sbin/cryptsetup" sig=0 arch=c000003e syscall=249 compat=0 ip=0x7f0129324a3d code=0x50000
[Wed Sep 6 13:10:55 2023] audit: type=1326 audit(1694005856.179:88): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.microceph.daemon pid=4055 comm="cryptsetup" exe="/usr/sbin/cryptsetup" sig=0 arch=c000003e syscall=248 compat=0 ip=0x7f0129324a3d code=0x50000
[Wed Sep 6 13:10:55 2023] audit: type=1326 audit(1694005856.183:89): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.microceph.daemon pid=4055 comm="cryptsetup" exe="/usr/sbin/cryptsetup" sig=0 arch=c000003e syscall=249 compat=0 ip=0x7f0129324a3d code=0x50000
```
It seems like the assertions are not applied to existing processes immediately after connecting the dm-crypt interface. Restarting the microceph.daemon after interface connection works around this issue.
```
ubuntu@mc-3:~$ sudo microceph cluster bootstrap
ubuntu@mc-3:~$ sudo snap connect microceph:dm-crypt
ubuntu@mc-3:~$ sudo microceph disk add --encrypt /dev/vdc
Error: Failed adding new disk: Failed to open: Failed to luksOpen: /dev/disk/by-path/virtio-pci-0000:08:00.0, exit status 2, Failed to load key in kernel keyring.
No key available with this passphrase.
NOTE: OSD Encryption requires a snapd >= 2.59.1
Verify your version of snapd by running "snap version"
ubuntu@mc-3:~$ sudo dmesg -T | tail
...
[Wed Sep 6 13:10:46 2023] audit: type=1326 audit(1694005847.315:85): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.microceph.daemon pid=3278 comm="cryptsetup" exe="/usr/sbin/cryptsetup" sig=0 arch=c000003e syscall=141 compat=0 ip=0x7f2d3d86893b code=0x50000
[Wed Sep 6 13:10:53 2023] audit: type=1326 audit(1694005854.487:86): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.microceph.daemon pid=4055 comm="cryptsetup" exe="/usr/sbin/cryptsetup" sig=0 arch=c000003e syscall=141 compat=0 ip=0x7f012932093b code=0x50000
[Wed Sep 6 13:10:55 2023] audit: type=1326 audit(1694005856.179:87): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.microceph.daemon pid=4055 comm="cryptsetup" exe="/usr/sbin/cryptsetup" sig=0 arch=c000003e syscall=249 compat=0 ip=0x7f0129324a3d code=0x50000
[Wed Sep 6 13:10:55 2023] audit: type=1326 audit(1694005856.179:88): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.microceph.daemon pid=4055 comm="cryptsetup" exe="/usr/sbin/cryptsetup" sig=0 arch=c000003e syscall=248 compat=0 ip=0x7f0129324a3d code=0x50000
[Wed Sep 6 13:10:55 2023] audit: type=1326 audit(1694005856.183:89): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.microceph.daemon pid=4055 comm="cryptsetup" exe="/usr/sbin/cryptsetup" sig=0 arch=c000003e syscall=249 compat=0 ip=0x7f0129324a3d code=0x50000
ubuntu@mc-3:~$ sudo snap restart microceph.daemon
Restarted.
ubuntu@mc-3:~$ sudo microceph disk add --encrypt /dev/vdc
ubuntu@mc-3:~$ sudo microceph disk add --encrypt /dev/vdd
ubuntu@mc-3:~$ sudo microceph status
MicroCeph deployment summary:
- mc-3 (192.168.121.175)
Services: mds, mgr, mon, osd
Disks: 2
```
Is there an expectation that snap authors restart services after interface connection?
Versions:
snap 2.60.2
snapd 2.60.2
series 16
ubuntu 22.04
kernel 5.15.0-82-generic
For reference, debug output with SNAP_CONFINE_DEBUG=1
https://pastebin.canonical.com/p/Q9jdT2HZrs/ |
Steps to reproduce, using uvtools:
```
uvt-kvm create --cpu 4 --memory 8192 --disk 16 --host-passthrough --no-start "mc" release=jammy
virsh vol-create-as uvtool --format qcow2 "mc-virtio1.qcow" 34359738368
virsh attach-disk "mc" "/var/lib/uvtool/libvirt/images/mc-virtio1.qcow" vdc --subdriver qcow2 --targetbus virtio --config
virsh start mc
uvt-kvm wait "mc"
uvt-kvm ssh "mc" -- -t '\
sudo snap install --channel latest/edge microceph
sudo microceph cluster bootstrap
sudo snap connect microceph:dm-crypt'
uvt-kvm ssh "mc" -- 'sudo microceph disk add --encrypt /dev/vdc'
``` |
|
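Decoding the audit records quoted in the report, as an added example (not part of the original bug report and not snapd or MicroCeph code): it parses `type=1326` (seccomp) records, resolves the x86_64 syscall numbers to names, and decodes the `code=` field into the seccomp filter action. The function names and the small syscall table are this example's own; three sample lines are copied from the report and the fourth is constructed.

```python
import re
from collections import Counter

# Subset of the x86_64 syscall table covering the numbers seen in the report
# (plus keyctl, the third kernel keyring syscall).
X86_64_SYSCALLS = {141: "setpriority", 248: "add_key", 249: "request_key", 250: "keyctl"}
AUDIT_ARCH_X86_64 = 0xC000003E
# seccomp filter return actions from include/uapi/linux/seccomp.h.
SECCOMP_ACTIONS = {0x00000000: "KILL_THREAD", 0x00030000: "TRAP", 0x00050000: "ERRNO",
                   0x7FFC0000: "LOG", 0x80000000: "KILL_PROCESS"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_seccomp_event(line):
    """Return a decoded dict for a seccomp audit record (type=1326), else None."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if fields.get("type") != "1326":
        return None
    nr = int(fields["syscall"])
    if int(fields["arch"], 16) == AUDIT_ARCH_X86_64:
        name = X86_64_SYSCALLS.get(nr, f"syscall_{nr}")
    else:
        name = f"syscall_{nr}"  # other ABIs number their syscalls differently
    code = int(fields["code"], 16)
    return {"label": fields["subj"], "pid": int(fields["pid"]), "comm": fields["comm"],
            "syscall": name, "action": SECCOMP_ACTIONS.get(code & 0xFFFF0000, hex(code))}

def denied_syscalls(lines):
    """Count seccomp events per (security label, command, syscall name)."""
    events = filter(None, map(parse_seccomp_event, lines))
    return Counter((e["label"], e["comm"], e["syscall"]) for e in events)

SAMPLE = [
    # First three lines: copied from the dmesg output in the report.
    '[Wed Sep 6 13:10:46 2023] audit: type=1326 audit(1694005847.315:85): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.microceph.daemon pid=3278 comm="cryptsetup" exe="/usr/sbin/cryptsetup" sig=0 arch=c000003e syscall=141 compat=0 ip=0x7f2d3d86893b code=0x50000',
    '[Wed Sep 6 13:10:55 2023] audit: type=1326 audit(1694005856.179:87): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.microceph.daemon pid=4055 comm="cryptsetup" exe="/usr/sbin/cryptsetup" sig=0 arch=c000003e syscall=249 compat=0 ip=0x7f0129324a3d code=0x50000',
    '[Wed Sep 6 13:10:55 2023] audit: type=1326 audit(1694005856.179:88): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.microceph.daemon pid=4055 comm="cryptsetup" exe="/usr/sbin/cryptsetup" sig=0 arch=c000003e syscall=248 compat=0 ip=0x7f0129324a3d code=0x50000',
    # Constructed non-seccomp record, to show that other audit types are skipped.
    '[Wed Sep 6 13:11:02 2023] audit: type=1400 audit(1694005862.000:90): apparmor="STATUS" operation="profile_replace" name="snap.microceph.daemon" pid=5000 comm="apparmor_parser"',
]

if __name__ == "__main__":
    for (label, comm, syscall), count in sorted(denied_syscalls(SAMPLE).items()):
        print(f"{label} {comm}: {syscall} x{count}")
```

Syscalls 248 and 249 are `add_key` and `request_key`, the kernel keyring calls, and 141 is `setpriority`; `code=0x50000` is the seccomp ERRNO action, so the calls returned an error rather than killing the process.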