focal iscsiadm and blockdev location is wrongly mentioned in apparmor profile

Bug #1906727 reported by Narinder Gupta
This bug affects 1 person
Affects: OpenStack Nova Compute Charm
Status: Fix Released
Importance: High
Assigned to: James Page

Bug Description

While going through the NetApp integration, I found out that the following locations of binaries are wrong for focal.

/usr/sbin/blockdev
/usr/sbin/iscsiadm
/etc/multipath.conf

After adding the following entries, attaching the iSCSI volume and detaching the iSCSI volume work fine.
  /usr/sbin/iscsiadm rix,
  /usr/sbin/blockdev rix,
  /etc/multipath.conf r,

Otherwise, if the AppArmor profile is enabled, I get the following DENIED messages in dmesg:

Dec 3 21:03:15 node05 kernel: [21390.228906] audit: type=1400 audit(1607029395.480:462): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/usr/sbin/iscsiadm" pid=1432437 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

[22157.818194] audit: type=1400 audit(1607030163.076:490): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/usr/sbin/blockdev" pid=1463984 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

description: updated
tags: added: field high
James Page (james-page)
Changed in charm-nova-compute:
status: New → Invalid
tags: removed: field high
James Page (james-page) wrote :

The blockdev and iscsiadm binaries should be accessible under / and /usr locations already:

  /{usr/,}sbin/blockdev rix,
  /{usr/,}sbin/iscsiadm rix,

The apparmor patterns should allow that.

/etc/multipath.conf is not included.
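As an added example (not code from the bug report or from the charm): a small Python triage checker that expands the `{usr/,}` alternation used in the rules quoted above, parses AppArmor DENIED audit lines of the kind pasted in the report, and lists the denied paths that no rule accounts for. The first two audit lines are the ones from the report; the third, modelling a read of /etc/multipath.conf, is constructed for the example.

```python
import re

RULES = """
  /{usr/,}sbin/blockdev rix,
  /{usr/,}sbin/iscsiadm rix,
"""

# First two lines are the DENIED messages from the report; the third is constructed.
DENIALS = [
    'audit: type=1400 audit(1607029395.480:462): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/usr/sbin/iscsiadm" pid=1432437 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
    'audit: type=1400 audit(1607030163.076:490): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/usr/sbin/blockdev" pid=1463984 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
    'audit: type=1400 audit(0.0:0): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/etc/multipath.conf" pid=1 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]


def expand_braces(pattern):
    """Expand AppArmor {a,b} alternation (recursively) into concrete patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [p for alt in m.group(1).split(",") for p in expand_braces(head + alt + tail)]


def glob_to_regex(pattern):
    """AppArmor globbing: '*' stays within one path component, '**' crosses '/'."""
    parts = re.split(r"(\*\*|\*)", pattern)
    body = "".join({"**": ".*", "*": "[^/]*"}.get(p, re.escape(p)) for p in parts)
    return re.compile("^" + body + "$")


def parse_rules(text):
    """Return [(regex, {perm chars})] for each 'path perms,' rule line; comments skipped."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith(",") and not line.startswith("#"):
            path, perms = line[:-1].rsplit(None, 1)
            rules += [(glob_to_regex(p), set(perms)) for p in expand_braces(path)]
    return rules


def parse_denial(line):
    return dict(re.findall(r'(\w+)="([^"]*)"', line))  # profile, name, denied_mask, ...


def covered_by(rules, line):
    """True if a rule matches the denied path and grants every bit in denied_mask.
    Exec qualifiers (ix/px/ux) are flattened to plain 'x' here, which suffices for triage."""
    d = parse_denial(line)
    return any(rx.match(d["name"]) and set(d["denied_mask"]) <= perms for rx, perms in rules)


def uncovered_paths(rules_text, lines):
    rules = parse_rules(rules_text)  # denied paths no rule explains -> candidates for new entries
    return sorted({parse_denial(l)["name"] for l in lines if not covered_by(rules, l)})
```

Against the two rules above, `uncovered_paths(RULES, DENIALS)` returns only `/etc/multipath.conf`; adding a `/etc/multipath.conf r,` line empties the list.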

no longer affects: nova (Ubuntu)
Changed in charm-nova-compute:
status: Invalid → Triaged
importance: Undecided → High
assignee: nobody → James Page (james-page)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-nova-compute (master)
James Page (james-page) wrote :
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-nova-compute (master)

Reviewed: https://review.opendev.org/c/openstack/charm-nova-compute/+/795313
Committed: https://opendev.org/openstack/charm-nova-compute/commit/9d9a74ddda83df01ae8cbd34c6d13697b5fe17bc
Submitter: "Zuul (22348)"
Branch: master

commit 9d9a74ddda83df01ae8cbd34c6d13697b5fe17bc
Author: James Page <email address hidden>
Date: Tue Jun 8 13:29:22 2021 +0100

    apparmor: ensure multipath.conf is accessible

    Allow access to main multipath configuration file from the
    nova-compute daemon.

    Change-Id: Ibaa5f45b7fd72fcc936986286939e1285bcdb945
    Closes-Bug: 1906727

Changed in charm-nova-compute:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-nova-compute (stable/21.04)

Fix proposed to branch: stable/21.04
Review: https://review.opendev.org/c/openstack/charm-nova-compute/+/798670

Changed in charm-nova-compute:
milestone: none → 21.04
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-nova-compute (stable/21.04)

Reviewed: https://review.opendev.org/c/openstack/charm-nova-compute/+/798670
Committed: https://opendev.org/openstack/charm-nova-compute/commit/a0e789070dcf4505cb935803b7203cadc86b5d8a
Submitter: "Zuul (22348)"
Branch: stable/21.04

commit a0e789070dcf4505cb935803b7203cadc86b5d8a
Author: James Page <email address hidden>
Date: Tue Jun 8 13:29:22 2021 +0100

    apparmor: ensure multipath.conf is accessible

    Allow access to main multipath configuration file from the
    nova-compute daemon.

    Change-Id: Ibaa5f45b7fd72fcc936986286939e1285bcdb945
    Closes-Bug: 1906727
    (cherry picked from commit 9d9a74ddda83df01ae8cbd34c6d13697b5fe17bc)
