Cinder ISCSI drivers require /sbin/iscsiadm permissions in apparmor
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Nova Compute Charm | Triaged | Medium | Tiago Pasqualini da Silva | 
nova (Ubuntu) | Confirmed | Undecided | Unassigned | 
Bug Description
When implementing the cinder-purestorage charm (currently in development by Field Engineering), we found that AppArmor denies iSCSI commands for nova-compute.
Here are example entries from the log:
[2903238.364025] audit: type=1400 audit(155361382
[2903238.364667] audit: type=1400 audit(155361382
[2903238.406600] audit: type=1400 audit(155361382
[2903238.406734] audit: type=1400 audit(155361382
Workaround is to set aa-profile-mode to complain.
Changed in charm-nova-compute:
status: New → Triaged
importance: Undecided → Wishlist

Changed in charm-nova-compute:
importance: Wishlist → Medium

Changed in charm-nova-compute:
assignee: nobody → Tiago Pasqualini da Silva (tiago.pasqualini)
After setting the workaround, the entire capture of dmesg in complain mode around volume attachment was:
[2903694.845859] audit: type=1400 audit(1553614284.848:370): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/nova-compute" pid=586258 comm="apparmor_parser"
[2903992.462251] audit: type=1400 audit(1553614582.460:371): apparmor="ALLOWED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=596320 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/bin/nova-compute//null-/sbin/iscsiadm"
[2903992.474368] audit: type=1400 audit(1553614582.472:372): apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/etc/ld.so.cache" pid=596320 comm="iscsiadm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2903992.474404] audit: type=1400 audit(1553614582.472:373): apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=596320 comm="iscsiadm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2903992.474733] audit: type=1400 audit(1553614582.472:374): apparmor="ALLOWED" operation="file_mprotect" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/sbin/iscsiadm" pid=596320 comm="iscsiadm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2903992.474763] audit: type=1400 audit(1553614582.472:375): apparmor="ALLOWED" operation="file_mprotect" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/lib/x86_64-linux-gnu/ld-2.23.so" pid=596320 comm="iscsiadm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2903992.667138] audit: type=1400 audit(1553614582.664:376): apparmor="ALLOWED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=596323 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/bin/nova-compute//null-/sbin/iscsiadm"
[2903992.682292] audit: type=1400 audit(1553614582.680:377): apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/etc/ld.so.cache" pid=596323 comm="iscsiadm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2903992.688930] audit: type=1400 audit(1553614582.688:378): apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=596323 comm="iscsiadm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2903992.689324] audit: type=1400 audit(1553614582.688:379): apparmor="ALLOWED" operation="file_mprotect" profile="/usr/bin/nova-compute//null-/sbin/iscsiadm" name="/sbin/iscsiadm" pid=596323 comm="iscsiadm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0