[Bug 1821767] Re: Cinder ISCSI drivers require /sbin/iscsiadm permissions in apparmor
Alex Kavanagh
1821767 at bugs.launchpad.net
Wed May 15 13:51:54 UTC 2019
** Also affects: nova (Ubuntu)
Importance: Undecided
Status: New
** Changed in: charm-nova-compute
Status: New => Triaged
** Changed in: charm-nova-compute
Importance: Undecided => Wishlist
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/1821767
Title:
Cinder ISCSI drivers require /sbin/iscsiadm permissions in apparmor
Status in OpenStack nova-compute charm:
Triaged
Status in nova package in Ubuntu:
New
Bug description:
When implementing cinder-purestorage charm (currently in development
by Field Engineering), we found that app armor denies iscsi commands
for nova-compute.
Here are example entries from the log:
[2903238.364025] audit: type=1400 audit(1553613828.370:366): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569410 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[2903238.364667] audit: type=1400 audit(1553613828.374:367): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569410 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[2903238.406600] audit: type=1400 audit(1553613828.414:368): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569411 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[2903238.406734] audit: type=1400 audit(1553613828.414:369): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569411 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Workaround is to set aa-profile-mode to complain.
To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-nova-compute/+bug/1821767/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list