[Bug 1821767] Re: Cinder ISCSI drivers require /sbin/iscsiadm permissions in apparmor
Sahid Orentino
sahid.ferdjaoui at canonical.com
Wed May 15 14:31:37 UTC 2019
** Changed in: charm-nova-compute
Importance: Wishlist => Medium
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/1821767
Title:
Cinder ISCSI drivers require /sbin/iscsiadm permissions in apparmor
Status in OpenStack nova-compute charm:
Triaged
Status in nova package in Ubuntu:
Confirmed
Bug description:
When implementing the cinder-purestorage charm (currently in development
by Field Engineering), we found that AppArmor denies iscsi commands
for nova-compute.
Here are example entries from the log:
[2903238.364025] audit: type=1400 audit(1553613828.370:366): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569410 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[2903238.364667] audit: type=1400 audit(1553613828.374:367): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569410 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[2903238.406600] audit: type=1400 audit(1553613828.414:368): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569411 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[2903238.406734] audit: type=1400 audit(1553613828.414:369): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569411 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Workaround is to set aa-profile-mode to complain.
To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-nova-compute/+bug/1821767/+subscriptions
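Added example, not part of the original bug report or of the charm's code: a small parser that groups AppArmor audit records like the ones quoted above by verdict, profile, operation, path and mask, so the access the confined profile lacks can be read off at a glance. The function names are hypothetical, and the third sample line is constructed on the assumption that, once the profile is in complain mode, the same exec is logged with apparmor="ALLOWED" instead of being blocked.

```python
import re
from collections import defaultdict

# Lines 1-2 are quoted from the bug description above; line 3 is constructed
# to show the same access as logged once the profile is in complain mode.
SAMPLE_LOG = """\
[2903238.364025] audit: type=1400 audit(1553613828.370:366): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569410 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[2903238.406600] audit: type=1400 audit(1553613828.414:368): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569411 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[2903300.000000] audit: type=1400 audit(1553613890.000:400): apparmor="ALLOWED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569500 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
STAMP_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')  # audit(epoch.millis:serial)


def parse_record(line):
    """Return the fields of an AppArmor audit record, or None for other lines."""
    stamp = STAMP_RE.search(line)
    if stamp is None:
        return None
    # Only parse key=value pairs that follow the audit(...) stamp.
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in FIELD_RE.finditer(line, stamp.end())}
    if fields.get("apparmor") not in ("DENIED", "ALLOWED"):
        return None
    return fields


def summarize(log_text):
    """Group records by (verdict, profile, operation, name, denied_mask)."""
    groups = defaultdict(lambda: {"count": 0, "pids": set(), "comms": set()})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        key = tuple(rec.get(k) for k in
                    ("apparmor", "profile", "operation", "name", "denied_mask"))
        group = groups[key]
        group["count"] += 1
        group["pids"].add(rec.get("pid", "?"))
        group["comms"].add(rec.get("comm", "?"))
    return dict(groups)


if __name__ == "__main__":
    for key, g in summarize(SAMPLE_LOG).items():
        print(g["count"], *key, sorted(g["comms"]), sorted(g["pids"]))
```

Records that still appear with the ALLOWED verdict after the workaround mark accesses the profile does not yet permit; they are the ones a profile fix has to cover before enforce mode is restored.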