[Bug 1821767] Re: Cinder ISCSI drivers require /sbin/iscsiadm permissions in apparmor

Tiago Pasqualini da Silva tiago.pasqualini at canonical.com
Wed May 15 14:43:39 UTC 2019


Fix:   https://review.opendev.org/#/c/655803/

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/1821767

Title:
  Cinder ISCSI drivers require /sbin/iscsiadm permissions in apparmor

Status in OpenStack nova-compute charm:
  Triaged
Status in nova package in Ubuntu:
  Confirmed

Bug description:
  When implementing the cinder-purestorage charm (currently in
  development by Field Engineering), we found that AppArmor denies
  iSCSI commands for nova-compute.

  Here are example entries from the log:

  [2903238.364025] audit: type=1400 audit(1553613828.370:366): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569410 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
  [2903238.364667] audit: type=1400 audit(1553613828.374:367): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569410 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
  [2903238.406600] audit: type=1400 audit(1553613828.414:368): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569411 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
  [2903238.406734] audit: type=1400 audit(1553613828.414:369): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569411 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

  Workaround is to set aa-profile-mode to complain.

To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-nova-compute/+bug/1821767/+subscriptions
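
As an added example (not part of the bug report or of the charm's code), the following Python script groups AppArmor DENIED audit records like those quoted in the bug description by profile, operation, target path and denied mask, so that repeated denials collapse into one entry showing what the profile lacks. The function names are hypothetical; the sample input is the four records from the report plus one constructed STATUS line.

```python
import re
from collections import defaultdict

# key=value or key="value" pairs as they appear in kernel audit records
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The four DENIED records quoted in the bug report, plus one constructed
# STATUS record (last line) to show that non-denials are skipped.
SAMPLE = """\
[2903238.364025] audit: type=1400 audit(1553613828.370:366): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569410 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[2903238.364667] audit: type=1400 audit(1553613828.374:367): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569410 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[2903238.406600] audit: type=1400 audit(1553613828.414:368): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569411 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[2903238.406734] audit: type=1400 audit(1553613828.414:369): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/sbin/iscsiadm" pid=569411 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[2903240.000000] audit: type=1400 audit(1553613830.000:370): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/nova-compute" pid=569500 comm="apparmor_parser"
"""


def parse_record(line):
    """Return the audit fields of one line as a dict, or None if not AppArmor."""
    fields = {k: quoted or bare for k, quoted, bare in PAIR.findall(line)}
    return fields if "apparmor" in fields else None


def summarise_denials(text):
    """Group DENIED records by (profile, operation, name, denied_mask)."""
    groups = defaultdict(lambda: {"count": 0, "pids": set(), "comms": set()})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["apparmor"] != "DENIED":
            continue
        key = (rec.get("profile"), rec.get("operation"),
               rec.get("name"), rec.get("denied_mask"))
        groups[key]["count"] += 1
        if rec.get("pid", "").isdigit():
            groups[key]["pids"].add(int(rec["pid"]))
        groups[key]["comms"].add(rec.get("comm"))
    return dict(groups)


if __name__ == "__main__":
    for (profile, op, name, mask), g in summarise_denials(SAMPLE).items():
        print(f"profile {profile}: {op} of {name} denied (mask {mask}) "
              f"x{g['count']}, pids {sorted(g['pids'])}, via {sorted(g['comms'])}")
```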


