Bug #1475019 “apparmor blocks ntpd activity” : Bugs : Mirantis OpenStack

Revision history for this message

Vitaly Sedelnik (vsedelnik) wrote on 2015-07-16:

#1

Alexander, please provide more information on how to reproduce the issue and what is the impact.

Changed in mos:
status:	New → Incomplete
assignee:	nobody → Aleksandr Shaposhnikov (alashai8)
milestone:	none → 6.1-updates

Revision history for this message

Aleksandr Shaposhnikov (alashai8) wrote on 2015-07-16:

#2

There is nothing special about this bug. I did nothing to get this happens from time to time on the controllers so I don't have clear steps to reproduce that.

Changed in mos:
assignee:	Aleksandr Shaposhnikov (alashai8) → Vitaly Sedelnik (vsedelnik)

Aleksandr Shaposhnikov (alashai8) on 2015-07-16

description:

updated

Vitaly Sedelnik (vsedelnik) on 2015-08-17

Changed in mos:
importance:	Undecided → Medium
status:	Incomplete → Confirmed
assignee:	Vitaly Sedelnik (vsedelnik) → MOS Sustaining (mos-sustaining)

Revision history for this message

Denis Meltsaykin (dmeltsaykin) wrote on 2015-11-19:

#3

Setting this as Won't Fix, as this is medium not a customer-found bug.

Changed in mos:
status:	Confirmed → Incomplete
status:	Incomplete → Won't Fix

Revision history for this message

Hamza (h16mara) wrote on 2016-02-25:

#4

Hi,

Hit the same bug on MOS 7.0 too, and due to this timing issue, Ceph triggered a WARN state:
root@node-120:~# ceph health detail
HEALTH_WARN clock skew detected on mon.node-120
mon.node-120 addr 192.168.0.11:6789/0 clock skew 0.0667655s > max 0.05s (latency 0.00134925s):

root@node-120:~# ntpq -p
ntpq: read: Connection refused

NTP daemon is running:
root@node-120:~# pgrep -lf ntp
7221 ntpd

This is the same error message:
root@node-120:~# dmesg | grep ntp | tail -3
[2607440.438987] type=1400 audit(1456327372.337:216): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=7221 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[2607440.439037] type=1400 audit(1456327372.337:217): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=7221 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[2607440.439086] type=1400 audit(1456327372.337:218): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=7221 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

Regards,
Hamza

Denis Meltsaykin (dmeltsaykin) on 2016-04-14

tags:

added: customer-found

Andrii Petrenko (aplsms) on 2016-04-14

Changed in mos:
status:	Won't Fix → New
importance:	Medium → High
tags:	added: support

Revision history for this message

Andrii Petrenko (aplsms) wrote on 2016-04-14:

#5

Download full text (13.0 KiB)

Just got outage of this bug on customer.
I can provide logs by your requests.

<5>Apr 13 21:04:33 controller003 kernel: [4403436.671379] type=1400 audit(1460581470.926:139): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=14761 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<5>Apr 13 21:04:39 controller003 kernel: [4403436.690432] type=1400 audit(1460581470.946:141): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=14836 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<5>Apr 13 21:04:44 controller003 kernel: [4403436.691735] type=1400 audit(1460581470.950:143): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=14836 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<133>Apr 13 21:07:42 controller003 haproxy[39530]: Server cinder-api/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 1420ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<5>Apr 13 21:09:05 cGGUTTPLDI003 kernel: [4403701.910191] type=1400 audit(1460581736.010:156): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=21670 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<133>Apr 13 21:11:28 controller003 haproxy[39530]: Server nova-metadata-api/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 7590ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<133>Apr 13 21:12:58 controller003 haproxy[39530]: Server neutron/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 7033ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<133>Apr 13 21:16:40 controller003 haproxy[39530]: Backup Server mysqld/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 7135ms. 1 active and 2 backup servers online. 0 sessions requeued, 0 total in queue.
<133>Apr 13 21:16:47 controller003 haproxy[39530]: Server nova-metadata-api/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 4316ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<5>Apr 13 21:21:49 controller003 kernel: [4404469.956111] type=1400 audit(1460582503.594:185): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=8787 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<5>Apr 13 21:21:57 controller003 kernel: [4404469.957537] type=1400 audit(1460582503.598:188): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=8787 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<133>Apr 13 21:21:59 controller003 haproxy[39530]: Server neutron/controller003 is UP, r...

Just got outage of this bug on customer.
I can provide logs by your requests.

<5>Apr 13 21:04:33 controller003 kernel: [4403436.671379] type=1400 audit(1460581470.926:139): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=14761 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<5>Apr 13 21:04:39 controller003 kernel: [4403436.690432] type=1400 audit(1460581470.946:141): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=14836 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<5>Apr 13 21:04:44 controller003 kernel: [4403436.691735] type=1400 audit(1460581470.950:143): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=14836 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<133>Apr 13 21:07:42 controller003 haproxy[39530]: Server cinder-api/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 1420ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<5>Apr 13 21:09:05 cGGUTTPLDI003 kernel: [4403701.910191] type=1400 audit(1460581736.010:156): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=21670 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<133>Apr 13 21:11:28 controller003 haproxy[39530]: Server nova-metadata-api/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 7590ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<133>Apr 13 21:12:58 controller003 haproxy[39530]: Server neutron/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 7033ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<133>Apr 13 21:16:40 controller003 haproxy[39530]: Backup Server mysqld/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 7135ms. 1 active and 2 backup servers online. 0 sessions requeued, 0 total in queue.
<133>Apr 13 21:16:47 controller003 haproxy[39530]: Server nova-metadata-api/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 4316ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<5>Apr 13 21:21:49 controller003 kernel: [4404469.956111] type=1400 audit(1460582503.594:185): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=8787 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<5>Apr 13 21:21:57 controller003 kernel: [4404469.957537] type=1400 audit(1460582503.598:188): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=8787 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<133>Apr 13 21:21:59 controller003 haproxy[39530]: Server neutron/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 5542ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<5>Apr 13 21:24:21 controller003 kernel: [4404615.952113] type=1400 audit(1460582649.506:202): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=14810 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<5>Apr 13 21:24:26 controller003 kernel: [4404615.953887] type=1400 audit(1460582649.506:204): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=14810 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<133>Apr 13 21:26:57 controller003 haproxy[39530]: Server cinder-api/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 6098ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<5>Apr 13 21:27:19 controller003 kernel: [4404800.031057] type=1400 audit(1460582833.474:215): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=19699 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<5>Apr 13 21:27:34 controller003 kernel: [4404800.033333] type=1400 audit(1460582833.474:220): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=19699 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<133>Apr 13 21:27:44 controller003 haproxy[39530]: Server neutron/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 5920ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<133>Apr 13 21:31:52 controller003 haproxy[39530]: Server neutron/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 2262ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<5>Apr 13 21:36:28 controller003 kernel: [4405346.592185] type=1400 audit(1460583379.706:231): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=39422 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<5>Apr 13 21:36:40 controller003 kernel: [4405346.593583] type=1400 audit(1460583379.710:235): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=39422 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<133>Apr 13 21:36:49 controller003 haproxy[39530]: Server cinder-api/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 8739ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<133>Apr 13 21:39:37 controller003 haproxy[39530]: Server cinder-api/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 7820ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<5>Apr 13 21:42:23 controller003 kernel: [4405692.492509] type=1400 audit(1460583725.402:249): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=8847 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<133>Apr 13 21:43:26 controller003 haproxy[39530]: Server cinder-api/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 3165ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<133>Apr 13 21:43:36 controller003 haproxy[39530]: Server neutron/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 8748ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<133>Apr 13 21:46:25 controller003 haproxy[39530]: Server nova-metadata-api/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 7431ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<133>Apr 13 21:49:39 controller003 haproxy[39530]: Server cinder-api/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 5349ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<133>Apr 13 21:51:29 controller003 haproxy[39530]: Server nova-metadata-api/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 6676ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<5>Apr 13 21:53:05 controller003 kernel: [4406331.502122] type=1400 audit(1460584364.030:265): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=30702 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<133>Apr 13 21:53:55 controller003 haproxy[39530]: Server cinder-api/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 6024ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<133>Apr 13 21:56:37 controller003 haproxy[39530]: Server nova-metadata-api/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 6814ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<133>Apr 13 21:56:37 controller003 haproxy[39530]: Server cinder-api/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 6825ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<133>Apr 13 21:57:16 controller003 haproxy[39530]: Server neutron/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 7227ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<5>Apr 13 22:11:50 controller003 kernel: [4407469.147350] type=1400 audit(1460585500.994:276): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=19840 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<5>Apr 13 22:12:03 controller003 kernel: [4407469.149131] type=1400 audit(1460585500.998:281): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=19840 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<5>Apr 13 22:18:41 controller003 kernel: [4407884.119717] type=1400 audit(1460585915.722:290): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=31686 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<5>Apr 13 22:18:47 controller003 kernel: [4407884.119897] type=1400 audit(1460585915.722:292): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=31686 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<5>Apr 13 22:18:59 controller003 kernel: [4407884.121333] type=1400 audit(1460585915.722:296): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=31686 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<4>Apr 13 22:23:41 controller003 kernel: [4408190.126274] audit_printk_skb: 15 callbacks suppressed
<133>Apr 13 22:28:59 controller003 haproxy[39530]: Server cinder-api/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 1707ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<133>Apr 13 22:32:28 controller003 haproxy[39530]: Server cinder-api/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 5426ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<5>Apr 13 22:36:34 controller003 kernel: [4408954.369705] type=1400 audit(1460586985.330:321): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/games/" pid=24586 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
<5>Apr 13 22:37:00 controller003 kernel: [4408980.491224] type=1400 audit(1460587011.438:325): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=25592 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<5>Apr 13 22:37:12 controller003 kernel: [4408980.492599] type=1400 audit(1460587011.438:329): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=25592 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<133>Apr 13 22:38:56 controller003 haproxy[27760]: Server cinder-api/controller003 is UP, reason: Layer7 check passed, code: 200, info: "OK", check duration: 9992ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
<5>Apr 13 22:42:06 controller003 kernel: [4409283.351520] type=1400 audit(1460587314.118:345): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=34716 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<5>Apr 13 23:24:46 controller003 kernel: [4411851.322082] type=1400 audit(1460589880.333:358): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=29008 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
<5>Apr 13 23:24:56 controller003 kernel: [4411851.323919] type=1400 audit(1460589880.337:362): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="dev/log" pid=29008 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

Denis Puchkin (dpuchkin) on 2016-04-20

Changed in mos:
assignee:	MOS Maintenance (mos-maintenance) → Denis Puchkin (dpuchkin)

Revision history for this message

Denis Puchkin (dpuchkin) wrote on 2016-04-20:

#6

Hi
The cause of these apparmor messages is misconfigured ntp apparmor profile,
but there is nothing terrible

Apparmor banned only messages (like ntp successfully started and listen on socket )
to rsyslog through /dev/log, this happened because NTP is running in the
network namespase and apparmor has some issues with that.

Therefore apparmor doesn't not blocks ntpd activity and reason of clock skew in other place

as workaround, to allow ntp send msg to rsyslog you can Add the attach_disconnected flag
to the ntpd profile /etc/apparmor.d/usr.sbin.ntpd
-/usr/sbin/ntpd {
+/usr/sbin/ntpd flags=(attach_disconnected) {

please note, if you want get ntpd status, you should run ntpd -nq in proper namespace:

# ip netns exec vrouter ntpq -pn
remote refid st t when poll reach delay offset jitter
==================================================
+85.21.78.91 89.109.251.24 2 u 39m 1024 374 74.328 -7.866 1.642
*193.85.174.5 .GPS. 1 u 40m 1024 174 27.040 2.521 1.731
+191.233.81.105 213.109.127.82 3 u 851 1024 167 19.762 -8.164 3.164

Revision history for this message

Denis Puchkin (dpuchkin) wrote on 2016-04-20:

#7

closed as invalid, explanation in the comments above

Changed in mos:
status:	New → Invalid

Mirantis OpenStack

apparmor blocks ntpd activity

Bug Description

Other bug subscribers

Remote bug watches