etcdctl snap deployed to a xenial-lxd deployment being denied file_lock in apparmor

Bug #1809385 reported by Tim Van Steenburgh
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
Etcd Charm | New | Undecided | Unassigned |

Bug Description

Opened by afreiberger on 2018-09-26 15:54:08+00:00 at https://github.com/juju-solutions/layer-etcd/issues/139

------------------------------------------------------------

Every 5 minutes (update-status hook) the etcd charm is calling etcdctl, which is causing 4 entries in the kernel logs for apparmor denials:
[Wed Sep 26 15:46:31 2018] audit: type=1400 audit(1537976803.563:59951): apparmor="DENIED" operation="file_lock" namespace="root//lxd-juju-7e2a4a-15-lxd-2_" profile="/snap/core/5328/usr/lib/snapd/snap-confine" name="/dev/null" pid=1907424 comm="etcdctl" requested_mask="k" denied_mask="k" fsuid=100000 ouid=0
[Wed Sep 26 15:46:32 2018] audit: type=1400 audit(1537976804.507:59952): apparmor="DENIED" operation="file_lock" namespace="root//lxd-juju-7e2a4a-15-lxd-2_" profile="/snap/core/5328/usr/lib/snapd/snap-confine" name="/dev/null" pid=1907909 comm="etcdctl" requested_mask="k" denied_mask="k" fsuid=100000 ouid=0
[Wed Sep 26 15:46:33 2018] audit: type=1400 audit(1537976805.331:59953): apparmor="DENIED" operation="file_lock" namespace="root//lxd-juju-7e2a4a-15-lxd-2_" profile="/snap/core/5328/usr/lib/snapd/snap-confine" name="/dev/null" pid=1908489 comm="etcdctl" requested_mask="k" denied_mask="k" fsuid=100000 ouid=0
[Wed Sep 26 15:46:33 2018] audit: type=1400 audit(1537976805.427:59954): apparmor="DENIED" operation="file_lock" namespace="root//lxd-juju-7e2a4a-15-lxd-2_" profile="/snap/core/5328/usr/lib/snapd/snap-confine" name="/dev/null" pid=1908548 comm="etcdctl" requested_mask="k" denied_mask="k" fsuid=100000 ouid=0
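
A small triage helper for denials like the ones above, added here as an example and not part of the original report or the etcd charm: it parses AppArmor DENIED audit lines, groups them by profile, operation, target, command and mask, and decodes the mask letters. The function names are hypothetical; the sample rebuilds the report's four lines from their varying fields and appends one constructed unrelated line.

```python
import re
from collections import defaultdict

# AppArmor permission letters as they appear in requested_mask / denied_mask.
MASK = {"r": "read", "w": "write", "a": "append", "c": "create", "d": "delete",
        "x": "execute", "m": "mmap-exec", "k": "lock", "l": "link"}
KEY_FIELDS = ("profile", "operation", "name", "comm", "denied_mask")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
STAMP = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

def parse_denial(line):
    """Return the fields of one AppArmor DENIED audit line, else None."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    stamp = STAMP.search(line)
    if fields.get("apparmor") != "DENIED" or stamp is None:
        return None
    fields["time"] = float(stamp.group(1))   # audit timestamp (epoch seconds)
    fields["serial"] = int(stamp.group(2))   # audit event serial number
    return fields

def summarize(lines):
    """Group denials by what was denied; keep count, first/last time, pids."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None, "pids": set()})
    for f in filter(None, map(parse_denial, lines)):
        # .get() because some denial types (e.g. capability) carry no name=
        g = groups[tuple(f.get(k, "") for k in KEY_FIELDS)]
        g["count"] += 1
        g["first"] = f["time"] if g["first"] is None else min(g["first"], f["time"])
        g["last"] = f["time"] if g["last"] is None else max(g["last"], f["time"])
        g["pids"].add(f.get("pid"))
    return dict(groups)

def explain_mask(mask):
    return [MASK.get(c, "unknown(%s)" % c) for c in mask]

# The report's four denials differ only in wall time, audit stamp and pid.
TEMPLATE = ('[Wed Sep 26 15:46:{s} 2018] audit: type=1400 audit({t}): apparmor="DENIED" '
            'operation="file_lock" namespace="root//lxd-juju-7e2a4a-15-lxd-2_" '
            'profile="/snap/core/5328/usr/lib/snapd/snap-confine" name="/dev/null" '
            'pid={p} comm="etcdctl" requested_mask="k" denied_mask="k" fsuid=100000 ouid=0')
SAMPLE = [TEMPLATE.format(s=s, t=t, p=p) for s, t, p in [
    (31, "1537976803.563:59951", 1907424), (32, "1537976804.507:59952", 1907909),
    (33, "1537976805.331:59953", 1908489), (33, "1537976805.427:59954", 1908548)]]
SAMPLE.append("[Wed Sep 26 15:46:34 2018] EXT4-fs (sda1): re-mounted")  # constructed

if __name__ == "__main__":
    for key, g in summarize(SAMPLE).items():
        print(key, g["count"], "denials,", len(g["pids"]), "pids,",
              "%.3fs span," % (g["last"] - g["first"]), explain_mask(key[4]))
```

Run against the report's lines, this collapses the four entries into one group: four separate etcdctl processes, each denied the lock ("k") permission on /dev/null under the snap-confine profile, all within about two seconds.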

tags: added: canonical-bootstack
Guilherme G. Piccoli (gpiccoli) wrote :

What could possibly be trying to lock /dev/null? I'm trying to understand this problem; a simple redirection (like something >/dev/null) does not seem to cause the lock attempt. I don't have much experience with juju/snaps/charms, so I'm trying to instrument the kernel file locking functions to collect information.

Also, would it be harmful to just add rwk to the apparmor profile in this case, to allow such locking?
Thanks!

tags: added: sts
Felipe Alencastro (falencastro) wrote :

This still happens with charm-etcd rev 655 and ubuntu focal and appears to trigger LP#1933128.
