Enforcing AppArmor breaks LXD virt_type

Bug #1675803 reported by Ante Karamatić
Affects: OpenStack Nova Compute Charm; Status: Fix Released; Importance: High; Assigned to: Ante Karamatić

Bug Description

When AppArmor is enforcing, nova-lxd can't even start. This is because various cpu properties are not readable:

[76920.211338] audit: type=1400 audit(1490366094.192:56): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/sys/devices/system/cpu/cpu0/topology/thread_siblings" pid=405569 comm="lscpu" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
[76979.971671] audit: type=1400 audit(1490366153.952:57): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/sys/devices/system/cpu/cpu0/topology/thread_siblings" pid=405740 comm="lscpu" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
[77027.842095] audit: type=1400 audit(1490366201.827:59): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/sys/devices/system/cpu/cpu0/topology/thread_siblings" pid=408803 comm="lscpu" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
[77195.285248] audit: type=1400 audit(1490366369.265:604): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/sys/devices/system/cpu/cpu0/topology/thread_siblings" pid=411560 comm="lscpu" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
[77257.294846] audit: type=1400 audit(1490366431.273:606): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/sys/devices/system/cpu/cpu0/cache/index2/type" pid=417631 comm="lscpu" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
[77272.523721] audit: type=1400 audit(1490366446.502:607): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/sys/devices/system/cpu/cpu0/cache/index2/type" pid=417728 comm="lscpu" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
[77320.196691] audit: type=1400 audit(1490366494.173:609): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq" pid=420761 comm="lscpu" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
[77379.980314] audit: type=1400 audit(1490366553.957:610): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq" pid=421164 comm="lscpu" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
[77441.004521] audit: type=1400 audit(1490366614.981:611): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq" pid=422502 comm="lscpu" requested_mask="r" denied_mask="r" fsuid=113 ouid=0

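The lines above are AppArmor audit records, and the fix that was later merged for this bug boils down to adding read rules for the paths they name. As an added example (not part of the bug report or the charm), here is a small Python triage script in the spirit of aa-logprof: it parses such records, keeps only DENIED events, collapses per-instance paths (cpu0, index2, policy0) into one AppArmor character-class glob, and prints the candidate file rules for the profile. The embedded input is three of the denials quoted above plus one constructed ALLOWED record to show that complain-mode noise is filtered out; the mapping of the kernel's create/delete mask letters to `w` is a simplification, and link, lock and exec modes are not handled.

```python
import re

# Constructed sample input: three of the denials quoted in the bug report
# plus one ALLOWED record (made up, as a complain-mode profile would log)
# to show that only DENIED events are turned into rules.
SAMPLE_AUDIT_LOG = """\
[76920.211338] audit: type=1400 audit(1490366094.192:56): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/sys/devices/system/cpu/cpu0/topology/thread_siblings" pid=405569 comm="lscpu" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
[77257.294846] audit: type=1400 audit(1490366431.273:606): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/sys/devices/system/cpu/cpu0/cache/index2/type" pid=417631 comm="lscpu" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
[77320.196691] audit: type=1400 audit(1490366494.173:609): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq" pid=420761 comm="lscpu" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
[77321.000000] audit: type=1400 audit(1490366495.000:612): apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute" name="/etc/nova/nova.conf" pid=420761 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
"""

# key=value or key="quoted value" pairs as they appear in audit records
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Digits that end a path component (cpu0, index2, policy0) and are therefore
# an instance number rather than part of a fixed name.
INSTANCE_NUMBER_RE = re.compile(r'(?<=[A-Za-z])\d+(?=/|$)')

# Kernel mask letters with no profile-syntax equivalent: create and delete
# both need write permission. Simplification: link/lock/exec not covered.
MASK_ALIASES = {'c': 'w', 'd': 'w'}


def parse_audit_line(line):
    """Return the fields of one AppArmor audit record as a dict, or None
    when the line is not an AppArmor record at all."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def collect_denials(log_text):
    """Group DENIED records by (profile, path), merging the denied mask
    letters and remembering which programs triggered them."""
    denials = {}
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if not rec or rec.get('apparmor') != 'DENIED' or 'name' not in rec:
            continue
        entry = denials.setdefault((rec['profile'], rec['name']),
                                   {'mask': set(), 'comm': set()})
        entry['mask'].update(MASK_ALIASES.get(c, c)
                             for c in rec.get('denied_mask', ''))
        entry['comm'].add(rec.get('comm', '?'))
    return denials


def generalise_path(path):
    """Turn /sys/.../cpu0/... into /sys/.../cpu[0-9]*/... so one rule covers
    every CPU, cache index or cpufreq policy instead of only the first."""
    return INSTANCE_NUMBER_RE.sub('[0-9]*', path)


def suggest_rules(denials):
    """Produce candidate file rules per profile, in AppArmor syntax,
    in the order the denials were first seen."""
    rules = {}
    for (profile, path), entry in denials.items():
        mask = ''.join(sorted(entry['mask']))
        rule = '  %s %s,' % (generalise_path(path), mask)
        per_profile = rules.setdefault(profile, [])
        if rule not in per_profile:
            per_profile.append(rule)
    return rules


if __name__ == '__main__':
    denials = collect_denials(SAMPLE_AUDIT_LOG)
    for profile, profile_rules in suggest_rules(denials).items():
        print('# candidate additions for %s' % profile)
        for rule in profile_rules:
            print(rule)
```

Run against a real host, feed it `dmesg` or `/var/log/audit/audit.log` output and review each suggested glob before adding it to the profile; a glob that is wider than the denials justify widens the sandbox for everything the profile confines.
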
Ante Karamatić (ivoks)
Changed in charm-nova-compute:
assignee: nobody → Ante Karamatić (ivoks)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-nova-compute (master)

Fix proposed to branch: master
Review: https://review.openstack.org/449671

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-nova-compute (master)

Reviewed: https://review.openstack.org/449671
Committed: https://git.openstack.org/cgit/openstack/charm-nova-compute/commit/?id=d673f94097ac25656f473f6888b692af51950b47
Submitter: Jenkins
Branch: master

commit d673f94097ac25656f473f6888b692af51950b47
Author: Ante Karamatic <email address hidden>
Date: Fri Mar 24 16:07:09 2017 +0100

    Allow nova-compute to read through cpu attributes

    LXD requires access to CPU attributes that are currently not allowed
    in AppArmor profile. This change allows access to those attributes.
    It also adds virt_type to NovaComputeAppArmor context. It then uses
    this to provide nova-compute with access to LXD's socket.

    Change-Id: I78d18dcf37f6195ea1ceec1029ddfac44a4a1b33
    Closes-Bug: 1675803

Changed in charm-nova-compute:
status: In Progress → Fix Committed
Ante Karamatić (ivoks)
tags: added: stable-backport
James Page (james-page)
Changed in charm-nova-compute:
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-nova-compute (stable/17.02)

Fix proposed to branch: stable/17.02
Review: https://review.openstack.org/467111

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-nova-compute (stable/17.02)

Reviewed: https://review.openstack.org/467111
Committed: https://git.openstack.org/cgit/openstack/charm-nova-compute/commit/?id=098aff209621b3d1f56304bdf2ebb48305cff21c
Submitter: Jenkins
Branch: stable/17.02

commit 098aff209621b3d1f56304bdf2ebb48305cff21c
Author: Ante Karamatic <email address hidden>
Date: Fri Mar 24 16:07:09 2017 +0100

    Allow nova-compute to read through cpu attributes

    LXD requires access to CPU attributes that are currently not allowed
    in AppArmor profile. This change allows access to those attributes.
    It also adds virt_type to NovaComputeAppArmor context. It then uses
    this to provide nova-compute with access to LXD's socket.

    Resync charmhelpers from stable branch to resolve amulet action
    execution test errors.

    Change-Id: I78d18dcf37f6195ea1ceec1029ddfac44a4a1b33
    Closes-Bug: 1675803
    (cherry picked from commit d673f94097ac25656f473f6888b692af51950b47)

James Page (james-page)
Changed in charm-nova-compute:
status: Fix Committed → Fix Released
milestone: none → 17.08