snap.maas.supervisor DENIED

Bug #1939949 reported by Robert Tilley
This bug affects 5 people
Affects   Status      Importance   Assigned to   Milestone
MAAS      Triaged     Low          Unassigned
snapd     Won't Fix   Undecided    Unassigned

Bug Description

It appears that this may be related in some way to a previous issue, Bug #1867571. I am constantly getting some version of the following error message. It isn't always /dev/sda but could also be "/etc/gss/mech.d/", for example. Log attached.

Aug 13 20:57:49 utl01 kernel: [898463.471232] audit: type=1400 audit(1628888269.041:222847): apparmor="DENIED" operation="open" profile="snap.maas.supervisor" name="/dev/sda" pid=2245069 comm="amd64" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

snap 2.51.3
snapd 2.51.3
series 16
ubuntu 20.04
kernel 5.4.0-81-generic

Tags: maas
Robert Tilley (fladventurerob) wrote :
description: updated
description: updated
Ian Johnson (anonymouse67) wrote :

I'm not sure that this is a snapd bug; it depends on why MAAS is trying to access /dev/sda.

Alberto Donato (ack) wrote :

Could you paste the output of `snap connections maas`?

Changed in maas:
status: New → Incomplete
Changed in snapd:
status: New → Incomplete
James Simpson (jsimpso) wrote :

I've just noticed similar messages on a MAAS server:

"kernel: [8227300.867247] audit: type=1400 audit(1653363233.557:970746): apparmor="DENIED" operation="open" profile="snap.maas.supervisor" name="/dev/vda" pid=1645448 comm="amd64" requested_mask="r" denied_mask="r" fsuid=0 ouid=0"

"vda" is the root (and only) disk on this particular machine.

We're also seeing this for "/etc/gss/mech.d/":
jsimpso@maas:~$ grep 'apparmor="DENIED"' /var/log/syslog | cut -d ' ' -f 12,13 | sort | uniq
profile="snap.maas.supervisor" name="/dev/vda"
profile="snap.maas.supervisor" name="/etc/gss/mech.d/"

Here's the output of "snap connections maas" as previously requested:
Interface              Plug                        Slot                    Notes
avahi-observe          maas:avahi-observe          :avahi-observe          -
content[maas-cli]      maas:maas-cli               maas-cli:maas-cli       -
content                maas:test-db-socket         -                       -
hardware-observe       maas:hardware-observe       :hardware-observe       -
home                   maas:home                   :home                   -
kernel-module-observe  maas:kernel-module-observe  :kernel-module-observe  -
mount-observe          maas:mount-observe          :mount-observe          -
network                maas:network                :network                -
network-bind           maas:network-bind           :network-bind           -
network-control        maas:network-control        :network-control        -
network-observe        maas:network-observe        :network-observe        -
system-observe         maas:system-observe         :system-observe         -
time-control           maas:time-control           :time-control           -

Changed in maas:
status: Incomplete → New
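
Added example (not part of the original report or of MAAS/snapd): a summary of AppArmor denials that parses the audit record's key=value pairs instead of relying on field positions, which shift when the kernel timestamp is space-padded, and that decodes hex-encoded names. The first two sample lines are the ones quoted in this report; the remaining lines, including the `comm="example"` value and the `/media/my disk` path, are constructed for illustration.

```python
import re
from collections import Counter

# key="quoted" or key=bare pairs as emitted by the kernel audit subsystem
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in PAIR.findall(line):
        value = quoted or bare
        if key == "name" and bare and HEX.fullmatch(bare):
            # Unquoted name: audit hex-encodes paths containing spaces or quotes
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields

def summarize(lines):
    """Count denials per (profile, operation, name, denied_mask), most frequent first."""
    keys = ("profile", "operation", "name", "denied_mask")
    counts = Counter()
    for line in lines:
        rec = parse_denial(line)
        if rec:
            counts[tuple(rec.get(k) for k in keys)] += 1
    return counts.most_common()

TAIL = 'pid=100 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
SAMPLE = [
    # From this report
    'Aug 13 20:57:49 utl01 kernel: [898463.471232] audit: type=1400 audit(1628888269.041:222847): apparmor="DENIED" operation="open" profile="snap.maas.supervisor" name="/dev/sda" pid=2245069 comm="amd64" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'kernel: [8227300.867247] audit: type=1400 audit(1653363233.557:970746): apparmor="DENIED" operation="open" profile="snap.maas.supervisor" name="/dev/vda" pid=1645448 comm="amd64" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    # Constructed: padded timestamp (extra fields for cut -d ' '), then unpadded
    'Jan  1 00:00:12 host kernel: [   12.345678] audit: type=1400 audit(1700000000.000:10): apparmor="DENIED" operation="open" profile="snap.maas.supervisor" name="/etc/gss/mech.d/" ' + TAIL,
    'Jan  1 09:00:00 host kernel: [32412.000001] audit: type=1400 audit(1700032400.000:11): apparmor="DENIED" operation="open" profile="snap.maas.supervisor" name="/etc/gss/mech.d/" ' + TAIL,
    # Constructed: hex-encoded name, decodes to "/media/my disk"
    'Jan  1 09:00:01 host kernel: [32413.000001] audit: type=1400 audit(1700032401.000:12): apparmor="DENIED" operation="open" profile="snap.maas.supervisor" name=2F6D656469612F6D79206469736B ' + TAIL,
    # Constructed: not a denial, must be ignored
    'Jan  1 09:00:02 host kernel: [32414.000001] audit: type=1400 audit(1700032402.000:13): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.maas.supervisor" pid=101 comm="apparmor_parser"',
]

if __name__ == "__main__":
    for (profile, op, name, mask), n in summarize(SAMPLE):
        print(f"{n:4d}  {profile}  {op}  {mask}  {name}")
```

To run it over a real log, pass an open file handle to `summarize()` in place of `SAMPLE`.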
Alberto Donato (ack) wrote :

The /dev/vda error is quite strange, as MAAS should be allowed to access block devices.

For other paths, it could be that apps used inside the maas snap (e.g. nginx, wget, ...) try to access default paths for configs, which are not allowed as they're outside of the snap. This is usually harmless as MAAS has its own configs.

Do you see any wrong behavior in MAAS that could be related to the error?

Changed in maas:
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for MAAS because there has been no activity for 60 days.]

Changed in maas:
status: Incomplete → Expired
Launchpad Janitor (janitor) wrote :

[Expired for snapd because there has been no activity for 60 days.]

Changed in snapd:
status: Incomplete → Expired
Junien Fridrick (axino) wrote :

Hi,

I'm not seeing any wrong behaviour in MAAS, but the log spamming is quite bad :
https://pastebin.ubuntu.com/p/jwT9cHy2TT/

$ snap connections maas
Interface              Plug                        Slot                    Notes
avahi-observe          maas:avahi-observe          :avahi-observe          -
content[maas-cli]      maas:maas-cli               maas-cli:maas-cli       -
content                maas:test-db-socket         -                       -
hardware-observe       maas:hardware-observe       :hardware-observe       -
home                   maas:home                   :home                   -
kernel-module-observe  maas:kernel-module-observe  :kernel-module-observe  -
mount-observe          maas:mount-observe          :mount-observe          -
network                maas:network                :network                -
network-bind           maas:network-bind           :network-bind           -
network-control        maas:network-control        :network-control        -
network-observe        maas:network-observe        :network-observe        -
system-observe         maas:system-observe         :system-observe         -
time-control           maas:time-control           :time-control           -

Changed in maas:
status: Expired → New
Changed in snapd:
status: Expired → New
Christian Grabowski (cgrabowski) wrote :

Hi there, can you please provide what version of MAAS you are using and what version of Ubuntu the machine running the snap is using?

Junien Fridrick (axino) wrote :

Sure ! MAAS snap 3.1.0-10901-g.f1f8f1505, Ubuntu 20.04, kernel 5.4.0-120-generic

Bill Wear (billwear)
Changed in maas:
status: New → Triaged
importance: Undecided → Low
Jerzy Husakowski (jhusakowski) wrote :

MAAS attempts to retrieve information that is not available from inside a snap. This leads to snapd log spam. MAAS should not attempt to retrieve such information.

Changed in maas:
milestone: none → 3.4.0
Changed in snapd:
status: New → Won't Fix
Alberto Donato (ack)
Changed in maas:
milestone: 3.4.0 → 3.4.x
Alan Baghumian (alanbach) wrote :

I am running MAAS 3.3.4/3.3.5 and also do see these in the logs.
