yahoo-eng-team team mailing list archive
Message #74913
[Bug 1794564] [NEW] Apparmor denies /usr/bin/nova-compute access to /proc/loadavg on openstack hypervisor show
Public bug reported:
On a Xenial-Queens cloud, I'm seeing a failure with the nova-compute
17.0.5-0ubuntu1~cloud0 package, which is unable to run uptime due to a
failure to read /proc/loadavg.
Kernel log entries:
[4726259.738185] audit: type=1400 audit(1537977315.312:59959): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/proc/loadavg" pid=1958757 comm="uptime" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
[4726265.862186] audit: type=1400 audit(1537977321.436:59960): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/proc/loadavg" pid=1959961 comm="uptime" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
This happens when running "openstack hypervisor show <hostname>" with
AppArmor in enforce mode.
This read access to /proc/loadavg should be added to the AppArmor profiles
for the nova-compute package.
** Affects: nova
Importance: Undecided
Status: New
** Tags: canonical-bootstack
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1794564
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1794564/+subscriptions
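
An added example, not part of the original report or of the nova packaging: a small parser that turns AppArmor DENIED records like the two quoted above into candidate file rules, grouped by the profile named in each record. The function names are hypothetical; the sample input is the two kernel log lines from the report.

```python
import re
from collections import defaultdict

# The two denial records quoted in the bug report above.
SAMPLE_LOG = '''\
[4726259.738185] audit: type=1400 audit(1537977315.312:59959): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/proc/loadavg" pid=1958757 comm="uptime" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
[4726265.862186] audit: type=1400 audit(1537977321.436:59960): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/proc/loadavg" pid=1959961 comm="uptime" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
'''

# key="quoted" or key=bare; audit hex-encodes strings it cannot quote safely.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Return one dict per AppArmor DENIED record; other lines are skipped."""
    records = []
    for line in text.splitlines():
        rec = {}
        for key, quoted, bare in FIELD.findall(line):
            if key == "name" and bare:
                try:  # an unquoted name is a hex-encoded path
                    bare = bytes.fromhex(bare).decode("utf-8", "replace")
                except ValueError:
                    pass
            rec[key] = bare or quoted
        if rec.get("type") == "1400" and rec.get("apparmor") == "DENIED":
            records.append(rec)
    return records


def suggest_rules(text):
    """Map each profile to the deduplicated file rules its denials call for."""
    masks = defaultdict(set)
    for rec in parse_denials(text):
        mask = set(rec.get("denied_mask", ""))
        # Only plain read/write file denials become rules here; exec, link,
        # lock and non-file operations are left for a human decision.
        if "name" in rec and mask and mask <= {"r", "w"}:
            masks[(rec["profile"], rec["name"])] |= mask
    rules = defaultdict(list)
    for (profile, path), mask in sorted(masks.items()):
        path = f'"{path}"' if " " in path else path  # quote paths with spaces
        rules[profile].append(f"{path} {''.join(sorted(mask))},")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(profile, lines)
```

Each suggested rule still needs review before it goes into a profile: the log shows what was denied, not whether the access should be granted.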