
yahoo-eng-team team mailing list archive

[Bug 1794564] Re: Apparmor denies /usr/bin/nova-compute access to /proc/loadavg on openstack hypervisor show

 

** Changed in: charm-nova-compute
       Status: New => Triaged

** Changed in: nova
       Status: New => Invalid

** Changed in: charm-nova-compute
   Importance: Undecided => Medium

** Changed in: charm-nova-compute
     Assignee: (unassigned) => James Page (james-page)

** Changed in: charm-nova-compute
       Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1794564

Title:
  Apparmor denies /usr/bin/nova-compute access to /proc/loadavg on
  openstack hypervisor show

Status in OpenStack nova-compute charm:
  In Progress
Status in OpenStack Compute (nova):
  Invalid

Bug description:
  On a Xenial-Queens cloud, I'm seeing a failure with the nova-compute
  17.0.5-0ubuntu1~cloud0 package: it is unable to run uptime due to a
  failure to read /proc/loadavg.

  Kernel log entries:

  [4726259.738185] audit: type=1400 audit(1537977315.312:59959): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/proc/loadavg" pid=1958757 comm="uptime" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
  [4726265.862186] audit: type=1400 audit(1537977321.436:59960): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/proc/loadavg" pid=1959961 comm="uptime" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0

  This happens when running "openstack hypervisor show <hostname>" with
  AppArmor in enforce mode.

  This read access to /proc/loadavg should be added to the AppArmor
  profiles for the nova-compute package.

To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-nova-compute/+bug/1794564/+subscriptions
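
Added example (not part of the bug report, nova, or the charm): a small triage helper that turns AppArmor DENIED audit lines like the two above into candidate file rules per profile, so the missing permission can be reviewed before a profile is edited. The names parse_fields and candidate_rules are hypothetical, and the output is a suggestion to review, not the fix that was applied in the charm.

```python
import re
from collections import defaultdict

# Sample input: the two kernel log lines quoted in the bug description above.
SAMPLE_LOG = """\
[4726259.738185] audit: type=1400 audit(1537977315.312:59959): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/proc/loadavg" pid=1958757 comm="uptime" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
[4726265.862186] audit: type=1400 audit(1537977321.436:59960): apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/proc/loadavg" pid=1959961 comm="uptime" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
FILE_PERMS = "rwaklm"  # file permissions a rule can carry without an exec qualifier


def parse_fields(line):
    """Return the key=value pairs of one audit line as a dict."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        if key == "name" and not quoted and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            # The audit subsystem hex-encodes names that contain spaces or quotes.
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = quoted or bare
    return fields


def candidate_rules(log_text):
    """Map each confined profile to the file rules its DENIED lines call for."""
    masks = defaultdict(set)  # (profile, path) -> denied permission letters
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or "name" not in f or "profile" not in f:
            continue  # skips ALLOWED (complain mode) and non-file events
        masks[(f["profile"], f["name"])].update(f.get("denied_mask", ""))
    rules = defaultdict(list)
    for (profile, path), perms in sorted(masks.items()):
        if not perms or not perms <= set(FILE_PERMS):
            continue  # exec ("x") needs a human choice of transition mode
        ordered = "".join(p for p in FILE_PERMS if p in perms)
        quoted_path = f'"{path}"' if " " in path else path
        rules[profile].append(f"{quoted_path} {ordered},")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE_LOG).items():
        print(f"# profile {profile}")
        for rule in lines:
            print(f"  {rule}")
```

Repeated denials for the same path collapse into one rule, and exec denials are left out on purpose because they need a decision about the transition mode.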

