AppArmor preventing Cinder volume from mounting

asked 2013-12-30 02:16:14 -0500

nbetham

I have been following the guide to install OpenStack Havana on Ubuntu and I have encountered a problem where the profiles loaded into AppArmor prevent a VM from attaching a Cinder volume. I have been able to mount the Cinder iSCSI target manually on the compute node from the controller with no issues. The issue seems to happen when libvirt is updating the profile for the VM. It adds "/dev/sdb" rw, to the bottom of the AppArmor profile specific to the VM, then tells AppArmor to reload the profile. However, when Nova tries to attach the volume to the VM, it is denied by AppArmor.

My current OpenStack setup involves one controller node and one compute node, running Ubuntu Server 12.04 amd64 and Ubuntu Server 13.10 amd64 respectively.

Here is the syslog for the transaction:

[ 940.868707] scsi5 : iSCSI Initiator over TCP/IP
[ 941.375404] scsi 5:0:0:0: RAID IET Controller 0001 PQ: 0 ANSI: 5
[ 941.377049] scsi 5:0:0:0: Attached scsi generic sg3 type 12
[ 941.378866] scsi 5:0:0:1: Direct-Access IET VIRTUAL-DISK 0001 PQ: 0 ANSI: 5
[ 941.379830] sd 5:0:0:1: Attached scsi generic sg4 type 0
[ 941.380250] sd 5:0:0:1: [sdb] 2097152 512-byte logical blocks: (1.07 GB/1.00 GiB)
[ 941.380863] sd 5:0:0:1: [sdb] Write Protect is off
[ 941.380868] sd 5:0:0:1: [sdb] Mode Sense: 49 00 00 08
[ 941.381228] sd 5:0:0:1: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[ 941.384558] sdb: unknown partition table
[ 941.386602] sd 5:0:0:1: [sdb] Attached SCSI disk
Connection3:0 to [target: iqn.2010-10.org.openstack:volume-1275fe44-3014-4cee-a712-5a5acec4a310, portal: 10.0.1.1,3260] through [iface: default] is operational now
[ 941.864524] type=1400 audit(1388357102.732:49): apparmor="STATUS" operation="profile_replace" parent=3651 profile="unconfined" name="libvirt-e8041077-5488-4d8d-850e-e041463367c8" pid=3652 comm="apparmor_parser"
[ 941.868422] type=1400 audit(1388357102.736:50): apparmor="DENIED" operation="open" parent=1 profile="libvirt-e8041077-5488-4d8d-850e-e041463367c8" name="/dev/sdb" pid=3258 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=109 ouid=109
[ 941.868432] type=1400 audit(1388357102.736:51): apparmor="DENIED" operation="open" parent=1 profile="libvirt-e8041077-5488-4d8d-850e-e041463367c8" name="/dev/sdb" pid=3258 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=109 ouid=109
[ 941.868460] type=1400 audit(1388357102.736:52): apparmor="DENIED" operation="open" parent=1 profile="libvirt-e8041077-5488-4d8d-850e-e041463367c8" name="/dev/sdb" pid=3258 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=109 ouid=109
[ 941.868761] type=1400 audit(1388357102.736:53): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd" pid=1595 comm="libvirtd" pid=1595 comm="libvirtd" capability=29 capname="audit_write"
[ 942.292018] type=1400 audit(1388357103.160:54): apparmor="STATUS" operation="profile_replace" parent=3653 profile="unconfined" name="libvirt-e8041077-5488-4d8d-850e-e041463367c8" pid=3654 comm="apparmor_parser"
[ 942.395211] sd 5:0:0:1: [sdb] Synchronizing SCSI cache
[ 942.646286] connection3:0: detected conn error (1020)
iscsid: Connection3:0 to [target: iqn.2010-10.org.openstack:volume-1275fe44-3014-4cee-a712-5a5acec4a310 ...
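A triage aid for audit output like the syslog above, as an added example that is not part of the original question: it parses the AppArmor `type=1400` lines, groups `DENIED` events by profile and target, and reports how long after the most recent `profile_replace` of that profile the first denial was logged. The function names are hypothetical; the sample lines are copied from the question's syslog.

```python
import re
from collections import defaultdict

# Audit lines 49-54, copied from the syslog in the question.
LOG = [
    r'[ 941.864524] type=1400 audit(1388357102.732:49): apparmor="STATUS" operation="profile_replace" parent=3651 profile="unconfined" name="libvirt-e8041077-5488-4d8d-850e-e041463367c8" pid=3652 comm="apparmor_parser"',
    r'[ 941.868422] type=1400 audit(1388357102.736:50): apparmor="DENIED" operation="open" parent=1 profile="libvirt-e8041077-5488-4d8d-850e-e041463367c8" name="/dev/sdb" pid=3258 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=109 ouid=109',
    r'[ 941.868432] type=1400 audit(1388357102.736:51): apparmor="DENIED" operation="open" parent=1 profile="libvirt-e8041077-5488-4d8d-850e-e041463367c8" name="/dev/sdb" pid=3258 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=109 ouid=109',
    r'[ 941.868460] type=1400 audit(1388357102.736:52): apparmor="DENIED" operation="open" parent=1 profile="libvirt-e8041077-5488-4d8d-850e-e041463367c8" name="/dev/sdb" pid=3258 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=109 ouid=109',
    r'[ 941.868761] type=1400 audit(1388357102.736:53): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd" pid=1595 comm="libvirtd" pid=1595 comm="libvirtd" capability=29 capname="audit_write"',
    r'[ 942.292018] type=1400 audit(1388357103.160:54): apparmor="STATUS" operation="profile_replace" parent=3653 profile="unconfined" name="libvirt-e8041077-5488-4d8d-850e-e041463367c8" pid=3654 comm="apparmor_parser"',
]

HEAD = re.compile(r'^\[\s*(\d+\.\d+)\]\s+type=1400 audit\(')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    m = HEAD.match(line)
    if not m or 'apparmor=' not in line:
        return None
    ev = {k: v.strip('"') for k, v in KV.findall(line)}
    ev['ktime'] = float(m.group(1))  # kernel timestamp in seconds
    return ev

def triage(lines):
    """Group denials by (profile, target); note the delay since the last reload."""
    last_reload = {}  # profile name -> ktime of its most recent profile_replace
    report = defaultdict(lambda: {'count': 0, 'masks': set(), 'since_reload': None})
    for ev in filter(None, map(parse, lines)):
        if ev['apparmor'] == 'STATUS' and ev.get('operation') == 'profile_replace':
            last_reload[ev['name']] = ev['ktime']
        elif ev['apparmor'] == 'DENIED':
            # Capability denials carry no path, so key them by capname instead.
            target = ev.get('name') or 'capability:' + ev.get('capname', '?')
            entry = report[(ev['profile'], target)]
            entry['count'] += 1
            entry['masks'].add(ev.get('denied_mask', '-'))
            if entry['since_reload'] is None and ev['profile'] in last_reload:
                entry['since_reload'] = round(ev['ktime'] - last_reload[ev['profile']], 6)
    return dict(report)

if __name__ == '__main__':
    for (profile, target), e in triage(LOG).items():
        print(profile, target, e['count'], sorted(e['masks']), e['since_reload'])
```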