Add multipath to nova-compute AppArmor profile
Deploying nova-compute with apparmor in enforce mode causes it to fail
to attach volumes with multipath. This patch fixes it by updating the
nova-compute apparmor profile to include paths and binaries needed for
multipath.
Change-Id: Icc2d187fa3dd63e0930d57a87e7a60ff386f0032
Closes-bug: #1826467
(cherry picked from commit 40914493c7
)
parent
d33fa57b40
commit
15f8a94e08
|
@ -31,6 +31,8 @@
|
|||
|
||||
/bin/* rix,
|
||||
/dev/disk/** r,
|
||||
/dev/disk/by-id/* r,
|
||||
/dev/mapper/control wr,
|
||||
/dev/nbd* rw,
|
||||
/dev/tty rw,
|
||||
/dev/pts/* r,
|
||||
|
@ -43,14 +45,19 @@
|
|||
/etc/modprobe.d/ r,
|
||||
/etc/modprobe.d/** r,
|
||||
/etc/mtab rw,
|
||||
/etc/multipath/bindings wr,
|
||||
/etc/multipath/wwids wr,
|
||||
/etc/nova/** r,
|
||||
/etc/ssh/ssh_config r,
|
||||
/etc/ssl/openssl.cnf r,
|
||||
/etc/sudoers r,
|
||||
/etc/sudoers.d/ r,
|
||||
/etc/sudoers.d/* r,
|
||||
/etc/udev/udev.conf r,
|
||||
/proc/*/cmdline r,
|
||||
/proc/cmdline r,
|
||||
/proc/devices r,
|
||||
/proc/sys/fs/nr_open r,
|
||||
/proc/sys/net/ipv6/conf/** w,
|
||||
/proc/*/task/*/comm wr,
|
||||
/proc/*/fd/ r,
|
||||
|
@ -76,6 +83,8 @@
|
|||
/sbin/hdparm rix,
|
||||
/sbin/xtables-multi rix,
|
||||
/sbin/mkswap rix,
|
||||
/sbin/multipath rix,
|
||||
/sbin/multipathd rix,
|
||||
/sys/block/ r,
|
||||
/sys/class/fc_host/{,**} r,
|
||||
/sys/class/iscsi_host/ r,
|
||||
|
@ -91,6 +100,7 @@
|
|||
/sys/devices/system/cpu/** r,
|
||||
/sys/devices/system/node/ r,
|
||||
/sys/devices/system/node/** r,
|
||||
/sys/devices/virtual/block/dm*/ r,
|
||||
/sys/devices/virtual/block/nbd*/ r,
|
||||
/sys/devices/virtual/iscsi_transport/** r,
|
||||
/sys/devices/virtual/net/** w,
|
||||
|
|
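Review bot: The multipath rules widen the whole nova-compute confinement rather than only the multipath helpers. `/sbin/multipath rix` and `/sbin/multipathd rix` use `ix`, so both binaries run under this same profile, and `/dev/mapper/control wr` plus write access to `/etc/multipath/bindings` and `/etc/multipath/wwids` become available to every process the profile covers. The +/- markers are lost on this page, so which of these rules are new is inferred from the commit message. If that breadth is intended, a comment above the rules would record why, e.g. `# multipath volume attach: device-mapper ioctls and persistent WWID/alias maps`; a child profile for the two binaries would be the tighter alternative. Separately, `/dev/disk/by-id/* r` is already covered by `/dev/disk/** r` on the line before it and can be dropped.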