Add multipath to nova-compute AppArmor profile

Deploying nova-compute with apparmor in enforce mode causes it to fail to attach volumes with multipath. This patch fixes it by updating the nova-compute apparmor profile to include paths and binaries needed for multipath. Change-Id: Icc2d187fa3dd63e0930d57a87e7a60ff386f0032 Closes-bug: #1826467
2019-04-25 18:45:42 -03:00 · 2019-04-25 18:45:42 -03:00 · 40914493c7
parent 3fa196704d
commit 40914493c7
1 changed files with 10 additions and 0 deletions
--- a/templates/usr.bin.nova-compute
+++ b/templates/usr.bin.nova-compute
@ -31,6 +31,8 @@

  /bin/* rix,
  /dev/disk/** r,
+  /dev/disk/by-id/* r,
+  /dev/mapper/control wr,
  /dev/nbd* rw,
  /dev/tty rw,
  /dev/pts/* r,
@ -43,14 +45,19 @@
  /etc/modprobe.d/ r,
  /etc/modprobe.d/** r,
  /etc/mtab rw,
+  /etc/multipath/bindings wr,
+  /etc/multipath/wwids wr,
  /etc/nova/** r,
  /etc/ssh/ssh_config r,
  /etc/ssl/openssl.cnf r,
  /etc/sudoers r,
  /etc/sudoers.d/ r,
  /etc/sudoers.d/* r,
+  /etc/udev/udev.conf r,
  /proc/*/cmdline r,
  /proc/cmdline r,
+  /proc/devices r,
+  /proc/sys/fs/nr_open r,
  /proc/sys/net/ipv6/conf/** w,
  /proc/*/task/*/comm wr,
  /proc/*/fd/ r,
@ -76,6 +83,8 @@
  /sbin/hdparm rix,
  /sbin/xtables-multi rix,
  /sbin/mkswap rix,
+  /sbin/multipath rix,
+  /sbin/multipathd rix,
  /sys/block/ r,
  /sys/class/fc_host/{,**} r,
  /sys/class/iscsi_host/ r,
@ -91,6 +100,7 @@
  /sys/devices/system/cpu/** r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/** r,
+  /sys/devices/virtual/block/dm*/ r,
  /sys/devices/virtual/block/nbd*/ r,
  /sys/devices/virtual/iscsi_transport/** r,
  /sys/devices/virtual/net/** w,