Auto connect interfaces request for juju-db snap

The juju-db snap packages mongodb and is deployed as the database used by the Juju controller. It is meant to only be used on Juju controller instances.

As per, the logs are filled with lots of repeated apparmor denials :

audit: type=1400 audit(1620133548.999:75999): apparmor="DENIED" operation="open" profile="snap.juju-db.daemon" name="/proc/3219/net/netstat" pid=1605657 comm="ftdc" requested_mask="r" denied_mask="r" 
audit: type=1400 audit(1620133548.999:76000): apparmor="DENIED" operation="open" profile="snap.juju-db.daemon" name="/proc/3219/net/snmp" pid=1605657 comm="ftdc" requested_mask="r" denied_mask="r" 
audit: type=1400 audit(1633081268.998:1248): apparmor="DENIED" operation="open" profile="snap.juju-db.daemon" name="/proc/vmstat" pid=4516 comm="ftdc" requested_mask="r" denied_mask="r"

Adding the interfaces

  • network-observe
  • system-observe

to the snap and connecting them manually solves the issue.

Is it possible to have these auto connect please?

+1 from me for auto-connect network-observe and system-observe to juju-db since both are clearly required to get the requested accesses.

Can other @reviewers please vote?

+1 to both for the reasons given.

+2 votes for, 0 votes against. Granting auto-connect of system-observe and hardware-observe to juju-db. This is now live.

Thanks! Much appreciated.

1 Like