Auto connect interfaces request for juju-db snap

wallyworld · October 1, 2021, 11:45am

The juju-db snap packages mongodb and is deployed as the database used by the Juju controller. It is meant to only be used on Juju controller instances.

As per https://bugs.launchpad.net/juju/+bug/1927098, the logs are filled with lots of repeated apparmor denials :

audit: type=1400 audit(1620133548.999:75999): apparmor="DENIED" operation="open" profile="snap.juju-db.daemon" name="/proc/3219/net/netstat" pid=1605657 comm="ftdc" requested_mask="r" denied_mask="r" 
audit: type=1400 audit(1620133548.999:76000): apparmor="DENIED" operation="open" profile="snap.juju-db.daemon" name="/proc/3219/net/snmp" pid=1605657 comm="ftdc" requested_mask="r" denied_mask="r" 
audit: type=1400 audit(1633081268.998:1248): apparmor="DENIED" operation="open" profile="snap.juju-db.daemon" name="/proc/vmstat" pid=4516 comm="ftdc" requested_mask="r" denied_mask="r"

Adding the interfaces

network-observe
system-observe

to the snap and connecting them manually solves the issue.

Is it possible to have these auto connect please?

emitorino · October 5, 2021, 6:16pm

+1 from me for auto-connect network-observe and system-observe to juju-db since both are clearly required to get the requested accesses.

Can other @reviewers please vote?

jdstrand · October 6, 2021, 4:03am

+1 to both for the reasons given.

emitorino · October 6, 2021, 7:56pm

+2 votes for, 0 votes against. Granting auto-connect of system-observe and hardware-observe to juju-db. This is now live.

wallyworld · October 7, 2021, 6:23am

Thanks! Much appreciated.