Request for classic confinement SPDK snap

Oops, sorry about that. Yes, I can redo with --devmode. Also, could you please tell me if my for loop to make the connections above is correct? If I understand you correctly, I have to repeat the steps above after installing the snap with devmode, collect the logs and post them here?

Remove existing SPDK snap

ubuntu@sst100:~/Downloads$ sudo snap remove spdk
spdk removed

Install the snap with --devmode

ubuntu@sst100:~/Downloads$ sudo snap install --devmode spdk_20.04_arm64.snap
spdk 20.04 installed

Make connections

ubuntu@sst100:~/Downloads$ for i in system-observe system-trace log-observe kernel-module-control hardware-observe; do sudo snap connect spdk:$i ; done

Modprobe vfio-pci in noiommu mode, and run the setup script. The setup script worked this time, please ignore the modprobe fatal message at the end. That module does not exist on ARM64.

ubuntu@sst100:~/Downloads$ sudo modprobe vfio-pci
ubuntu@sst100:~/Downloads$ sudo HUGEMEM=8192 DRIVER_OVERRIDE=vfio-pci spdk.setup config
0007:01:00.0 (144d a808): nvme -> vfio-pci

Current user memlock limit: 16 MB

This is the maximum amount of memory you will be
able to use with DPDK and VFIO if run as current user.
To change this, please adjust limits.conf memlock limit for current user.

## WARNING: memlock limit is less than 64MB
## DPDK with VFIO may not be able to initialize if run as current user.
modprobe: FATAL: Module msr not found in directory /lib/modules/5.4.0-29-generic

I believe you will have to redo the loop after installing in devmode (but you can always check ‘snap connections spdk’).

What are the security policy violations from journald at the time you ran the snap?

In my post above I did re-run the for loop. Also snap connections for spdk are as follows:

ubuntu@sst100:~/build/git/build$ snap connections | grep spdk
hardware-observe       spdk:hardware-observe       :hardware-observe       manual
home                   spdk:home                   :home                   -
kernel-module-control  spdk:kernel-module-control  :kernel-module-control  manual
log-observe            spdk:log-observe            :log-observe            manual
network                spdk:network                :network                -
network-bind           spdk:network-bind           :network-bind           -
system-observe         spdk:system-observe         :system-observe         manual
system-trace           spdk:system-trace           :system-trace           manual
ubuntu@sst100:~/build/git/build$

There were no logs in journalctl. Here is what it looks like when I run the snap app.

ubuntu@sst100:~/build/git/build$ sudo HUGEMEM=8192 DRIVER_OVERRIDE=vfio-pci spdk.setup reset 
0007:01:00.0 (144d a808): vfio-pci -> nvme

ubuntu@sst100:~/build/git/build$ sudo HUGEMEM=8192 DRIVER_OVERRIDE=vfio-pci spdk.setup config
0007:01:00.0 (144d a808): nvme -> vfio-pci

Current user memlock limit: 16 MB

This is the maximum amount of memory you will be
able to use with DPDK and VFIO if run as current user.
To change this, please adjust limits.conf memlock limit for current user.

## WARNING: memlock limit is less than 64MB
## DPDK with VFIO may not be able to initialize if run as current user.
modprobe: FATAL: Module msr not found in directory /lib/modules/5.4.0-29-generic
ubuntu@sst100:~/build/git/build$

Here is the journalctl output when I run the snap app. There are no violations listed in the journald output.

May 20 20:32:40 sst100 audit[16636]: AVC apparmor="ALLOWED" operation="truncate"
May 20 20:32:40 sst100 audit[17039]: AVC apparmor="ALLOWED" operation="open" pro
May 20 20:32:40 sst100 audit[17040]: SECCOMP auid=1000 uid=0 gid=0 ses=3 pid=170
May 20 20:32:40 sst100 audit[17040]: AVC apparmor="ALLOWED" operation="chown" pr
May 20 20:32:40 sst100 audit[17041]: AVC apparmor="ALLOWED" operation="chmod" pr
May 20 20:32:40 sst100 sudo[16635]: pam_unix(sudo:session): session closed for u
lines 979-1001/1001 (END)[19543.364820] nvme nvme0: failed to set APST feature )

The “ALLOWED” entries are policy violations. Since you installed with --devmode, that puts the apparmor and seccomp profiles into complain mode, which allows but logs policy violations.

These log entries are truncated. Can you provide the full log output?

Sorry about that noise … I was also testing a VPP snap that I was working on. I rebooted the system and ran it fresh.

Snap app setup command.

ubuntu@sst100:~$ sudo modprobe vfio-pci
[sudo] password for ubuntu: 
ubuntu@sst100:~$ sudo HUGEMEM=8192 DRIVER_OVERRIDE=vfio-pci spdk.setup config
0007:01:00.0 (144d a808): nvme -> vfio-pci

Current user memlock limit: 16 MB

This is the maximum amount of memory you will be
able to use with DPDK and VFIO if run as current user.
To change this, please adjust limits.conf memlock limit for current user.

## WARNING: memlock limit is less than 64MB
## DPDK with VFIO may not be able to initialize if run as current user.
modprobe: FATAL: Module msr not found in directory /lib/modules/5.4.0-29-generic
ubuntu@sst100:~$ 

Full journalctl command output:

ubuntu@sst100:~$ journalctl -e 
May 20 22:32:57 sst100 vpp.vpp[507]: vpp[507]: dpdk_config: rte_eal_init returne
May 20 22:32:57 sst100 vpp[507]: dpdk_config: rte_eal_init returned -1
May 20 22:33:01 sst100 login[566]: pam_unix(login:session): session opened for u
May 20 22:33:01 sst100 systemd-logind[509]: New session 1 of user ubuntu.
May 20 22:33:01 sst100 systemd[1]: Created slice User Slice of ubuntu.
May 20 22:33:01 sst100 systemd[1]: Started Session 1 of user ubuntu.
May 20 22:33:01 sst100 systemd[1]: Starting User Manager for UID 1000...
May 20 22:33:01 sst100 systemd[783]: pam_unix(systemd-user:session): session ope
May 20 22:33:01 sst100 systemd[783]: Listening on GnuPG network certificate mana
May 20 22:33:01 sst100 systemd[783]: Listening on GnuPG cryptographic agent and 
May 20 22:33:01 sst100 systemd[783]: Listening on GnuPG cryptographic agent and 
May 20 22:33:01 sst100 systemd[783]: Listening on GnuPG cryptographic agent and 
May 20 22:33:01 sst100 systemd[783]: Reached target Paths.
May 20 22:33:01 sst100 systemd[783]: Listening on REST API socket for snapd user
May 20 22:33:01 sst100 systemd[783]: Listening on GnuPG cryptographic agent (ssh
May 20 22:33:01 sst100 systemd[783]: Reached target Sockets.
May 20 22:33:01 sst100 systemd[783]: Reached target Timers.
May 20 22:33:01 sst100 systemd[783]: Reached target Basic System.
May 20 22:33:01 sst100 systemd[1]: Started User Manager for UID 1000.
May 20 22:33:01 sst100 systemd[783]: Reached target Default.
May 20 22:33:01 sst100 systemd[783]: Startup finished in 83ms.
May 20 22:33:45 sst100 kernel: random: crng init done
May 20 22:33:45 sst100 kernel: random: 7 urandom warning(s) missed due to rateli
lines 1000-1022/1022 (END)[  108.466045] nvme nvme0: failed to set APST feature)
lines 1000-1022/1022 (END)

Please let me know what the next steps are?

The output you posted is still truncated (each line appears to be cut off at the end) and it doesn’t appear to list any policy violations. If you are still experiencing issues, can you please open a terminal, and capture the output - something like the following should work:

journalctl --boot | grep spdk | grep '\(AVC\|SECCOMP\)'

$ sudo journalctl --boot | grep spdk | grep '\(AVC\|SECCOMP\)'

Thanks - the output is not truncated this time but I cannot see any evidence that strict confinement is causing any issues for spdk from this output - there are no policy violations - is spdk operating correctly?
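The triage the reviewer applies in this thread, as an added example that is not part of the original posts: `apparmor="ALLOWED"` (complain mode under --devmode), `apparmor="DENIED"` and `SECCOMP` lines count as policy violations, while `apparmor="STATUS"` profile loads and entries from other snaps do not. The function names, the sample log lines and the paths and syscall number inside them are constructed for illustration.

```shell
#!/bin/sh
# Added example: separate real policy violations for one snap from
# profile-management noise in `journalctl --boot` audit lines.

# snap_violations SNAP
# Reads journal lines on stdin and prints one line per distinct violation:
#   COUNT KIND PROFILE DETAIL
#   apparmor="ALLOWED" -> violation logged but permitted (complain mode, --devmode)
#   apparmor="DENIED"  -> violation blocked (enforce mode, strict confinement)
#   SECCOMP            -> syscall flagged by the seccomp filter
#   apparmor="STATUS"  -> apparmor_parser loading/replacing a profile; skipped
snap_violations() {
    awk -v snap="$1" '
    # Value of a quoted key="value" token, or "" if absent.
    function quoted(line, key,    pat) {
        pat = " " key "=\"[^\"]*\""
        if (!match(line, pat)) return ""
        return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    # Value of an unquoted key=value token, or "" if absent.
    function bare(line, key,    pat) {
        pat = " " key "=[^ ]+"
        if (!match(line, pat)) return ""
        return substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
    }
    # Drop lines that belong to other snaps or to the rest of the system.
    index($0, "snap." snap ".") == 0 && index($0, "snap-update-ns." snap) == 0 { next }
    / AVC / {
        verdict = quoted($0, "apparmor")
        if (verdict != "ALLOWED" && verdict != "DENIED") next
        name = quoted($0, "name")
        if (name == "") name = "-"
        seen["apparmor-" verdict " " quoted($0, "profile") " " quoted($0, "operation") " " name]++
        next
    }
    / SECCOMP / {
        seen["seccomp " bare($0, "subj") " syscall=" bare($0, "syscall")]++
    }
    END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -k2
}

# Constructed sample input: one STATUS line, a repeated ALLOWED violation,
# one DENIED violation, one SECCOMP event, and one line from another snap.
sample_journal() {
    cat <<'EOF'
May 20 20:32:40 host audit[2056]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.spdk.setup" pid=2056 comm="apparmor_parser"
May 20 20:32:41 host audit[3001]: AVC apparmor="ALLOWED" operation="open" profile="snap.spdk.setup" name="/sys/example/constructed" pid=3001 comm="setup.sh" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
May 20 20:32:41 host audit[3002]: AVC apparmor="ALLOWED" operation="open" profile="snap.spdk.setup" name="/sys/example/constructed" pid=3002 comm="setup.sh" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
May 20 20:32:42 host audit[3003]: AVC apparmor="DENIED" operation="chown" profile="snap.spdk.setup" name="/dev/example-constructed" pid=3003 comm="chown" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
May 20 20:32:42 host audit[3004]: SECCOMP auid=1000 uid=0 gid=0 ses=3 subj=snap.spdk.setup pid=3004 comm="setup.sh" exe="/bin/example" sig=0 arch=c00000b7 syscall=999 compat=0 ip=0x0 code=0x7ffc0000
May 20 20:32:43 host audit[3005]: AVC apparmor="ALLOWED" operation="open" profile="snap.vpp.vpp" name="/dev/example-constructed" pid=3005 comm="vpp" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# On a real system: sudo journalctl --boot --no-pager | snap_violations spdk
sample_journal | snap_violations spdk
```

An empty result means no violations were logged for that snap in the input; it does not show that the snap works under strict confinement.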

@manjo - ping, can you answer @alexmurray’s question?

@manjo - since we’ve not heard back from you, we are removing this request from our review queue. When you have more time to respond, simply do so here and we can add the request back to the queue. Thanks

Sorry for the delayed response. With strict confinement SPDK works partially, i.e. NVMEof over TCP works, but for NVMEof over RDMA to work it needs to access the _re0 devices etc. and that fails. But using classic confinement I am able to use all the features of SPDK.

Can you please paste any AppArmor denials or similar error messages etc that you see when trying to access these _re0 devices? Also I am not familiar with NVMEof over RDMA - can you explain what devices spdk needs access to in this scenario? Perhaps they are already covered by an existing interface or could be added to an existing one (or a new interface created) so that spdk can support this use-case with strict confinement. Please provide any additional information so we can help to understand this use-case.

@manjo ping, can you please provide the requested information?

Yes I am waiting on the system to be available for testing.

@manjo just checking in to see if you have been able to get the requested information.

alexmurray

    September 2

@manjo ping, can you please provide the requested information? Thanks!

@manjo - since we’ve not heard back from you, we are removing this request from our review queue. When you have more time to respond, simply do so here and we can add the request back to the queue. Thanks