)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":8108,"name":"Nobuto Murata","email":"nobuto.murata@canonical.com","username":"nobuto-m"},"change_message_id":"8c45b165b8640758933db14ef6ab4e0620d71568","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"aefa44ea_001388d3","updated":"2022-06-28 04:27:33.000000000","message":"\n\u003e 2022-06-28 03:29:52.057053 | focal-medium | 2022-06-28 03:29:52 [INFO] Timed out waiting for \u0027glance-mysql-router/0\u0027. The workload status message is \u0027Failed to connect to MySQL\u0027 which is not one of \u0027[\u0027ready\u0027, \u0027Ready\u0027, \u0027Unit is ready\u0027]\u0027\n","commit_id":"cf0f464391df509e752c6010964efe2aca10ef89"},{"author":{"_account_id":10366,"name":"Hemanth N","email":"hemanth.nakkina@canonical.com","username":"Hemanth"},"change_message_id":"b0ebb669617ebee45977d059ca22c06d1d76c2c7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"6c1d3b6b_a6a118a4","updated":"2022-06-28 02:55:24.000000000","message":"LGTM! 
Lets wait for CI test results.","commit_id":"cf0f464391df509e752c6010964efe2aca10ef89"},{"author":{"_account_id":8108,"name":"Nobuto Murata","email":"nobuto.murata@canonical.com","username":"nobuto-m"},"change_message_id":"1fcf3b5e580d733e3ea3d6683e4203228b76f262","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"8831d50f_2d365fad","updated":"2022-06-25 03:00:47.000000000","message":"charm-recheck","commit_id":"cf0f464391df509e752c6010964efe2aca10ef89"},{"author":{"_account_id":8108,"name":"Nobuto Murata","email":"nobuto.murata@canonical.com","username":"nobuto-m"},"change_message_id":"5cc8c1017519f2251095e85140c1357f36ce6f9a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"39b902ba_0ebc8786","updated":"2022-06-25 03:25:37.000000000","message":"charm-recheck\n\n\u003e 2022-06-25 03:22:08.663275 | jammy-medium |   \"msg\": \"\u0027/usr/bin/apt-get dist-upgrade \u0027 failed: E: Could not get lock /var/lib/dpkg/lock-frontend. 
It is held by process 2069 (apt-get)\\nE: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), is another process using it?\\n\",","commit_id":"cf0f464391df509e752c6010964efe2aca10ef89"},{"author":{"_account_id":8108,"name":"Nobuto Murata","email":"nobuto.murata@canonical.com","username":"nobuto-m"},"change_message_id":"8ef22f185f4806b2af3df67aef00eb1c04b55aba","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"39f4626a_84710a96","updated":"2022-06-28 00:26:11.000000000","message":"charm-recheck\n\n\u003e 2022-06-27 14:58:45.687890 | focal-medium | zaza.model.ModelTimeout: Work state not achieved within timeout.","commit_id":"cf0f464391df509e752c6010964efe2aca10ef89"},{"author":{"_account_id":8108,"name":"Nobuto Murata","email":"nobuto.murata@canonical.com","username":"nobuto-m"},"change_message_id":"65fc3ee5fc57a60faf06749bd6722f0af3149eab","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"08a24dd6_dd9c423f","updated":"2022-06-28 06:40:37.000000000","message":"charm-recheck\n\n\u003e 2022-06-28 05:08:36 WARNING unit.mysql-innodb-cluster/2.install logger.go:60 W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-updates/InRelease  Temporary failure resolving \u0027archive.ubuntu.com\n","commit_id":"cf0f464391df509e752c6010964efe2aca10ef89"},{"author":{"_account_id":8108,"name":"Nobuto Murata","email":"nobuto.murata@canonical.com","username":"nobuto-m"},"change_message_id":"9c1a0463a0756b2dd50ff0d6da2559042e4db776","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"67f7c6f7_a9705046","updated":"2022-06-28 23:27:00.000000000","message":"charm-recheck\n\n\u003e 2022-06-28 14:20:39.952498 | focal-medium | 2022-06-28 14:20:39 [ERROR] unit-mysql-innodb-cluster-1.log: 2022-06-28 14:16:59 DEBUG unit.mysql-innodb-cluster/1.install logger.go:60   Temporary failure resolving \u0027archive.ubuntu.com\u0027\n\nA good thing is that I didn\u0027t have to 
download the full crashdump thanks to:\nhttps://github.com/openstack-charmers/zaza/pull/518","commit_id":"cf0f464391df509e752c6010964efe2aca10ef89"},{"author":{"_account_id":8108,"name":"Nobuto Murata","email":"nobuto.murata@canonical.com","username":"nobuto-m"},"change_message_id":"8e376f5860ac87446373a05ee8e1d58ad0f61ac6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"d5674364_8716b712","updated":"2022-06-27 13:30:54.000000000","message":"charm-recheck\n\nhttps://github.com/openstack-charmers/zosci-config/pull/208","commit_id":"cf0f464391df509e752c6010964efe2aca10ef89"},{"author":{"_account_id":10058,"name":"Erlon R. Cruz","email":"erlon.rodrigues.cruz@canonical.com","username":"sombrafam"},"change_message_id":"b583da7062919926f009cc7d672e555368d63768","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"eeaa252c_47dab217","updated":"2022-06-28 11:24:01.000000000","message":"charm-recheck ","commit_id":"cf0f464391df509e752c6010964efe2aca10ef89"},{"author":{"_account_id":8108,"name":"Nobuto Murata","email":"nobuto.murata@canonical.com","username":"nobuto-m"},"change_message_id":"fd02ddf50aaa19a596b88634d7a66a60f205f70c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"f8437a41_0684b398","updated":"2022-06-28 04:28:08.000000000","message":"charm-recheck ","commit_id":"cf0f464391df509e752c6010964efe2aca10ef89"}],"templates/usr.bin.nova-compute":[{"author":{"_account_id":10058,"name":"Erlon R. 
Cruz","email":"erlon.rodrigues.cruz@canonical.com","username":"sombrafam"},"change_message_id":"a024b8ca0b2f38b0c9a50f3cc6afc6fc0bd657a8","unresolved":true,"context_lines":[{"line_number":31,"context_line":"  deny /* w,"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"  /bin/* rix,"},{"line_number":34,"context_line":"  /dev/ r,"},{"line_number":35,"context_line":"  /dev/disk/** r,"},{"line_number":36,"context_line":"  /dev/disk/by-id/* r,"},{"line_number":37,"context_line":"  /dev/mapper/control wr,"}],"source_content_type":"application/octet-stream","patch_set":3,"id":"31fe2adb_4f93d09d","line":34,"updated":"2022-06-27 13:25:31.000000000","message":"Hi Nobuto-San,\n\nThanks for the detailed explanation. I had this concern mostly from looking at other entries, like `/dev/nbd* rw`. I can\u0027t tell all the possible ramifications of using `/dev/*` vs `/dev/vd*`, but the correct policy would always be to grant the minimum permission possible for any kind of restrictive filter. The filter you mention (/dev/disk/**) likely did that because of the complex and unpredictable naming, which I believe is not the case here.\n\nBut looking closely at the error log, I can see that lsscsi is explicitly trying to open /dev/ for reading. So, it would not work using my suggestion.","commit_id":"cf0f464391df509e752c6010964efe2aca10ef89"},{"author":{"_account_id":10058,"name":"Erlon R. 
Cruz","email":"erlon.rodrigues.cruz@canonical.com","username":"sombrafam"},"change_message_id":"cd5882b1c942df0d44874ac92c05a7c3803aabc3","unresolved":true,"context_lines":[{"line_number":31,"context_line":"  deny /* w,"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"  /bin/* rix,"},{"line_number":34,"context_line":"  /dev/ r,"},{"line_number":35,"context_line":"  /dev/disk/** r,"},{"line_number":36,"context_line":"  /dev/disk/by-id/* r,"},{"line_number":37,"context_line":"  /dev/mapper/control wr,"}],"source_content_type":"application/octet-stream","patch_set":3,"id":"620a3956_9b661e3b","line":34,"range":{"start_line":34,"start_character":2,"end_line":34,"end_character":10},"updated":"2022-06-24 17:35:41.000000000","message":"We should restrict this a bit more if possible. \n\n```\n/dev/vd* r\n```\n?","commit_id":"cf0f464391df509e752c6010964efe2aca10ef89"},{"author":{"_account_id":8108,"name":"Nobuto Murata","email":"nobuto.murata@canonical.com","username":"nobuto-m"},"change_message_id":"9bf429c5c0c999c017eaa9ae31b7878588b6843d","unresolved":true,"context_lines":[{"line_number":31,"context_line":"  deny /* w,"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"  /bin/* rix,"},{"line_number":34,"context_line":"  /dev/ r,"},{"line_number":35,"context_line":"  /dev/disk/** r,"},{"line_number":36,"context_line":"  /dev/disk/by-id/* r,"},{"line_number":37,"context_line":"  /dev/mapper/control wr,"}],"source_content_type":"application/octet-stream","patch_set":3,"id":"6b76733a_f77228a3","line":34,"range":{"start_line":34,"start_character":2,"end_line":34,"end_character":10},"in_reply_to":"4a67760b_11f57c1e","updated":"2022-06-25 02:26:32.000000000","message":"Also, I don\u0027t believe `/dev/vd* r` is a more limited scope than `/dev/ r`. 
The former grants read permission on the content of the file (the drive in this case), but the latter only grants read permission on the directory itself, because the rule has no wildcard (`ls /dev/` basically).\n\nIt\u0027s worth noting that the nova-compute policy already has the following permissions, which look far more powerful to me:\n  /dev/disk/** r,\n  /dev/disk/by-id/* r,","commit_id":"cf0f464391df509e752c6010964efe2aca10ef89"},{"author":{"_account_id":8108,"name":"Nobuto Murata","email":"nobuto.murata@canonical.com","username":"nobuto-m"},"change_message_id":"2dc54326ee3bc4a393136813b722e62e1654c369","unresolved":true,"context_lines":[{"line_number":31,"context_line":"  deny /* w,"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"  /bin/* rix,"},{"line_number":34,"context_line":"  /dev/ r,"},{"line_number":35,"context_line":"  /dev/disk/** r,"},{"line_number":36,"context_line":"  /dev/disk/by-id/* r,"},{"line_number":37,"context_line":"  /dev/mapper/control wr,"}],"source_content_type":"application/octet-stream","patch_set":3,"id":"4a67760b_11f57c1e","line":34,"range":{"start_line":34,"start_character":2,"end_line":34,"end_character":10},"in_reply_to":"620a3956_9b661e3b","updated":"2022-06-25 00:32:52.000000000","message":"Is that actually possible? I\u0027m not sure. 
\"lsscsi\" is basically \"ls\" to list devices in the directory and here is the log.\n\n```\n2022-06-24 14:38:41.910 171033 ERROR oslo_messaging.rpc.server [req-2604a2be-8fb0-438c-9c3d-d74106458755 b2062b97055a415eb23484562f0d2fcf 4441eef28bf5454aa7c9cbdd101b9da3 - 66035521156a4f578f43d215ceaf0e7b 66035521156a4f578f43d215ceaf0e7b] Exception during message handling: oslo_concurrency.processutils.ProcessExecutionError: Unexpected error while running command.\nCommand: tee -a /sys/bus/scsi/drivers/sd/None:None:None:None/rescan\nExit code: 1\nStdout: \u00271\u0027\nStderr: \"tee: \u0027/sys/bus/scsi/drivers/sd/None:None:None:None/rescan\u0027: No such file or directory\\n\"\n```\n\n\n\n\n```\nJun 24 14:38:41 alert-glider kernel: audit: type\u003d1400 audit(1656081521.808:5286): apparmor\u003d\"DENIED\" operation\u003d\"open\" profile\u003d\"/usr/bin/nova-compute\" name\u003d\"/sys/bus/scsi/devices/\" pid\u003d277732 comm\u003d\"lsscsi\" requested_mask\u003d\"r\" denied_mask\u003d\"r\" fsuid\u003d64060 ouid\u003d0\n```\n\n\n\n\n```\n2022-06-24 14:45:59.147 171033 ERROR oslo_messaging.rpc.server [req-65c9705d-5e96-44d1-89df-bd306670d03e b2062b97055a415eb23484562f0d2fcf 4441eef28bf5454aa7c9cbdd101b9da3 - 66035521156a4f578f43d215ceaf0e7b 6\n6035521156a4f578f43d215ceaf0e7b] Exception during message handling: oslo_concurrency.processutils.ProcessExecutionError: Unexpected error while running command.\nCommand: tee -a /sys/bus/scsi/drivers/sd/None:None:None:None/rescan\nExit code: 1\nStdout: \u00271\u0027\nStderr: \"tee: \u0027/sys/bus/scsi/drivers/sd/None:None:None:None/rescan\u0027: No such file or directory\\n\"\n```\n\n\n\n\n```\nJun 24 14:45:59 alert-glider kernel: audit: type\u003d1400 audit(1656081959.056:5288): apparmor\u003d\"DENIED\" operation\u003d\"open\" profile\u003d\"/usr/bin/nova-compute\" name\u003d\"/dev/\" pid\u003d285365 comm\u003d\"lsscsi\" requested_mask\u003d\"r\" denied_mask\u003d\"r\" fsuid\u003d64060 
ouid\u003d0\n```","commit_id":"cf0f464391df509e752c6010964efe2aca10ef89"},{"author":{"_account_id":8108,"name":"Nobuto Murata","email":"nobuto.murata@canonical.com","username":"nobuto-m"},"change_message_id":"4a4c3f9a2dcdfa5aaa5955c4cf79b585d289232c","unresolved":true,"context_lines":[{"line_number":31,"context_line":"  deny /* w,"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"  /bin/* rix,"},{"line_number":34,"context_line":"  /dev/ r,"},{"line_number":35,"context_line":"  /dev/disk/** r,"},{"line_number":36,"context_line":"  /dev/disk/by-id/* r,"},{"line_number":37,"context_line":"  /dev/mapper/control wr,"}],"source_content_type":"application/octet-stream","patch_set":3,"id":"503535bf_ee8393c1","line":34,"range":{"start_line":34,"start_character":2,"end_line":34,"end_character":10},"in_reply_to":"6b76733a_f77228a3","updated":"2022-06-25 02:38:23.000000000","message":"For the record, here is the actual output of lsscsi.\n\n[without /dev/ r]\n\n```\n$ sudo -H -u nova aa-exec -p /usr/bin/nova-compute -- lsscsi\n[2:0:0:0]    disk    LIO-ORG  IBLOCK           4.0   -        \n```\n\n[with /dev/ r]\n\n```\nsudo -H -u nova aa-exec -p /usr/bin/nova-compute -- lsscsi\n[2:0:0:0]    disk    LIO-ORG  IBLOCK           4.0   /dev/sda \n```\n\nAnd /dev/sda is the iSCSI device.\n\n```\n$ ll /dev/disk/by-path/ | grep sda\nlrwxrwxrwx 1 root root   9 Jun 24 14:31 ip-192.168.151.128:3260-iscsi-iqn.2010-10.org.openstack:volume-f345d1e7-1326-4f7f-a0b9-ed40fe81432a-lun-0 -\u003e ../../sda\nlrwxrwxrwx 1 root root  10 Jun 24 14:31 ip-192.168.151.128:3260-iscsi-iqn.2010-10.org.openstack:volume-f345d1e7-1326-4f7f-a0b9-ed40fe81432a-lun-0-part1 -\u003e ../../sda1\nlrwxrwxrwx 1 root root  11 Jun 24 14:31 ip-192.168.151.128:3260-iscsi-iqn.2010-10.org.openstack:volume-f345d1e7-1326-4f7f-a0b9-ed40fe81432a-lun-0-part15 -\u003e ../../sda15\n```","commit_id":"cf0f464391df509e752c6010964efe2aca10ef89"},{"author":{"_account_id":10058,"name":"Erlon R. 
Cruz","email":"erlon.rodrigues.cruz@canonical.com","username":"sombrafam"},"change_message_id":"cd5882b1c942df0d44874ac92c05a7c3803aabc3","unresolved":true,"context_lines":[{"line_number":97,"context_line":"  /{usr/,}sbin/e2label rix,"},{"line_number":98,"context_line":"  /{usr/,}sbin/tune2fs rix,"},{"line_number":99,"context_line":"  /sys/block/ r,"},{"line_number":100,"context_line":"  /sys/bus/scsi/devices/ r,"},{"line_number":101,"context_line":"  /sys/class/fc_host/{,**} r,"},{"line_number":102,"context_line":"  /sys/class/iscsi_host/ r,"},{"line_number":103,"context_line":"  /sys/class/iscsi_session/ r,"}],"source_content_type":"application/octet-stream","patch_set":3,"id":"cfe11dfe_37a9f4bf","line":100,"range":{"start_line":100,"start_character":2,"end_line":100,"end_character":24},"updated":"2022-06-24 17:35:41.000000000","message":"here as well if there is any common prefix in the volume names.","commit_id":"cf0f464391df509e752c6010964efe2aca10ef89"}]}
