Rmpi, OpenCPU, and Apparmor: DENIED request for “/

2019-08-03 08:00发布

I have an R package that sends out a job to the OpenMPI cluster I have running by means of the Rmpi package. All works as expected within an R session run from the console. However, when I try to execute the relevant function with from my OpenCPU server like this (details changed to protect the innocent):

curl -XPOST http://99.999.999.99/ocpu/library/MyPackage/R/my_cluster_function

I get this error:

R call failed: process died.

(Other, non-cluster calling functions within the package work as expected via OpenCPU). I noticed in /var/log/kern.log a variety of requests being DENIED by apparmor, and I have been able to resolve most of them by adding entries into /etc/apparmor.d/opencpu.d/custom to allow OpenMPI to access the files it needs. However, I cannot resolve these two issues (again, IP address changed) related to "open" requests for location "/":

Oct 26 03:49:58 99.999.999.99 kernel: [142952.551234] type=1400 audit(1414295398.849:957): apparmor="DENIED" operation="open" profile="opencpu-main" name="/" pid=22486 comm="orted" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Oct 26 03:49:58 99.999.999.99 kernel: [142952.556422] type=1400 audit(1414295398.857:958): apparmor="DENIED" operation="open" profile="opencpu-main" name="/" pid=22485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0

Adding this to my apparmor rules did not help:

/* r,

Two questions:

  1. Why is opencpu trying to read from my root level directory (or does this mean something else)?
  2. More urgently, how can I resolve this apparmor issue?

Thanks.

1条回答
家丑人穷心不美
2楼-- · 2019-08-03 08:04

You might need to add both apparmor rules

/ r,
/* r,

The first rule allows directory listing of / and the second rule allows read access to any file under /.

I don't understand why Rmpi wants to read / or why were you getting process died error instead of access denied. Are you sure the problem is completely resolved?

查看更多
登录 后发表回答