NVMe-TCP on Debian/Ubuntu - AppArmor Configuration

Linux

Audience
Public
Product
FlashBlade
FlashArray
Technology Integrations
Linux
Source Type
Documentation

Understanding AppArmor (Ubuntu Default)

AppArmor vs SELinux:

  • AppArmor: Path-based mandatory access control

  • Enabled by default on Ubuntu

  • Available but not default on Debian

  • Simpler than SELinux for most use cases

Check AppArmor status:

sudo aa-status

# Check if AppArmor is enabled
sudo systemctl status apparmor

AppArmor Profiles for NVMe-TCP

Check for denials:

# View AppArmor messages in syslog
sudo dmesg | grep -i apparmor
sudo journalctl | grep -i apparmor

# Check audit log
sudo grep -i apparmor /var/log/syslog

AppArmor and NVMe-TCP:

Tip:

Note: NVMe-TCP uses native NVMe multipathing, NOT dm-multipath (multipathd). There is no multipathd service for NVMe-TCP, so you don't need to create AppArmor profiles for it.

If you have custom applications accessing NVMe devices:

# Install AppArmor utilities
sudo apt install -y apparmor-utils

# Check if any AppArmor denials related to NVMe
sudo dmesg | grep -i apparmor | grep nvme

# If you have custom scripts accessing NVMe devices,
# you may need to add these permissions to their profiles:
# /dev/nvme* rw,
# /sys/class/nvme/** r,
# /sys/devices/**/nvme*/** r,

AppArmor Best Practices

  1. Use complain mode for testing:

    # Test NVMe connections
    sudo nvme connect -t tcp -a <portal_ip> -s 4420 -n <nqn>
    
    # Check for any AppArmor denials
    sudo dmesg | grep -i apparmor
  2. Never disable AppArmor in production (Ubuntu):

    • Use complain mode for troubleshooting.

    • Create proper profiles for custom applications.

    • Document custom profiles.

  3. Monitor for denials:

    # Real-time monitoring
    sudo tail -f /var/log/syslog | grep -i apparmor