AppArmor

Bug #1871148
Comment #17

Comment 17 for bug 1871148

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2020-04-08:

#17

Seth, the service starts fine if snapd is not installed and the mountpoint is not present.

$ sudo systemctl status apparmor
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: active (exited) since Wed 2020-04-08 07:05:57 CDT; 3min 9s ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
    Process: 309 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
   Main PID: 309 (code=exited, status=0/SUCCESS)

Apr 08 07:05:58 sec-focal-amd64 apparmor.systemd[309]: Restarting AppArmor
Apr 08 07:05:58 sec-focal-amd64 apparmor.systemd[309]: Reloading AppArmor profiles
Apr 08 07:05:58 sec-focal-amd64 apparmor.systemd[320]: Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
Apr 08 07:05:58 sec-focal-amd64 apparmor.systemd[325]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Warning: journal has been rotated since unit was started, output may be incomplete.

The service is not delayed on boot:

$ sudo systemd-analyze critical-chain apparmor.service
The time when unit became active or started is printed after the "@" character.
The time the unit took to start is printed after the "+" character.

apparmor.service +183ms
└─local-fs.target @526ms
  └─run-user-125-gvfs.mount @6.196s
    └─run-user-125.mount @5.831s
      └─local-fs-pre.target @526ms
        └─keyboard-setup.service @195ms +330ms
          └─systemd-journald.socket @173ms
            └─system.slice @170ms
              └─-.slice @170ms

Compare this with before snapd was removed:

apparmor.service +278ms
└─local-fs.target @1.073s
  └─run-user-125-gvfs.mount @10.509s
    └─run-user-125.mount @9.900s
      └─local-fs-pre.target @756ms
        └─keyboard-setup.service @369ms +386ms
          └─systemd-journald.socket @334ms
            └─system.slice @329ms
              └─-.slice @329ms

The systemd documentation (https://www.freedesktop.org/software/systemd/man/systemd.unit.html) say:

"RequiresMountsFor: Takes a space-separated list of absolute paths. Automatically adds dependencies of type Requires= and After= for all mount units required to access the specified path."

Furthermore, I read the systemd code and for each RequiresMountsFor entry, it will start with the entry, then see if there are mount entries for each path going up to '/', only adding the Requires and After if there is a .mount unit (that it may have synthesized from /etc/fstab) for this path. Eg:

snapd is not installed, systemd will:
* check if /var/lib/snapd/apparmor/profiles .mount entry exists. no, so do nothing
* check if /var/lib/snapd/apparmor .mount entry exists. no, so do nothing
* check if /var/lib/snapd .mount entry exists. no, so do nothing
* check if /var/lib .mount entry exists. no, so do nothing
* check if /var .mount entry exists. no, so do nothing
* check if / .mount entry exists. yes, so add this (will be satisfied by local-fs.target)

snapd is installed with no zfs-on-root, systemd will:
* check if /var/lib/snapd/apparmor/profiles .mount entry exists. no, so do nothing
* check if /var/lib/snapd/apparmor .mount entry exists. no, so do nothing
* check if /var/lib/snapd .mount entry exists. no, so do nothing
* check if /var/lib .mount entry exists. no, so do nothing
* check if /var .mount entry exists. no, so do nothing
* check if / .mount entry exists. yes, so add this (will be satisfied by local-fs.target)

snapd is installed with zfs-on-root, systemd will:
* check if /var/lib/snapd/apparmor/profiles .mount entry exists. no, so do nothing
* check if /var/lib/snapd/apparmor .mount entry exists. no, so do nothing
* check if /var/lib/snapd .mount entry exists. no, so do nothing
* check if /var/lib .mount entry exists. yes, so add this
* check if /var .mount entry exists. no, so do nothing
* check if / .mount entry exists. yes, so add this (will be satisfied by local-fs.target)

Seth, the service starts fine if snapd is not installed and the mountpoint is not present.

The service is not delayed on boot:

Compare this with before snapd was removed:

The systemd documentation (https://www.freedesktop.org/software/systemd/man/systemd.unit.html) say:

"RequiresMountsFor: Takes a space-separated list of absolute paths. Automatically adds dependencies of type Requires= and After= for all mount units required to access the specified path."

snapd is not installed, systemd will:
 * check if /var/lib/snapd/apparmor/profiles .mount entry exists. no, so do nothing
 * check if /var/lib/snapd/apparmor .mount entry exists. no, so do nothing
 * check if /var/lib/snapd .mount entry exists. no, so do nothing
 * check if /var/lib .mount entry exists. no, so do nothing
 * check if /var .mount entry exists. no, so do nothing
 * check if / .mount entry exists. yes, so add this (will be satisfied by local-fs.target)

snapd is installed with no zfs-on-root, systemd will:
 * check if /var/lib/snapd/apparmor/profiles .mount entry exists. no, so do nothing
 * check if /var/lib/snapd/apparmor .mount entry exists. no, so do nothing
 * check if /var/lib/snapd .mount entry exists. no, so do nothing
 * check if /var/lib .mount entry exists. no, so do nothing
 * check if /var .mount entry exists. no, so do nothing
 * check if / .mount entry exists. yes, so add this (will be satisfied by local-fs.target)

snapd is installed with zfs-on-root, systemd will:
 * check if /var/lib/snapd/apparmor/profiles .mount entry exists. no, so do nothing
 * check if /var/lib/snapd/apparmor .mount entry exists. no, so do nothing
 * check if /var/lib/snapd .mount entry exists. no, so do nothing
 * check if /var/lib .mount entry exists. yes, so add this
 * check if /var .mount entry exists. no, so do nothing
 * check if / .mount entry exists. yes, so add this (will be satisfied by local-fs.target)