Merge ~ahasenack/ubuntu/+source/rsyslog:lunar-rsyslog-apparmor-armhf into ubuntu/+source/rsyslog:ubuntu/devel

Proposed by Andreas Hasenack
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: 0f3515d46d6c3d01902eac4e8719dfd0bad80083
Proposed branch: ~ahasenack/ubuntu/+source/rsyslog:lunar-rsyslog-apparmor-armhf
Merge into: ubuntu/+source/rsyslog:ubuntu/devel
Diff against target: 164 lines (+51/-45)
6 files modified
debian/changelog (+8/-0)
debian/tests/control (+3/-3)
debian/tests/simple-logger (+3/-14)
debian/tests/simple-mysql (+1/-14)
debian/tests/simple-pgsql (+1/-14)
debian/tests/utils (+35/-0)
Reviewer Review Type Date Requested Status
Bryce Harrington (community) Approve
git-ubuntu bot Approve
Canonical Server Reporter Pending
Review via email: mp+437884@code.launchpad.net

Description of the change

Quick fix for the linked bug, where apparmor cannot be enforced/changed/loaded in our armhf DEP8 infrastructure.

PPA with amd64, arm64, and armhf: https://launchpad.net/~ahasenack/+archive/ubuntu/lunar-rsyslog-apparmor-armhf/+packages

Tests passed:
Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-lunar-rsyslog-apparmor-armhf/?format=plain)
  rsyslog @ amd64:
    24.02.23 01:44:24 Log 🗒️ ✅ Triggers: rsyslog/8.2302.0-1ubuntu2~ppa2
  rsyslog @ arm64:
    24.02.23 00:31:32 Log 🗒️ ✅ Triggers: rsyslog/8.2302.0-1ubuntu2~ppa2
  rsyslog @ armhf:
    24.02.23 00:23:26 Log 🗒️ ✅ Triggers: rsyslog/8.2302.0-1ubuntu2~ppa2

Notice how in the armhf case enforcing the apparmor profile fails, but we continue:
(...)
autopkgtest [00:14:14]: test simple-logger: [-----------------------
Enforcing the /etc/apparmor.d/usr.sbin.rsyslogd apparmor profile
Setting /etc/apparmor.d/usr.sbin.rsyslogd to enforce mode.

ERROR: /sbin/apparmor_parser: Unable to replace "rsyslogd". Permission denied; attempted to load a profile while confined?

Error, ignoring and continuing
Logging message: logger-test-value=0e667633-5126-49b8-9116-ece55acc870b
(...)

Bryce Harrington (bryce) wrote :

Solution LGTM, although I'd suggest a few wording changes to help future troubleshooters. See inline comments.

With those changes applied, +1, no need for 2nd round of review.
If you disagree, feel free to bounce back to me for more chat.

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: ahasenack, bryce
Uploaders: ahasenack, bryce
MP auto-approved

review: Approve
Andreas Hasenack (ahasenack) wrote :

I made some changes to make it fail if the apparmor profile cannot be enforced, if:
a) it's ubuntu
b) it's armhf

New run is green:
Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-lunar-rsyslog-apparmor-armhf/?format=plain)
  rsyslog @ amd64:
    28.02.23 18:43:26 Log 🗒️ ✅ Triggers: rsyslog/8.2302.0-1ubuntu2~ppa4
  rsyslog @ arm64:
    28.02.23 18:28:03 Log 🗒️ ✅ Triggers: rsyslog/8.2302.0-1ubuntu2~ppa4
  rsyslog @ armhf:
    28.02.23 18:16:18 Log 🗒️ ✅ Triggers: rsyslog/8.2302.0-1ubuntu2~ppa4

non-armhf logs this:
...
autopkgtest [18:31:57]: test simple-mysql: [-----------------------
Enforcing the /etc/apparmor.d/usr.sbin.rsyslogd apparmor profile
Setting /etc/apparmor.d/usr.sbin.rsyslogd to enforce mode.
...

armhf logs this:
...
autopkgtest [18:12:54]: test simple-mysql: [-----------------------
Enforcing the /etc/apparmor.d/usr.sbin.rsyslogd apparmor profile

ERROR: /sbin/apparmor_parser: Unable to replace "rsyslogd". Permission denied; attempted to load a profile while confined?

Setting /etc/apparmor.d/usr.sbin.rsyslogd to enforce mode.
Warning, failed to enforce apparmor profile.
On armhf and Ubuntu DEP8 infrastructure, this is not a fatal error.
See #2008393 for details.
...

Please take another look

Andreas Hasenack (ahasenack) wrote :

I also updated the bug with a link to at least some of the setup that is done for armhf lxd containers in the autopkgtest infrastructure, but even with those settings, I couldn't reproduce the apparmor blockage in my pi4 arm64 host with armhf lxd.

Bryce Harrington (bryce) wrote :

Ooh, I like this a lot, it nicely limits the handling to armhf specifically, and gives much better feedback to the tester.

Couple formatting notes below but otherwise LGTM, +1.

review: Approve
Andreas Hasenack (ahasenack) wrote :

Funny those tab/spaces changes, that was a copy/paste with the mouse from one file to d/t/utils. Somehow that "created" some tabs, heh. Fixed.

I also moved the return to the end, and reset rc to zero if it's ubuntu + armhf, so we don't fail in that case.

Andreas Hasenack (ahasenack) wrote :

Retested and uploaded:

Uploading rsyslog_8.2302.0-1ubuntu2.dsc
Uploading rsyslog_8.2302.0-1ubuntu2.debian.tar.xz
Uploading rsyslog_8.2302.0-1ubuntu2_source.buildinfo
Uploading rsyslog_8.2302.0-1ubuntu2_source.changes

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index dfcec4e..bf142e1 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,11 @@
6+rsyslog (8.2302.0-1ubuntu2) lunar; urgency=medium
7+
8+ * d/t/simple-*, d/t/control: ignore aa-enforce error, which can happen
9+ on armhf in the Ubuntu DEP8 infrastructure, and allow-stderr for
10+ these tests (LP: #2008393)
11+
12+ -- Andreas Hasenack <andreas@canonical.com> Thu, 23 Feb 2023 18:56:07 -0300
13+
14 rsyslog (8.2302.0-1ubuntu1) lunar; urgency=medium
15
16 * Merge with Debian unstable. Remaining changes:
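
Review bot: The changelog entry names only d/t/simple-* and d/t/control, but the new logic lives in debian/tests/utils (+35 in the diffstat), so d/t/utils should be listed as well. The wording "ignore aa-enforce error" is also broader than what the helper does: rc is reset to 0 only when the architecture is armhf and the vendor is Ubuntu, and every other case still returns the failure, so the entry should say the error is tolerated only in that combination.
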
17diff --git a/debian/tests/control b/debian/tests/control
18index 89703c0..0593972 100644
19--- a/debian/tests/control
20+++ b/debian/tests/control
21@@ -4,16 +4,16 @@ Restrictions: needs-root allow-stderr
22
23 Tests: simple-logger
24 Depends: rsyslog, bsdutils, apparmor-utils, uuid-runtime
25-Restrictions: needs-root
26+Restrictions: needs-root allow-stderr
27
28 Tests: simple-mysql
29 # rsyslog-mysql has to be installed by the test script, because it pulls in dbconfig-common
30 # which will be setup *before* mysql-server is configured and running, which fails.
31 Depends: bsdutils, apparmor-utils, mysql-server, uuid-runtime
32-Restrictions: needs-root
33+Restrictions: needs-root allow-stderr
34
35 Tests: simple-pgsql
36 # rsyslog-pgsql has to be installed by the test script, because it pulls in dbconfig-common
37 # which will be setup *before* postgresql is configured and running, which fails.
38 Depends: bsdutils, apparmor-utils, postgresql, postgresql-client, uuid-runtime
39-Restrictions: needs-root
40+Restrictions: needs-root allow-stderr
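
Review bot: Adding allow-stderr to all three stanzas (simple-logger, simple-mysql, simple-pgsql) relaxes the check for the whole test script, not just for the aa-enforce call, so any other unexpected stderr output from these tests will no longer fail the run. Consider keeping "Restrictions: needs-root" and redirecting only the aa-enforce call's stderr to stdout inside try_enforce_apparmor; the apparmor_parser error would still show in the log without widening what the tests tolerate.
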
41diff --git a/debian/tests/simple-logger b/debian/tests/simple-logger
42index 1c38834..b625712 100755
43--- a/debian/tests/simple-logger
44+++ b/debian/tests/simple-logger
45@@ -3,21 +3,10 @@
46 set -e
47 set -o pipefail
48
49-# make sure we are confined and in enforce mode for this test, if supported
50-apparmor_profile="/etc/apparmor.d/usr.sbin.rsyslogd"
51-if [ ! -d /etc/apparmor.d/rsyslog.d ]; then
52- echo "No /etc/apparmor.d/rsyslog directory, not touching apparmor status"
53-
54-elif [ ! -f "${apparmor_profile}" ]; then
55- echo "No ${apparmor_profile} file, not touching apparmor status"
56-
57-elif ! aa-status --enabled 2>/dev/null; then
58- echo "Apparmor disabled (aa-status)"
59+source debian/tests/utils
60
61-else
62- echo "Enforcing the ${apparmor_profile} apparmor profile"
63- aa-enforce "${apparmor_profile}"
64-fi
65+# make sure we are confined and in enforce mode for this test, if supported
66+try_enforce_apparmor
67
68 message="logger-test-value=$(uuidgen)"
69
70diff --git a/debian/tests/simple-mysql b/debian/tests/simple-mysql
71index 036f1af..c0d0c9e 100755
72--- a/debian/tests/simple-mysql
73+++ b/debian/tests/simple-mysql
74@@ -6,20 +6,7 @@ set -o pipefail
75 source debian/tests/utils
76
77 # make sure we are confined and in enforce mode for this test, if supported
78-apparmor_profile="/etc/apparmor.d/usr.sbin.rsyslogd"
79-if [ ! -d /etc/apparmor.d/rsyslog.d ]; then
80- echo "No /etc/apparmor.d/rsyslog directory, not touching apparmor status"
81-
82-elif [ ! -f "${apparmor_profile}" ]; then
83- echo "No ${apparmor_profile} file, not touching apparmor status"
84-
85-elif ! aa-status --enabled 2>/dev/null; then
86- echo "Apparmor disabled (aa-status)"
87-
88-else
89- echo "Enforcing the ${apparmor_profile} apparmor profile"
90- aa-enforce "${apparmor_profile}"
91-fi
92+try_enforce_apparmor
93
94 # Installing rsyslog-mysql without having a mysql DB already configured on
95 # localhost fails, because the dbconfig-common postinst runs before the mysql
96diff --git a/debian/tests/simple-pgsql b/debian/tests/simple-pgsql
97index 9f4c163..a09f3a8 100755
98--- a/debian/tests/simple-pgsql
99+++ b/debian/tests/simple-pgsql
100@@ -6,20 +6,7 @@ set -o pipefail
101 source debian/tests/utils
102
103 # make sure we are confined and in enforce mode for this test, if supported
104-apparmor_profile="/etc/apparmor.d/usr.sbin.rsyslogd"
105-if [ ! -d /etc/apparmor.d/rsyslog.d ]; then
106- echo "No /etc/apparmor.d/rsyslog directory, not touching apparmor status"
107-
108-elif [ ! -f "${apparmor_profile}" ]; then
109- echo "No ${apparmor_profile} file, not touching apparmor status"
110-
111-elif ! aa-status --enabled 2>/dev/null; then
112- echo "Apparmor disabled (aa-status)"
113-
114-else
115- echo "Enforcing the ${apparmor_profile} apparmor profile"
116- aa-enforce "${apparmor_profile}"
117-fi
118+try_enforce_apparmor
119
120 # Installing rsyslog-pgsql without having a postgresq DB already configured on
121 # localhost fails, because the dbconfig-common postinst runs before the
122diff --git a/debian/tests/utils b/debian/tests/utils
123index 5d503ef..ecc942b 100644
124--- a/debian/tests/utils
125+++ b/debian/tests/utils
126@@ -39,3 +39,38 @@ check_db_for_message() {
127 return 1
128 fi
129 }
130+
131+try_enforce_apparmor() {
132+ local apparmor_profile="/etc/apparmor.d/usr.sbin.rsyslogd"
133+ local -i rc=0
134+
135+ if [ ! -d /etc/apparmor.d/rsyslog.d ]; then
136+ echo "No /etc/apparmor.d/rsyslog directory, not touching apparmor status"
137+
138+ elif [ ! -f "${apparmor_profile}" ]; then
139+ echo "No ${apparmor_profile} file, not touching apparmor status"
140+
141+ elif ! aa-status --enabled 2>/dev/null; then
142+ echo "Apparmor disabled (aa-status)"
143+
144+ else
145+ echo "Enforcing the ${apparmor_profile} apparmor profile"
146+ aa-enforce "${apparmor_profile}" || rc=$?
147+ if [ ${rc} -ne 0 ]; then
148+ # This can fail on armhf in the Ubuntu DEP8 infrastructure
149+ # because that environment restricts changing apparmor profiles.
150+ # (See LP: #2008393)
151+ arch=$(dpkg --print-architecture)
152+ vendor=$(dpkg-vendor --query Vendor)
153+ if [ "${arch}" = "armhf" ] && [ "${vendor}" = "Ubuntu" ]; then
154+ echo "WARNING: failed to enforce apparmor profile."
155+ echo "On armhf and Ubuntu DEP8 infrastructure, this is not a fatal error."
156+ echo "See #2008393 for details."
157+ rc=0
158+ else
159+ echo "ERROR: failed to enforce apparmor profile"
160+ fi
161+ fi
162+ fi
163+ return ${rc}
164+}
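
Review bot: The exemption in the inner if is keyed on "${arch}" = "armhf" and "${vendor}" = "Ubuntu" rather than on the DEP8 infrastructure itself, so a genuine aa-enforce failure on any Ubuntu armhf system is downgraded to a warning and the test runs unconfined while reporting success. If the infrastructure cannot be detected more precisely, say so in the code comment so the scope of the exemption is explicit. Two smaller points: arch and vendor are assigned without local, so they leak into the script that sources this file, unlike apparmor_profile and rc; and the first echo says "No /etc/apparmor.d/rsyslog directory" while the test checks /etc/apparmor.d/rsyslog.d. Also note that dpkg-vendor is shipped in dpkg-dev, which none of the Depends lines in d/t/control list.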
