Merge ~ahasenack/ubuntu/+source/rsyslog:lunar-rsyslog-apparmor-armhf into ubuntu/+source/rsyslog:ubuntu/devel

Proposed by Andreas Hasenack
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: 0f3515d46d6c3d01902eac4e8719dfd0bad80083
Proposed branch: ~ahasenack/ubuntu/+source/rsyslog:lunar-rsyslog-apparmor-armhf
Merge into: ubuntu/+source/rsyslog:ubuntu/devel
Diff against target: 164 lines (+51/-45)
6 files modified
debian/changelog (+8/-0)
debian/tests/control (+3/-3)
debian/tests/simple-logger (+3/-14)
debian/tests/simple-mysql (+1/-14)
debian/tests/simple-pgsql (+1/-14)
debian/tests/utils (+35/-0)
Reviewer                       Review Type  Date Requested  Status
Bryce Harrington (community)                                Approve
git-ubuntu bot                                              Approve
Canonical Server Reporter                                   Pending
Review via email: mp+437884@code.launchpad.net

Description of the change

Quick fix for the linked bug, where apparmor cannot be enforced/changed/loaded in our armhf DEP8 infrastructure.

PPA with amd64, arm64, and armhf: https://launchpad.net/~ahasenack/+archive/ubuntu/lunar-rsyslog-apparmor-armhf/+packages

Tests passed:
Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-lunar-rsyslog-apparmor-armhf/?format=plain)
  rsyslog @ amd64:
    24.02.23 01:44:24 Log 🗒️ ✅ Triggers: rsyslog/8.2302.0-1ubuntu2~ppa2
  rsyslog @ arm64:
    24.02.23 00:31:32 Log 🗒️ ✅ Triggers: rsyslog/8.2302.0-1ubuntu2~ppa2
  rsyslog @ armhf:
    24.02.23 00:23:26 Log 🗒️ ✅ Triggers: rsyslog/8.2302.0-1ubuntu2~ppa2

Notice how in the armhf case enforcing the apparmor profile fails, but we continue:
(...)
autopkgtest [00:14:14]: test simple-logger: [-----------------------
Enforcing the /etc/apparmor.d/usr.sbin.rsyslogd apparmor profile
Setting /etc/apparmor.d/usr.sbin.rsyslogd to enforce mode.

ERROR: /sbin/apparmor_parser: Unable to replace "rsyslogd". Permission denied; attempted to load a profile while confined?

Error, ignoring and continuing
Logging message: logger-test-value=0e667633-5126-49b8-9116-ece55acc870b
(...)

Bryce Harrington (bryce) wrote :

Solution LGTM, although I'd suggest a few wording changes to help future troubleshooters. See inline comments.

With those changes applied, +1, no need for 2nd round of review.
If you disagree, feel free to bounce back to me for more chat.

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: ahasenack, bryce
Uploaders: ahasenack, bryce
MP auto-approved

review: Approve
Andreas Hasenack (ahasenack) wrote :

I made some changes to make it fail if the apparmor profile cannot be enforced, if:
a) it's ubuntu
b) it's armhf

New run is green:
Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-lunar-rsyslog-apparmor-armhf/?format=plain)
  rsyslog @ amd64:
    28.02.23 18:43:26 Log 🗒️ ✅ Triggers: rsyslog/8.2302.0-1ubuntu2~ppa4
  rsyslog @ arm64:
    28.02.23 18:28:03 Log 🗒️ ✅ Triggers: rsyslog/8.2302.0-1ubuntu2~ppa4
  rsyslog @ armhf:
    28.02.23 18:16:18 Log 🗒️ ✅ Triggers: rsyslog/8.2302.0-1ubuntu2~ppa4

non-armhf logs this:
...
autopkgtest [18:31:57]: test simple-mysql: [-----------------------
Enforcing the /etc/apparmor.d/usr.sbin.rsyslogd apparmor profile
Setting /etc/apparmor.d/usr.sbin.rsyslogd to enforce mode.
...

armhf logs this:
...
autopkgtest [18:12:54]: test simple-mysql: [-----------------------
Enforcing the /etc/apparmor.d/usr.sbin.rsyslogd apparmor profile

ERROR: /sbin/apparmor_parser: Unable to replace "rsyslogd". Permission denied; attempted to load a profile while confined?

Setting /etc/apparmor.d/usr.sbin.rsyslogd to enforce mode.
Warning, failed to enforce apparmor profile.
On armhf and Ubuntu DEP8 infrastructure, this is not a fatal error.
See #2008393 for details.
...

Please take another look

Andreas Hasenack (ahasenack) wrote :

I also updated the bug with a link to at least some of the setup that is done for armhf lxd containers in the autopkgtest infrastructure, but even with those settings, I couldn't reproduce the apparmor blockage in my pi4 arm64 host with armhf lxd.

Bryce Harrington (bryce) wrote :

Ooh, I like this a lot, it nicely limits the handling to armhf specifically, and gives much better feedback to the tester.

Couple formatting notes below but otherwise LGTM, +1.

review: Approve
Andreas Hasenack (ahasenack) wrote :

Funny those tab/spaces changes, that was a copy/paste with the mouse from one file to d/t/utils. Somehow that "created" some tabs, heh. Fixed.

I also moved the return to the end, and reset rc to zero if it's ubuntu + armhf, so we don't fail in that case.

Andreas Hasenack (ahasenack) wrote :

Retested and uploaded:

Uploading rsyslog_8.2302.0-1ubuntu2.dsc
Uploading rsyslog_8.2302.0-1ubuntu2.debian.tar.xz
Uploading rsyslog_8.2302.0-1ubuntu2_source.buildinfo
Uploading rsyslog_8.2302.0-1ubuntu2_source.changes

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index dfcec4e..bf142e1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
1rsyslog (8.2302.0-1ubuntu2) lunar; urgency=medium
2
3 * d/t/simple-*, d/t/control: ignore aa-enforce error, which can happen
4 on armhf in the Ubuntu DEP8 infrastructure, and allow-stderr for
5 these tests (LP: #2008393)
6
7 -- Andreas Hasenack <andreas@canonical.com> Thu, 23 Feb 2023 18:56:07 -0300
8
1rsyslog (8.2302.0-1ubuntu1) lunar; urgency=medium9rsyslog (8.2302.0-1ubuntu1) lunar; urgency=medium
210
3 * Merge with Debian unstable. Remaining changes:11 * Merge with Debian unstable. Remaining changes:
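
Review bot: the changelog entry at new lines 3-5 names only d/t/simple-* and d/t/control, but the change also adds try_enforce_apparmor to d/t/utils, and that helper tolerates the aa-enforce failure only when the architecture is armhf and the vendor is Ubuntu. Suggest listing d/t/utils in the entry and wording it as "ignore aa-enforce error on armhf in the Ubuntu DEP8 infrastructure", so it does not read as an unconditional ignore.
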
diff --git a/debian/tests/control b/debian/tests/control
index 89703c0..0593972 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -4,16 +4,16 @@ Restrictions: needs-root allow-stderr
44
5Tests: simple-logger5Tests: simple-logger
6Depends: rsyslog, bsdutils, apparmor-utils, uuid-runtime6Depends: rsyslog, bsdutils, apparmor-utils, uuid-runtime
7Restrictions: needs-root7Restrictions: needs-root allow-stderr
88
9Tests: simple-mysql9Tests: simple-mysql
10# rsyslog-mysql has to be installed by the test script, because it pulls in dbconfig-common10# rsyslog-mysql has to be installed by the test script, because it pulls in dbconfig-common
11# which will be setup *before* mysql-server is configured and running, which fails.11# which will be setup *before* mysql-server is configured and running, which fails.
12Depends: bsdutils, apparmor-utils, mysql-server, uuid-runtime12Depends: bsdutils, apparmor-utils, mysql-server, uuid-runtime
13Restrictions: needs-root13Restrictions: needs-root allow-stderr
1414
15Tests: simple-pgsql15Tests: simple-pgsql
16# rsyslog-pgsql has to be installed by the test script, because it pulls in dbconfig-common16# rsyslog-pgsql has to be installed by the test script, because it pulls in dbconfig-common
17# which will be setup *before* postgresql is configured and running, which fails.17# which will be setup *before* postgresql is configured and running, which fails.
18Depends: bsdutils, apparmor-utils, postgresql, postgresql-client, uuid-runtime18Depends: bsdutils, apparmor-utils, postgresql, postgresql-client, uuid-runtime
19Restrictions: needs-root19Restrictions: needs-root allow-stderr
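
Review bot: allow-stderr is added to the Restrictions line of simple-logger, simple-mysql and simple-pgsql on every architecture, while the stderr output this change is about is the apparmor_parser error seen on armhf. With the restriction relaxed, unexpected stderr output from any other command in these three tests no longer fails the run. Consider redirecting the stderr of the aa-enforce call inside try_enforce_apparmor to stdout and keeping "Restrictions: needs-root" as it was.
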
diff --git a/debian/tests/simple-logger b/debian/tests/simple-logger
index 1c38834..b625712 100755
--- a/debian/tests/simple-logger
+++ b/debian/tests/simple-logger
@@ -3,21 +3,10 @@
3set -e3set -e
4set -o pipefail4set -o pipefail
55
6# make sure we are confined and in enforce mode for this test, if supported6source debian/tests/utils
7apparmor_profile="/etc/apparmor.d/usr.sbin.rsyslogd"
8if [ ! -d /etc/apparmor.d/rsyslog.d ]; then
9 echo "No /etc/apparmor.d/rsyslog directory, not touching apparmor status"
10
11elif [ ! -f "${apparmor_profile}" ]; then
12 echo "No ${apparmor_profile} file, not touching apparmor status"
13
14elif ! aa-status --enabled 2>/dev/null; then
15 echo "Apparmor disabled (aa-status)"
167
17else8# make sure we are confined and in enforce mode for this test, if supported
18 echo "Enforcing the ${apparmor_profile} apparmor profile"9try_enforce_apparmor
19 aa-enforce "${apparmor_profile}"
20fi
2110
22message="logger-test-value=$(uuidgen)"11message="logger-test-value=$(uuidgen)"
2312
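
Review bot: the comment kept above try_enforce_apparmor at new line 8 still says the test makes sure rsyslogd is confined and in enforce mode "if supported", which no longer describes what happens. With set -e at line 3, a non-zero return from the helper aborts the test, and on armhf under Ubuntu the helper returns 0 with the profile not enforced, so a green armhf result does not show that logging works under the enforced profile. Suggest rewording the comment to say so; the same comment sits above the call in simple-mysql and simple-pgsql.
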
diff --git a/debian/tests/simple-mysql b/debian/tests/simple-mysql
index 036f1af..c0d0c9e 100755
--- a/debian/tests/simple-mysql
+++ b/debian/tests/simple-mysql
@@ -6,20 +6,7 @@ set -o pipefail
6source debian/tests/utils6source debian/tests/utils
77
8# make sure we are confined and in enforce mode for this test, if supported8# make sure we are confined and in enforce mode for this test, if supported
9apparmor_profile="/etc/apparmor.d/usr.sbin.rsyslogd"9try_enforce_apparmor
10if [ ! -d /etc/apparmor.d/rsyslog.d ]; then
11 echo "No /etc/apparmor.d/rsyslog directory, not touching apparmor status"
12
13elif [ ! -f "${apparmor_profile}" ]; then
14 echo "No ${apparmor_profile} file, not touching apparmor status"
15
16elif ! aa-status --enabled 2>/dev/null; then
17 echo "Apparmor disabled (aa-status)"
18
19else
20 echo "Enforcing the ${apparmor_profile} apparmor profile"
21 aa-enforce "${apparmor_profile}"
22fi
2310
24# Installing rsyslog-mysql without having a mysql DB already configured on11# Installing rsyslog-mysql without having a mysql DB already configured on
25# localhost fails, because the dbconfig-common postinst runs before the mysql12# localhost fails, because the dbconfig-common postinst runs before the mysql
diff --git a/debian/tests/simple-pgsql b/debian/tests/simple-pgsql
index 9f4c163..a09f3a8 100755
--- a/debian/tests/simple-pgsql
+++ b/debian/tests/simple-pgsql
@@ -6,20 +6,7 @@ set -o pipefail
6source debian/tests/utils6source debian/tests/utils
77
8# make sure we are confined and in enforce mode for this test, if supported8# make sure we are confined and in enforce mode for this test, if supported
9apparmor_profile="/etc/apparmor.d/usr.sbin.rsyslogd"9try_enforce_apparmor
10if [ ! -d /etc/apparmor.d/rsyslog.d ]; then
11 echo "No /etc/apparmor.d/rsyslog directory, not touching apparmor status"
12
13elif [ ! -f "${apparmor_profile}" ]; then
14 echo "No ${apparmor_profile} file, not touching apparmor status"
15
16elif ! aa-status --enabled 2>/dev/null; then
17 echo "Apparmor disabled (aa-status)"
18
19else
20 echo "Enforcing the ${apparmor_profile} apparmor profile"
21 aa-enforce "${apparmor_profile}"
22fi
2310
24# Installing rsyslog-pgsql without having a postgresq DB already configured on11# Installing rsyslog-pgsql without having a postgresq DB already configured on
25# localhost fails, because the dbconfig-common postinst runs before the12# localhost fails, because the dbconfig-common postinst runs before the
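
Review bot: a drive-by style point while this file is being touched: the context comment at new line 11 reads "postgresq DB", which should be "postgresql DB".
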
diff --git a/debian/tests/utils b/debian/tests/utils
index 5d503ef..ecc942b 100644
--- a/debian/tests/utils
+++ b/debian/tests/utils
@@ -39,3 +39,38 @@ check_db_for_message() {
39 return 139 return 1
40 fi40 fi
41}41}
42
43try_enforce_apparmor() {
44 local apparmor_profile="/etc/apparmor.d/usr.sbin.rsyslogd"
45 local -i rc=0
46
47 if [ ! -d /etc/apparmor.d/rsyslog.d ]; then
48 echo "No /etc/apparmor.d/rsyslog directory, not touching apparmor status"
49
50 elif [ ! -f "${apparmor_profile}" ]; then
51 echo "No ${apparmor_profile} file, not touching apparmor status"
52
53 elif ! aa-status --enabled 2>/dev/null; then
54 echo "Apparmor disabled (aa-status)"
55
56 else
57 echo "Enforcing the ${apparmor_profile} apparmor profile"
58 aa-enforce "${apparmor_profile}" || rc=$?
59 if [ ${rc} -ne 0 ]; then
60 # This can fail on armhf in the Ubuntu DEP8 infrastructure
61 # because that environment restricts changing apparmor profiles.
62 # (See LP: #2008393)
63 arch=$(dpkg --print-architecture)
64 vendor=$(dpkg-vendor --query Vendor)
65 if [ "${arch}" = "armhf" ] && [ "${vendor}" = "Ubuntu" ]; then
66 echo "WARNING: failed to enforce apparmor profile."
67 echo "On armhf and Ubuntu DEP8 infrastructure, this is not a fatal error."
68 echo "See #2008393 for details."
69 rc=0
70 else
71 echo "ERROR: failed to enforce apparmor profile"
72 fi
73 fi
74 fi
75 return ${rc}
76}
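
Review bot: arch and vendor at new lines 63-64 are assigned without local, so they become globals in every test script that sources this file; declare them next to apparmor_profile and rc at lines 44-45. The message at line 48 names "/etc/apparmor.d/rsyslog" while the test at line 47 checks /etc/apparmor.d/rsyslog.d, so the log points at a directory that was never checked. Line 53 also discards the stderr of aa-status, so a failing aa-status is reported the same way as AppArmor being disabled. A short comment above the function stating that it returns 0 when the profile is absent, when AppArmor is disabled, and on the tolerated armhf failure would document that a zero return does not mean the profile is in enforce mode.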
