Merge lp:~mvo/ubuntu/vivid/ubuntu-core-config/lp1460152-workaround into lp:ubuntu/wily/ubuntu-core-config

Proposed by Michael Vogt on 2015-06-05
Status: Merged
Merged at revision: 22
Proposed branch: lp:~mvo/ubuntu/vivid/ubuntu-core-config/lp1460152-workaround
Merge into: lp:ubuntu/wily/ubuntu-core-config
Diff against target: 94 lines (+59/-0)
5 files modified
debian/changelog (+19/-0)
debian/install (+1/-0)
debian/links (+1/-0)
lib/systemd/system/snappy-workaround-apparmor.service (+11/-0)
usr/bin/snappy-apparmor-lp1460152 (+27/-0)
To merge this branch: bzr merge lp:~mvo/ubuntu/vivid/ubuntu-core-config/lp1460152-workaround
Reviewer Review Type Date Requested Status
Sergio Schvezov (community) Approve on 2015-06-05
Ubuntu branches 2015-06-05 Pending
Review via email: mp+261179@code.launchpad.net
Sergio Schvezov (sergiusens) wrote :

ok, I'll manually stage this by:
- installing 15.04 stable
- changing channels.ini to edge
- snappy update'ing
- remount 'other' and insert this
- reboot
- profit

The code looks good, very clever of putting it here instead of the snappy code base itself :-)

I guess
+After=etc-writable.mount
just means after we can write to partitions (the systemd unit names still confuse me a bit).

Michael Vogt (mvo) wrote :

Yeah, there is one more gotcha here, there needs to be a "Before=ubuntu-snappy.frameworks-pre.target" to ensure the apparmor re-generation is all done before systemd starts our frameworks/app services.

30. By Michael Vogt on 2015-06-05

lib/systemd/system/snappy-workaround-apparmor.service: add ubuntu-snappy.frameworks-pre.target

Michael Vogt (mvo) wrote :

I added the Before= in r30 but did not test it (sorry! time is short here).

@sergio The testplan looks great, you may need to change both channels.ini to edge, that's the only thing I can think of. Many many thanks for testing this and let's hope we can land a fix inside apparmor soon(ish) as I feel that will be much cleaner :)

Michael Vogt (mvo) wrote :

@After> yeah, it means that the writable mounts should all be in place. And yes, it's confusing! I'm not even sure this is needed but I added it to be on the safe side.

Sergio Schvezov (sergiusens) wrote :

manual steps worked.

review: Approve

Jamie Strandboge (jdstrand) wrote :

From the bug:
"FYI, the hash approach is slow for the normal case since we always have to perform a sum. Furthermore it doesn't take into account #include'd files that might also change (eg, apparmor is updated and has a different base abstraction). For the workaround, I guess it is ok since the slowdown will only be for a couple of profiles but I would have rather seen us unconditionally invalidating the cache when switching from a to b or vice versa."

Preview Diff

1=== modified file 'debian/changelog'
2--- debian/changelog 2015-05-27 07:42:14 +0000
3+++ debian/changelog 2015-06-05 11:51:12 +0000
4@@ -1,3 +1,22 @@
5+ubuntu-core-config (0.6.18) UNRELEASED; urgency=low
6+
7+ * revert 'use "transition" for /etc/apparmor.d/cache' change
8+ as we can not pre-create the apparmor cache on livecd-rootfs build
9+ * usr/bin/snappy-apparmor-lp1460152,
10+ lib/systemd/system/snappy-workaround-apparmor.service:
11+ - add workaround for apparmor cache out of sync issue (LP: #1460152)
12+
13+ -- Michael Vogt <michael.vogt@ubuntu.com> Thu, 04 Jun 2015 22:56:29 +0200
14+
15+ubuntu-core-config (0.6.17) wily; urgency=low
16+
17+ * use "transition" for /etc/apparmor.d/cache
18+ (LP: #1460152)
19+ * etc/system-image/config.d/20_snappy.ini:
20+ - fix config file name
21+
22+ -- Michael Vogt <michael.vogt@ubuntu.com> Wed, 03 Jun 2015 09:43:09 +0200
23+
24 ubuntu-core-config (0.6.16) wily; urgency=medium
25
26 * Add /frameworks to writable-paths
27
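Review bot: The 0.6.18 entry names usr/bin/snappy-apparmor-lp1460152 and the new service unit but not the packaging changes that wire them in, namely the `usr` line added to debian/install and the multi-user.target.requires link added to debian/links. List both in the entry so the changelog accounts for everything needed to ship and enable the workaround, which also makes it easier to back out completely once apparmor itself is fixed.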
28=== modified file 'debian/install'
29--- debian/install 2015-02-27 16:40:14 +0000
30+++ debian/install 2015-06-05 11:51:12 +0000
31@@ -1,3 +1,4 @@
32 etc
33 lib
34+usr
35 snappy-extrausers /usr/share/pam-configs/
36
37=== modified file 'debian/links'
38--- debian/links 2015-02-27 16:40:14 +0000
39+++ debian/links 2015-06-05 11:51:12 +0000
40@@ -1,1 +1,2 @@
41 /lib/systemd/system/snappy-set-hostname.service /lib/systemd/system/sysinit.target.requires/snappy-set-hostname.service
42+/lib/systemd/system/snappy-workaround-apparmor.service /lib/systemd/system/multi-user.target.requires/snappy-workaround-apparmor.service
43\ No newline at end of file
44
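Review bot: The added link goes into multi-user.target.requires, which makes the workaround a hard requirement of multi-user.target; the script it starts runs under `set -e`, so a single failure there can keep the target from being reached. A link under multi-user.target.wants would still start the unit on every boot without tying boot success to a temporary workaround. The file also still ends without a trailing newline.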
45=== renamed file 'etc/system-image/config.d/20_snappy.conf' => 'etc/system-image/config.d/20_snappy.ini'
46=== added file 'lib/systemd/system/snappy-workaround-apparmor.service'
47--- lib/systemd/system/snappy-workaround-apparmor.service 1970-01-01 00:00:00 +0000
48+++ lib/systemd/system/snappy-workaround-apparmor.service 2015-06-05 11:51:12 +0000
49@@ -0,0 +1,11 @@
50+# workaround LP: #1460152
51+#
52+[Unit]
53+Description=Workaround apparmor cacheing
54+WantedBy=multi-user.target
55+After=etc-writable.mount
56+Before=ubuntu-snappy.frameworks-pre.target
57+
58+[Service]
59+Type=oneshot
60+ExecStart=/usr/bin/snappy-apparmor-lp1460152
61
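Review bot: `WantedBy=multi-user.target` is placed under `[Unit]`, but it is an `[Install]` directive, so systemd ignores it there and logs a warning; the unit is actually pulled in by the symlink from debian/links. Drop the line or move it into an `[Install]` section. The ordering that matters for policy enforcement is `Before=ubuntu-snappy.frameworks-pre.target`, and the thread says it was added in r30 without testing, so confirm on a booted image (for example with systemd-analyze critical-chain) that the oneshot finishes before any framework or app service starts. "cacheing" in `Description=` should read "caching".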
62=== added directory 'usr'
63=== added directory 'usr/bin'
64=== added file 'usr/bin/snappy-apparmor-lp1460152'
65--- usr/bin/snappy-apparmor-lp1460152 1970-01-01 00:00:00 +0000
66+++ usr/bin/snappy-apparmor-lp1460152 2015-06-05 11:51:12 +0000
67@@ -0,0 +1,27 @@
68+#!/bin/sh
69+#
70+# workaroudn for LP: #1460152
71+#
72+
73+set -e
74+
75+. /lib/apparmor/functions
76+
77+# check each profile if the cache is out of sync (we can not use
78+# the mtime here because the apparmor seems to be doing the
79+# strictly great check on the mtime)
80+for p in $(find "$PROFILES" -maxdepth 1 -type f); do
81+ profile_md5=$(md5sum "$p")
82+ cached_p="$(echo $p | sed "s#$PROFILES#$PROFILES_CACHE#")"
83+ if [ ! -f "$cached_p" ]; then
84+ continue
85+ fi
86+ profile_md5_marker="$cached_p.profile-md5sum"
87+ cached_md5="$(cat "$profile_md5_marker" || true)"
88+ if [ "$profile_md5" != "$cached_md5" ]; then
89+ # remove, re-generate, update-md5 of cache
90+ rm -f "$cached_p"
91+ "$PARSER" --write-cache --replace "$p"
92+ echo "$profile_md5" > "$profile_md5_marker"
93+ fi
94+done
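Review bot: With `set -e` in effect, a non-zero exit from `"$PARSER" --write-cache --replace "$p"` aborts the whole loop right after `rm -f "$cached_p"`, so one profile that fails to compile leaves every later profile unchecked and possibly still loaded from a stale cache. Handle the parser failure per profile (log it, remember the error, continue) and exit non-zero only after the loop. Two smaller points in the same hunk: `for p in $(find ...)` and the unquoted `echo $p` word-split on unusual file names, and `md5sum "$p"` hashes only the top-level profile file, so a change in a file it #includes will not invalidate the cache, which is the limitation already raised in the bug.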
