Bug 1074429 - [20180101] AppArmor cannot be started in Kubic
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: AppArmor
Assigned To: Christian Boltz
Reported: 2018-01-03 08:16 UTC by Dominique Leuenberger
Modified: 2021-12-01 22:35 UTC

Description Dominique Leuenberger 2018-01-03 08:16:48 UTC
With snapshot 20180101, apparmor was updated to version 2.12, which seems to be responsible for the new openQA failure seen on Tumbleweed Kubic:

apparmor does not get successfully started, as it seems to try to write to locations it's not supposed to.

The journal shows:

● apparmor.service - Load AppArmor profiles
    Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
    Active: failed (Result: exit-code) since Tue 2018-01-02 17:15:44 UTC; 3min 34s ago
   Process: 461 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=1/FAILURE)
  Main PID: 461 (code=exited, status=1/FAILURE)
       CPU: 221ms
 
 Jan 02 17:15:43 localhost apparmor.systemd[461]: mkstemp: Read-only file system
 Jan 02 17:15:43 localhost apparmor.systemd[461]: Error: /etc/apparmor.d/usr.lib.dovecot.dovecot-auth failed to load
 Jan 02 17:15:43 localhost apparmor.systemd[461]: mkstemp: Read-only file system
 Jan 02 17:15:43 localhost apparmor.systemd[461]: Error: /etc/apparmor.d/usr.lib.dovecot.dovecot-lda failed to load
 Jan 02 17:15:43 localhost apparmor.systemd[461]: mkstemp: Read-only file system
 Jan 02 17:15:43 localhost apparmor.systemd[461]: Error: /etc/apparmor.d/usr.lib.dovecot.imap failed to load
 Jan 02 17:15:44 localhost systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
 Jan 02 17:15:44 localhost systemd[1]: Failed to start Load AppArmor profiles.
 Jan 02 17:15:44 localhost systemd[1]: apparmor.service: Unit entered failed state.
 Jan 02 17:15:44 localhost systemd[1]: apparmor.service: Failed with result 'exit-code'.

https://openqa.opensuse.org/tests/572483#step/journal_check/14
Comment 1 Thorsten Kukuk 2018-01-03 09:24:41 UTC
Known problem [bsc#1069906], looks like the errors are now no longer ignored ...
Comment 2 Swamp Workflow Management 2018-01-04 15:30:22 UTC
This is an autogenerated message for OBS integration:
This bug (1074429) was mentioned in
https://build.opensuse.org/request/show/561675 Factory / apparmor
Comment 3 Christian Boltz 2018-01-09 23:37:18 UTC
Since snapshot 20180107, cache write failures were "downgraded" to a warning which should solve the obvious part of this bug.

Note that Kubic will probably never get a profile cache (unless someone runs "rcapparmor reload" while /var/lib/apparmor/cache/ is mounted rw) which has an impact on boot time.

Thorsten and Richard, is this something you could help with? 
I know that pre-compiling the cache is possible (AFAIK it was done for Ubuntu Phone, and I'm also sure upstream will tell us how), but my non-existing knowledge about Kubic makes it hard to come up with a fix ;-)
Comment 4 Thorsten Kukuk 2018-01-10 12:46:56 UTC
You can precompile the cache with:

for profile in "$PROFILE_DIR"/*; do
  apparmor_parser $ABSTRACTIONS --skip-read-cache --write-cache --skip-kernel-load "$profile"
done

Do that with a service file and/or timer, which runs at the end of the boot process or some time after the boot process.

This only works if the profile is loaded, even if writing the cache fails. In the past, if writing the cache fails, the profile was not loaded! If this is still the case, then you need a systemd.service running after local-fs.target is reached, doing a rcapparmor reload.
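
Added example, not part of this bug report or of the AppArmor package: one way to wrap the loop from Comment 4 into a script that a oneshot service ordered after local-fs.target could call. The CACHE_DIR default (taken from Comment 3), the APPARMOR_PARSER override and the file-name skip list are assumptions; $ABSTRACTIONS from the comment is left out.

```shell
#!/bin/sh
# Added example. PROFILE_DIR, CACHE_DIR and APPARMOR_PARSER are assumed names;
# override them from the environment of the calling service if needed.
PROFILE_DIR=${PROFILE_DIR:-/etc/apparmor.d}
CACHE_DIR=${CACHE_DIR:-/var/lib/apparmor/cache}
APPARMOR_PARSER=${APPARMOR_PARSER:-apparmor_parser}

# Compile every profile into the cache without touching the kernel policy.
# Returns 0 if all profiles compiled, 1 if any failed, 2 if the cache
# directory is missing or not writable (e.g. still mounted read-only).
precompile_cache() {
    if [ ! -d "$CACHE_DIR" ] || [ ! -w "$CACHE_DIR" ]; then
        echo "cache dir $CACHE_DIR not writable, skipping" >&2
        return 2
    fi
    failed=0
    for profile in "$PROFILE_DIR"/*; do
        # Profiles are regular files; abstractions/, tunables/ etc. are directories.
        [ -f "$profile" ] || continue
        # Skip package-manager and editor leftovers (assumed skip list).
        case $profile in
            *.rpmnew|*.rpmsave|*.orig|*~) continue ;;
        esac
        if ! "$APPARMOR_PARSER" --skip-read-cache --write-cache \
                --skip-kernel-load --cache-loc "$CACHE_DIR" "$profile"; then
            echo "failed to compile: $profile" >&2
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}

# Only act when asked to, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
    precompile_cache
fi
```
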
Comment 5 Thorsten Kukuk 2018-01-11 15:00:02 UTC
The problem still exists, only with another error message:
Jan 11 14:56:06 localhost apparmor.systemd[510]: Restarting AppArmor
Jan 11 14:56:06 localhost apparmor.systemd[510]: Reloading AppArmor profiles
Jan 11 14:56:07 localhost apparmor.systemd[510]: Failed setting up policy cache (/etc/apparmor.d/cache): Read-only file system
Jan 11 14:56:07 localhost apparmor.systemd[510]: Error: /etc/apparmor.d/bin.ping failed to load
Jan 11 14:56:07 localhost apparmor.systemd[510]: Failed setting up policy cache (/etc/apparmor.d/cache): Read-only file system
Jan 11 14:56:07 localhost apparmor.systemd[510]: Error: /etc/apparmor.d/sbin.klogd failed to load
...
Jan 11 14:56:07 localhost systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Jan 11 14:56:07 localhost systemd[1]: Failed to start Load AppArmor profiles.
Jan 11 14:56:07 localhost systemd[1]: apparmor.service: Unit entered failed state.
Jan 11 14:56:07 localhost systemd[1]: apparmor.service: Failed with result 'exit-code'.
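
Added example, not part of this bug report: a profile that fails to load is not enforced, so the first triage step for logs like the ones above is to list which profiles are affected and whether a read-only cache location is the stated cause. The sample lines are constructed from the two message shapes quoted in this bug; the last one, with no preceding cause, is made up to show the other branch.

```shell
#!/bin/sh
# Constructed sample in the journal format quoted in this bug report.
sample_journal() {
cat <<'EOF'
Jan 02 17:15:43 localhost apparmor.systemd[461]: mkstemp: Read-only file system
Jan 02 17:15:43 localhost apparmor.systemd[461]: Error: /etc/apparmor.d/usr.lib.dovecot.imap failed to load
Jan 11 14:56:07 localhost apparmor.systemd[510]: Failed setting up policy cache (/etc/apparmor.d/cache): Read-only file system
Jan 11 14:56:07 localhost apparmor.systemd[510]: Error: /etc/apparmor.d/bin.ping failed to load
Jan 11 14:56:08 localhost apparmor.systemd[510]: Error: /etc/apparmor.d/sbin.klogd failed to load
EOF
}

# Read journal lines on stdin and print "<cause><TAB><profile>" for every
# profile that failed to load. cause is "cache-ro" when the message directly
# before the error ends in "Read-only file system", otherwise "other"
# (the profile itself needs a look).
triage_failed_profiles() {
    awk '
        /apparmor\.systemd\[[0-9]+\]: / {
            msg = $0
            sub(/^.*apparmor\.systemd\[[0-9]+\]: /, "", msg)
            if (msg ~ /^Error: .* failed to load$/) {
                profile = msg
                sub(/^Error: /, "", profile)
                sub(/ failed to load$/, "", profile)
                cause = (prev ~ /Read-only file system$/) ? "cache-ro" : "other"
                printf "%s\t%s\n", cause, profile
                prev = ""
            } else {
                prev = msg
            }
        }'
}

# On a live system:
#   journalctl -b -u apparmor.service --no-pager | triage_failed_profiles
sample_journal | triage_failed_profiles
```
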
Comment 6 Thorsten Kukuk 2018-01-12 09:10:22 UTC
Submitted a trivial fix for the new errors. All profiles are now loaded, but of course no cache will be created.
Comment 7 Swamp Workflow Management 2018-01-16 21:30:10 UTC
This is an autogenerated message for OBS integration:
This bug (1074429) was mentioned in
https://build.opensuse.org/request/show/566495 Factory / apparmor
Comment 8 Christian Boltz 2018-04-15 20:27:42 UTC
I'm just packaging AppArmor 2.13, which allows shipping a pre-built cache :-)
Comment 9 Swamp Workflow Management 2018-04-20 00:10:20 UTC
This is an autogenerated message for OBS integration:
This bug (1074429) was mentioned in
https://build.opensuse.org/request/show/598829 Factory / apparmor
Comment 10 Christian Boltz 2018-05-31 18:53:15 UTC
With AppArmor 2.13 (which has been in Tumbleweed for a while), this is fixed :-)
Comment 11 Richard Brown 2019-09-26 14:53:07 UTC
clearing obsolete NEEDINFO