### VERIFICATION DONE FOCAL ### # previous apparmor version apt-cache policy apparmor package name: apparmor package version: 2.13.3-7ubuntu5.1 series: Focal kernel: Linux 5.4.0-136-generic
# before enabling -proposed generate focal-yoga instance juju ssh nova-compute/0 # verify no apparmor errors in logs cat /var/log/syslog | grep Error # verify apparmor is running sudo systemctl status apparmor # trigger error sudo systemctl restart apparmor # The apparmor service never successfully restarts Job for apparmor.service failed because the control process exited with error code. See "systemctl status apparmor.service" and "journalctl -xe" for details cat /var/log/syslog Error messages in syslog: Jan 11 15:46:14 juju-5c2ee8-appbug-9 apparmor.systemd[52695]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf. Jan 11 15:46:14 juju-5c2ee8-appbug-9 apparmor.systemd[52669]: Error: At least one profile failed to load Jan 11 15:46:14 juju-5c2ee8-appbug-9 systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE ### Enable proposed ### # testing with focal-yoga Apparmor version tested - 2.13.3-7ubuntu5.2 sudo apt-cache policy apparmor sudo vim /etc/apt/sources.list # add -proposed deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-proposed main universe # save and exit sudo apt-get update sudo apt-get upgrade apparmor -y sudo systemctl restart apparmor systemctl status apparmor Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled) Active: active (exited) since Wed 2023-01-11 15:55:19 UTC; 20s ago tail -n 1000 /var/log/syslog # no errors are thrown by apparmor Jan 11 15:54:41 juju-5c2ee8-appbug-9 systemd[1]: Reloading. Jan 11 15:55:19 juju-5c2ee8-appbug-9 systemd[1]: Starting Load AppArmor profiles... Jan 11 15:55:19 juju-5c2ee8-appbug-9 apparmor.systemd[66497]: Restarting AppArmor Jan 11 15:55:19 juju-5c2ee8-appbug-9 apparmor.systemd[66497]: Reloading AppArmor profiles Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612010] kauditd_printk_skb: 9 callbacks suppressed Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612013] audit: type=1400 audit(1673452519.139:106): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="nvidia_modprobe" pid=66503 comm="apparmor_parser" Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612022] audit: type=1400 audit(1673452519.139:107): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="nvidia_modprobe//kmod" pid=66503 comm="apparmor_parser" Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612179] audit: type=1400 audit(1673452519.139:108): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=66502 comm="apparmor_parser" Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612183] audit: type=1400 audit(1673452519.139:109): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=66502 comm="apparmor_parser" Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612186] audit: type=1400 audit(1673452519.139:110): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=66502 comm="apparmor_parser" Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612187] audit: type=1400 audit(1673452519.139:111): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/{,usr/}sbin/dhclient" pid=66502 comm="apparmor_parser" Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.614725] audit: type=1400 audit(1673452519.139:112): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/man" pid=66504 comm="apparmor_parser" Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.614729] audit: type=1400 audit(1673452519.139:113): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="man_filter" pid=66504 comm="apparmor_parser" Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.614731] audit: type=1400 audit(1673452519.139:114): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="man_groff" pid=66504 comm="apparmor_parser" Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.618860] audit: type=1400 audit(1673452519.143:115): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/sbin/tcpdump" pid=66505 comm="apparmor_parser" Jan 11 15:55:19 juju-5c2ee8-appbug-9 apparmor.systemd[66525]: Skipping profile in /etc/apparmor.d/disable: usr.bin.nova-compute Jan 11 15:55:19 juju-5c2ee8-appbug-9 apparmor.systemd[66526]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Jan 11 15:55:19 juju-5c2ee8-appbug-9 systemd[1]: Finished Load AppArmor profiles. # Conclusion Apparmor is working as intended # Additional functional tests after upgrade sudo apparmor_status apparmor module is loaded. 31 profiles are loaded. 31 profiles are in enforce mode. /snap/snapd/17950/usr/lib/snapd/snap-confine ... snap.lxd.lxd snap.lxd.migrate virt-aa-helper If there is additional testing needed, please add a comment. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1988270 Title: AppArmor fails to start with Yoga UCA libvirt profile on Focal Status in Ubuntu Cloud Archive: Confirmed Status in Ubuntu Cloud Archive yoga series: Confirmed Status in Ubuntu Cloud Archive zed series: Confirmed Status in apparmor package in Ubuntu: Invalid Status in apparmor source package in Focal: Confirmed Status in apparmor source package in Jammy: Confirmed Bug description: [ Impact ] AppArmor fails to start with yoga-focal uca libvirt profile [ Test Plan ] generate yoga-focal openstack instance juju ssh nova-compute/0 sudo systemctl restart apparmor journalctl -xe # Error message ct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94081]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.li> Oct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94082]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Oct 04 15:55:32 juju-6d4862-apparmorbug-9 audit[94084]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="u> Oct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94005]: Error: At least one profile failed to load [ Other Notes ] On a fully patched Ubuntu Focal with Yoga UCA enabled, after installation of libvirt-daemon-system, restarting apparmor would fail with error: Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Restarting AppArmor Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Reloading AppArmor profiles Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6341]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6348]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf. Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6413]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf. Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6418]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Error: At least one profile failed to load Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Failed with result 'exit-code'. Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: Failed to start Load AppArmor profiles. In addition to bpf, perfmon capability, which is also enabled in /etc/apparmor.d/usr.sbin.libvirtd profile, would lead to the same error. System information: root@ubuntu2004:~# uname -a Linux ubuntu2004.localdomain 5.4.0-125-generic #141-Ubuntu SMP Wed Aug 10 13:42:03 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux root@ubuntu2004:~# dpkg -l libvirt\* Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==========================================-=======================-============-============================================================= ii libvirt-clients 8.0.0-1ubuntu7.1~cloud0 amd64 Programs for the libvirt library ii libvirt-daemon 8.0.0-1ubuntu7.1~cloud0 amd64 Virtualization daemon ii libvirt-daemon-config-network 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (default network) ii libvirt-daemon-config-nwfilter 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (default network filters) un libvirt-daemon-driver-lxc <none> <none> (no description available) ii libvirt-daemon-driver-qemu 8.0.0-1ubuntu7.1~cloud0 amd64 Virtualization daemon QEMU connection driver un libvirt-daemon-driver-storage-gluster <none> <none> (no description available) un libvirt-daemon-driver-storage-iscsi-direct <none> <none> (no description available) un libvirt-daemon-driver-storage-rbd <none> <none> (no description available) un libvirt-daemon-driver-storage-zfs <none> <none> (no description available) un libvirt-daemon-driver-vbox <none> <none> (no description available) un libvirt-daemon-driver-xen <none> <none> (no description available) ii libvirt-daemon-system 8.0.0-1ubuntu7.1~cloud0 amd64 Libvirt daemon configuration files ii libvirt-daemon-system-systemd 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (systemd) un libvirt-daemon-system-sysv <none> <none> (no description available) un libvirt-login-shell <none> <none> (no description available) un libvirt-sanlock <none> <none> (no description available) ii libvirt0:amd64 8.0.0-1ubuntu7.1~cloud0 amd64 library for interfacing with different virtualization systems root@ubuntu2004:~# dpkg -l apparmor\* Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-=======================-=================-============-====================================== ii apparmor 2.13.3-7ubuntu5.1 amd64 user-space parser utility for AppArmor un apparmor-profiles-extra <none> <none> (no description available) un apparmor-utils <none> <none> (no description available) To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1988270/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
