** Changed in: pollinate (Ubuntu)
   Importance: Undecided => Critical

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2119237

Title:
  Pollinate on Questing fails while reading from /tmp

Status in apparmor package in Ubuntu:
  In Progress
Status in pollinate package in Ubuntu:
  Confirmed

Bug description:
  1. What is the problem

  On Questing, pollinate fails because it is unable to read from /tmp.

  On an Azure VM this was first noticed with this AppArmor denied log:

  'Jul 19 21:42:00 alan-questing-base-qmnqdpkjhr kernel: audit: type=1400 audit(1752961320.498:173): apparmor="DENIED" operation="open" class="file" profile="curl" name="/tmp/pollinate.MUbjijIRZipY/challenge" pid=989 comm="curl" requested_mask="r" denied_mask="r" fsuid=105 ouid=105'

  We started seeing this log appear after the images started including AppArmor 4.1.1-0ubuntu3, changelog:
  https://launchpad.net/ubuntu/+source/apparmor/4.1.1-0ubuntu3

  This version of AppArmor introduced a profile for curl which allows writing but not reading from /tmp.

  From reviewing the source I believe pollinate is reading from /tmp when it uses curl's --data @filename flag to send POST data. The relevant source code is:

    if curl --connect-timeout "${WAIT}" --max-time "${WAIT}" -A "${USER_AGENT}" -o- -v --trace-time --data @${f1} ${CURL_OPTS} ${server} >"${out}" 2>"${err}"; then

  from https://git.launchpad.net/ubuntu/+source/pollinate/tree/pollinate#n234

  2. Steps to reproduce with LXD

  # Get the questing image assets from before the apparmor update
  wget https://cloud-images.ubuntu.com/questing/20250617/questing-server-cloudimg-amd64-lxd.tar.xz
  wget https://cloud-images.ubuntu.com/questing/20250617/questing-server-cloudimg-amd64-root.tar.xz

  # Import the image in lxc, this returns a fingerprint
  lxc image import questing-server-cloudimg-amd64-lxd.tar.xz questing-server-cloudimg-amd64-root.tar.xz --alias lp2119237

  # Start a container from this image
  lxc launch local:lp2119237 pollinate-testing
  lxc exec pollinate-testing /bin/bash

  apt list --installed pollinate
  apt list --installed apparmor

  # running pollinate works
  pollinate

  # Update apparmor which will bring in the new curl profile
  apt update
  apt-get install --only-upgrade apparmor

  # running with --reseed is necessary after the first time
  # this will fail because we have updated apparmor and the curl profile now blocks pollinate from reading from /tmp
  pollinate --reseed
  <13>Jul 31 15:47:51 pollinate[2159]: system was previously seeded at [2025-07-31 15:46:39.391715413 +0000]
  <13>Jul 31 15:47:51 pollinate[2159]: client sent challenge to [https://entropy.ubuntu.com/]
  <13>Jul 31 15:47:51 pollinate[2159]: WARNING: Network communication failed [26]
  curl: Failed to open /tmp/pollinate.rGrxuFK3fHGU/challenge
  curl: option --data: error encountered when reading a file
  curl: try 'curl --help' or 'curl --manual' for more information

  # To clean up afterwards
  lxc delete --force pollinate-testing
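
A triage helper for the AppArmor denial quoted in the bug description, as an added example that is not part of the original bug report or of the pollinate or AppArmor code: it parses apparmor="DENIED" audit records and groups file denials by profile, command, denied mask and directory. The function names, the second audit line and the non-audit line are constructed for illustration; the first line is the one from the report.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# key="quoted value" or key=bare_value pairs as they appear in audit records
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for any other line."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: (quoted if quoted else bare)
            for key, quoted, bare in FIELD_RE.findall(line)}

def summarize(lines):
    """Count file denials per (profile, comm, denied_mask, parent directory)."""
    counts = Counter()
    for line in lines:
        d = parse_denial(line)
        if d is None or d.get("class") != "file":
            continue
        parent = str(PurePosixPath(d["name"]).parent)
        # Collapse the random directory suffix (pollinate.MUbjijIRZipY) so repeats group
        parent = re.sub(r"\.[A-Za-z0-9]{6,}$", ".*", parent)
        counts[(d["profile"], d["comm"], d["denied_mask"], parent)] += 1
    return counts

# Audit line quoted in the bug report
PAGE_LINE = ('Jul 19 21:42:00 alan-questing-base-qmnqdpkjhr kernel: audit: type=1400 '
             'audit(1752961320.498:173): apparmor="DENIED" operation="open" class="file" '
             'profile="curl" name="/tmp/pollinate.MUbjijIRZipY/challenge" pid=989 '
             'comm="curl" requested_mask="r" denied_mask="r" fsuid=105 ouid=105')
# Constructed audit line using the second temp path that appears in the report
CONSTRUCTED_LINE = ('Jul 31 15:47:51 host kernel: audit: type=1400 '
                    'audit(1753976871.000:201): apparmor="DENIED" operation="open" '
                    'class="file" profile="curl" name="/tmp/pollinate.rGrxuFK3fHGU/challenge" '
                    'pid=2170 comm="curl" requested_mask="r" denied_mask="r" fsuid=105 ouid=105')
# Constructed non-audit line that must be ignored
NOISE_LINE = 'Jul 31 15:47:51 host pollinate[2159]: client sent challenge to [https://entropy.ubuntu.com/]'
SAMPLE_LINES = [PAGE_LINE, NOISE_LINE, CONSTRUCTED_LINE]

if __name__ == "__main__":
    for (profile, comm, mask, parent), n in summarize(SAMPLE_LINES).items():
        print(f"{n} denial(s): profile={profile} comm={comm} denied_mask={mask} dir={parent}")
```
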

