[Bug 1058356] Re: fails to install when kernel does not provide block_suspend capability

Jamie Strandboge jamie at ubuntu.com
Fri Oct 12 19:48:46 UTC 2012 

** Description changed:

- On our Jenkins builds we're getting a failure to install the cups
- package.  This seems to be because the apparmor profile looks for
- suspend capability but the virtualized builders do not have it.  Here
- seems to be the relevant log:
+ [IMPACT] 
+  * Users upgrading from 12.04 LTS to 12.10 will encounter upgrade errors because 
+    apparmor_parser fails to load new policy on an old kernel. Specifically, the
+    block_suspend capability is new in the 12.10 kernel and does not exist in the
+    12.04 LTS kernel. On upgrade, the cups upstart job calls
+    /lib/init/apparmor-profile-load from upstart, which in turn calls apparmor_parser.
+    apparmor_parser will exit with error on upgrades causing the upstart job to fail
+    no restart, which is performed during the upgrade.
+ 
+ [TESTCASE]
+  * One can either
+    - perform an upgrade from 12.04 to 12.10, or
+    - obtain the apparmor profile from the 12.10 cups package[1], copy it to 
+      /etc/apparmor.d/usr.sbin.cupsd and then perform 'sudo restart cups'. If the
+      bug is not fixed, you will see 'restart: Job failed to restart'. If it is
+      fixed, you will see 'cups start/running, process ####' (note, if cups is not
+      already running you will need to do 'sudo start cups' instead of 'restart').
+ 
+ [1]http://bazaar.launchpad.net/~ubuntu-
+ branches/ubuntu/quantal/cups/quantal/view/head:/debian/local/apparmor-
+ profile
+ 
+ [Regression Potential] 
+  * The regression potential is extremely low. The only change is adding '|| exit 0' to a 
+    shell script.
+ 
+ [Other Info]
+  * This has been discussed with the security team, the release team and foundations and 
+    we all agree this is the best fix at this time.
+ 
+ 
+ Previous report:
+ On our Jenkins builds we're getting a failure to install the cups package.  This seems to be because the apparmor profile looks for suspend capability but the virtualized builders do not have it.  Here seems to be the relevant log:
  
  AppArmor parser error for /etc/apparmor.d/usr.sbin.cupsd in /etc/apparmor.d/usr.sbin.cupsd at line 24: Invalid capability block_suspend.
  start: Job failed to start
  invoke-rc.d: initscript cups, action "start" failed.
  dpkg: error processing cups (--configure):
-  subprocess installed post-installation script returned error exit status 1
+  subprocess installed post-installation script returned error exit status 1
  Errors were encountered while processing:
-  cups
+  cups
  E: Sub-process /usr/bin/dpkg returned an error code (1)
  
  Full log: https://jenkins.qa.ubuntu.com/job/indicator-session-
  ci/label=quantal/16/console

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to upstart in Ubuntu.
https://bugs.launchpad.net/bugs/1058356

Title:
  fails to install when kernel does not provide block_suspend capability

Status in “upstart” package in Ubuntu:
  Fix Committed
Status in “upstart” source package in Quantal:
  Fix Committed

Bug description:
  [IMPACT] 
   * Users upgrading from 12.04 LTS to 12.10 will encounter upgrade errors because 
     apparmor_parser fails to load new policy on an old kernel. Specifically, the
     block_suspend capability is new in the 12.10 kernel and does not exist in the
     12.04 LTS kernel. On upgrade, the cups upstart job calls
     /lib/init/apparmor-profile-load from upstart, which in turn calls apparmor_parser.
     apparmor_parser will exit with error on upgrades causing the upstart job to fail
     no restart, which is performed during the upgrade.

  [TESTCASE]
   * One can either
     - perform an upgrade from 12.04 to 12.10, or
     - obtain the apparmor profile from the 12.10 cups package[1], copy it to 
       /etc/apparmor.d/usr.sbin.cupsd and then perform 'sudo restart cups'. If the
       bug is not fixed, you will see 'restart: Job failed to restart'. If it is
       fixed, you will see 'cups start/running, process ####' (note, if cups is not
       already running you will need to do 'sudo start cups' instead of 'restart').

  [1]http://bazaar.launchpad.net/~ubuntu-
  branches/ubuntu/quantal/cups/quantal/view/head:/debian/local/apparmor-
  profile

  [Regression Potential] 
   * The regression potential is extremely low. The only change is adding '|| exit 0' to a 
     shell script.

  [Other Info]
   * This has been discussed with the security team, the release team and foundations and 
     we all agree this is the best fix at this time.

  
  Previous report:
  On our Jenkins builds we're getting a failure to install the cups package.  This seems to be because the apparmor profile looks for suspend capability but the virtualized builders do not have it.  Here seems to be the relevant log:

  AppArmor parser error for /etc/apparmor.d/usr.sbin.cupsd in /etc/apparmor.d/usr.sbin.cupsd at line 24: Invalid capability block_suspend.
  start: Job failed to start
  invoke-rc.d: initscript cups, action "start" failed.
  dpkg: error processing cups (--configure):
   subprocess installed post-installation script returned error exit status 1
  Errors were encountered while processing:
   cups
  E: Sub-process /usr/bin/dpkg returned an error code (1)

  Full log: https://jenkins.qa.ubuntu.com/job/indicator-session-
  ci/label=quantal/16/console

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/upstart/+bug/1058356/+subscriptions

More information about the foundations-bugs mailing list