[Bug 2015596] Re: Mismatched apparmor features on HWE kernel roll
John Chittum
2015596 at bugs.launchpad.net
Fri Apr 7 20:06:09 UTC 2023
MP: https://code.launchpad.net/~jchittum/livecd-rootfs/+git/livecd-rootfs/+merge/440607
** Description changed:
In Ubuntu 22.04, the HWE kernel has rolled to 5.19. the 5.19 kernel
includes the apparmor feature for ipc/posix_mqueue. livecd-rootfs only
contains features for the 5.15 kernel, thus missing ipc/posix_mqueue.
This leads to snap_preseed having a mismatch in features, and the
preseed is not optimized. in a cloud environment this can lead to boot
delays of between 5 and 10s (rough measurements observed while
debugging)
livecd-rootfs bind mounts apparmor features in
functions/setup_mountpoint. This occurs early in the process when the
- final kernel is unknown.
+ final kernel is unknown. This only affects 22.04 at this time, but a
+ fix, when committed, should also be in the main branch, to ensure future
+ compatibility
+
+ TESTING
+
+ a failing system will present issues when checking `snap debug seeding`
+
+ example bad output:
+
+ 'preseed-system-key': {'apparmor-features': ['caps', 'dbus', 'domain', 'file',
+ 'mount', 'namespaces', 'network',
+ 'network_v8', 'policy', 'ptrace',
+ 'query', 'rlimit', 'signal'],
+ 'apparmor-parser-features': ['cap-audit-read',
+ 'cap-bpf', 'mqueue',
+ 'qipcrtr-socket', 'unsafe',
+ 'xdp'],
+ 'apparmor-parser-mtime': 1666191120,
+ 'build-id': '79b62e11a4cf60b38c3e2449d220a6078db42607',
+ 'cgroup-version': '2',
+ 'nfs-home': False,
+ 'overlay-root': '',
+ 'seccomp-compiler-version': 'd9242946c125eab1ac4e30a3a7f48ee885551585 '
+ '2.5.4 '
+ 'c3c9b282ef3c8dfcc3124b2aeaef62f56b813bfd21f8806b30a6c9dbc2e6e58d '
+ 'bpf-actlog',
+ 'seccomp-features': ['allow', 'errno', 'kill_process',
+ 'kill_thread', 'log', 'trace',
+ 'trap', 'user_notif'],
+ 'version': 10},
+ 'preseeded': True,
+ 'seed-completion': '5.765s',
+ 'seed-restart-system-key': {'apparmor-features': ['caps', 'dbus', 'domain',
+ 'file', 'ipc', 'mount',
+ 'namespaces', 'network',
+ 'network_v8', 'policy',
+ 'ptrace', 'query', 'rlimit',
+ 'signal'],
+ 'apparmor-parser-features': ['cap-audit-read',
+ 'cap-bpf', 'mqueue',
+ 'qipcrtr-socket',
+ 'unsafe', 'xdp'],
+ 'apparmor-parser-mtime': 1666191120,
+ 'build-id': '79b62e11a4cf60b38c3e2449d220a6078db42607',
+ 'cgroup-version': '2',
+ 'nfs-home': False,
+ 'overlay-root': '',
+ 'seccomp-compiler-version': 'd9242946c125eab1ac4e30a3a7f48ee885551585 '
+ '2.5.4 '
+ 'c3c9b282ef3c8dfcc3124b2aeaef62f56b813bfd21f8806b30a6c9dbc2e6e58d '
+ 'bpf-actlog',
+ 'seccomp-features': ['allow', 'errno',
+ 'kill_process', 'kill_thread',
+ 'log', 'trace', 'trap',
+ 'user_notif'],
+ 'version': 10},
+ 'seeded': True}
+
+ This shows the comparison between what was seeded ('preseed-system-key'
+ and the running system 'seed-restart-system-key')
+
+ a passing test will only have times:
+
+ {'image-preseeding': '9.238s',
+ 'preseeded': True,
+ 'seed-completion': '9.726s',
+ 'seeded': True}
+
+ to test:
+
+ 1. create an image with an HWE kernel (for CPC this is ec2, gce, azure, oracle)
+ 2. register image in cloud
+ 3. run an instance
+ 4. check `snap debug seeding`
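The test procedure above boils down to reading the two system keys that `snap debug seeding` reports and spotting which field differs (here, `ipc` present in `seed-restart-system-key` but absent from `preseed-system-key`). The script below is an added example, not code from the bug report, livecd-rootfs or snapd: it parses the Python-literal form of the report shown in this bug, diffs the two keys field by field, and declares the preseed effective only when the report carries just the timing fields, which is what the bug describes as passing output. The sample reports embedded in it are constructed from the values quoted above and trimmed to the relevant keys; the function names are the example's own. If your snapd prints the report as YAML rather than as a Python literal, replace `ast.literal_eval` with `yaml.safe_load`.

```python
"""Diff the two system keys reported by `snap debug seeding`."""
import ast

# Constructed sample, mirroring the "bad output" in the bug: the 5.19 HWE
# kernel exposes the 'ipc' apparmor feature, but the preseed was built
# against the 5.15 feature set, so the keys differ and seeding was redone.
BAD_REPORT = """{'preseed-system-key': {'apparmor-features': ['caps', 'dbus', 'domain',
                  'file', 'mount', 'namespaces', 'network', 'network_v8', 'policy',
                  'ptrace', 'query', 'rlimit', 'signal'],
             'apparmor-parser-features': ['cap-audit-read', 'cap-bpf', 'mqueue',
                  'qipcrtr-socket', 'unsafe', 'xdp'],
             'cgroup-version': '2', 'version': 10},
 'preseeded': True,
 'seed-completion': '5.765s',
 'seed-restart-system-key': {'apparmor-features': ['caps', 'dbus', 'domain',
                  'file', 'ipc', 'mount', 'namespaces', 'network', 'network_v8',
                  'policy', 'ptrace', 'query', 'rlimit', 'signal'],
             'apparmor-parser-features': ['cap-audit-read', 'cap-bpf', 'mqueue',
                  'qipcrtr-socket', 'unsafe', 'xdp'],
             'cgroup-version': '2', 'version': 10},
 'seeded': True}"""

# Constructed sample of a passing report: only timing fields, no system keys.
GOOD_REPORT = """{'image-preseeding': '9.238s',
 'preseeded': True,
 'seed-completion': '9.726s',
 'seeded': True}"""


def parse_report(text):
    """Parse the Python-literal form of the report (as pasted in the bug)."""
    return ast.literal_eval(text)


def key_mismatches(preseed, restart):
    """Return {field: (only_in_preseed, only_at_restart)} for each differing field.

    List-valued fields (feature lists) are compared as sets so the result names
    the individual features that differ; other fields report both raw values.
    """
    diffs = {}
    for field in sorted(set(preseed) | set(restart)):
        a, b = preseed.get(field), restart.get(field)
        if a == b:
            continue
        if isinstance(a, list) and isinstance(b, list):
            diffs[field] = (sorted(set(a) - set(b)), sorted(set(b) - set(a)))
        else:
            diffs[field] = (a, b)
    return diffs


def preseed_effective(report):
    """True when the report carries no system-key pair.

    Per the bug, a passing system prints only the timing fields; the two keys
    appear only when the preseeded state was rejected at first boot.
    """
    return ('preseed-system-key' not in report
            and 'seed-restart-system-key' not in report)


def summarize(text):
    """Human-readable verdict plus the field diff (empty when effective)."""
    report = parse_report(text)
    if preseed_effective(report):
        return "preseed effective", {}
    diffs = key_mismatches(report['preseed-system-key'],
                           report['seed-restart-system-key'])
    return "preseed rejected (system key mismatch)", diffs


if __name__ == "__main__":
    for name, text in (("bad", BAD_REPORT), ("good", GOOD_REPORT)):
        verdict, diffs = summarize(text)
        print(f"{name}: {verdict}")
        for field, (only_pre, only_run) in diffs.items():
            print(f"  {field}: missing from preseed={only_run} extra in preseed={only_pre}")
```

Run against a real instance with `snap debug seeding` piped in, the output points straight at the feature the image's bind-mounted feature set lacks, which is the check to repeat after an HWE kernel roll.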
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to livecd-rootfs in Ubuntu.
https://bugs.launchpad.net/bugs/2015596
Title:
Mismatched apparmor features on HWE kernel roll
Status in livecd-rootfs package in Ubuntu:
New