[Touch-packages] [Bug 2056802] Re: crypttab does not honor `x-initrd.attach` option
ack, thanks I will mark as invalid.
systemd brings its own crypttab implementation. We try to cover the
differences between the systemd and our implementation in this manpage,
https://manpages.ubuntu.com/manpages/noble/en/man5/crypttab.5.html#on%20different%20crypttab%20formats
** Changed in: systemd (Ubuntu Focal)
Status: Incomplete => Invalid
** Changed in: systemd (Ubuntu Jammy)
Status: Incomplete => Invalid
** Changed in: systemd (Ubuntu Mantic)
Status: Incomplete => Invalid
** Changed in: systemd (Ubuntu Noble)
Status: Incomplete => Invalid
** Changed in: systemd (Ubuntu Noble)
Assignee: Heather Lemon (hypothetical-lemon) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2056802
Title:
crypttab does not honor `x-initrd.attach` option
Status in systemd package in Ubuntu:
Invalid
Status in systemd source package in Bionic:
Won't Fix
Status in systemd source package in Focal:
Invalid
Status in systemd source package in Jammy:
Invalid
Status in systemd source package in Mantic:
Invalid
Status in systemd source package in Noble:
Invalid
Bug description:
From systemd version 245+ an option was added x-initrd.attach
-
Setup this encrypted block device in the initrd, similarly to
systemd.mount(5) units marked with x-initrd.mount.
Although it's not necessary to mark the mount entry for the root file
system with x-initrd.mount, x-initrd.attach is still recommended with
the encrypted block device containing the root file system as
otherwise systemd will attempt to detach the device during the regular
system shutdown while it's still in use. With this option the device
will still be detached but later after the root file system is
unmounted.
All other encrypted block devices that contain file systems mounted in
the initrd should use this option.
Added in version 245. [0]
-
release: noble
systemd version: 253.5-1ubuntu6
Install noble to a vm with virt-manager and encrypt the lvm during subiquity
install.
After successful install,
Modify /etc/crypttab to include the parameter in the 4th column
example:
sda6_crypt UUID=099aae4a-b11b-49a6-a6c4-62939eddf7a0 none luks,x-initrd.attach
update-initramfs -u -k all
During boot or shutdown the logs show
cryptsetup: WARNING: dm_crypt-0: ignoring unknown option x-initrd.attach
There are two separate problems
1. crypttab doesn't recognize x-initrd.attach option in /etc/crypttab file.
cryptsetup: WARNING: dm_crypt-0: ignoring unknown option x-initrd.attach
2. this error happens on shutdown/restart
[systemd-cryptsetup]: Device dm-crypt-0 is still in use.
[systemd-cryptsetup]: Failed to deactivate: Device or resource busy.
The vm does eventually shutdown after throwing the above warnings.
[0]
https://www.freedesktop.org/software/systemd/man/latest/crypttab.html#x-initrd.attach
These patches look like they could fix the issue, The last one might not be
needed.
git format-patch -1 8ce02b87cece09797c1030c778db4180e1e2ce2e
https://github.com/systemd/systemd/commit/8ce02b87cece09797c1030c778db4180e1e2ce2e
git format-patch -1 1dc85eff1d0dff18aaeaae530c91bf53f34b726e
https://github.com/systemd/systemd/commit/1dc85eff1d0dff18aaeaae530c91bf53f34b726e
git format-patch -1 bf1484c70a24cf04c145a9509c8124ffd7fb0879
https://github.com/systemd/systemd/commit/bf1484c70a24cf04c145a9509c8124ffd7fb0879
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2056802/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2056802] [NEW] crypttab does not honor `x-initrd.attach` option
Public bug reported: From systemd version 245+ an option was added x-initrd.attach - Setup this encrypted block device in the initrd, similarly to systemd.mount(5) units marked with x-initrd.mount. Although it's not necessary to mark the mount entry for the root file system with x-initrd.mount, x-initrd.attach is still recommended with the encrypted block device containing the root file system as otherwise systemd will attempt to detach the device during the regular system shutdown while it's still in use. With this option the device will still be detached but later after the root file system is unmounted. All other encrypted block devices that contain file systems mounted in the initrd should use this option. Added in version 245. [0] - release: noble systemd version: 253.5-1ubuntu6 Install noble to a vm with virt-manager and encrypt the lvm during subiquity install. After successful install, Modify /etc/crypttab to include the parameter in the 4th column example: sda6_crypt UUID=099aae4a-b11b-49a6-a6c4-62939eddf7a0 none luks,x-initrd.attach update-initramfs -u -k all During boot or shutdown the logs show cryptsetup: WARNING: dm_crypt-0: ignoring unknown option x-initrd.attach There are two separate problems 1. crypttab doesn't recognize x-initrd.attach option in /etc/crypttab file. cryptsetup: WARNING: dm_crypt-0: ignoring unknown option x-initrd.attach 2. this error happens on shutdown/restart [systemd-cryptsetup]: Device dm-crypt-0 is still in use. [systemd-cryptsetup]: Failed to deactivate: Device or resource busy. The vm does eventually shutdown after throwing the above warnings. [0] https://www.freedesktop.org/software/systemd/man/latest/crypttab.html#x-initrd.attach These patches look like they could fix the issue, The last one might not be needed. git format-patch -1 8ce02b87cece09797c1030c778db4180e1e2ce2e https://github.com/systemd/systemd/commit/8ce02b87cece09797c1030c778db4180e1e2ce2e git format-patch -1 1dc85eff1d0dff18aaeaae530c91bf53f34b726e https://github.com/systemd/systemd/commit/1dc85eff1d0dff18aaeaae530c91bf53f34b726e git format-patch -1 bf1484c70a24cf04c145a9509c8124ffd7fb0879 https://github.com/systemd/systemd/commit/bf1484c70a24cf04c145a9509c8124ffd7fb0879 ** Affects: systemd (Ubuntu) Importance: Undecided Assignee: Heather Lemon (hypothetical-lemon) Status: New ** Affects: systemd (Ubuntu Bionic) Importance: Undecided Status: Won't Fix ** Affects: systemd (Ubuntu Focal) Importance: Undecided Status: New ** Affects: systemd (Ubuntu Jammy) Importance: Undecided Status: New ** Affects: systemd (Ubuntu Mantic) Importance: Undecided Status: New ** Affects: systemd (Ubuntu Noble) Importance: Undecided Assignee: Heather Lemon (hypothetical-lemon) Status: New ** Changed in: systemd (Ubuntu) Assignee: (unassigned) => Heather Lemon (hypothetical-lemon) ** Also affects: systemd (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: systemd (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: systemd (Ubuntu Noble) Importance: Undecided Assignee: Heather Lemon (hypothetical-lemon) Status: New ** Also affects: systemd (Ubuntu Mantic) Importance: Undecided Status: New ** Also affects: systemd (Ubuntu Jammy) Importance: Undecided Status: New ** Description changed: From systemd version 245+ an option was added x-initrd.attach, which Setup this encrypted block device in the initrd, similarly to systemd.mount(5) units marked with x-initrd.mount. - Although it's not necessary to mark the mount entry for the root file + Although it's not necessary to mark the mount entry for the root file system with x-initrd.mount, x-initrd.attach is still recommended with the encrypted block device containing the root file system as otherwise systemd will attempt to detach the device during the regular system shutdown while it's still in use. With this option the device will still be detached but later after the root file system is unmounted. All other encrypted block devices that contain file systems mounted in the initrd should use this option. - Added in version 245. [0] + Added in version 245. [0] - - release: noble + release: noble systemd version: 253.5-1ubuntu6 Install noble to a vm with virt-manager and encrypt the lvm during subiquity install. After successful install, - Modify /etc/crypttab to include the parameter in the 4th column + Modify /etc/crypttab to include the parameter in the 4th column example: sda6_crypt UUID=099aae4a-b11b-49a6-a6c4-62939eddf7a0 none luks,x-initrd.attach update-initramfs -u -k all - During boot or shutdown the logs show + During boot or shutdown the logs show cryptsetup: WARNING: dm_crypt-0: ignoring unknown option x-initrd.attach - There are
[Touch-packages] [Bug 2019856] Re: Add missing ARM-cores to support Grace-based systems
v2 fixed lunar header patch ** Patch added: "lp-2019856-lunar-v2-fix-missing-arm-core-support.debdiff" https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/2019856/+attachment/5674703/+files/lp-2019856-lunar-v2-fix-missing-arm-core-support.debdiff ** Tags added: verification-needed-jammy verification-needed-lunar -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to util-linux in Ubuntu. https://bugs.launchpad.net/bugs/2019856 Title: Add missing ARM-cores to support Grace-based systems Status in util-linux package in Ubuntu: New Status in util-linux source package in Jammy: In Progress Status in util-linux source package in Lunar: In Progress Bug description: [Impact] When running "lscpu" on a Grace-based system + Ubuntu 22.04, it doesn't report a model name: Vendor ID: ARM Model: 0 [Fix] Adding the additional arm_part to sys-utils/lscpu-arm.c solves the problem. The commit below adds the specific codes missing from Jammy's version. https://github.com/util-linux/util- linux/commit/6857cccbb4157d5da34ca98f77a0ac9d68e1e740 [Evidence] When upstream code is compiled, output of lscpu is correctly displayed: Vendor ID: ARM Model name: Neoverse-V2 [What Could Go Wrong] The fix does not apply directly to Jammy's version, as other commits change sys-utils/lscpu-arm.c. The suggestion is only to add the missing arm_part to the list. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/2019856/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2019856] Re: Add missing ARM-cores to support Grace-based systems
fixed header for patch ** Patch added: "lp-2019856v3-jammy-add-arm-core-support.debdiff" https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/2019856/+attachment/5674198/+files/lp-2019856v3-jammy-add-arm-core-support.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to util-linux in Ubuntu. https://bugs.launchpad.net/bugs/2019856 Title: Add missing ARM-cores to support Grace-based systems Status in util-linux package in Ubuntu: New Status in util-linux source package in Jammy: In Progress Status in util-linux source package in Lunar: In Progress Bug description: [Impact] When running "lscpu" on a Grace-based system + Ubuntu 22.04, it doesn't report a model name: Vendor ID: ARM Model: 0 [Fix] Adding the additional arm_part to sys-utils/lscpu-arm.c solves the problem. The commit below adds the specific codes missing from Jammy's version. https://github.com/util-linux/util- linux/commit/6857cccbb4157d5da34ca98f77a0ac9d68e1e740 [Evidence] When upstream code is compiled, output of lscpu is correctly displayed: Vendor ID: ARM Model name: Neoverse-V2 [What Could Go Wrong] The fix does not apply directly to Jammy's version, as other commits change sys-utils/lscpu-arm.c. The suggestion is only to add the missing arm_part to the list. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/2019856/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2019856] Re: Add missing ARM-cores to support Grace-based systems
adds lunar debdiff ** Patch added: "lp-2019856-add-arm-core-lunar.debdiff" https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/2019856/+attachment/5673899/+files/lp-2019856-add-arm-core-lunar.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to util-linux in Ubuntu. https://bugs.launchpad.net/bugs/2019856 Title: Add missing ARM-cores to support Grace-based systems Status in util-linux package in Ubuntu: New Status in util-linux source package in Jammy: In Progress Status in util-linux source package in Lunar: In Progress Bug description: [Impact] When running "lscpu" on a Grace-based system + Ubuntu 22.04, it doesn't report a model name: Vendor ID: ARM Model: 0 [Fix] Adding the additional arm_part to sys-utils/lscpu-arm.c solves the problem. The commit below adds the specific codes missing from Jammy's version. https://github.com/util-linux/util- linux/commit/6857cccbb4157d5da34ca98f77a0ac9d68e1e740 [Evidence] When upstream code is compiled, output of lscpu is correctly displayed: Vendor ID: ARM Model name: Neoverse-V2 [What Could Go Wrong] The fix does not apply directly to Jammy's version, as other commits change sys-utils/lscpu-arm.c. The suggestion is only to add the missing arm_part to the list. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/2019856/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2019856] Re: Add missing ARM-cores to support Grace-based systems
adds jammy debdiff ** Patch added: "lp-2019856-add-missing-arm-cores-jammy.debdiff" https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/2019856/+attachment/5673887/+files/lp-2019856-add-missing-arm-cores-jammy.debdiff ** Changed in: util-linux (Ubuntu Jammy) Status: New => In Progress ** Changed in: util-linux (Ubuntu Lunar) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to util-linux in Ubuntu. https://bugs.launchpad.net/bugs/2019856 Title: Add missing ARM-cores to support Grace-based systems Status in util-linux package in Ubuntu: New Status in util-linux source package in Jammy: In Progress Status in util-linux source package in Lunar: In Progress Bug description: [Impact] When running "lscpu" on a Grace-based system + Ubuntu 22.04, it doesn't report a model name: Vendor ID: ARM Model: 0 [Fix] Adding the additional arm_part to sys-utils/lscpu-arm.c solves the problem. The commit below adds the specific codes missing from Jammy's version. https://github.com/util-linux/util- linux/commit/6857cccbb4157d5da34ca98f77a0ac9d68e1e740 [Evidence] When upstream code is compiled, output of lscpu is correctly displayed: Vendor ID: ARM Model name: Neoverse-V2 [What Could Go Wrong] The fix does not apply directly to Jammy's version, as other commits change sys-utils/lscpu-arm.c. The suggestion is only to add the missing arm_part to the list. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/2019856/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2019856] Re: Add missing ARM-cores to support Grace-based systems
creating testing ppa https://launchpad.net/~hypothetical- lemon/+archive/ubuntu/lp2019856-util-linux ** Changed in: util-linux (Ubuntu Jammy) Assignee: (unassigned) => Heather Lemon (hypothetical-lemon) ** Changed in: util-linux (Ubuntu Lunar) Assignee: (unassigned) => Heather Lemon (hypothetical-lemon) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to util-linux in Ubuntu. https://bugs.launchpad.net/bugs/2019856 Title: Add missing ARM-cores to support Grace-based systems Status in util-linux package in Ubuntu: New Status in util-linux source package in Jammy: New Status in util-linux source package in Lunar: New Bug description: [Impact] When running "lscpu" on a Grace-based system + Ubuntu 22.04, it doesn't report a model name: Vendor ID: ARM Model: 0 [Fix] Adding the additional arm_part to sys-utils/lscpu-arm.c solves the problem. The commit below adds the specific codes missing from Jammy's version. https://github.com/util-linux/util- linux/commit/6857cccbb4157d5da34ca98f77a0ac9d68e1e740 [Evidence] When upstream code is compiled, output of lscpu is correctly displayed: Vendor ID: ARM Model name: Neoverse-V2 [What Could Go Wrong] The fix does not apply directly to Jammy's version, as other commits change sys-utils/lscpu-arm.c. The suggestion is only to add the missing arm_part to the list. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/2019856/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2019856] Re: Add missing ARM-cores to support Grace-based systems
** Also affects: util-linux (Ubuntu Lunar) Importance: Undecided Status: New ** Also affects: util-linux (Ubuntu Jammy) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to util-linux in Ubuntu. https://bugs.launchpad.net/bugs/2019856 Title: Add missing ARM-cores to support Grace-based systems Status in util-linux package in Ubuntu: New Status in util-linux source package in Jammy: New Status in util-linux source package in Lunar: New Bug description: [Impact] When running "lscpu" on a Grace-based system + Ubuntu 22.04, it doesn't report a model name: Vendor ID: ARM Model: 0 [Fix] Adding the additional arm_part to sys-utils/lscpu-arm.c solves the problem. The commit below adds the specific codes missing from Jammy's version. https://github.com/util-linux/util- linux/commit/6857cccbb4157d5da34ca98f77a0ac9d68e1e740 [Evidence] When upstream code is compiled, output of lscpu is correctly displayed: Vendor ID: ARM Model name: Neoverse-V2 [What Could Go Wrong] The fix does not apply directly to Jammy's version, as other commits change sys-utils/lscpu-arm.c. The suggestion is only to add the missing arm_part to the list. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/2019856/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1988270] Re: AppArmor fails to start with Yoga UCA libvirt profile on Focal
** Changed in: cloud-archive/yoga Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1988270 Title: AppArmor fails to start with Yoga UCA libvirt profile on Focal Status in Ubuntu Cloud Archive: Confirmed Status in Ubuntu Cloud Archive antelope series: Confirmed Status in Ubuntu Cloud Archive yoga series: Fix Released Status in Ubuntu Cloud Archive zed series: Confirmed Status in apparmor package in Ubuntu: Invalid Status in apparmor source package in Focal: Confirmed Status in apparmor source package in Jammy: Confirmed Bug description: [ Impact ] AppArmor fails to start with yoga-focal uca libvirt profile [ Test Plan ] generate yoga-focal openstack instance juju ssh nova-compute/0 sudo systemctl restart apparmor journalctl -xe # Error message ct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94081]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.li> Oct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94082]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Oct 04 15:55:32 juju-6d4862-apparmorbug-9 audit[94084]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="u> Oct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94005]: Error: At least one profile failed to load [ Other Notes ] On a fully patched Ubuntu Focal with Yoga UCA enabled, after installation of libvirt-daemon-system, restarting apparmor would fail with error: Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Restarting AppArmor Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Reloading AppArmor profiles Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6341]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6348]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf. Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6413]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf. Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6418]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Error: At least one profile failed to load Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Failed with result 'exit-code'. Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: Failed to start Load AppArmor profiles. In addition to bpf, perfmon capability, which is also enabled in /etc/apparmor.d/usr.sbin.libvirtd profile, would lead to the same error. System information: root@ubuntu2004:~# uname -a Linux ubuntu2004.localdomain 5.4.0-125-generic #141-Ubuntu SMP Wed Aug 10 13:42:03 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux root@ubuntu2004:~# dpkg -l libvirt\* Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--= ii libvirt-clients8.0.0-1ubuntu7.1~cloud0 amd64 Programs for the libvirt library ii libvirt-daemon 8.0.0-1ubuntu7.1~cloud0 amd64 Virtualization daemon ii libvirt-daemon-config-network 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (default network) ii libvirt-daemon-config-nwfilter 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (default network filters) un libvirt-daemon-driver-lxc (no description available) ii libvirt-daemon-driver-qemu 8.0.0-1ubuntu7.1~cloud0 amd64 Virtualization daemon QEMU connection driver un libvirt-daemon-driver-storage-gluster (no description available) un libvirt-daemon-driver-storage-iscsi-direct (no description available) un libvirt-daemon-driver-storage-rbd (no description available) un libvirt-daemon-driver-storage-zfs (no description available) un libvirt-daemon-driver-vbox (no
[Touch-packages] [Bug 1988270] Re: AppArmor fails to start with Yoga UCA libvirt profile on Focal
** Also affects: cloud-archive/xena Importance: Undecided Status: New ** Also affects: cloud-archive/antelope Importance: Undecided Assignee: Heather Lemon (hypothetical-lemon) Status: Confirmed ** No longer affects: cloud-archive/xena -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1988270 Title: AppArmor fails to start with Yoga UCA libvirt profile on Focal Status in Ubuntu Cloud Archive: Confirmed Status in Ubuntu Cloud Archive antelope series: Confirmed Status in Ubuntu Cloud Archive yoga series: Confirmed Status in Ubuntu Cloud Archive zed series: Confirmed Status in apparmor package in Ubuntu: Invalid Status in apparmor source package in Focal: Confirmed Status in apparmor source package in Jammy: Confirmed Bug description: [ Impact ] AppArmor fails to start with yoga-focal uca libvirt profile [ Test Plan ] generate yoga-focal openstack instance juju ssh nova-compute/0 sudo systemctl restart apparmor journalctl -xe # Error message ct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94081]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.li> Oct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94082]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Oct 04 15:55:32 juju-6d4862-apparmorbug-9 audit[94084]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="u> Oct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94005]: Error: At least one profile failed to load [ Other Notes ] On a fully patched Ubuntu Focal with Yoga UCA enabled, after installation of libvirt-daemon-system, restarting apparmor would fail with error: Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Restarting AppArmor Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Reloading AppArmor profiles Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6341]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6348]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf. Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6413]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf. Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6418]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Error: At least one profile failed to load Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Failed with result 'exit-code'. Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: Failed to start Load AppArmor profiles. In addition to bpf, perfmon capability, which is also enabled in /etc/apparmor.d/usr.sbin.libvirtd profile, would lead to the same error. System information: root@ubuntu2004:~# uname -a Linux ubuntu2004.localdomain 5.4.0-125-generic #141-Ubuntu SMP Wed Aug 10 13:42:03 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux root@ubuntu2004:~# dpkg -l libvirt\* Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--= ii libvirt-clients8.0.0-1ubuntu7.1~cloud0 amd64 Programs for the libvirt library ii libvirt-daemon 8.0.0-1ubuntu7.1~cloud0 amd64 Virtualization daemon ii libvirt-daemon-config-network 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (default network) ii libvirt-daemon-config-nwfilter 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (default network filters) un libvirt-daemon-driver-lxc (no description available) ii libvirt-daemon-driver-qemu 8.0.0-1ubuntu7.1~cloud0 amd64 Virtualization daemon QEMU connection driver un libvirt-daemon-driver-storage-gluster (no description available) un libvirt-daemon-driver-storage-iscsi-direct (no description available) un libvirt-daemon-driver-storage-rbd
[Touch-packages] [Bug 1964636] Re: Incorrect handling of apparmor `bpf` capability
ack thanks!
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1964636
Title:
Incorrect handling of apparmor `bpf` capability
Status in apparmor package in Ubuntu:
In Progress
Status in snapd package in Ubuntu:
Incomplete
Status in apparmor source package in Focal:
Fix Committed
Bug description:
[ Impact ]
The apparmor_parser before the 3.0 release would build its capability list
from the installed kernel headers. The apparmor_parser was built against a
kernel without support for cap 'bpf'
This was fixed in 3.0 by having a static caps list (with full mapping info)
and the dynamic auto-generated list (against the kernel headers) that is used
to check that the static list has not become stale. In addition the parser can
pull kernel supported caps straight from the apparmor kernel module (it will
however be missing the mapping info).
Backporting the patches from 3.0 fixes the issue.
[ Test Plan ]
Before the fix, the following profile fails loading:
# echo "profile foo { capability bpf, }" | apparmor_parser -Q
AppArmor parser error, in stdin line 1: Invalid capability bpf.
# echo $?
1
After the fix, it works as expected:
# echo "profile foo { capability bpf, }" | apparmor_parser -Q
# echo $?
0
[ Where problems could occur ]
With these changes, the parser can change its behavior based on a few things.
1. the kernel its built against. This would not change behavior when run in a
container vs at system level.
2. If a feature-file is specified, via --features-file, --policy-
features, or --kernel-features. This allows overriding the normal
policy and kernel examination that the parser does when compiling
policy.
3. If /sys/kernel/security/apparmor/features is not available. The
parser will fallback to an old set of features available in a kernel
before the kernel module started exporting what the kernel module
supports on the running kernel.
[ Other Info ]
The patches for focal (apparmor-2.13) can be found at:
https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/
As mentioned before, these patches are already running on apparmor-3.0.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1964636/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1728130] Re: Policy needs improved feature versioning to ensure it is correctly being applied
Is this issue blocked by something?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1728130
Title:
Policy needs improved feature versioning to ensure it is correctly
being applied
Status in apparmor package in Ubuntu:
Confirmed
Status in apparmor source package in Focal:
Fix Committed
Bug description:
[ Impact ]
Currently allows pinning a single feature abi or running in a
developer mode where the full abi available of the current kernel is
enforced.
However this can result in breaking applications in undesirable ways.
If an application is shipped with its own policy, that policy might be
different than the pinned feature abi, which can either result in
denials because features the policy was not developed for are being
enforced.
If the feature version is not pinned then the most recent kernel abi
is taken and applied to policy, which has not been updated. This can
result in denials for userspace effectively breaking userspace. This
is less than ideal for most users as it leads to a bad experience than
they have not opted into and can lead to them disabling security
protections.
[ Test Plan ]
The test can be done with several features. Here we are using mqueue as an
example.
Verify that the kernel that has mqueue mediation support:
root@ubuntu:~# [ -e /sys/kernel/security/apparmor/features/ipc/posix_mqueue ]
&& echo "supports mqueue"
supports mqueue
cd /tmp
pull-ppa-source --ppa georgiag/mqueue-sru apparmor focal
cd apparmor-2.13.3/tests/regression/apparmor/
USE_SYSTEM=1 make
Using the parser from the mqueue-sru PPA, load the profile.
echo "
abi ,
include
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
include
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
}
" | apparmor_parser -q -r
Run the test, which should fail.
./posix_mq_rcv -c ./posix_mq_snd
FAIL - could not open mq: Permission denied
Now use an abi that does not have mqueue. This simulates a scenario
where a policy was developed before mqueue support was added, so posix
message queues should be allowed by default.
echo "
abi ,
include
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
include
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
}
" | apparmor_parser -q -r
Run the test again, it should pass.
./posix_mq_rcv -c ./posix_mq_snd
PASS
[ Where problems could occur ]
ABI pinning forces policies that don't have abi specified in their
profile to use the ABI pinned in parser.conf. When the ABI is pinned
and the user is trying to use mediation that is not in the pinned ABI,
they might be confused why it is always being allowed. This can be
circumvented by specifying the correct abi in the profile.
[ Other Info ]
The patches for focal (apparmor-2.13) can be found at:
https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/
apparmor-3.0 already has this feature.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1728130/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1964636] Re: Incorrect handling of apparmor `bpf` capability
Is there something blocking the release for focal?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1964636
Title:
Incorrect handling of apparmor `bpf` capability
Status in apparmor package in Ubuntu:
In Progress
Status in snapd package in Ubuntu:
Incomplete
Status in apparmor source package in Focal:
Fix Committed
Bug description:
[ Impact ]
The apparmor_parser before the 3.0 release would build its capability list
from the installed kernel headers. The apparmor_parser was built against a
kernel without support for cap 'bpf'
This was fixed in 3.0 by having a static caps list (with full mapping info)
and the dynamic auto-generated list (against the kernel headers) that is used
to check that the static list has not become stale. In addition the parser can
pull kernel supported caps straight from the apparmor kernel module (it will
however be missing the mapping info).
Backporting the patches from 3.0 fixes the issue.
[ Test Plan ]
Before the fix, the following profile fails loading:
# echo "profile foo { capability bpf, }" | apparmor_parser -Q
AppArmor parser error, in stdin line 1: Invalid capability bpf.
# echo $?
1
After the fix, it works as expected:
# echo "profile foo { capability bpf, }" | apparmor_parser -Q
# echo $?
0
[ Where problems could occur ]
With these changes, the parser can change its behavior based on a few things.
1. the kernel its built against. This would not change behavior when run in a
container vs at system level.
2. If a feature-file is specified, via --features-file, --policy-
features, or --kernel-features. This allows overriding the normal
policy and kernel examination that the parser does when compiling
policy.
3. If /sys/kernel/security/apparmor/features is not available. The
parser will fallback to an old set of features available in a kernel
before the kernel module started exporting what the kernel module
supports on the running kernel.
[ Other Info ]
The patches for focal (apparmor-2.13) can be found at:
https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/
As mentioned before, these patches are already running on apparmor-3.0.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1964636/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1993353] Re: Add posix message queue IPC mediation
Is there something blocking the release for focal? Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1993353 Title: Add posix message queue IPC mediation Status in apparmor package in Ubuntu: New Status in apparmor source package in Focal: Fix Committed Status in apparmor source package in Jammy: Fix Released Bug description: [ Impact ] We need to add IPC mediation support in the userspace tools, starting with posix message queue. This would improve security and lower the attack surface for applications There is already a proposal upstream: https://gitlab.com/apparmor/apparmor/-/merge_requests/858 [ Test Plan ] In the merge request in the description there are several tests added. There are parser tests that can be run with "make -C parser check" in the project source tree. There are also tests for the python tools that can be run ith "make -C utils check" in the project source tree. There are also regression tests in tests/regression/apparmor. They run with the whole test suite when you run with "sudo make tests", but they can also be run individually with "sudo ./posix_mq.sh" [ Where problems could occur ] There could be problems related to Bug 1728130, where a policy was developed for a set of rules supported by a specific kernel, and if new mediation is available on newer kernels, then there will be some denied rules. Therefore we need to also prevent that from happening. This is already available in apparmor-3.+, but for older versions could be done by backporting the abi patches from apparmor-3.0. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1993353/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1998321] Re: tzdata 2022g release
** Also affects: tzdata (Ubuntu Xenial)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to tzdata in Ubuntu.
https://bugs.launchpad.net/bugs/1998321
Title:
tzdata 2022g release
Status in tzdata package in Ubuntu:
Fix Released
Status in tzdata source package in Xenial:
New
Status in tzdata source package in Bionic:
Fix Released
Status in tzdata source package in Focal:
Fix Released
Status in tzdata source package in Jammy:
Fix Released
Status in tzdata source package in Kinetic:
Fix Released
Bug description:
The 2022g release contains the following changes:
* The northern edge of Chihuahua changes to US timekeeping.
* Much of Greenland stops changing clocks after March 2023.
* Fix some pre-1996 timestamps in northern Canada.
* C89 is now deprecated; please use C99 or later.
* Portability fixes for AIX, libintl, MS-Windows, musl, z/OS
* In C code, use more C23 features if available.
* C23 timegm now supported by default
* Fixes for unlikely integer overflows
Changes to future timestamps:
In the Mexican state of Chihuahua, the border strip near the US will
change to agree with nearby US locations on 2022-11-30. The strip's
western part, represented by Ciudad Juárez, switches from -06 all year
to -07/-06 with US DST rules, like El Paso, TX. The eastern part,
represented by Ojinaga, will observe US DST next year, like Presidio,
TX. (Thanks to Heitor David Pinto.) A new Zone America/Ciudad_Juarez
splits from America/Ojinaga.
Much of Greenland, represented by America/Nuuk, stops observing winter
time after March 2023, so its daylight saving time becomes standard
time. (Thanks to Jonas Nyrup and Jürgen Appel.)
ICU change: https://unicode-org.atlassian.net/browse/ICU-22217
CLDR: https://unicode-org.atlassian.net/browse/CLDR-16181
Verification is done with 'zdump'. The first timezone that gets
changed in the updated package is dumped with 'zdump -v
$region/$timezone_that_changed' (this needs to be greped for in
/usr/share/zoneinfo/). [For example: 'zdump -v Asia/Gaza'.] This is
compared to the same output after the updated package got installed.
If those are different the verification is considered done.
[ Test Case for all releases ]
1) dpkg -s tzdata | grep ^Version
2) zdump -v America/Ciudad_Juarez | grep -v NULL | tail -n 1
-> should have output, last dates should be in 2499
[Test case for releases >= 20.04 LTS]
from datetime import datetime, timedelta
from icu import ICUtzinfo, TimeZone
tz = ICUtzinfo(TimeZone.createTimeZone("America/Ciudad_Juarez"))
assert(tz.utcoffset(datetime(2022, 12, 1)) == timedelta(hours=-7))
[Test Case for releases <= 20.04 LTS]
Additionally, an upstream update of tzdata removed the 'old' SystemV
timezones, so we should ensure that they are kept in Ubuntu 20.04 LTS and
earlier releases. Subsequently, these should be checked for using the following:
diff <(zdump -v America/Phoenix | cut -d' ' -f2-) <(zdump -v SystemV/MST7 |
cut -d' ' -f2-)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tzdata/+bug/1998321/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1728130] Re: Policy needs improved feature versioning to ensure it is correctly being applied
Great! Thank you Georgia.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1728130
Title:
Policy needs improved feature versioning to ensure it is correctly
being applied
Status in apparmor package in Ubuntu:
Confirmed
Status in apparmor source package in Focal:
Fix Committed
Bug description:
[ Impact ]
Currently allows pinning a single feature abi or running in a
developer mode where the full abi available of the current kernel is
enforced.
However this can result in breaking applications in undesirable ways.
If an application is shipped with its own policy, that policy might be
different than the pinned feature abi, which can either result in
denials because features the policy was not developed for are being
enforced.
If the feature version is not pinned then the most recent kernel abi
is taken and applied to policy, which has not been updated. This can
result in denials for userspace effectively breaking userspace. This
is less than ideal for most users as it leads to a bad experience than
they have not opted into and can lead to them disabling security
protections.
[ Test Plan ]
The test can be done with several features. Here we are using mqueue as an
example.
Verify that the kernel that has mqueue mediation support:
root@ubuntu:~# [ -e /sys/kernel/security/apparmor/features/ipc/posix_mqueue ]
&& echo "supports mqueue"
supports mqueue
cd /tmp
pull-ppa-source --ppa georgiag/mqueue-sru apparmor focal
cd apparmor-2.13.3/tests/regression/apparmor/
USE_SYSTEM=1 make
Using the parser from the mqueue-sru PPA, load the profile.
echo "
abi ,
include
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
include
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
}
" | apparmor_parser -q -r
Run the test, which should fail.
./posix_mq_rcv -c ./posix_mq_snd
FAIL - could not open mq: Permission denied
Now use an abi that does not have mqueue. This simulates a scenario
where a policy was developed before mqueue support was added, so posix
message queues should be allowed by default.
echo "
abi ,
include
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
include
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
}
" | apparmor_parser -q -r
Run the test again, it should pass.
./posix_mq_rcv -c ./posix_mq_snd
PASS
[ Where problems could occur ]
ABI pinning forces policies that don't have abi specified in their
profile to use the ABI pinned in parser.conf. When the ABI is pinned
and the user is trying to use mediation that is not in the pinned ABI,
they might be confused why it is always being allowed. This can be
circumvented by specifying the correct abi in the profile.
[ Other Info ]
The patches for focal (apparmor-2.13) can be found at:
https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/
apparmor-3.0 already has this feature.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1728130/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1993353] Re: Add posix message queue IPC mediation
### VERIFICATION DONE FOCAL ### * These steps were copied from https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1728130 as they are testing the same components, the setup is similar. * sudo add-apt-repository ppa:apparmor-dev/mqueue-dev sudo apt update # exchange keypair ssh scp linux-* ubuntu@x.x.x.x:~ sudo dpkg -i linux* sudo apt --fix-broken install # edit /etc/default/grub GRUB_DEFAULT='Advanced options for Ubuntu>Ubuntu, with Linux 5.4.0-131-generic' sudo update-grub restart/reboot machine sudo apt-get upgrade apparmor # go find menu entry and update grub /boot/boot.cfg # menuentry 'Ubuntu, with Linux 5.4.0-131-generic' # execute command GRUB_DEFAULT='Advanced options for Ubuntu>Ubuntu, with Linux 5.4.0-131-generic' # should output supports mqueue sudo apt install ubuntu-dev-tools -y pull-ppa-source --ppa georgiag/mqueue-sru apparmor focal sudo apt-get install autoconf libtool -y cd ./libraries/libapparmor/ ./autogen.sh export PYTHONPATH=/tmp/apparmor-2.13.3/libraries/libapparmor/swig/python export PYTHON=/usr/bin/python3 export PYTHON_VERSION=3 export PYTHON_VERSIONS=python3 export USE_SYSTEM=1 make ./configure sudo apt-get install flex dejagnu make sudo make check sudo make install cd binutils make make check make install cd ./libraries/libapparmor sh ./autogen.sh sh ./configure make make check make install cd parser $ make # depends on libapparmor having been built first $ make check # run unit tests cd /tests/regession/apparmor/ sudo make tests # from the main directory make -C parser check # all unit tests pass from the parser. Ran 66 tests in 44.800s PASS Generated 24964 xtransition interaction tests Generated 45132 dbus tests simple.pl .. ok All tests successful. There are deprecation warnings, but those can be ignored. ### VERIFICATION DONE FOCAL ### -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1993353 Title: Add posix message queue IPC mediation Status in apparmor package in Ubuntu: New Status in apparmor source package in Focal: Fix Committed Status in apparmor source package in Jammy: Fix Committed Bug description: [ Impact ] We need to add IPC mediation support in the userspace tools, starting with posix message queue. This would improve security and lower the attack surface for applications There is already a proposal upstream: https://gitlab.com/apparmor/apparmor/-/merge_requests/858 [ Test Plan ] In the merge request in the description there are several tests added. There are parser tests that can be run with "make -C parser check" in the project source tree. There are also tests for the python tools that can be run ith "make -C utils check" in the project source tree. There are also regression tests in tests/regression/apparmor. They run with the whole test suite when you run with "sudo make tests", but they can also be run individually with "sudo ./posix_mq.sh" [ Where problems could occur ] There could be problems related to Bug 1728130, where a policy was developed for a set of rules supported by a specific kernel, and if new mediation is available on newer kernels, then there will be some denied rules. Therefore we need to also prevent that from happening. This is already available in apparmor-3.+, but for older versions could be done by backporting the abi patches from apparmor-3.0. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1993353/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1728130] Re: Policy needs improved feature versioning to ensure it is correctly being applied
### VERIFICATION DONE FOCAL ###
sudo add-apt-repository ppa:apparmor-dev/mqueue-dev
sudo apt update
# exchange keypair ssh
scp linux-* ubuntu@x.x.x.x:~
sudo dpkg -i linux*
sudo apt --fix-broken install
# edit /etc/default/grub
GRUB_DEFAULT='Advanced options for Ubuntu>Ubuntu, with Linux 5.4.0-131-generic'
sudo update-grub
restart/reboot machine
sudo apt-get upgrade apparmor
# go find menu entry and update grub
/boot/boot.cfg
# menuentry 'Ubuntu, with Linux 5.4.0-131-generic'
# execute command
GRUB_DEFAULT='Advanced options for Ubuntu>Ubuntu, with Linux 5.4.0-131-generic'
# should output
supports mqueue
sudo apt install ubuntu-dev-tools -y
pull-ppa-source --ppa georgiag/mqueue-sru apparmor focal
sudo apt-get install autoconf libtool -y
cd ./libraries/libapparmor/
./autogen.sh
export PYTHONPATH=/tmp/apparmor-2.13.3/libraries/libapparmor/swig/python
export PYTHON=/usr/bin/python3
export PYTHON_VERSION=3
export PYTHON_VERSIONS=python3
export USE_SYSTEM=1 make
./configure
sudo apt-get install flex dejagnu
make
sudo make check
sudo make install
cd binutils
make
make check
make install
cd ./libraries/libapparmor
sh ./autogen.sh
sh ./configure
make
make check
make install
cd parser
$ make # depends on libapparmor having been built first
$ make check
# run unit tests
cd /tests/regession/apparmor/
sudo make tests
sudo su
echo "
abi ,
include
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
include
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
}
" | apparmor_parser -q -r
# run command
./posix_mq_rcv -c ./posix_mq_snd
FAIL - could not open mq: Permission denied
# we see this fail error
# make sure there is enough permissions to execute
sudo chmod 777 posix_mq_rcv
./posix_mq_rcv -c ./posix_mq_snd
PASS
### VERIFICATION DONE FOCAL ###
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1728130
Title:
Policy needs improved feature versioning to ensure it is correctly
being applied
Status in apparmor package in Ubuntu:
Confirmed
Status in apparmor source package in Focal:
Fix Committed
Bug description:
[ Impact ]
Currently allows pinning a single feature abi or running in a
developer mode where the full abi available of the current kernel is
enforced.
However this can result in breaking applications in undesirable ways.
If an application is shipped with its own policy, that policy might be
different than the pinned feature abi, which can either result in
denials because features the policy was not developed for are being
enforced.
If the feature version is not pinned then the most recent kernel abi
is taken and applied to policy, which has not been updated. This can
result in denials for userspace effectively breaking userspace. This
is less than ideal for most users as it leads to a bad experience than
they have not opted into and can lead to them disabling security
protections.
[ Test Plan ]
The test can be done with several features. Here we are using mqueue as an
example.
Verify that the kernel that has mqueue mediation support:
root@ubuntu:~# [ -e /sys/kernel/security/apparmor/features/ipc/posix_mqueue ]
&& echo "supports mqueue"
supports mqueue
cd /tmp
pull-ppa-source --ppa georgiag/mqueue-sru apparmor focal
cd apparmor-2.13.3/tests/regression/apparmor/
USE_SYSTEM=1 make
Using the parser from the mqueue-sru PPA, load the profile.
echo "
abi ,
include
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
include
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
}
" | apparmor_parser -q -r
Run the test, which should fail.
./posix_mq_rcv -c ./posix_mq_snd
FAIL - could not open mq: Permission denied
Now use an abi that does not have mqueue. This simulates a scenario
where a policy was developed before mqueue support was added, so posix
message queues should be allowed by default.
echo "
abi ,
include
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
include
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
}
" | apparmor_parser -q -r
Run the test again, it should pass.
./posix_mq_rcv -c ./posix_mq_snd
PASS
[ Where problems could occur ]
ABI pinning forces policies that don't have abi specified in their
profile to use the ABI pinned in parser.conf. When the ABI is pinned
and the user is trying to use mediation that is not in the pinned ABI,
they might be confused why it is always being allowed. This can be
circumvented by specifying the correct abi in the profile.
[ Other Info ]
The patches for focal (apparmor-2.13) can be found at:
https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/
apparmor-3.0 already has this feature.
To manage notifications about this bug go to:
[Touch-packages] [Bug 1728130] Re: Policy needs improved feature versioning to ensure it is correctly being applied
*Note I have not done any extra testing outside of the testing steps
listed, which it would probably be a good idea to do so.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1728130
Title:
Policy needs improved feature versioning to ensure it is correctly
being applied
Status in apparmor package in Ubuntu:
Confirmed
Status in apparmor source package in Focal:
Fix Committed
Bug description:
[ Impact ]
Currently allows pinning a single feature abi or running in a
developer mode where the full abi available of the current kernel is
enforced.
However this can result in breaking applications in undesirable ways.
If an application is shipped with its own policy, that policy might be
different than the pinned feature abi, which can either result in
denials because features the policy was not developed for are being
enforced.
If the feature version is not pinned then the most recent kernel abi
is taken and applied to policy, which has not been updated. This can
result in denials for userspace effectively breaking userspace. This
is less than ideal for most users as it leads to a bad experience than
they have not opted into and can lead to them disabling security
protections.
[ Test Plan ]
The test can be done with several features. Here we are using mqueue as an
example.
Verify that the kernel that has mqueue mediation support:
root@ubuntu:~# [ -e /sys/kernel/security/apparmor/features/ipc/posix_mqueue ]
&& echo "supports mqueue"
supports mqueue
cd /tmp
pull-ppa-source --ppa georgiag/mqueue-sru apparmor focal
cd apparmor-2.13.3/tests/regression/apparmor/
USE_SYSTEM=1 make
Using the parser from the mqueue-sru PPA, load the profile.
echo "
abi ,
include
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
include
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
}
" | apparmor_parser -q -r
Run the test, which should fail.
./posix_mq_rcv -c ./posix_mq_snd
FAIL - could not open mq: Permission denied
Now use an abi that does not have mqueue. This simulates a scenario
where a policy was developed before mqueue support was added, so posix
message queues should be allowed by default.
echo "
abi ,
include
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
include
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
}
" | apparmor_parser -q -r
Run the test again, it should pass.
./posix_mq_rcv -c ./posix_mq_snd
PASS
[ Where problems could occur ]
ABI pinning forces policies that don't have abi specified in their
profile to use the ABI pinned in parser.conf. When the ABI is pinned
and the user is trying to use mediation that is not in the pinned ABI,
they might be confused why it is always being allowed. This can be
circumvented by specifying the correct abi in the profile.
[ Other Info ]
The patches for focal (apparmor-2.13) can be found at:
https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/
apparmor-3.0 already has this feature.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1728130/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1996619] Re: Setfont error due to deprecated PIO_FONTX ioctl
### VERIFICATION DONE JAMMY ### sudo apt-get update sudo apt install qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils -y sudo systemctl enable libvirtd sudo systemctl status libvirtd wget https://releases.ubuntu.com/jammy/ubuntu-22.04.1-live-server- amd64.iso sudo chown ubuntu:ubuntu ubuntu-22.04.1-live-server-amd64.iso sudo chmod +rwx ubuntu-22.04.1-live-server-amd64.iso *you will get a permission denied if you don't do this part* virsh list sudo virt-install --location='./ubuntu-22.04.1-live-server-amd64.iso', --name=setfont-repo01 --vcpus=2 --memory=2048 --disk size=10 --console pty,target_type=virtio --serial pty --graphics none --boot=uefi,kernel='/boot/vmlinuz',initrd='/boot/initrd.img',kernel_args='console=/dev/ttyS0' --extra-args='console=ttyS0,115200n8 serial' --debug select Tab-> Help -> Enter Shell sudo apt-cache policy kbd # Check version installed Installed: 2.3.0-3ubuntu4 #Error message thrown in logs root@ubuntu-server:/# setfont $SNAP/subiquity.psf setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device ### ENABLE PROPOSED ### # create new VM for kinetic sudo virt-install --location='./ubuntu-22.04.1-live-server-amd64.iso', --name=setfont-repo03 --vcpus=2 --memory=2048 --disk size=10 --console pty,target_type=virtio --serial pty --graphics none --boot=uefi,kernel='/boot/vmlinuz',initrd='/boot/initrd.img',kernel_args='console=/dev/ttyS0' --extra-args='console=ttyS0,115200n8 serial' --debug select Enter -> Tab-> Help -> Enter Shell # update /etc/apt/sources.list deb http://archive.ubuntu.com/ubuntu jammy-proposed universe multiverse restricted main sudo apt --only-upgrade install kbd Check version installed sudo apt-cache policy kbd Installed: 2.3.0-3ubuntu4.22.04 # execute command setfont $SNAP/subiquity.psf bash: # no error messages thrown # we don't have any error messages being thrown in the logs - /var/log/installer/subiquity-client-debug.log # if you need to log back into the vm virsh list virsh console setfont-repo03 # notes ctl+5 = exit rich console command or CTRL+] ### VERIFICATION DONE KINETIC ### ** Tags removed: verification-needed-jammy verification-needed-kinetic ** Tags added: verification-done-jammy verification-done-kinetic -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to kbd in Ubuntu. https://bugs.launchpad.net/bugs/1996619 Title: Setfont error due to deprecated PIO_FONTX ioctl Status in subiquity: Invalid Status in kbd package in Ubuntu: Fix Released Status in kbd source package in Jammy: Fix Committed Status in kbd source package in Kinetic: Fix Committed Bug description: [Impact] There is an error message that get thrown in in syslog. There is a suggestion to fix by upgrading the KDB package to version 2.5.1+ (upstream) has a fix. It is caused by this line in subiquity https://github.com/canonical/subiquity/blob/46f671d14d57a5da6bc3d60b1da6715b43954f0d/bin/subiquity-service#L11 It's due to PIO_FONTX ioctl removed from kernel since 5.12 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff2047fb755d4415ec3c70ac799889371151796d In 2.4.5 of kbd which provide setfont in user space, they already switched over to use KDFONTOP only. [ Test Plan ] ### REPRODUCER STEPS ### # install libvirt sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils sudo systemctl enable libvirtd sudo systemctl start libvirtd # check libvirtd process is running virsh virsh list # get iso wget https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso # install vm sudo virt-install --cdrom='./ubuntu-22.04.1-live-server-amd64.iso' --name=setfont-repo --vcpus=2 --memory=2048 --disk size=20 --serial pty --graphics none --boot=uefi --debug # you can either do the full install, the error will be in the /var/log/installer.log file # or on the first page of the installer press Tab-> go to Help, -> Shell and cd /var/log/ grep setfont* syslog # to show error message cd to /snap/subiquity/3698 #execute setfont $SNAP/subiquity.psf # error root@ubuntu-server:/snap/subiquity/3698# setfont $SNAP/subiquity.psf setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device # grep grep setfont* syslog Nov 14 18:22:11 ubuntu-server console-setup.sh[1107]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device Nov 14 18:22:29 ubuntu-server subiquity.subiquity-service[1878]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device [ Where problems could occur ] There could be a failure to correctly parse fonts. https://man7.org/linux/man-pages/man8/setfont.8.html
[Touch-packages] [Bug 1996619] Re: Setfont error due to deprecated PIO_FONTX ioctl
### VERIFICATION DONE KINETIC ### sudo apt-get update sudo apt install qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils -y sudo systemctl enable libvirtd sudo systemctl status libvirtd wget https://releases.ubuntu.com/kinetic/ubuntu-22.10-live-server- amd64.iso virsh list sudo chown -R ubuntu:ubuntu ubuntu-22.10-live-server-amd64.iso * you will get a permission denied if you don't do this part* sudo virt-install --location='./ubuntu-22.10-live-server-amd64.iso', --name=setfont-repo --vcpus=2 --memory=2048 --disk size=10 --console pty,target_type=virtio --serial pty --graphics none --boot=uefi,kernel='/boot/vmlinuz',initrd='/boot/initrd.img',kernel_args='console=/dev/ttyS0' --extra-args='console=ttyS0,115200n8 serial' --debug virsh console setfont-repo select Tab-> Help -> Enter Shell sudo apt-cache policy kbd kbd package version previous 2.3.0-3ubuntu4 #Error message thrown in logs root@ubuntu-server:/# setfont $SNAP/subiquity.psf setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device ### ENABLE PROPOSED ### # create new VM for kinetic sudo virt-install --location='./ubuntu-22.10-live-server-amd64.iso', --name=setfont-repo03 --vcpus=2 --memory=2048 --disk size=10 --console pty,target_type=virtio --serial pty --graphics none --boot=uefi,kernel='/boot/vmlinuz',initrd='/boot/initrd.img',kernel_args='console=/dev/ttyS0' --extra-args='console=ttyS0,115200n8 serial' --debug select Tab-> Help -> Enter Shell # edit sources.list deb http://archive.ubuntu.com/ubuntu kinetic-proposed universe multiverse restricted main sudo apt-get upgrade kbd Check version installed sudo apt-cache policy kbd Candidate: 2.3.0-3ubuntu4.22.10 sudo apt --only-upgrade install kbd # execute command $SNAP/subiquity.psf bash: /snap/subiquity/4003/subiquity.psf: Permission denied # we get a permission denied, not an ioctl error # we don't have any error messages being thrown in the logs - /var/log/installer/subiquity-client-debug.log # if you need to log back into the vm virsh list virsh console setfont-repo03 # notes ctl+5 = exit rich console command or CTRL+] ### VERIFICATION DONE KINETIC ### -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to kbd in Ubuntu. https://bugs.launchpad.net/bugs/1996619 Title: Setfont error due to deprecated PIO_FONTX ioctl Status in subiquity: Invalid Status in kbd package in Ubuntu: Fix Released Status in kbd source package in Jammy: Fix Committed Status in kbd source package in Kinetic: Fix Committed Bug description: [Impact] There is an error message that get thrown in in syslog. There is a suggestion to fix by upgrading the KDB package to version 2.5.1+ (upstream) has a fix. It is caused by this line in subiquity https://github.com/canonical/subiquity/blob/46f671d14d57a5da6bc3d60b1da6715b43954f0d/bin/subiquity-service#L11 It's due to PIO_FONTX ioctl removed from kernel since 5.12 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff2047fb755d4415ec3c70ac799889371151796d In 2.4.5 of kbd which provide setfont in user space, they already switched over to use KDFONTOP only. [ Test Plan ] ### REPRODUCER STEPS ### # install libvirt sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils sudo systemctl enable libvirtd sudo systemctl start libvirtd # check libvirtd process is running virsh virsh list # get iso wget https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso # install vm sudo virt-install --cdrom='./ubuntu-22.04.1-live-server-amd64.iso' --name=setfont-repo --vcpus=2 --memory=2048 --disk size=20 --serial pty --graphics none --boot=uefi --debug # you can either do the full install, the error will be in the /var/log/installer.log file # or on the first page of the installer press Tab-> go to Help, -> Shell and cd /var/log/ grep setfont* syslog # to show error message cd to /snap/subiquity/3698 #execute setfont $SNAP/subiquity.psf # error root@ubuntu-server:/snap/subiquity/3698# setfont $SNAP/subiquity.psf setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device # grep grep setfont* syslog Nov 14 18:22:11 ubuntu-server console-setup.sh[1107]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device Nov 14 18:22:29 ubuntu-server subiquity.subiquity-service[1878]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device [ Where problems could occur ] There could be a failure to correctly parse fonts. https://man7.org/linux/man-pages/man8/setfont.8.html [Other Notes] # github link to upstream repo & commit https://github.com/legionus/kbd
[Touch-packages] [Bug 1996619] Re: Setfont error due to deprecated PIO_FONTX ioctl
I started testing this yesterday, but got stuck on the rich console not showing/continuing after I created the vrish vm with sudo virt-install --cdrom='./ubuntu-22.04.1-live-server-amd64.iso' --name=setfont-repo --vcpus=2 --memory=2048 --disk size=10 --serial pty --graphics none --boot=uefi --debug the virsh console setfont-repo shows this in the terminal Connected to domain 'setfont-repo' Escape character is ^] (Ctrl + ]) but no text console -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to kbd in Ubuntu. https://bugs.launchpad.net/bugs/1996619 Title: Setfont error due to deprecated PIO_FONTX ioctl Status in subiquity: Invalid Status in kbd package in Ubuntu: Fix Released Status in kbd source package in Jammy: Fix Committed Status in kbd source package in Kinetic: Fix Committed Bug description: [Impact] There is an error message that get thrown in in syslog. There is a suggestion to fix by upgrading the KDB package to version 2.5.1+ (upstream) has a fix. It is caused by this line in subiquity https://github.com/canonical/subiquity/blob/46f671d14d57a5da6bc3d60b1da6715b43954f0d/bin/subiquity-service#L11 It's due to PIO_FONTX ioctl removed from kernel since 5.12 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff2047fb755d4415ec3c70ac799889371151796d In 2.4.5 of kbd which provide setfont in user space, they already switched over to use KDFONTOP only. [ Test Plan ] ### REPRODUCER STEPS ### # install libvirt sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils sudo systemctl enable libvirtd sudo systemctl start libvirtd # check libvirtd process is running virsh virsh list # get iso wget https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso # install vm sudo virt-install --cdrom='./ubuntu-22.04.1-live-server-amd64.iso' --name=setfont-repo --vcpus=2 --memory=2048 --disk size=20 --serial pty --graphics none --boot=uefi --debug # you can either do the full install, the error will be in the /var/log/installer.log file # or on the first page of the installer press Tab-> go to Help, -> Shell and cd /var/log/ grep setfont* syslog # to show error message cd to /snap/subiquity/3698 #execute setfont $SNAP/subiquity.psf # error root@ubuntu-server:/snap/subiquity/3698# setfont $SNAP/subiquity.psf setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device # grep grep setfont* syslog Nov 14 18:22:11 ubuntu-server console-setup.sh[1107]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device Nov 14 18:22:29 ubuntu-server subiquity.subiquity-service[1878]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device [ Where problems could occur ] There could be a failure to correctly parse fonts. https://man7.org/linux/man-pages/man8/setfont.8.html [Other Notes] # github link to upstream repo & commit https://github.com/legionus/kbd https://github.com/legionus/kbd/commit/2b68ba3ef22e6f68dcd9dc5c7fc47f72761f3764 To manage notifications about this bug go to: https://bugs.launchpad.net/subiquity/+bug/1996619/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1988270] Re: AppArmor fails to start with Yoga UCA libvirt profile on Focal
### VERIFICATION DONE FOCAL ###
# previous apparmor version
apt-cache policy apparmor
package name: apparmor
package version: 2.13.3-7ubuntu5.1
series: Focal
kernel: Linux 5.4.0-136-generic
# before enabling -proposed
generate focal-yoga instance
juju ssh nova-compute/0
# verify no apparmor errors in logs
cat /var/log/syslog | grep Error
# verify apparmor is running
sudo systemctl status apparmor
# trigger error
sudo systemctl restart apparmor
# The apparmor service never successfully restarts
Job for apparmor.service failed because the control process exited with error
code.
See "systemctl status apparmor.service" and "journalctl -xe" for details
cat /var/log/syslog
Error messages in syslog:
Jan 11 15:46:14 juju-5c2ee8-appbug-9 apparmor.systemd[52695]: AppArmor parser
error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.libvirtd at line 29:
Invalid capability bpf.
Jan 11 15:46:14 juju-5c2ee8-appbug-9 apparmor.systemd[52669]: Error: At least
one profile failed to load
Jan 11 15:46:14 juju-5c2ee8-appbug-9 systemd[1]: apparmor.service: Main process
exited, code=exited, status=1/FAILURE
### Enable proposed ###
# testing with focal-yoga
Apparmor version tested - 2.13.3-7ubuntu5.2
sudo apt-cache policy apparmor
sudo vim /etc/apt/sources.list
# add -proposed
deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-proposed main universe
# save and exit
sudo apt-get update
sudo apt-get upgrade apparmor -y
sudo systemctl restart apparmor
systemctl status apparmor
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset:
enabled)
Active: active (exited) since Wed 2023-01-11 15:55:19 UTC; 20s ago
tail -n 1000 /var/log/syslog
# no errors are thrown by apparmor
Jan 11 15:54:41 juju-5c2ee8-appbug-9 systemd[1]: Reloading.
Jan 11 15:55:19 juju-5c2ee8-appbug-9 systemd[1]: Starting Load AppArmor
profiles...
Jan 11 15:55:19 juju-5c2ee8-appbug-9 apparmor.systemd[66497]: Restarting
AppArmor
Jan 11 15:55:19 juju-5c2ee8-appbug-9 apparmor.systemd[66497]: Reloading
AppArmor profiles
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612010] kauditd_printk_skb:
9 callbacks suppressed
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612013] audit: type=1400
audit(1673452519.139:106): apparmor="STATUS" operation="profile_replace"
info="same as current profile, skipping" profile="unconfined"
name="nvidia_modprobe" pid=66503 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612022] audit: type=1400
audit(1673452519.139:107): apparmor="STATUS" operation="profile_replace"
info="same as current profile, skipping" profile="unconfined"
name="nvidia_modprobe//kmod" pid=66503 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612179] audit: type=1400
audit(1673452519.139:108): apparmor="STATUS" operation="profile_replace"
profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action"
pid=66502 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612183] audit: type=1400
audit(1673452519.139:109): apparmor="STATUS" operation="profile_replace"
profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=66502
comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612186] audit: type=1400
audit(1673452519.139:110): apparmor="STATUS" operation="profile_replace"
profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=66502
comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612187] audit: type=1400
audit(1673452519.139:111): apparmor="STATUS" operation="profile_replace"
profile="unconfined" name="/{,usr/}sbin/dhclient" pid=66502
comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.614725] audit: type=1400
audit(1673452519.139:112): apparmor="STATUS" operation="profile_replace"
profile="unconfined" name="/usr/bin/man" pid=66504 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.614729] audit: type=1400
audit(1673452519.139:113): apparmor="STATUS" operation="profile_replace"
profile="unconfined" name="man_filter" pid=66504 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.614731] audit: type=1400
audit(1673452519.139:114): apparmor="STATUS" operation="profile_replace"
profile="unconfined" name="man_groff" pid=66504 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.618860] audit: type=1400
audit(1673452519.143:115): apparmor="STATUS" operation="profile_replace"
info="same as current profile, skipping" profile="unconfined"
name="/usr/sbin/tcpdump" pid=66505 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 apparmor.systemd[66525]: Skipping profile
in /etc/apparmor.d/disable: usr.bin.nova-compute
Jan 11 15:55:19 juju-5c2ee8-appbug-9 apparmor.systemd[66526]: Skipping profile
in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jan 11 15:55:19 juju-5c2ee8-appbug-9 systemd[1]: Finished Load AppArmor
[Touch-packages] [Bug 1964636] Re: Incorrect handling of apparmor `bpf` capability
Lukasz is correct, we should be diligent in backporting the upstream patches.
In regards to testing it's important to ensure apparmor and its new features
work as intended with no errors in logs.
As well as apparmor not quitting after a restart. All three effected LP's
should be thoroughly tested.
There are over 20 patches being backported from upstream apparmor3.0
They fall into 3 categories.
1. capabilities improvements (maintain and generate the capabilities list used
by apparmor)
2. abi [0]
3. mqueue
[0]
https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorpolicyfeaturesabi#why-
were-feature-abi-rules-added
Most of the cap* patches are around generating and maintaining a list of
supported capabilities.
the first 2 caps (cap1 & cap2) introduce new scripts to generate a list of
current capabilities and
apparmor-bash related profiles.
# cap1-Generate-CAPABILITIES-in-a-script-due-to-make-4.3.patch
there is a new command under /common
./list_capabilities.sh
# code that generates a list of capabilities
CAP_AUDIT_CONTROL
CAP_AUDIT_READ
CAP_AUDIT_WRITE
...
CAP_CHOWN
# new python script to create vim profiles with
python create-apparmor.vim.py
# generates a new file called apparmor.vim.in
# cap2-parser-Move-to-a-pre-generated-cap_names.h.patch
use a pre-generated list of capabilities so that all capabilities are
supported even when building against older kernels.
The rest of the cap* patches are code cleanup related.
@sli2100 I hope that answers some of the concern about capabilities
patches.
I will work on testing the other 3 affected LP's (1988270, 1728130, 1993353).
So a total of 4 Lp's will be addressed.
Please let me know if I/someone else can elaborate on the testing that
needs to happen before approval.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1964636
Title:
Incorrect handling of apparmor `bpf` capability
Status in apparmor package in Ubuntu:
In Progress
Status in snapd package in Ubuntu:
Incomplete
Status in apparmor source package in Focal:
Fix Committed
Bug description:
[ Impact ]
The apparmor_parser before the 3.0 release would build its capability list
from the installed kernel headers. The apparmor_parser was built against a
kernel without support for cap 'bpf'
This was fixed in 3.0 by having a static caps list (with full mapping info)
and the dynamic auto-generated list (against the kernel headers) that is used
to check that the static list has not become stale. In addition the parser can
pull kernel supported caps straight from the apparmor kernel module (it will
however be missing the mapping info).
Backporting the patches from 3.0 fixes the issue.
[ Test Plan ]
Before the fix, the following profile fails loading:
# echo "profile foo { capability bpf, }" | apparmor_parser -Q
AppArmor parser error, in stdin line 1: Invalid capability bpf.
# echo $?
1
After the fix, it works as expected:
# echo "profile foo { capability bpf, }" | apparmor_parser -Q
# echo $?
0
[ Where problems could occur ]
With these changes, the parser can change its behavior based on a few things.
1. the kernel its built against. This would not change behavior when run in a
container vs at system level.
2. If a feature-file is specified, via --features-file, --policy-
features, or --kernel-features. This allows overriding the normal
policy and kernel examination that the parser does when compiling
policy.
3. If /sys/kernel/security/apparmor/features is not available. The
parser will fallback to an old set of features available in a kernel
before the kernel module started exporting what the kernel module
supports on the running kernel.
[ Other Info ]
The patches for focal (apparmor-2.13) can be found at:
https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/
As mentioned before, these patches are already running on apparmor-3.0.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1964636/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1964636] Re: Incorrect handling of apparmor `bpf` capability
In regards to @sil2100 questions, I can review the patches(~24) and
double check any use cases.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1964636
Title:
Incorrect handling of apparmor `bpf` capability
Status in apparmor package in Ubuntu:
In Progress
Status in snapd package in Ubuntu:
Incomplete
Status in apparmor source package in Focal:
Fix Committed
Bug description:
[ Impact ]
The apparmor_parser before the 3.0 release would build its capability list
from the installed kernel headers. The apparmor_parser was built against a
kernel without support for cap 'bpf'
This was fixed in 3.0 by having a static caps list (with full mapping info)
and the dynamic auto-generated list (against the kernel headers) that is used
to check that the static list has not become stale. In addition the parser can
pull kernel supported caps straight from the apparmor kernel module (it will
however be missing the mapping info).
Backporting the patches from 3.0 fixes the issue.
[ Test Plan ]
Before the fix, the following profile fails loading:
# echo "profile foo { capability bpf, }" | apparmor_parser -Q
AppArmor parser error, in stdin line 1: Invalid capability bpf.
# echo $?
1
After the fix, it works as expected:
# echo "profile foo { capability bpf, }" | apparmor_parser -Q
# echo $?
0
[ Where problems could occur ]
With these changes, the parser can change its behavior based on a few things.
1. the kernel its built against. This would not change behavior when run in a
container vs at system level.
2. If a feature-file is specified, via --features-file, --policy-
features, or --kernel-features. This allows overriding the normal
policy and kernel examination that the parser does when compiling
policy.
3. If /sys/kernel/security/apparmor/features is not available. The
parser will fallback to an old set of features available in a kernel
before the kernel module started exporting what the kernel module
supports on the running kernel.
[ Other Info ]
The patches for focal (apparmor-2.13) can be found at:
https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/
As mentioned before, these patches are already running on apparmor-3.0.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1964636/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1964636] Re: Incorrect handling of apparmor `bpf` capability
I did a quick test with apparmor focal-yoga and -proposed this morning
to verify it fixes https://bugs.launchpad.net/cloud-archive/+bug/1988270
# testing with focal-yoga
Apparmor version tested - 2.13.3-7ubuntu5.2
generate focal-yoga instance
juju ssh nova-compute/0
sudo apt-cache policy apparmor
sudo vim /etc/apt/sources.list
# add -proposed
deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-proposed main universe
# save and exit
sudo apt-get upgrade apparmor
sudo systemctl restart apparmor
tail -n 1000 /var/log/syslog
# no errors are thrown by apparmor
Jan 9 15:27:40 juju-3151fe-testapparmor-9 apparmor.systemd[62260]: Restarting
AppArmor
Jan 9 15:27:40 juju-3151fe-testapparmor-9 apparmor.systemd[62260]: Reloading
AppArmor profiles
Jan 9 15:27:40 juju-3151fe-testapparmor-9 apparmor.systemd[62274]: Skipping
profile in /etc/apparmor.d/disable: usr.bin.nova-compute
Jan 9 15:27:40 juju-3151fe-testapparmor-9 kernel: [ 1440.404862] audit:
type=1400 audit(1673278060.118:74): apparmor="STATUS"
operation="profile_replace" info="same as current profile, skipping"
profile="unconfined" name="virt-aa-helper" pid=62273 comm="apparmor_parser"
Jan 9 15:27:40 juju-3151fe-testapparmor-9 kernel: [ 1440.406888] audit:
type=1400 audit(1673278060.118:75): apparmor="STATUS"
operation="profile_replace" info="same as current profile, skipping"
profile="unconfined" name="/usr/bin/man" pid=62275 comm="apparmor_parser"
Jan 9 15:27:40 juju-3151fe-testapparmor-9 kernel: [ 1440.406890] audit:
type=1400 audit(1673278060.118:76): apparmor="STATUS"
operation="profile_replace" info="same as current profile, skipping"
profile="unconfined" name="man_filter" pid=62275 comm="apparmor_parser"
Jan 9 15:27:40 juju-3151fe-testapparmor-9 kernel: [ 1440.406892] audit:
type=1400 audit(1673278060.118:77): apparmor="STATUS"
operation="profile_replace" info="same as current profile, skipping"
profile="unconfined" name="man_groff" pid=62275 comm="apparmor_parser"
Jan 9 15:27:40 juju-3151fe-testapparmor-9 kernel: [ 1440.408833] audit:
type=1400 audit(1673278060.122:78): apparmor="STATUS"
operation="profile_replace" info="same as current profile, skipping"
profile="unconfined" name="/usr/lib/snapd/snap-confine" pid=62276
comm="apparmor_parser"
Jan 9 15:27:40 juju-3151fe-testapparmor-9 kernel: [ 1440.408838] audit:
type=1400 audit(1673278060.122:79): apparmor="STATUS"
operation="profile_replace" info="same as current profile, skipping"
profile="unconfined"
name="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=62276
comm="apparmor_parser"
Jan 9 15:27:40 juju-3151fe-testapparmor-9 kernel: [ 1440.415917] audit:
type=1400 audit(1673278060.130:80): apparmor="STATUS"
operation="profile_replace" info="same as current profile, skipping"
profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action"
pid=62277 comm="apparmor_parser"
Jan 9 15:27:40 juju-3151fe-testapparmor-9 kernel: [ 1440.415921] audit:
type=1400 audit(1673278060.130:81): apparmor="STATUS"
operation="profile_replace" info="same as current profile, skipping"
profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=62277
comm="apparmor_parser"
Jan 9 15:27:40 juju-3151fe-testapparmor-9 kernel: [ 1440.415924] audit:
type=1400 audit(1673278060.130:82): apparmor="STATUS"
operation="profile_replace" info="same as current profile, skipping"
profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=62277
comm="apparmor_parser"
Jan 9 15:27:40 juju-3151fe-testapparmor-9 kernel: [ 1440.415926] audit:
type=1400 audit(1673278060.130:83): apparmor="STATUS"
operation="profile_replace" info="same as current profile, skipping"
profile="unconfined" name="/{,usr/}sbin/dhclient" pid=62277
comm="apparmor_parser"
Jan 9 15:27:40 juju-3151fe-testapparmor-9 apparmor.systemd[62279]: Skipping
profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jan 9 15:27:40 juju-3151fe-testapparmor-9 systemd[1]: Finished Load AppArmor
profiles.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1964636
Title:
Incorrect handling of apparmor `bpf` capability
Status in apparmor package in Ubuntu:
In Progress
Status in snapd package in Ubuntu:
Incomplete
Status in apparmor source package in Focal:
Fix Committed
Bug description:
[ Impact ]
The apparmor_parser before the 3.0 release would build its capability list
from the installed kernel headers. The apparmor_parser was built against a
kernel without support for cap 'bpf'
This was fixed in 3.0 by having a static caps list (with full mapping info)
and the dynamic auto-generated list (against the kernel headers) that is used
to check that the static list has not become stale. In addition the parser can
pull kernel supported caps straight from the apparmor kernel module (it will
however be missing the mapping info).
[Touch-packages] [Bug 1996619] Re: Setfont error due to deprecated PIO_FONTX ioctl
fix version for kinetic ** Patch added: "lp1996619kinetic-fix-version03.debdiff" https://bugs.launchpad.net/subiquity/+bug/1996619/+attachment/5635976/+files/lp1996619kinetic-fix-version03.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to kbd in Ubuntu. https://bugs.launchpad.net/bugs/1996619 Title: Setfont error due to deprecated PIO_FONTX ioctl Status in subiquity: Invalid Status in kbd package in Ubuntu: Fix Released Status in kbd source package in Jammy: In Progress Status in kbd source package in Kinetic: In Progress Bug description: [Impact] There is an error message that get thrown in in syslog. There is a suggestion to fix by upgrading the KDB package to version 2.5.1+ (upstream) has a fix. It is caused by this line in subiquity https://github.com/canonical/subiquity/blob/46f671d14d57a5da6bc3d60b1da6715b43954f0d/bin/subiquity-service#L11 It's due to PIO_FONTX ioctl removed from kernel since 5.12 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff2047fb755d4415ec3c70ac799889371151796d In 2.4.5 of kbd which provide setfont in user space, they already switched over to use KDFONTOP only. [ Test Plan ] ### REPRODUCER STEPS ### # install libvirt sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils sudo systemctl enable libvirtd sudo systemctl start libvirtd # check libvirtd process is running virsh virsh list # get iso wget https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso # install vm sudo virt-install --cdrom='./ubuntu-22.04.1-live-server-amd64.iso' --name=setfont-repo --vcpus=2 --memory=2048 --disk size=20 --serial pty --graphics none --boot=uefi --debug # you can either do the full install, the error will be in the /var/log/installer.log file # or on the first page of the installer press Tab-> go to Help, -> Shell and cd /var/log/ grep setfont* syslog # to show error message cd to /snap/subiquity/3698 #execute setfont $SNAP/subiquity.psf # error root@ubuntu-server:/snap/subiquity/3698# setfont $SNAP/subiquity.psf setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device # grep grep setfont* syslog Nov 14 18:22:11 ubuntu-server console-setup.sh[1107]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device Nov 14 18:22:29 ubuntu-server subiquity.subiquity-service[1878]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device [ Where problems could occur ] There could be a failure to correctly parse fonts. https://man7.org/linux/man-pages/man8/setfont.8.html [Other Notes] # github link to upstream repo & commit https://github.com/legionus/kbd https://github.com/legionus/kbd/commit/2b68ba3ef22e6f68dcd9dc5c7fc47f72761f3764 To manage notifications about this bug go to: https://bugs.launchpad.net/subiquity/+bug/1996619/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1996619] Re: Setfont error due to deprecated PIO_FONTX ioctl
Updated headers, fix version for jammy ** Patch added: "lp1996619kinetic-fix-version03.debdiff" https://bugs.launchpad.net/subiquity/+bug/1996619/+attachment/5635975/+files/lp1996619kinetic-fix-version03.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to kbd in Ubuntu. https://bugs.launchpad.net/bugs/1996619 Title: Setfont error due to deprecated PIO_FONTX ioctl Status in subiquity: Invalid Status in kbd package in Ubuntu: Fix Released Status in kbd source package in Jammy: In Progress Status in kbd source package in Kinetic: In Progress Bug description: [Impact] There is an error message that get thrown in in syslog. There is a suggestion to fix by upgrading the KDB package to version 2.5.1+ (upstream) has a fix. It is caused by this line in subiquity https://github.com/canonical/subiquity/blob/46f671d14d57a5da6bc3d60b1da6715b43954f0d/bin/subiquity-service#L11 It's due to PIO_FONTX ioctl removed from kernel since 5.12 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff2047fb755d4415ec3c70ac799889371151796d In 2.4.5 of kbd which provide setfont in user space, they already switched over to use KDFONTOP only. [ Test Plan ] ### REPRODUCER STEPS ### # install libvirt sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils sudo systemctl enable libvirtd sudo systemctl start libvirtd # check libvirtd process is running virsh virsh list # get iso wget https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso # install vm sudo virt-install --cdrom='./ubuntu-22.04.1-live-server-amd64.iso' --name=setfont-repo --vcpus=2 --memory=2048 --disk size=20 --serial pty --graphics none --boot=uefi --debug # you can either do the full install, the error will be in the /var/log/installer.log file # or on the first page of the installer press Tab-> go to Help, -> Shell and cd /var/log/ grep setfont* syslog # to show error message cd to /snap/subiquity/3698 #execute setfont $SNAP/subiquity.psf # error root@ubuntu-server:/snap/subiquity/3698# setfont $SNAP/subiquity.psf setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device # grep grep setfont* syslog Nov 14 18:22:11 ubuntu-server console-setup.sh[1107]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device Nov 14 18:22:29 ubuntu-server subiquity.subiquity-service[1878]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device [ Where problems could occur ] There could be a failure to correctly parse fonts. https://man7.org/linux/man-pages/man8/setfont.8.html [Other Notes] # github link to upstream repo & commit https://github.com/legionus/kbd https://github.com/legionus/kbd/commit/2b68ba3ef22e6f68dcd9dc5c7fc47f72761f3764 To manage notifications about this bug go to: https://bugs.launchpad.net/subiquity/+bug/1996619/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1996619] Re: Setfont error due to deprecated PIO_FONTX ioctl
** Description changed: [Impact] There is an error message that get thrown in in syslog. There is a suggestion to fix by upgrading the KDB package to version 2.5.1+ or to understand the root cause and troubleshoot as to why it's broken and resolve it there. It is caused by this line in subiquity https://github.com/canonical/subiquity/blob/46f671d14d57a5da6bc3d60b1da6715b43954f0d/bin/subiquity-service#L11 It's due to PIO_FONTX ioctl removed from kernel since 5.12 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff2047fb755d4415ec3c70ac799889371151796d In 2.4.5 of kbd which provide setfont in user space, they already switched over to use KDFONTOP only. [ Test Plan ] ### REPRODUCER STEPS ### # install libvirt sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils sudo systemctl enable libvirtd sudo systemctl start libvirtd # check libvirtd process is running virsh virsh list # get iso wget https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso # install vm sudo virt-install --cdrom='./ubuntu-22.04.1-live-server-amd64.iso' --name=setfont-repo --vcpus=2 --memory=2048 --disk size=20 --serial pty --graphics none --boot=uefi --debug # you can either do the full install, the error will be in the /var/log/installer.log file # or on the first page of the installer press Tab-> go to Help, -> Shell and cd /var/log/ grep setfont* syslog # to show error message cd to /snap/subiquity/3698 #execute setfont $SNAP/subiquity.psf # error root@ubuntu-server:/snap/subiquity/3698# setfont $SNAP/subiquity.psf setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device # grep grep setfont* syslog Nov 14 18:22:11 ubuntu-server console-setup.sh[1107]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device Nov 14 18:22:29 ubuntu-server subiquity.subiquity-service[1878]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device + [ Where problems could occur ] - [ Where problems could occur ] + There could be a failure to correctly parse fonts. + https://man7.org/linux/man-pages/man8/setfont.8.html + + + [Other Notes] + + # github link to upstream repo & commit + https://github.com/legionus/kbd + https://github.com/legionus/kbd/commit/2b68ba3ef22e6f68dcd9dc5c7fc47f72761f3764 ** Description changed: [Impact] There is an error message that get thrown in in syslog. - There is a suggestion to fix by upgrading the KDB package to version 2.5.1+ or - to understand the root cause and troubleshoot as to why it's broken and resolve - it there. + There is a suggestion to fix by upgrading the KDB package to version 2.5.1+ (upstream) has a fix. It is caused by this line in subiquity https://github.com/canonical/subiquity/blob/46f671d14d57a5da6bc3d60b1da6715b43954f0d/bin/subiquity-service#L11 It's due to PIO_FONTX ioctl removed from kernel since 5.12 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff2047fb755d4415ec3c70ac799889371151796d In 2.4.5 of kbd which provide setfont in user space, they already switched over to use KDFONTOP only. [ Test Plan ] ### REPRODUCER STEPS ### # install libvirt sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils sudo systemctl enable libvirtd sudo systemctl start libvirtd # check libvirtd process is running virsh virsh list # get iso wget https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso # install vm sudo virt-install --cdrom='./ubuntu-22.04.1-live-server-amd64.iso' --name=setfont-repo --vcpus=2 --memory=2048 --disk size=20 --serial pty --graphics none --boot=uefi --debug # you can either do the full install, the error will be in the /var/log/installer.log file # or on the first page of the installer press Tab-> go to Help, -> Shell and cd /var/log/ grep setfont* syslog # to show error message cd to /snap/subiquity/3698 #execute setfont $SNAP/subiquity.psf # error root@ubuntu-server:/snap/subiquity/3698# setfont $SNAP/subiquity.psf setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device # grep grep setfont* syslog Nov 14 18:22:11 ubuntu-server console-setup.sh[1107]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device Nov 14 18:22:29 ubuntu-server subiquity.subiquity-service[1878]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device [ Where problems could occur ] - There could be a failure to
[Touch-packages] [Bug 1996619] Re: Setfont error due to deprecated PIO_FONTX ioctl
** Tags removed: verification-needed-jammy verification-needed-kinetic ** Description changed: + [Impact] + There is an error message that get thrown in in syslog. - There is a suggestion to fix by upgrading the KDB package to version 2.5.1+ or - to understand the root cause and troubleshoot as to why it's broken and resolve + There is a suggestion to fix by upgrading the KDB package to version 2.5.1+ or + to understand the root cause and troubleshoot as to why it's broken and resolve it there. It is caused by this line in subiquity https://github.com/canonical/subiquity/blob/46f671d14d57a5da6bc3d60b1da6715b43954f0d/bin/subiquity-service#L11 It's due to PIO_FONTX ioctl removed from kernel since 5.12 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff2047fb755d4415ec3c70ac799889371151796d In 2.4.5 of kbd which provide setfont in user space, they already switched over to use KDFONTOP only. ### REPRODUCER STEPS ### # install libvirt sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils sudo systemctl enable libvirtd sudo systemctl start libvirtd - # check libvirtd process is running - virsh - virsh list + # check libvirtd process is running + virsh + virsh list # get iso wget https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso - # install vm + # install vm sudo virt-install --cdrom='./ubuntu-22.04.1-live-server-amd64.iso' --name=setfont-repo --vcpus=2 --memory=2048 --disk size=20 --serial pty --graphics none --boot=uefi --debug - # you can either do the full install, - the error will be in the /var/log/installer.log file + # you can either do the full install, + the error will be in the /var/log/installer.log file - # or on the first page of the installer press Tab-> go to Help, -> Shell + # or on the first page of the installer press Tab-> go to Help, -> Shell and cd /var/log/ grep setfont* syslog - # to show error message cd to + # to show error message cd to /snap/subiquity/3698 - #execute + #execute setfont $SNAP/subiquity.psf - + # error root@ubuntu-server:/snap/subiquity/3698# setfont $SNAP/subiquity.psf setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device - # grep - grep setfont* syslog + # grep + grep setfont* syslog Nov 14 18:22:11 ubuntu-server console-setup.sh[1107]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device Nov 14 18:22:29 ubuntu-server subiquity.subiquity-service[1878]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device ** Description changed: [Impact] There is an error message that get thrown in in syslog. There is a suggestion to fix by upgrading the KDB package to version 2.5.1+ or to understand the root cause and troubleshoot as to why it's broken and resolve it there. It is caused by this line in subiquity https://github.com/canonical/subiquity/blob/46f671d14d57a5da6bc3d60b1da6715b43954f0d/bin/subiquity-service#L11 It's due to PIO_FONTX ioctl removed from kernel since 5.12 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff2047fb755d4415ec3c70ac799889371151796d In 2.4.5 of kbd which provide setfont in user space, they already switched over to use KDFONTOP only. + + [ Test Plan ] ### REPRODUCER STEPS ### # install libvirt sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils sudo systemctl enable libvirtd sudo systemctl start libvirtd # check libvirtd process is running virsh virsh list # get iso wget https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso # install vm sudo virt-install --cdrom='./ubuntu-22.04.1-live-server-amd64.iso' --name=setfont-repo --vcpus=2 --memory=2048 --disk size=20 --serial pty --graphics none --boot=uefi --debug # you can either do the full install, the error will be in the /var/log/installer.log file # or on the first page of the installer press Tab-> go to Help, -> Shell and cd /var/log/ grep setfont* syslog # to show error message cd to /snap/subiquity/3698 #execute setfont $SNAP/subiquity.psf # error root@ubuntu-server:/snap/subiquity/3698# setfont $SNAP/subiquity.psf setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device # grep grep setfont* syslog Nov 14 18:22:11 ubuntu-server console-setup.sh[1107]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device Nov 14 18:22:29 ubuntu-server subiquity.subiquity-service[1878]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate
[Touch-packages] [Bug 1996619] Re: Setfont error due to deprecated PIO_FONTX ioctl
kinetic revised debdiff ** Patch added: "lp1996619kinetic-revised.debdiff" https://bugs.launchpad.net/ubuntu/+source/kbd/+bug/1996619/+attachment/5635163/+files/lp1996619kinetic-revised.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to kbd in Ubuntu. https://bugs.launchpad.net/bugs/1996619 Title: Setfont error due to deprecated PIO_FONTX ioctl Status in subiquity: Invalid Status in kbd package in Ubuntu: Fix Released Status in kbd source package in Jammy: In Progress Status in kbd source package in Kinetic: In Progress Bug description: There is an error message that get thrown in in syslog. There is a suggestion to fix by upgrading the KDB package to version 2.5.1+ or to understand the root cause and troubleshoot as to why it's broken and resolve it there. It is caused by this line in subiquity https://github.com/canonical/subiquity/blob/46f671d14d57a5da6bc3d60b1da6715b43954f0d/bin/subiquity-service#L11 It's due to PIO_FONTX ioctl removed from kernel since 5.12 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff2047fb755d4415ec3c70ac799889371151796d In 2.4.5 of kbd which provide setfont in user space, they already switched over to use KDFONTOP only. ### REPRODUCER STEPS ### # install libvirt sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils sudo systemctl enable libvirtd sudo systemctl start libvirtd # check libvirtd process is running virsh virsh list # get iso wget https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso # install vm sudo virt-install --cdrom='./ubuntu-22.04.1-live-server-amd64.iso' --name=setfont-repo --vcpus=2 --memory=2048 --disk size=20 --serial pty --graphics none --boot=uefi --debug # you can either do the full install, the error will be in the /var/log/installer.log file # or on the first page of the installer press Tab-> go to Help, -> Shell and cd /var/log/ grep setfont* syslog # to show error message cd to /snap/subiquity/3698 #execute setfont $SNAP/subiquity.psf # error root@ubuntu-server:/snap/subiquity/3698# setfont $SNAP/subiquity.psf setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device # grep grep setfont* syslog Nov 14 18:22:11 ubuntu-server console-setup.sh[1107]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device Nov 14 18:22:29 ubuntu-server subiquity.subiquity-service[1878]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device To manage notifications about this bug go to: https://bugs.launchpad.net/subiquity/+bug/1996619/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1996619] Re: Setfont error due to deprecated PIO_FONTX ioctl
revised jammy debdiff ** Patch added: "lp1996619jammy-revised.debdiff" https://bugs.launchpad.net/ubuntu/+source/kbd/+bug/1996619/+attachment/5635162/+files/lp1996619jammy-revised.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to kbd in Ubuntu. https://bugs.launchpad.net/bugs/1996619 Title: Setfont error due to deprecated PIO_FONTX ioctl Status in subiquity: Invalid Status in kbd package in Ubuntu: Fix Released Status in kbd source package in Jammy: In Progress Status in kbd source package in Kinetic: In Progress Bug description: There is an error message that get thrown in in syslog. There is a suggestion to fix by upgrading the KDB package to version 2.5.1+ or to understand the root cause and troubleshoot as to why it's broken and resolve it there. It is caused by this line in subiquity https://github.com/canonical/subiquity/blob/46f671d14d57a5da6bc3d60b1da6715b43954f0d/bin/subiquity-service#L11 It's due to PIO_FONTX ioctl removed from kernel since 5.12 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff2047fb755d4415ec3c70ac799889371151796d In 2.4.5 of kbd which provide setfont in user space, they already switched over to use KDFONTOP only. ### REPRODUCER STEPS ### # install libvirt sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils sudo systemctl enable libvirtd sudo systemctl start libvirtd # check libvirtd process is running virsh virsh list # get iso wget https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso # install vm sudo virt-install --cdrom='./ubuntu-22.04.1-live-server-amd64.iso' --name=setfont-repo --vcpus=2 --memory=2048 --disk size=20 --serial pty --graphics none --boot=uefi --debug # you can either do the full install, the error will be in the /var/log/installer.log file # or on the first page of the installer press Tab-> go to Help, -> Shell and cd /var/log/ grep setfont* syslog # to show error message cd to /snap/subiquity/3698 #execute setfont $SNAP/subiquity.psf # error root@ubuntu-server:/snap/subiquity/3698# setfont $SNAP/subiquity.psf setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device # grep grep setfont* syslog Nov 14 18:22:11 ubuntu-server console-setup.sh[1107]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device Nov 14 18:22:29 ubuntu-server subiquity.subiquity-service[1878]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device To manage notifications about this bug go to: https://bugs.launchpad.net/subiquity/+bug/1996619/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1996619] Re: Setfont error due to deprecated PIO_FONTX ioctl
@dannf, I will make those 2 changes tomorrow. Thanks for catching! -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to kbd in Ubuntu. https://bugs.launchpad.net/bugs/1996619 Title: Setfont error due to deprecated PIO_FONTX ioctl Status in subiquity: Invalid Status in kbd package in Ubuntu: Fix Released Status in kbd source package in Jammy: In Progress Status in kbd source package in Kinetic: In Progress Bug description: There is an error message that get thrown in in syslog. There is a suggestion to fix by upgrading the KDB package to version 2.5.1+ or to understand the root cause and troubleshoot as to why it's broken and resolve it there. It is caused by this line in subiquity https://github.com/canonical/subiquity/blob/46f671d14d57a5da6bc3d60b1da6715b43954f0d/bin/subiquity-service#L11 It's due to PIO_FONTX ioctl removed from kernel since 5.12 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff2047fb755d4415ec3c70ac799889371151796d In 2.4.5 of kbd which provide setfont in user space, they already switched over to use KDFONTOP only. ### REPRODUCER STEPS ### # install libvirt sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils sudo systemctl enable libvirtd sudo systemctl start libvirtd # check libvirtd process is running virsh virsh list # get iso wget https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso # install vm sudo virt-install --cdrom='./ubuntu-22.04.1-live-server-amd64.iso' --name=setfont-repo --vcpus=2 --memory=2048 --disk size=20 --serial pty --graphics none --boot=uefi --debug # you can either do the full install, the error will be in the /var/log/installer.log file # or on the first page of the installer press Tab-> go to Help, -> Shell and cd /var/log/ grep setfont* syslog # to show error message cd to /snap/subiquity/3698 #execute setfont $SNAP/subiquity.psf # error root@ubuntu-server:/snap/subiquity/3698# setfont $SNAP/subiquity.psf setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device # grep grep setfont* syslog Nov 14 18:22:11 ubuntu-server console-setup.sh[1107]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device Nov 14 18:22:29 ubuntu-server subiquity.subiquity-service[1878]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device To manage notifications about this bug go to: https://bugs.launchpad.net/subiquity/+bug/1996619/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1996619] Re: Setfont error due to deprecated PIO_FONTX ioctl
** Tags added: verification-needed-jammy verification-needed-kinetic ** Tags added: sts-sponsor -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to kbd in Ubuntu. https://bugs.launchpad.net/bugs/1996619 Title: Setfont error due to deprecated PIO_FONTX ioctl Status in subiquity: Invalid Status in kbd package in Ubuntu: Fix Released Status in kbd source package in Jammy: In Progress Status in kbd source package in Kinetic: In Progress Bug description: There is an error message that get thrown in in syslog. There is a suggestion to fix by upgrading the KDB package to version 2.5.1+ or to understand the root cause and troubleshoot as to why it's broken and resolve it there. It is caused by this line in subiquity https://github.com/canonical/subiquity/blob/46f671d14d57a5da6bc3d60b1da6715b43954f0d/bin/subiquity-service#L11 It's due to PIO_FONTX ioctl removed from kernel since 5.12 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff2047fb755d4415ec3c70ac799889371151796d In 2.4.5 of kbd which provide setfont in user space, they already switched over to use KDFONTOP only. ### REPRODUCER STEPS ### # install libvirt sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils sudo systemctl enable libvirtd sudo systemctl start libvirtd # check libvirtd process is running virsh virsh list # get iso wget https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso # install vm sudo virt-install --cdrom='./ubuntu-22.04.1-live-server-amd64.iso' --name=setfont-repo --vcpus=2 --memory=2048 --disk size=20 --serial pty --graphics none --boot=uefi --debug # you can either do the full install, the error will be in the /var/log/installer.log file # or on the first page of the installer press Tab-> go to Help, -> Shell and cd /var/log/ grep setfont* syslog # to show error message cd to /snap/subiquity/3698 #execute setfont $SNAP/subiquity.psf # error root@ubuntu-server:/snap/subiquity/3698# setfont $SNAP/subiquity.psf setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device # grep grep setfont* syslog Nov 14 18:22:11 ubuntu-server console-setup.sh[1107]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device Nov 14 18:22:29 ubuntu-server subiquity.subiquity-service[1878]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device To manage notifications about this bug go to: https://bugs.launchpad.net/subiquity/+bug/1996619/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1996619] Re: Setfont error due to deprecated PIO_FONTX ioctl
kbd kinetic debdiff ** Patch added: "lp1996619kinetic.debdiff" https://bugs.launchpad.net/ubuntu/+source/kbd/+bug/1996619/+attachment/5635099/+files/lp1996619kinetic.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to kbd in Ubuntu. https://bugs.launchpad.net/bugs/1996619 Title: Setfont error due to deprecated PIO_FONTX ioctl Status in subiquity: Invalid Status in kbd package in Ubuntu: Fix Released Status in kbd source package in Jammy: In Progress Status in kbd source package in Kinetic: In Progress Bug description: There is an error message that get thrown in in syslog. There is a suggestion to fix by upgrading the KDB package to version 2.5.1+ or to understand the root cause and troubleshoot as to why it's broken and resolve it there. It is caused by this line in subiquity https://github.com/canonical/subiquity/blob/46f671d14d57a5da6bc3d60b1da6715b43954f0d/bin/subiquity-service#L11 It's due to PIO_FONTX ioctl removed from kernel since 5.12 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff2047fb755d4415ec3c70ac799889371151796d In 2.4.5 of kbd which provide setfont in user space, they already switched over to use KDFONTOP only. ### REPRODUCER STEPS ### # install libvirt sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils sudo systemctl enable libvirtd sudo systemctl start libvirtd # check libvirtd process is running virsh virsh list # get iso wget https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso # install vm sudo virt-install --cdrom='./ubuntu-22.04.1-live-server-amd64.iso' --name=setfont-repo --vcpus=2 --memory=2048 --disk size=20 --serial pty --graphics none --boot=uefi --debug # you can either do the full install, the error will be in the /var/log/installer.log file # or on the first page of the installer press Tab-> go to Help, -> Shell and cd /var/log/ grep setfont* syslog # to show error message cd to /snap/subiquity/3698 #execute setfont $SNAP/subiquity.psf # error root@ubuntu-server:/snap/subiquity/3698# setfont $SNAP/subiquity.psf setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device # grep grep setfont* syslog Nov 14 18:22:11 ubuntu-server console-setup.sh[1107]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device Nov 14 18:22:29 ubuntu-server subiquity.subiquity-service[1878]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device To manage notifications about this bug go to: https://bugs.launchpad.net/subiquity/+bug/1996619/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1996619] Re: Setfont error due to deprecated PIO_FONTX ioctl
kbd jammy debdiff ** Patch added: "lp1996619jammy.debdiff" https://bugs.launchpad.net/ubuntu/+source/kbd/+bug/1996619/+attachment/5635100/+files/lp1996619jammy.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to kbd in Ubuntu. https://bugs.launchpad.net/bugs/1996619 Title: Setfont error due to deprecated PIO_FONTX ioctl Status in subiquity: Invalid Status in kbd package in Ubuntu: Fix Released Status in kbd source package in Jammy: In Progress Status in kbd source package in Kinetic: In Progress Bug description: There is an error message that get thrown in in syslog. There is a suggestion to fix by upgrading the KDB package to version 2.5.1+ or to understand the root cause and troubleshoot as to why it's broken and resolve it there. It is caused by this line in subiquity https://github.com/canonical/subiquity/blob/46f671d14d57a5da6bc3d60b1da6715b43954f0d/bin/subiquity-service#L11 It's due to PIO_FONTX ioctl removed from kernel since 5.12 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff2047fb755d4415ec3c70ac799889371151796d In 2.4.5 of kbd which provide setfont in user space, they already switched over to use KDFONTOP only. ### REPRODUCER STEPS ### # install libvirt sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils sudo systemctl enable libvirtd sudo systemctl start libvirtd # check libvirtd process is running virsh virsh list # get iso wget https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso # install vm sudo virt-install --cdrom='./ubuntu-22.04.1-live-server-amd64.iso' --name=setfont-repo --vcpus=2 --memory=2048 --disk size=20 --serial pty --graphics none --boot=uefi --debug # you can either do the full install, the error will be in the /var/log/installer.log file # or on the first page of the installer press Tab-> go to Help, -> Shell and cd /var/log/ grep setfont* syslog # to show error message cd to /snap/subiquity/3698 #execute setfont $SNAP/subiquity.psf # error root@ubuntu-server:/snap/subiquity/3698# setfont $SNAP/subiquity.psf setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device # grep grep setfont* syslog Nov 14 18:22:11 ubuntu-server console-setup.sh[1107]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device Nov 14 18:22:29 ubuntu-server subiquity.subiquity-service[1878]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device To manage notifications about this bug go to: https://bugs.launchpad.net/subiquity/+bug/1996619/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1996619] Re: Setfont error due to deprecated PIO_FONTX ioctl
** Also affects: kbd (Ubuntu Kinetic) Importance: Undecided Status: New ** Changed in: kbd (Ubuntu Kinetic) Status: New => In Progress ** Changed in: kbd (Ubuntu Kinetic) Assignee: (unassigned) => Heather Lemon (hypothetical-lemon) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to kbd in Ubuntu. https://bugs.launchpad.net/bugs/1996619 Title: Setfont error due to deprecated PIO_FONTX ioctl Status in subiquity: Invalid Status in kbd package in Ubuntu: Fix Released Status in kbd source package in Jammy: In Progress Status in kbd source package in Kinetic: In Progress Bug description: There is an error message that get thrown in in syslog. There is a suggestion to fix by upgrading the KDB package to version 2.5.1+ or to understand the root cause and troubleshoot as to why it's broken and resolve it there. It is caused by this line in subiquity https://github.com/canonical/subiquity/blob/46f671d14d57a5da6bc3d60b1da6715b43954f0d/bin/subiquity-service#L11 It's due to PIO_FONTX ioctl removed from kernel since 5.12 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff2047fb755d4415ec3c70ac799889371151796d In 2.4.5 of kbd which provide setfont in user space, they already switched over to use KDFONTOP only. ### REPRODUCER STEPS ### # install libvirt sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils sudo systemctl enable libvirtd sudo systemctl start libvirtd # check libvirtd process is running virsh virsh list # get iso wget https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso # install vm sudo virt-install --cdrom='./ubuntu-22.04.1-live-server-amd64.iso' --name=setfont-repo --vcpus=2 --memory=2048 --disk size=20 --serial pty --graphics none --boot=uefi --debug # you can either do the full install, the error will be in the /var/log/installer.log file # or on the first page of the installer press Tab-> go to Help, -> Shell and cd /var/log/ grep setfont* syslog # to show error message cd to /snap/subiquity/3698 #execute setfont $SNAP/subiquity.psf # error root@ubuntu-server:/snap/subiquity/3698# setfont $SNAP/subiquity.psf setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device # grep grep setfont* syslog Nov 14 18:22:11 ubuntu-server console-setup.sh[1107]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device Nov 14 18:22:29 ubuntu-server subiquity.subiquity-service[1878]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device To manage notifications about this bug go to: https://bugs.launchpad.net/subiquity/+bug/1996619/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1988270] Re: AppArmor fails to start with Yoga UCA libvirt profile on Focal
** Changed in: cloud-archive/zed Assignee: Heather Lemon (hypothetical-lemon) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1988270 Title: AppArmor fails to start with Yoga UCA libvirt profile on Focal Status in Ubuntu Cloud Archive: Confirmed Status in Ubuntu Cloud Archive yoga series: Confirmed Status in Ubuntu Cloud Archive zed series: Confirmed Status in apparmor package in Ubuntu: Invalid Status in apparmor source package in Focal: Confirmed Status in apparmor source package in Jammy: Confirmed Bug description: [ Impact ] AppArmor fails to start with yoga-focal uca libvirt profile [ Test Plan ] generate yoga-focal openstack instance juju ssh nova-compute/0 sudo systemctl restart apparmor journalctl -xe # Error message ct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94081]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.li> Oct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94082]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Oct 04 15:55:32 juju-6d4862-apparmorbug-9 audit[94084]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="u> Oct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94005]: Error: At least one profile failed to load [ Other Notes ] On a fully patched Ubuntu Focal with Yoga UCA enabled, after installation of libvirt-daemon-system, restarting apparmor would fail with error: Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Restarting AppArmor Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Reloading AppArmor profiles Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6341]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6348]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf. Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6413]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf. Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6418]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Error: At least one profile failed to load Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Failed with result 'exit-code'. Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: Failed to start Load AppArmor profiles. In addition to bpf, perfmon capability, which is also enabled in /etc/apparmor.d/usr.sbin.libvirtd profile, would lead to the same error. System information: root@ubuntu2004:~# uname -a Linux ubuntu2004.localdomain 5.4.0-125-generic #141-Ubuntu SMP Wed Aug 10 13:42:03 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux root@ubuntu2004:~# dpkg -l libvirt\* Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--= ii libvirt-clients8.0.0-1ubuntu7.1~cloud0 amd64 Programs for the libvirt library ii libvirt-daemon 8.0.0-1ubuntu7.1~cloud0 amd64 Virtualization daemon ii libvirt-daemon-config-network 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (default network) ii libvirt-daemon-config-nwfilter 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (default network filters) un libvirt-daemon-driver-lxc (no description available) ii libvirt-daemon-driver-qemu 8.0.0-1ubuntu7.1~cloud0 amd64 Virtualization daemon QEMU connection driver un libvirt-daemon-driver-storage-gluster (no description available) un libvirt-daemon-driver-storage-iscsi-direct (no description available) un libvirt-daemon-driver-storage-rbd (no description available) un libvirt-daemon-driver-storage-zfs (no description available) un libvirt-daemon-driver-vbox (no
[Touch-packages] [Bug 1996619] Re: Setfont error due to deprecated PIO_FONTX ioctl
Okay, Thanks Dan B. & Dann F. I started the Jammy SRU this morning. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to kbd in Ubuntu. https://bugs.launchpad.net/bugs/1996619 Title: Setfont error due to deprecated PIO_FONTX ioctl Status in subiquity: Invalid Status in kbd package in Ubuntu: Fix Released Status in kbd source package in Jammy: In Progress Bug description: There is an error message that get thrown in in syslog. There is a suggestion to fix by upgrading the KDB package to version 2.5.1+ or to understand the root cause and troubleshoot as to why it's broken and resolve it there. It is caused by this line in subiquity https://github.com/canonical/subiquity/blob/46f671d14d57a5da6bc3d60b1da6715b43954f0d/bin/subiquity-service#L11 It's due to PIO_FONTX ioctl removed from kernel since 5.12 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff2047fb755d4415ec3c70ac799889371151796d In 2.4.5 of kbd which provide setfont in user space, they already switched over to use KDFONTOP only. ### REPRODUCER STEPS ### # install libvirt sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils sudo systemctl enable libvirtd sudo systemctl start libvirtd # check libvirtd process is running virsh virsh list # get iso wget https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso # install vm sudo virt-install --cdrom='./ubuntu-22.04.1-live-server-amd64.iso' --name=setfont-repo --vcpus=2 --memory=2048 --disk size=20 --serial pty --graphics none --boot=uefi --debug # you can either do the full install, the error will be in the /var/log/installer.log file # or on the first page of the installer press Tab-> go to Help, -> Shell and cd /var/log/ grep setfont* syslog # to show error message cd to /snap/subiquity/3698 #execute setfont $SNAP/subiquity.psf # error root@ubuntu-server:/snap/subiquity/3698# setfont $SNAP/subiquity.psf setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device # grep grep setfont* syslog Nov 14 18:22:11 ubuntu-server console-setup.sh[1107]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device Nov 14 18:22:29 ubuntu-server subiquity.subiquity-service[1878]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device To manage notifications about this bug go to: https://bugs.launchpad.net/subiquity/+bug/1996619/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1996619] Re: Setfont error due to deprecated PIO_FONTX ioctl
** Changed in: kbd (Ubuntu Jammy) Assignee: (unassigned) => Heather Lemon (hypothetical-lemon) ** Changed in: kbd (Ubuntu Jammy) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to kbd in Ubuntu. https://bugs.launchpad.net/bugs/1996619 Title: Setfont error due to deprecated PIO_FONTX ioctl Status in subiquity: Invalid Status in kbd package in Ubuntu: Fix Released Status in kbd source package in Jammy: In Progress Bug description: There is an error message that get thrown in in syslog. There is a suggestion to fix by upgrading the KDB package to version 2.5.1+ or to understand the root cause and troubleshoot as to why it's broken and resolve it there. It is caused by this line in subiquity https://github.com/canonical/subiquity/blob/46f671d14d57a5da6bc3d60b1da6715b43954f0d/bin/subiquity-service#L11 It's due to PIO_FONTX ioctl removed from kernel since 5.12 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff2047fb755d4415ec3c70ac799889371151796d In 2.4.5 of kbd which provide setfont in user space, they already switched over to use KDFONTOP only. ### REPRODUCER STEPS ### # install libvirt sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils sudo systemctl enable libvirtd sudo systemctl start libvirtd # check libvirtd process is running virsh virsh list # get iso wget https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso # install vm sudo virt-install --cdrom='./ubuntu-22.04.1-live-server-amd64.iso' --name=setfont-repo --vcpus=2 --memory=2048 --disk size=20 --serial pty --graphics none --boot=uefi --debug # you can either do the full install, the error will be in the /var/log/installer.log file # or on the first page of the installer press Tab-> go to Help, -> Shell and cd /var/log/ grep setfont* syslog # to show error message cd to /snap/subiquity/3698 #execute setfont $SNAP/subiquity.psf # error root@ubuntu-server:/snap/subiquity/3698# setfont $SNAP/subiquity.psf setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device # grep grep setfont* syslog Nov 14 18:22:11 ubuntu-server console-setup.sh[1107]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device Nov 14 18:22:29 ubuntu-server subiquity.subiquity-service[1878]: setfont: ERROR kdfontop.c:266 put_font_piofontx: ioctl(PIO_FONTX): 512,8x16: failed: Inappropriate ioctl for device To manage notifications about this bug go to: https://bugs.launchpad.net/subiquity/+bug/1996619/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1988270] Re: AppArmor fails to start with Yoga UCA libvirt profile on Focal
@jjohansen, I've tested both versions and the fix works. Is this is the correct place to track the bug? Or is there another SRU open? Do I need to delete my patch or should I just leave it there? Thank You, Heather Lemon -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1988270 Title: AppArmor fails to start with Yoga UCA libvirt profile on Focal Status in Ubuntu Cloud Archive: Confirmed Status in Ubuntu Cloud Archive yoga series: New Status in Ubuntu Cloud Archive zed series: Confirmed Status in apparmor package in Ubuntu: Invalid Status in apparmor source package in Focal: New Status in apparmor source package in Jammy: New Bug description: [ Impact ] AppArmor fails to start with yoga-focal uca libvirt profile [ Test Plan ] generate yoga-focal openstack instance juju ssh nova-compute/0 sudo systemctl restart apparmor journalctl -xe # Error message ct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94081]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.li> Oct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94082]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Oct 04 15:55:32 juju-6d4862-apparmorbug-9 audit[94084]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="u> Oct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94005]: Error: At least one profile failed to load [ Other Notes ] On a fully patched Ubuntu Focal with Yoga UCA enabled, after installation of libvirt-daemon-system, restarting apparmor would fail with error: Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Restarting AppArmor Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Reloading AppArmor profiles Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6341]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6348]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf. Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6413]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf. Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6418]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Error: At least one profile failed to load Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Failed with result 'exit-code'. Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: Failed to start Load AppArmor profiles. In addition to bpf, perfmon capability, which is also enabled in /etc/apparmor.d/usr.sbin.libvirtd profile, would lead to the same error. System information: root@ubuntu2004:~# uname -a Linux ubuntu2004.localdomain 5.4.0-125-generic #141-Ubuntu SMP Wed Aug 10 13:42:03 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux root@ubuntu2004:~# dpkg -l libvirt\* Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--= ii libvirt-clients8.0.0-1ubuntu7.1~cloud0 amd64 Programs for the libvirt library ii libvirt-daemon 8.0.0-1ubuntu7.1~cloud0 amd64 Virtualization daemon ii libvirt-daemon-config-network 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (default network) ii libvirt-daemon-config-nwfilter 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (default network filters) un libvirt-daemon-driver-lxc (no description available) ii libvirt-daemon-driver-qemu 8.0.0-1ubuntu7.1~cloud0 amd64 Virtualization daemon QEMU connection driver un libvirt-daemon-driver-storage-gluster (no description available) un libvirt-daemon-driver-storage-iscsi-direct (no description available) un libvirt-daemon-driver-storage-rbd (no description available) un libvirt-daemon-driver-storage-zfs
[Touch-packages] [Bug 1988270] Re: AppArmor fails to start with Yoga UCA libvirt profile on Focal
@jjohansen Are you planning to add this fix to the kernel (focal) as well? Thank You, Heather Lemon -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1988270 Title: AppArmor fails to start with Yoga UCA libvirt profile on Focal Status in Ubuntu Cloud Archive: Confirmed Status in Ubuntu Cloud Archive yoga series: New Status in Ubuntu Cloud Archive zed series: Confirmed Status in apparmor package in Ubuntu: Invalid Status in apparmor source package in Focal: New Status in apparmor source package in Jammy: New Bug description: [ Impact ] AppArmor fails to start with yoga-focal uca libvirt profile [ Test Plan ] generate yoga-focal openstack instance juju ssh nova-compute/0 sudo systemctl restart apparmor journalctl -xe # Error message ct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94081]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.li> Oct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94082]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Oct 04 15:55:32 juju-6d4862-apparmorbug-9 audit[94084]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="u> Oct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94005]: Error: At least one profile failed to load [ Other Notes ] On a fully patched Ubuntu Focal with Yoga UCA enabled, after installation of libvirt-daemon-system, restarting apparmor would fail with error: Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Restarting AppArmor Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Reloading AppArmor profiles Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6341]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6348]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf. Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6413]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf. Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6418]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Error: At least one profile failed to load Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Failed with result 'exit-code'. Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: Failed to start Load AppArmor profiles. In addition to bpf, perfmon capability, which is also enabled in /etc/apparmor.d/usr.sbin.libvirtd profile, would lead to the same error. System information: root@ubuntu2004:~# uname -a Linux ubuntu2004.localdomain 5.4.0-125-generic #141-Ubuntu SMP Wed Aug 10 13:42:03 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux root@ubuntu2004:~# dpkg -l libvirt\* Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--= ii libvirt-clients8.0.0-1ubuntu7.1~cloud0 amd64 Programs for the libvirt library ii libvirt-daemon 8.0.0-1ubuntu7.1~cloud0 amd64 Virtualization daemon ii libvirt-daemon-config-network 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (default network) ii libvirt-daemon-config-nwfilter 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (default network filters) un libvirt-daemon-driver-lxc (no description available) ii libvirt-daemon-driver-qemu 8.0.0-1ubuntu7.1~cloud0 amd64 Virtualization daemon QEMU connection driver un libvirt-daemon-driver-storage-gluster (no description available) un libvirt-daemon-driver-storage-iscsi-direct (no description available) un libvirt-daemon-driver-storage-rbd (no description available) un libvirt-daemon-driver-storage-zfs (no description available) un libvirt-daemon-driver-vbox (no description a
[Touch-packages] [Bug 1988270] Re: AppArmor fails to start with Yoga UCA libvirt profile on Focal
remove the extra quilt .pc additions from the top of the patch ** Patch added: "updated patch file to remove quilt .pc lines" https://bugs.launchpad.net/cloud-archive/+bug/1988270/+attachment/5625273/+files/lp1988270-focalyoga-libvirt-removecapability-revision1.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1988270 Title: AppArmor fails to start with Yoga UCA libvirt profile on Focal Status in Ubuntu Cloud Archive: Confirmed Status in Ubuntu Cloud Archive yoga series: New Status in Ubuntu Cloud Archive zed series: Confirmed Status in apparmor package in Ubuntu: Invalid Status in apparmor source package in Focal: New Status in apparmor source package in Jammy: New Bug description: [ Impact ] AppArmor fails to start with yoga-focal uca libvirt profile [ Test Plan ] generate yoga-focal openstack instance juju ssh nova-compute/0 sudo systemctl restart apparmor journalctl -xe # Error message ct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94081]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.li> Oct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94082]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Oct 04 15:55:32 juju-6d4862-apparmorbug-9 audit[94084]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="u> Oct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94005]: Error: At least one profile failed to load [ Other Notes ] On a fully patched Ubuntu Focal with Yoga UCA enabled, after installation of libvirt-daemon-system, restarting apparmor would fail with error: Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Restarting AppArmor Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Reloading AppArmor profiles Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6341]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6348]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf. Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6413]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf. Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6418]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Error: At least one profile failed to load Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Failed with result 'exit-code'. Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: Failed to start Load AppArmor profiles. In addition to bpf, perfmon capability, which is also enabled in /etc/apparmor.d/usr.sbin.libvirtd profile, would lead to the same error. System information: root@ubuntu2004:~# uname -a Linux ubuntu2004.localdomain 5.4.0-125-generic #141-Ubuntu SMP Wed Aug 10 13:42:03 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux root@ubuntu2004:~# dpkg -l libvirt\* Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--= ii libvirt-clients8.0.0-1ubuntu7.1~cloud0 amd64 Programs for the libvirt library ii libvirt-daemon 8.0.0-1ubuntu7.1~cloud0 amd64 Virtualization daemon ii libvirt-daemon-config-network 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (default network) ii libvirt-daemon-config-nwfilter 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (default network filters) un libvirt-daemon-driver-lxc (no description available) ii libvirt-daemon-driver-qemu 8.0.0-1ubuntu7.1~cloud0 amd64 Virtualization daemon QEMU connection driver un libvirt-daemon-driver-storage-gluster (no description available) un libvirt-daemon-driver-storage-iscsi-direct (no description available) un libvirt-daemon-driver-storage-rbd (no description available) un libvirt-daemon-driver-storage-zfs
[Touch-packages] [Bug 1988270] Re: AppArmor fails to start with Yoga UCA libvirt profile on Focal
** Description changed: + + [ Impact ] + + AppArmor fails to start with yoga-focal uca libvirt profile + + + [ Test Plan ] + + generate yoga-focal openstack instance + juju ssh nova-compute/0 + sudo systemctl restart apparmor + journalctl -xe + + # Error message + ct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94081]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.li> + Oct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94082]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd + Oct 04 15:55:32 juju-6d4862-apparmorbug-9 audit[94084]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="u> + Oct 04 15:55:32 juju-6d4862-apparmorbug-9 apparmor.systemd[94005]: Error: At least one profile failed to load + + + [ Other Notes ] + On a fully patched Ubuntu Focal with Yoga UCA enabled, after installation of libvirt-daemon-system, restarting apparmor would fail with error: Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Restarting AppArmor Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Reloading AppArmor profiles Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6341]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6348]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf. Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6413]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf. Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6418]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Error: At least one profile failed to load Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Failed with result 'exit-code'. Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: Failed to start Load AppArmor profiles. In addition to bpf, perfmon capability, which is also enabled in /etc/apparmor.d/usr.sbin.libvirtd profile, would lead to the same error. System information: root@ubuntu2004:~# uname -a Linux ubuntu2004.localdomain 5.4.0-125-generic #141-Ubuntu SMP Wed Aug 10 13:42:03 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux root@ubuntu2004:~# dpkg -l libvirt\* Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--= ii libvirt-clients8.0.0-1ubuntu7.1~cloud0 amd64 Programs for the libvirt library ii libvirt-daemon 8.0.0-1ubuntu7.1~cloud0 amd64 Virtualization daemon ii libvirt-daemon-config-network 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (default network) ii libvirt-daemon-config-nwfilter 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (default network filters) un libvirt-daemon-driver-lxc (no description available) ii libvirt-daemon-driver-qemu 8.0.0-1ubuntu7.1~cloud0 amd64 Virtualization daemon QEMU connection driver un libvirt-daemon-driver-storage-gluster (no description available) un libvirt-daemon-driver-storage-iscsi-direct (no description available) un libvirt-daemon-driver-storage-rbd (no description available) un libvirt-daemon-driver-storage-zfs (no description available) un libvirt-daemon-driver-vbox (no description available) un libvirt-daemon-driver-xen (no description available) ii libvirt-daemon-system 8.0.0-1ubuntu7.1~cloud0 amd64 Libvirt daemon configuration files ii libvirt-daemon-system-systemd 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (systemd) un libvirt-daemon-system-sysv (no description available) un libvirt-login-shell (no description available) un libvirt-sanlock (no description available) ii
[Touch-packages] [Bug 1988270] Re: AppArmor fails to start with Yoga UCA libvirt profile on Focal
When building the debuild there are a few files that got touched like this one, diff -Nru libvirt-8.0.0/debian/.pc/.quilt_patches libvirt-8.0.0/debian/.pc/.quilt_patches --- libvirt-8.0.0/debian/.pc/.quilt_patches 1970-01-01 00:00:00.0 + +++ libvirt-8.0.0/debian/.pc/.quilt_patches 2022-10-17 15:01:12.0 + diff -Nru libvirt-8.0.0/debian/.pc/.quilt_series libvirt-8.0.0/debian/.pc/.quilt_series I don't believe these should be added, but wanted a second opinion. Thank You, Heather Lemon ** Patch added: "adds focal-yoga patch" https://bugs.launchpad.net/cloud-archive/+bug/1988270/+attachment/5624588/+files/lp1988270-focalyoga-removecapability.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1988270 Title: AppArmor fails to start with Yoga UCA libvirt profile on Focal Status in Ubuntu Cloud Archive: Confirmed Status in apparmor package in Ubuntu: Invalid Status in apparmor source package in Focal: New Bug description: On a fully patched Ubuntu Focal with Yoga UCA enabled, after installation of libvirt-daemon-system, restarting apparmor would fail with error: Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Restarting AppArmor Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Reloading AppArmor profiles Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6341]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6348]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf. Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6413]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf. Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6418]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Error: At least one profile failed to load Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Failed with result 'exit-code'. Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: Failed to start Load AppArmor profiles. In addition to bpf, perfmon capability, which is also enabled in /etc/apparmor.d/usr.sbin.libvirtd profile, would lead to the same error. System information: root@ubuntu2004:~# uname -a Linux ubuntu2004.localdomain 5.4.0-125-generic #141-Ubuntu SMP Wed Aug 10 13:42:03 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux root@ubuntu2004:~# dpkg -l libvirt\* Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--= ii libvirt-clients8.0.0-1ubuntu7.1~cloud0 amd64 Programs for the libvirt library ii libvirt-daemon 8.0.0-1ubuntu7.1~cloud0 amd64 Virtualization daemon ii libvirt-daemon-config-network 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (default network) ii libvirt-daemon-config-nwfilter 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (default network filters) un libvirt-daemon-driver-lxc (no description available) ii libvirt-daemon-driver-qemu 8.0.0-1ubuntu7.1~cloud0 amd64 Virtualization daemon QEMU connection driver un libvirt-daemon-driver-storage-gluster (no description available) un libvirt-daemon-driver-storage-iscsi-direct (no description available) un libvirt-daemon-driver-storage-rbd (no description available) un libvirt-daemon-driver-storage-zfs (no description available) un libvirt-daemon-driver-vbox (no description available) un libvirt-daemon-driver-xen (no description available) ii libvirt-daemon-system 8.0.0-1ubuntu7.1~cloud0 amd64 Libvirt daemon configuration files ii libvirt-daemon-system-systemd 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (systemd) un libvirt-daemon-s
[Touch-packages] [Bug 1988270] Re: AppArmor fails to start with Yoga UCA libvirt profile on Focal
** Changed in: cloud-archive Assignee: (unassigned) => Heather Lemon (hypothetical-lemon) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1988270 Title: AppArmor fails to start with Yoga UCA libvirt profile on Focal Status in Ubuntu Cloud Archive: Confirmed Status in apparmor package in Ubuntu: Invalid Status in apparmor source package in Focal: New Bug description: On a fully patched Ubuntu Focal with Yoga UCA enabled, after installation of libvirt-daemon-system, restarting apparmor would fail with error: Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Restarting AppArmor Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Reloading AppArmor profiles Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6341]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6348]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf. Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6413]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf. Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6418]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Aug 31 07:40:52 ubuntu2004.localdomain apparmor.systemd[6335]: Error: At least one profile failed to load Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: apparmor.service: Failed with result 'exit-code'. Aug 31 07:40:52 ubuntu2004.localdomain systemd[1]: Failed to start Load AppArmor profiles. In addition to bpf, perfmon capability, which is also enabled in /etc/apparmor.d/usr.sbin.libvirtd profile, would lead to the same error. System information: root@ubuntu2004:~# uname -a Linux ubuntu2004.localdomain 5.4.0-125-generic #141-Ubuntu SMP Wed Aug 10 13:42:03 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux root@ubuntu2004:~# dpkg -l libvirt\* Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--= ii libvirt-clients8.0.0-1ubuntu7.1~cloud0 amd64 Programs for the libvirt library ii libvirt-daemon 8.0.0-1ubuntu7.1~cloud0 amd64 Virtualization daemon ii libvirt-daemon-config-network 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (default network) ii libvirt-daemon-config-nwfilter 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (default network filters) un libvirt-daemon-driver-lxc (no description available) ii libvirt-daemon-driver-qemu 8.0.0-1ubuntu7.1~cloud0 amd64 Virtualization daemon QEMU connection driver un libvirt-daemon-driver-storage-gluster (no description available) un libvirt-daemon-driver-storage-iscsi-direct (no description available) un libvirt-daemon-driver-storage-rbd (no description available) un libvirt-daemon-driver-storage-zfs (no description available) un libvirt-daemon-driver-vbox (no description available) un libvirt-daemon-driver-xen (no description available) ii libvirt-daemon-system 8.0.0-1ubuntu7.1~cloud0 amd64 Libvirt daemon configuration files ii libvirt-daemon-system-systemd 8.0.0-1ubuntu7.1~cloud0 all Libvirt daemon configuration files (systemd) un libvirt-daemon-system-sysv (no description available) un libvirt-login-shell (no description available) un libvirt-sanlock (no description available) ii libvirt0:amd64 8.0.0-1ubuntu7.1~cloud0 amd64 library for interfacing with different virtualization systems root@ubuntu2004:~# dpkg -l apparmor\* Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,
[Touch-packages] [Bug 1934147] Re: systemd leaks abandoned session scopes
** Changed in: systemd (Ubuntu Bionic)
Assignee: Heather Lemon (hypothetical-lemon) => Dan Streetman (ddstreet)
** Changed in: systemd (Ubuntu Focal)
Assignee: Heather Lemon (hypothetical-lemon) => Dan Streetman (ddstreet)
** Changed in: systemd (Ubuntu Hirsute)
Assignee: Heather Lemon (hypothetical-lemon) => Dan Streetman (ddstreet)
** Changed in: systemd (Ubuntu Impish)
Assignee: Heather Lemon (hypothetical-lemon) => Dan Streetman (ddstreet)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1934147
Title:
systemd leaks abandoned session scopes
Status in snapd:
New
Status in systemd:
New
Status in systemd package in Ubuntu:
In Progress
Status in systemd source package in Bionic:
Confirmed
Status in systemd source package in Focal:
In Progress
Status in systemd source package in Groovy:
Won't Fix
Status in systemd source package in Hirsute:
In Progress
Status in systemd source package in Impish:
In Progress
Bug description:
[impact]
systemd may leak sessions, leaving empty cgroups around as well as
abandoned session scopes.
[test case]
on a system where the user has a ssh key that allows noninteractive
login to localhost, and also has noninteractive sudo, run:
$ for i in {1..100}; do sudo -b -i -u ubuntu ssh localhost -- sleep 1;
done; for i in {1..20}; do echo 'Reloading...'; sudo systemctl daemon-
reload; done
check the sessions to see there have been leaked sessions:
$ loginctl list-sessions
SESSION UID USER SEAT TTY
1 1000 ubuntu ttyS0
350 1000 ubuntu
351 1000 ubuntu
360 1000 ubuntu
...
to verify the sessions were leaked, clear them out with:
$ echo '' | sudo tee
/sys/fs/cgroup/unified/user.slice/user-1000.slice/session-*.scope/cgroup.events
that should result in all the leaked sessions being cleaned up.
[regression potential]
issues during systemd pid1 reexec/reload, or issues while cleaning up
sessions, including leaking sessions/cgroups
[scope]
this is needed for all releases
upstream bug linked above, and upstream PR:
https://github.com/systemd/systemd/pull/20199
[original description]
On a system that is monitored via telegraf I found many abandoned
systemd session which I believe are created by a potential race where
systemd is reloading unit files and at the same time a user is
connecting to the system via ssh or is executing the su command.
The simple reproducer
$ for i in {1..100}; do sleep 0.2; ssh localhost sudo systemctl
daemon-reload & ssh localhost sleep 1 & done
Wait > 1 second
$ jobs -p | xargs --verbose --no-run-if-empty kill -KILL
To clean out STOPPED jobs and
$ systemctl status --all 2> /dev/null | grep --before-context 3
abandoned
will produce something similar to
│ ├─ 175 su - ubuntu
│ ├─ 178 -su
│ ├─62375 systemctl status --all
│ └─62376 grep --color=auto --before-context 3 abandoned
--
● session-273.scope - Session 273 of user ubuntu
Loaded: loaded (/run/systemd/transient/session-273.scope; transient)
Transient: yes
Active: active (abandoned) since Wed 2021-06-30 13:32:03 UTC; 4min 7s ago
--
● session-274.scope - Session 274 of user ubuntu
Loaded: loaded (/run/systemd/transient/session-274.scope; transient)
Transient: yes
Active: active (abandoned) since Wed 2021-06-30 13:32:03 UTC; 4min 7s ago
--
● session-30.scope - Session 30 of user ubuntu
Loaded: loaded (/run/systemd/transient/session-30.scope; transient)
Transient: yes
Active: active (abandoned) since Wed 2021-06-30 10:05:56 UTC; 3h 30min ago
--
● session-302.scope - Session 302 of user ubuntu
Loaded: loaded (/run/systemd/transient/session-302.scope; transient)
Transient: yes
Active: active (abandoned) since Wed 2021-06-30 13:32:04 UTC; 4min 6s ago
--
│ ├─ 175 su - ubuntu
│ ├─ 178 -su
│ ├─62375 systemctl status --all
│ └─62376 grep --color=auto --before-context 3 abandoned
The system in question is running Bionic, systemd-237-3ubuntu10.48
To manage notifications about this bug go to:
https://bugs.launchpad.net/snapd/+bug/1934147/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1938259] Re: Add ACCEL_LOCATION=base property for Dell clamshell models
** Merge proposal unlinked: https://code.launchpad.net/~hypothetical-lemon/ubuntu/+source/systemd/+git/systemd/+merge/407551 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1938259 Title: Add ACCEL_LOCATION=base property for Dell clamshell models Status in OEM Priority Project: New Status in systemd package in Ubuntu: In Progress Status in systemd source package in Focal: In Progress Status in systemd source package in Hirsute: In Progress Status in systemd source package in Impish: In Progress Bug description: We are planning to do SRU to systemd in focal, to avoid unwanted screen rotations on some Dell laptop models. [Impact] * This fixes unwanted rotations on certain Dell clamshell laptop models with accelerometer. [Test Plan] * On Dell laptops with model SKU 0A3E or 0E0E, install this package and kernel 5.13, or kernel with this patch backported: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e26f023e01ef26b4138bc1099af309bdc4523d23 * Rotate the laptop and the display should not be rotated. [Where problems could occur] * This is to add parameters for certain models in hwdb, and does not affect any other part of systemd. * This fix would only take effect with kernel 5.13 or the above patch backported. [scope] this is needed for all releases this is being fixed upstream by https://github.com/systemd/systemd/pull/20314 [Other info] * The patch mentioned above is going to have a separated SRU for linux-oem-5.10 and linux-hwe-5.11 (LP: #1938143) To manage notifications about this bug go to: https://bugs.launchpad.net/oem-priority/+bug/1938259/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1934147] Re: systemd leaks abandoned session scopes
** Merge proposal linked:
https://code.launchpad.net/~hypothetical-lemon/ubuntu/+source/systemd/+git/systemd/+merge/407551
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1934147
Title:
systemd leaks abandoned session scopes
Status in snapd:
New
Status in systemd:
New
Status in systemd package in Ubuntu:
In Progress
Status in systemd source package in Bionic:
Confirmed
Status in systemd source package in Focal:
In Progress
Status in systemd source package in Groovy:
Won't Fix
Status in systemd source package in Hirsute:
In Progress
Status in systemd source package in Impish:
In Progress
Bug description:
[impact]
systemd may leak sessions, leaving empty cgroups around as well as
abandoned session scopes.
[test case]
on a system where the user has a ssh key that allows noninteractive
login to localhost, and also has noninteractive sudo, run:
$ for i in {1..100}; do sudo -b -i -u ubuntu ssh localhost -- sleep 1;
done; for i in {1..20}; do echo 'Reloading...'; sudo systemctl daemon-
reload; done
check the sessions to see there have been leaked sessions:
$ loginctl list-sessions
SESSION UID USER SEAT TTY
1 1000 ubuntu ttyS0
350 1000 ubuntu
351 1000 ubuntu
360 1000 ubuntu
...
to verify the sessions were leaked, clear them out with:
$ echo '' | sudo tee
/sys/fs/cgroup/unified/user.slice/user-1000.slice/session-*.scope/cgroup.events
that should result in all the leaked sessions being cleaned up.
[regression potential]
issues during systemd pid1 reexec/reload, or issues while cleaning up
sessions, including leaking sessions/cgroups
[scope]
this is needed for all releases
upstream bug linked above, and upstream PR:
https://github.com/systemd/systemd/pull/20199
[original description]
On a system that is monitored via telegraf I found many abandoned
systemd session which I believe are created by a potential race where
systemd is reloading unit files and at the same time a user is
connecting to the system via ssh or is executing the su command.
The simple reproducer
$ for i in {1..100}; do sleep 0.2; ssh localhost sudo systemctl
daemon-reload & ssh localhost sleep 1 & done
Wait > 1 second
$ jobs -p | xargs --verbose --no-run-if-empty kill -KILL
To clean out STOPPED jobs and
$ systemctl status --all 2> /dev/null | grep --before-context 3
abandoned
will produce something similar to
│ ├─ 175 su - ubuntu
│ ├─ 178 -su
│ ├─62375 systemctl status --all
│ └─62376 grep --color=auto --before-context 3 abandoned
--
● session-273.scope - Session 273 of user ubuntu
Loaded: loaded (/run/systemd/transient/session-273.scope; transient)
Transient: yes
Active: active (abandoned) since Wed 2021-06-30 13:32:03 UTC; 4min 7s ago
--
● session-274.scope - Session 274 of user ubuntu
Loaded: loaded (/run/systemd/transient/session-274.scope; transient)
Transient: yes
Active: active (abandoned) since Wed 2021-06-30 13:32:03 UTC; 4min 7s ago
--
● session-30.scope - Session 30 of user ubuntu
Loaded: loaded (/run/systemd/transient/session-30.scope; transient)
Transient: yes
Active: active (abandoned) since Wed 2021-06-30 10:05:56 UTC; 3h 30min ago
--
● session-302.scope - Session 302 of user ubuntu
Loaded: loaded (/run/systemd/transient/session-302.scope; transient)
Transient: yes
Active: active (abandoned) since Wed 2021-06-30 13:32:04 UTC; 4min 6s ago
--
│ ├─ 175 su - ubuntu
│ ├─ 178 -su
│ ├─62375 systemctl status --all
│ └─62376 grep --color=auto --before-context 3 abandoned
The system in question is running Bionic, systemd-237-3ubuntu10.48
To manage notifications about this bug go to:
https://bugs.launchpad.net/snapd/+bug/1934147/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1938259] Re: Add ACCEL_LOCATION=base property for Dell clamshell models
** Merge proposal unlinked: https://code.launchpad.net/~hypothetical-lemon/ubuntu/+source/systemd/+git/systemd/+merge/407548 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1938259 Title: Add ACCEL_LOCATION=base property for Dell clamshell models Status in OEM Priority Project: New Status in systemd package in Ubuntu: In Progress Status in systemd source package in Focal: In Progress Status in systemd source package in Hirsute: In Progress Status in systemd source package in Impish: In Progress Bug description: We are planning to do SRU to systemd in focal, to avoid unwanted screen rotations on some Dell laptop models. [Impact] * This fixes unwanted rotations on certain Dell clamshell laptop models with accelerometer. [Test Plan] * On Dell laptops with model SKU 0A3E or 0E0E, install this package and kernel 5.13, or kernel with this patch backported: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e26f023e01ef26b4138bc1099af309bdc4523d23 * Rotate the laptop and the display should not be rotated. [Where problems could occur] * This is to add parameters for certain models in hwdb, and does not affect any other part of systemd. * This fix would only take effect with kernel 5.13 or the above patch backported. [scope] this is needed for all releases this is being fixed upstream by https://github.com/systemd/systemd/pull/20314 [Other info] * The patch mentioned above is going to have a separated SRU for linux-oem-5.10 and linux-hwe-5.11 (LP: #1938143) To manage notifications about this bug go to: https://bugs.launchpad.net/oem-priority/+bug/1938259/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
