got the copy apparmor issue:
Dec 19 19:15:23 autopkgtest-lxd-kakmxr kernel: audit: type=1400 audit(1766171723.978:5081): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=260278 comm="exe" requested="userns_create" target="unprivileged_userns" execpath="/usr/libexec/buildah/copy"
Dec 19 19:15:23 autopkgtest-lxd-kakmxr kernel: audit: type=1400 audit(1766171723.981:5082): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=260278 comm="exe" capability=21 capname="sys_admin"
Dec 19 19:15:29 autopkgtest-lxd-kakmxr kernel: audit: type=1400 audit(1766171729.005:5083): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=260291 comm="exe" requested="userns_create" target="unprivileged_userns" execpath="/usr/libexec/buildah/copy"
Dec 19 19:15:29 autopkgtest-lxd-kakmxr kernel: audit: type=1400 audit(1766171729.007:5084): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=260291 comm="exe" capability=21 capname="sys_admin"

Setup:
* start a resolute VM
* add in proposed
* full upgrade VM
* install golang-github-containers-buildah from proposed (and its deps)
* have the source handy (download the source from proposed into the VM or locally)
* set up a directory to play with
* set up environment variables
  * from debian/tests/bats
      export BUILDAH_BINARY=/usr/bin/buildah
      export INET_BINARY=/usr/libexec/buildah/inet
      export IMGTYPE_BINARY=/usr/libexec/buildah/imgtype
      export COPY_BINARY=/usr/libexec/buildah/copy
      export TUTORIAL_BINARY=/usr/libexec/buildah/tutorial
      export PASSWD_BINARY=/usr/libexec/buildah/passwd
      export DUMPSPEC_BINARY=/usr/libexec/buildah/dumpspec
  * PLAYGROUND_TMP_DIR=<whatever you want. it's where you'll make a registry>
* a minimal reproducer, copy/pasted from tests/helpers.bash
    #!/usr/bin/bash

    function normalize_image_name() {
        for img in "$@"; do
            if [[ "${img##*/}" == "$img" ]] ; then
                echo -n docker.io/library/"$img"
            elif [[ docker.io/"${img##*/}" == "$img" ]] ; then
                echo -n docker.io/library/"${img##*/}"
            else
                echo -n "$img"
            fi
        done
    }

    function _prefetch() {
        echo "prefetching"
        if [ -z "${_BUILDAH_IMAGE_CACHEDIR}" ]; then
            echo "gotta have that cachedir!"
            export _BUILDAH_IMAGE_CACHEDIR=${PLAYGROUND_TMP_DIR}/buildah-image-cache
            mkdir -p ${_BUILDAH_IMAGE_CACHEDIR}
            echo "we got it. prolly"
            # It's 700 by default; that prevents 'unshare' from reading cached images
            # i deleted this because i made the directory and it has the correct permissions
        fi
        local storage=
        for img in "$@"; do
            echo "checking on $img"
            if [[ "$img" =~ '[vfs@' ]] ; then
                storage="$img"
                continue
            fi
            img=$(normalize_image_name "$img")
            echo "we normalized ${img}"
            echo "# [checking for: $img]" >&2
            fname=$(tr -c a-zA-Z0-9.- - <<< "$img")
            # note: die is not defined in this standalone copy
            ( flock --timeout 300 9 || die "Could not flock"; _prefetch_locksafe $img $fname ) \
                9> $_BUILDAH_IMAGE_CACHEDIR/$fname.lock
            echo "successfully ran _prefetch_locksafe"
        done
    }

    function _prefetch_locksafe() {
        local img="$1"
        local fname="$2"
        echo "now we do the locksafe fetch"
        if [ -d $_BUILDAH_IMAGE_CACHEDIR/$fname ]; then
            echo "# [restoring from cache: $_BUILDAH_IMAGE_CACHEDIR / $img]" >&2
            copy dir:$_BUILDAH_IMAGE_CACHEDIR/$fname containers-storage:"$storage""$img"
        else
            rm -fr ${_BUILDAH_IMAGE_CACHEDIR:?THIS CAN NEVER HAPPEN}/$fname
            echo "# [copy docker://$img dir:$_BUILDAH_IMAGE_CACHEDIR/$fname]" >&2
            for attempt in $(seq 3) ; do
                if copy $COPY_REGISTRY_OPTS docker://"$img" dir:$_BUILDAH_IMAGE_CACHEDIR/$fname ; then
                    break
                else
                    # Failed. Clean up, so we don't leave incomplete remnants
                    rm -fr ${_BUILDAH_IMAGE_CACHEDIR:?THIS CAN NEVER HAPPEN EITHER}/$fname
                fi
                sleep 5
            done
            echo "# [copy dir:$_BUILDAH_IMAGE_CACHEDIR/$fname containers-storage:$storage$img]" >&2
            copy dir:$_BUILDAH_IMAGE_CACHEDIR/$fname containers-storage:"$storage""$img"
        fi
    }

    function copy() {
        ${COPY_BINARY} --max-parallel-downloads=1 ${ROOTDIR_OPTS} ${BUILDAH_REGISTRY_OPTS} "$@"
    }

    _prefetch "$@"
* make it executable
* invoke:
    $ ./pre_fetch ubuntu
    prefetching
    gotta have that cachedir!
    we got it. prolly
    checking on ubuntu
    we normalized docker.io/library/ubuntu
    # [checking for: docker.io/library/ubuntu]
    now we do the locksafe fetch
    # [copy docker://docker.io/library/ubuntu dir:/tmp/autopkgtest.9OjKyA/playground/tmpdir//buildah-image-cache/docker.io-library-ubuntu-]
    Error during unshare(...): Operation not permitted
    Error during unshare(...): Operation not permitted

now on to examining what's being called by /usr/libexec/buildah/copy to
see why it, specifically, does something with `unshare` that doesn't
match running similar things locally
--
https://bugs.launchpad.net/bugs/2136831
Title:
1.42.1+ds1-2 autopkgtest failures in resolute due to various apparmor
issues
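
Added example, not part of the original bug comment: a small Python correlator that pairs each userns_create profile transition in the audit lines above with the capability denial logged afterwards for the same pid, which is the pattern the log shows for /usr/libexec/buildah/copy. The function names are illustrative; the sample is the four records from the report, unwrapped to one line each.

```python
import re

# The four audit records quoted in the report, unwrapped to one line each.
SAMPLE_LOG = """\
Dec 19 19:15:23 autopkgtest-lxd-kakmxr kernel: audit: type=1400 audit(1766171723.978:5081): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=260278 comm="exe" requested="userns_create" target="unprivileged_userns" execpath="/usr/libexec/buildah/copy"
Dec 19 19:15:23 autopkgtest-lxd-kakmxr kernel: audit: type=1400 audit(1766171723.981:5082): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=260278 comm="exe" capability=21 capname="sys_admin"
Dec 19 19:15:29 autopkgtest-lxd-kakmxr kernel: audit: type=1400 audit(1766171729.005:5083): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=260291 comm="exe" requested="userns_create" target="unprivileged_userns" execpath="/usr/libexec/buildah/copy"
Dec 19 19:15:29 autopkgtest-lxd-kakmxr kernel: audit: type=1400 audit(1766171729.007:5084): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=260291 comm="exe" capability=21 capname="sys_admin"
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
AUDIT_ID = re.compile(r'audit\(\d+\.\d+:(\d+)\)')  # audit(<epoch>:<serial>)

def parse_record(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    ident = AUDIT_ID.search(line)
    if ident is None or "apparmor=" not in line:
        return None
    fields = {key: quoted or bare for key, quoted, bare in KV.findall(line[ident.end():])}
    fields["serial"] = int(ident.group(1))
    return fields

def correlate(log_text):
    """Pair each userns_create profile transition with later capability
    denials logged for the same pid under the transition's target profile."""
    transitions = {}  # pid -> record of the most recent userns_create transition
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        pid = rec.get("pid")
        if rec.get("operation") == "userns_create" and "target" in rec:
            transitions[pid] = rec
        elif rec.get("apparmor") == "DENIED" and rec.get("operation") == "capable":
            src = transitions.get(pid)
            # Only report denials raised under the profile the pid was moved into.
            if src is not None and src["target"] == rec.get("profile"):
                findings.append({
                    "pid": pid, "execpath": src.get("execpath"),
                    "profile": rec["profile"], "capname": rec.get("capname"),
                    "serials": (src["serial"], rec["serial"]),
                })
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

Each finding ties the denied capability back to the executable that created the user namespace, which the DENIED record alone does not name.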