[Bug 1188295] New: [Build 20210712] openQA test fails in apache2_changehat
http://bugzilla.opensuse.org/show_bug.cgi?id=1188295

            Bug ID: 1188295
           Summary: [Build 20210712] openQA test fails in apache2_changehat
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
               URL: https://openqa.opensuse.org/tests/1839343/modules/apache2_changehat/steps/103
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: AppArmor
          Assignee: suse-beta@cboltz.de
          Reporter: dimstar@opensuse.org
        QA Contact: qa-bugs@suse.de
          Found By: openQA
           Blocker: Yes

## Observation

openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-apparmor_profile@64bit fails in
[apache2_changehat](https://openqa.opensuse.org/tests/1839343/modules/apache2_changehat/steps/10...)

from the journal

[ 776.033882] systemd[1]: Stopping The Apache Webserver...
[ 776.096743] start_apache2[5265]: AH00557: httpd-prefork: apr_sockaddr_info_get() failed for susetest
[ 776.098291] start_apache2[5265]: AH00558: httpd-prefork: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
[ 776.100923] start_apache2[5265]: (13)Permission denied: AH00057: sending signal to server
[ 776.133194] systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
[ 776.217651] systemd[1]: apache2.service: Failed with result 'exit-code'.
[ 776.225270] systemd[1]: Stopped The Apache Webserver.
[ 776.227450] systemd[1]: Starting The Apache Webserver...
[ 776.283955] start_apache2[5279]: AH00557: httpd-prefork: apr_sockaddr_info_get() failed for susetest
[ 776.285582] start_apache2[5279]: AH00558: httpd-prefork: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message aQ56V-0-
[ 776.297611] systemd[1]: Started The Apache Webserver.
[ 776.314223] systemd[1]: apache2.service: Main process exited, code=exited, status=1/FAILURE
[ 776.315654] systemd[1]: apache2.service: Failed with result 'exit-code'

The test also has an attached audit log, which seems to point at AppArmor blocking us.

## Test suite description

Maintainer: llzhao@suse.de. Test AppArmor profiles with an existing disk image.

## Reproducible

Fails since (at least) Build [20210412](https://openqa.opensuse.org/tests/1697443)

## Expected result

Last good: [20210410](https://openqa.opensuse.org/tests/1696381) (or more recent)

## Further details

Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensuse&flavor=DVD&machine=64bit&test=apparmor_profile&version=Tumbleweed)

--
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1188295#c1

--- Comment #1 from Christian Boltz <suse-beta@cboltz.de> ---
Just checked the latest audit.log, and it contains several DENIED lines for apache that need profile additions.

several

    operation="file_receive" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/httpd-prefork"

-> please add the attach_disconnected flag to the profile

    operation="open" profile="/usr/sbin/httpd-prefork" name="/etc/ssl/openssl.cnf" pid=5279 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 FSUID="root" OUID="root"

-> #include <abstractions/openssl>

    operation="signal" profile="/usr/sbin/httpd-prefork" pid=5265 comm="httpd-prefork" requested_mask="send" denied_mask="send" signal=winch peer="unconfined"

That's strange - the "winch" signal is (according to man 7 signal) "Window resize signal". I can't imagine why Apache would send such a signal, and unless you have an idea what's causing this, would recommend not to allow this.

And the winner is...

    operation="mknod" profile="/usr/sbin/httpd-prefork" name="/run/httpd.pid.PVbmMe" pid=5279 comm="httpd-prefork" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 FSUID="root" OUID="root"

which means Apache now uses a mktemp-generated pid filename and can't create it.

-> /run/httpd.pid.?????? rw,

Correct me if I'm wrong, but - this test uses the data/apparmor/usr.sbin.httpd-prefork profile in the os-autoinst-distri-opensuse repo, right? Therefore I'd argue that this bug is in the openQA test, not in the AppArmor package ;-) (I might fix it nevertheless ;-)

http://bugzilla.opensuse.org/show_bug.cgi?id=1188295#c2

--- Comment #2 from Dominique Leuenberger <dimstar@opensuse.org> ---
Doh, you're actually right:

    assert_script_run("wget --quiet " . data_url("apparmor/$profile_name_new") . " -O $prof_dir/$profile_name");

This takes a profile that does not come from the distro

http://bugzilla.opensuse.org/show_bug.cgi?id=1188295#c3

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |IN_PROGRESS

--- Comment #3 from Christian Boltz <suse-beta@cboltz.de> ---
Updated profile submitted as https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/12903

http://bugzilla.opensuse.org/show_bug.cgi?id=1188295#c4

--- Comment #4 from Christian Boltz <suse-beta@cboltz.de> ---
For completeness: it looks like the WINCH signal is indeed used by Apache for graceful shutdown, see https://httpd.apache.org/docs/2.4/en/stopping.html#gracefulstop

However, peer="unconfined" looks strange. I'd expect that Apache sends that signal only to its child processes, which run under the same profile or in a hat.

If you ever see a denial for WINCH with peer="/usr/sbin/httpd-prefork" (or one of its hats), feel free to report it (or add a signal rule for it to the profile) - but I'd recommend not to add a rule for peer="unconfined".
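
The triage described in comments #1 and #4, as an added example (not part of the bug thread and not code from AppArmor or the openQA test suite). The sample lines are constructed from the denials quoted above; the function names, the 6-character mktemp heuristic and the one-entry abstraction table are assumptions of this sketch.

```python
import re

# Constructed sample: field values follow the denials quoted in the thread;
# the "type=AVC msg=audit(...)" prefixes and timestamps are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1626100000.101:201): apparmor="DENIED" operation="file_receive" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/httpd-prefork"
type=AVC msg=audit(1626100000.102:202): apparmor="DENIED" operation="open" profile="/usr/sbin/httpd-prefork" name="/etc/ssl/openssl.cnf" pid=5279 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1626100000.103:203): apparmor="DENIED" operation="signal" profile="/usr/sbin/httpd-prefork" pid=5265 comm="httpd-prefork" requested_mask="send" denied_mask="send" signal=winch peer="unconfined"
type=AVC msg=audit(1626100000.104:204): apparmor="DENIED" operation="mknod" profile="/usr/sbin/httpd-prefork" name="/run/httpd.pid.PVbmMe" pid=5279 comm="httpd-prefork" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
MKTEMP = re.compile(r"^(.*\.)[A-Za-z0-9]{6}$")     # heuristic: mktemp-style suffix
KNOWN_ABSTRACTIONS = {"/etc/ssl/openssl.cnf": "#include <abstractions/openssl>"}

def parse(line):
    """Return the key=value fields of one audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def triage(f):
    """Map one DENIED record to (action, text): 'flag', 'rule' or 'review'."""
    if "disconnected path" in f.get("info", ""):
        return ("flag", "attach_disconnected")
    if f["operation"] == "signal":
        if f["peer"] == "unconfined":
            # Never propose a rule for an unconfined peer; a human decides.
            return ("review", f"signal {f['signal']} to unconfined peer")
        return ("rule", f"signal ({f['denied_mask']}) set=({f['signal']}) peer={f['peer']},")
    name = f.get("name", "")
    if name in KNOWN_ABSTRACTIONS:
        return ("rule", KNOWN_ABSTRACTIONS[name])
    # Log masks c (create) and d (delete) are granted by "w" in a profile.
    perms = "".join(dict.fromkeys("w" if c in "cd" else c for c in f["denied_mask"]))
    m = MKTEMP.match(name)
    path = m.group(1) + "??????" if m else name
    return ("rule", f"{path} {perms},")

def triage_log(text):
    """Triage every AppArmor DENIED line in an audit log excerpt."""
    return [triage(parse(l)) for l in text.splitlines() if 'apparmor="DENIED"' in l]
```

The sketch proposes only the permission the log shows as denied (`w` for the pid file), whereas the rule suggested in comment #1 grants `rw`; every proposed rule still needs a human review before it goes into the profile.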

http://bugzilla.opensuse.org/show_bug.cgi?id=1188295#c5

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|IN_PROGRESS                 |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Christian Boltz <suse-beta@cboltz.de> ---
Funnily, the updated profile broke the openQA test code (which had some self-made code to parse the AppArmor profile). After fixing this (and updating a needle), the test is green again :-) and the PR was merged.