[Bug 1208920] New: [Build 20230302][ltp] insmod01_sh
http://bugzilla.opensuse.org/show_bug.cgi?id=1208920 Bug ID: 1208920 Summary: [Build 20230302][ltp] insmod01_sh Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other URL: https://openqa.opensuse.org/tests/3154648/modules/insm od01_sh/steps/6 OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Kernel Assignee: kernel-bugs@opensuse.org Reporter: dimstar@opensuse.org QA Contact: qa-bugs@suse.de Found By: openQA Blocker: Yes ## Observation insmod01 1 TINFO: Found module at 'ltp_insmod01.ko' insmod01 1 TINFO: timeout per run is 0h 5m 0s insmod: ERROR: could not insert module ltp_insmod01.ko: Operation not permitted insmod01 1 TFAIL: insmod failed insmod01 2 TINFO: AppArmor enabled, this may affect test results insmod01 2 TINFO: it can be disabled with TST_DISABLE_APPARMOR=1 (requires super/root) insmod01 2 TINFO: loaded AppArmor profiles: none Summary: passed 0 failed 1 broken 0 skipped 0 warnings 0 openQA test in scenario opensuse-Tumbleweed-JeOS-for-kvm-and-xen-x86_64-jeos-ltp-commands@uefi_virtio-2G fails in [insmod01_sh](https://openqa.opensuse.org/tests/3154648/modules/insmod01_sh/steps/6) ## Test suite description backup: LTP_COMMAND_EXCLUDE=tar01_sh|logrotate_sh|unzip01_sh|df01_.*_sh|sysctl01_sh|mkfs01.*_sh|which01_sh|insmod01_sh ## Reproducible Fails since (at least) Build [20230302](https://openqa.opensuse.org/tests/3154346) ## Expected result Last good: [20230301](https://openqa.opensuse.org/tests/3152037) (or more recent) ## Further details Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensuse&flavor=JeOS-for-kvm-and-xen&machine=uefi_virtio-2G&test=jeos-ltp-commands&version=Tumbleweed) -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1208920 Dominique Leuenberger <dimstar@opensuse.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |pcervinka@suse.com -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1208920 Dominique Leuenberger <dimstar@opensuse.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |petr.vorel@suse.com -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1208920 http://bugzilla.opensuse.org/show_bug.cgi?id=1208920#c1 --- Comment #1 from Dominique Leuenberger <dimstar@opensuse.org> --- This happens newly since the upgrade to kernel 6.2.1 with the lockdown patchset -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1208920 http://bugzilla.opensuse.org/show_bug.cgi?id=1208920#c2 --- Comment #2 from Petr Vorel <petr.vorel@suse.com> --- Thanks! We need to add tst_lockdown_enabled() support from C API to shell API. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1208920 Petr Vorel <petr.vorel@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|kernel-bugs@opensuse.org |petr.vorel@suse.com -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1208920 http://bugzilla.opensuse.org/show_bug.cgi?id=1208920#c3 --- Comment #3 from Petr Vorel <petr.vorel@suse.com> --- I'm not able to reproduce the problem on affected system running locally. Any hint what could cause permission problem? Nothing obvious in dmesg. insmod: ERROR: could not insert module ltp_insmod01.ko: Operation not permitted -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1208920 http://bugzilla.opensuse.org/show_bug.cgi?id=1208920#c4 --- Comment #4 from Petr Vorel <petr.vorel@suse.com> --- OK, the solution is in #2. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1208920 http://bugzilla.opensuse.org/show_bug.cgi?id=1208920#c5 Petr Vorel <petr.vorel@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |IN_PROGRESS --- Comment #5 from Petr Vorel <petr.vorel@suse.com> --- Patch sent to ML: https://lore.kernel.org/ltp/20230308093219.27090-1-pvorel@suse.cz/ https://patchwork.ozlabs.org/project/ltp/list/?series=345235&state=* Verification run: * TCONF on JeOS https://openqa.opensuse.org/tests/3162558#step/insmod01_sh/8 * Normally run on Tumbleweed DVD https://openqa.opensuse.org/tests/3162559#step/insmod01_sh/8 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1208920 http://bugzilla.opensuse.org/show_bug.cgi?id=1208920#c7 Petr Vorel <petr.vorel@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(pcervinka@suse.co | |m) --- Comment #7 from Petr Vorel <petr.vorel@suse.com> --- (In reply to Fabian Vogt from comment #6)
Arguably the reason why this test fails with lockdown is downstream: The kernel module is not signed with a trusted key. If the module was built with a trusted key or the key installed into the system, the test would work.
OK, good catch. @pcervinka any idea if we can sign with a trusted key during openQA testing? Although we have packages in OBS/IBS, in the end we build kernel modules from git: https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/a12470ab7351... Or do we have to skip the test for JeOS? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1208920 http://bugzilla.opensuse.org/show_bug.cgi?id=1208920#c8 Petr Cervinka <pcervinka@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(pcervinka@suse.co | |m) | --- Comment #8 from Petr Cervinka <pcervinka@suse.com> --- (In reply to Petr Vorel from comment #7)
@pcervinka any idea if we can sign with a trusted key during openQA testing? Although we have packages in OBS/IBS, in the end we build kernel modules from git:
https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/ a12470ab73518f8b486a60dc65d34d494940d27e/tests/kernel/install_ltp.pm#L216
Or do we have to skip the test for JeOS? I would skip it for now, do don't block whole JeOS validation. We just need to update our flow to new feature.
(In reply to Fabian Vogt from comment #6)
Arguably the reason why this test fails with lockdown is downstream: The kernel module is not signed with a trusted key. If the module was built with a trusted key or the key installed into the system, the test would work.
As it looks like new feature and we are not primarily kernel developers. Could you please give us hints for documentation about signing modules in build service? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1208920 http://bugzilla.opensuse.org/show_bug.cgi?id=1208920#c9 --- Comment #9 from Petr Vorel <petr.vorel@suse.com> --- (In reply to Petr Cervinka from comment #8)
(In reply to Petr Vorel from comment #7)
Or do we have to skip the test for JeOS? I would skip it for now, do don't block whole JeOS validation. We just need to update our flow to new feature.
I've already put it into known issues. Changing it to skip is trivial, I'll do it unless we get some solution for our OBS package. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1208920 http://bugzilla.opensuse.org/show_bug.cgi?id=1208920#c10 --- Comment #10 from Petr Cervinka <pcervinka@suse.com> --- I will try to extend ltp pkg with https://github.com/openSUSE/pesign-obs-integration -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1208920 http://bugzilla.opensuse.org/show_bug.cgi?id=1208920#c11 Petr Cervinka <pcervinka@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |INVALID --- Comment #11 from Petr Cervinka <pcervinka@suse.com> --- Issues is not a product bug. New security feature has logical conflict in build process of LTP package, which is built in separate devel project. Fail is included in ltp known issues, we will not block testing. We will continue in https://progress.opensuse.org/issues/125678 -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com