[Bug 2052789] Re: AppArmor profiles missing in kernel 5.15.0-1051+ release
John Chittum
2052789 at bugs.launchpad.net
Thu Mar 28 20:29:13 UTC 2024
The statement in the bug was correct -- we had not anticipated or
thought an apparmor change would get backported to an LTS branch that
would necessitate the backport of the functionality in
`snap_validate_seed`. But now we have a break, where the HWE of focal
(5.15) and LTS of jammy (5.15) got changed to include things.
What is really required is the functionality added to match on
${kern_major_min}, so it's a few commits / bugs deep.
Goes back to the origin commit in ubuntu/jammy:
bd1690bd16c70f9631ee2798514b51ed2dc973d5
which was never backported because there weren't going to be new kernel
versions of 20.04 (5.15 was already out) and we didn't believe there'd
be an addition to apparmor that'd break it:
https://bugs.launchpad.net/ubuntu/+source/livecd-rootfs/+bug/2015596
and follow up:
https://bugs.launchpad.net/ubuntu/+source/livecd-rootfs/+bug/2024639
So, I'd say, no, it's not about fixing LP #2038957 specifically, it's
about how a kernel change caused us to require the functionality to
special case on kernel version. Actually, the original bug doesn't say
anything about focal:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2045384
so this may be a _side effect_. Let me ping that ticket quickly to see
if it was intentional to release this to 20.04 5.15 (it's abnormal to
put something in LTS Kernel and then _not_ in HWE of $PREVIOUS_SUITE,
but it's not listed on the bug)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to livecd-rootfs in Ubuntu.
https://bugs.launchpad.net/bugs/2052789
Title:
AppArmor profiles missing in kernel 5.15.0-1051+ release
Status in livecd-rootfs package in Ubuntu:
Fix Committed
Status in livecd-rootfs source package in Focal:
Incomplete
Status in livecd-rootfs source package in Jammy:
Fix Committed
Bug description:
After the kernel roll to linux-gcp-5.15 to version
5.15.0-1051.59_20.04.1 the public cloud team pre-publication tests were
failing on our snap_preseed_optimized test which checks to ensure that
snaps are preseeded correctly.
This test checks the output of `snap debug seeding` to assert
`seed-completion` is present and not empty.
```
❯ snap debug seeding
seeded: true
preseeded: true
image-preseeding: 39.367s
seed-completion: 1.335s
```
If `/var/lib/snapd/seed/seed.yaml` exists it also asserts that
`preseeded` is present and not empty.
With the recent kernel update this test is failing which indicates a kernel feature mismatch between
the running kernel and the feature set hard-coded in livecd-rootfs for this image.
Boot will be slowed by ~200ms until this is resolved in livecd-rootfs.
The solution is to add a 5.15 apparmor configuration to the focal
branch of livecd-rootfs.
The issue is also present with the recent 5.15 kernels in Jammy.
Related bugs LP: #2031943 and LP: #2045384
[ Impact ]
Boot will be slowed by ~200ms until this is resolved in livecd-rootfs
[ Test Plan ]
* for focal build any cloud image with preseeded snaps with HWE 5.15 kernel
* for jammy build any cloud image with preseeded snaps with up to date 5.15 kernel
* boot
* run `snap debug seeding`
* assert the test described above passes
[ Where problems could occur ]
* Similar patches already exist for later releases 6.2, 6.5 kernel
etc. and have been used on other private customer kernels and all
kernels released after 22.04, so there is already a good track record
for this patchset and it shouldn't create any issues.
[ Other Info ]
* This is a time-sensitive issue for a paying customer
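The check described in the bug description, written out as an added example (not the public cloud team's actual snap_preseed_optimized test or any livecd-rootfs code). The function names `seeding_field` and `check_seeding` are hypothetical; the first sample is the output quoted in the report and the second is constructed.

```shell
#!/bin/sh
# Added example: asserts on captured `snap debug seeding` output the way the
# bug description states. Function names are hypothetical.

# Print the value of key $1 from `snap debug seeding` output read on stdin.
seeding_field() {
    awk -v key="$1" '
        {
            sep = index($0, ":")
            if (sep == 0) next
            k = substr($0, 1, sep - 1)
            v = substr($0, sep + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }'
}

# check_seeding OUTPUT [SEED_YAML_PATH]
# Returns 0 when the assertions hold, 1 otherwise.
check_seeding() {
    output=$1
    seed_yaml=${2:-/var/lib/snapd/seed/seed.yaml}

    # seed-completion must be present and not empty.
    completion=$(printf '%s\n' "$output" | seeding_field seed-completion)
    if [ -z "$completion" ]; then
        echo "FAIL: seed-completion missing or empty" >&2
        return 1
    fi
    # preseeded is only asserted when seed.yaml exists.
    if [ -e "$seed_yaml" ]; then
        preseeded=$(printf '%s\n' "$output" | seeding_field preseeded)
        if [ -z "$preseeded" ]; then
            echo "FAIL: preseeded missing or empty" >&2
            return 1
        fi
    fi
    return 0
}

# Output quoted in the bug report (passes).
GOOD_OUTPUT='seeded: true
preseeded: true
image-preseeding: 39.367s
seed-completion: 1.335s'
# Constructed sample with seed-completion absent (fails).
BAD_OUTPUT='seeded: true
preseeded: true'
```

On a booted image the live form is `check_seeding "$(snap debug seeding)"`, which uses the default seed.yaml path.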