Quasselcore apparmor profile issue in lxd container.

Bug #1814302 reported by Yancy Burns
This bug affects 4 people
Affects              Status         Importance   Assigned to      Milestone
AppArmor             Invalid        Undecided    Unassigned
apparmor (Ubuntu)    Invalid        Undecided    Unassigned
  Bionic             Invalid        Undecided    Unassigned
  Focal              Invalid        Undecided    Unassigned
  Groovy             Invalid        Undecided    Unassigned
  Jammy              Invalid        Undecided    Unassigned
  Kinetic            Invalid        Undecided    Unassigned
quassel (Ubuntu)     Fix Released   Medium       Dave Jones
  Bionic             Fix Released   Medium       Dan Streetman
  Focal              Fix Released   Medium       Dan Streetman
  Groovy             Fix Released   Medium       Dan Streetman
  Jammy              Fix Released   Undecided    Dave Jones
  Kinetic            Fix Released   Medium       Dave Jones

Bug Description

[impact]

quasselcore cannot start inside lxd container

[test case]

create lxd container, install quassel-core, check quasselcore service:

$ systemctl status quasselcore
● quasselcore.service - distributed IRC client using a central core component
     Loaded: loaded (/lib/systemd/system/quasselcore.service; enabled; vendor preset: enabled)
     Active: failed (Result: signal) since Tue 2020-06-30 18:32:40 UTC; 4s ago
       Docs: man:quasselcore(1)
    Process: 3853 ExecStart=/usr/bin/quasselcore --configdir=${DATADIR} --logfile=${LOGFILE} --loglevel=${LOGLEVEL} --port=${PORT} --listen=${LISTEN} (code=killed, signal=SEGV)
   Main PID: 3853 (code=killed, signal=SEGV)

Jun 30 18:32:40 lp1814302-f systemd[1]: quasselcore.service: Scheduled restart job, restart counter is at 7.
Jun 30 18:32:40 lp1814302-f systemd[1]: Stopped distributed IRC client using a central core component.
Jun 30 18:32:40 lp1814302-f systemd[1]: quasselcore.service: Start request repeated too quickly.
Jun 30 18:32:40 lp1814302-f systemd[1]: quasselcore.service: Failed with result 'signal'.
Jun 30 18:32:40 lp1814302-f systemd[1]: Failed to start distributed IRC client using a central core component.

Also, the binary will segfault when run directly due to apparmor denials:

$ /usr/bin/quasselcore
Segmentation fault

[760149.590802] audit: type=1400 audit(1593542073.962:1058): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-lp1814302-f_<var-snap-lxd-common-lxd>" profile="/usr/bin/quasselcore" name="/usr/bin/quasselcore" pid=2006430 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=1000110 ouid=1000000

[regression potential]

this expands the apparmor profile, so any regression would likely involve problems while starting due to apparmor.

[scope]

this is needed for b/f/g.

this is also needed for e, but that is EOL in weeks and this is not important enough to bother there.

[original description]

Fresh install of Ubuntu 18.04. lxd installed from snap. Fresh 18.04 container. Everything up to date via apt.

Install quassel-core. Service will not start.

Setting "aa-complain /usr/bin/quasselcore" allows quasselcore to start.

I then added "/usr/bin/quasselcore rm," to "/etc/apparmor.d/usr.bin.quasselcore".

Set "aa-enforce /usr/bin/quasselcore". Restarted main host.

Quasselcore service now starts and I can connect to it.
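
An added example (not from the bug report or the quassel package): a Python helper that parses the audit line quoted above, recovers the LXD container from its namespace field, and derives a candidate profile rule. The second log line, the function names and the step that adds `m` for a `file_mmap` denial are assumptions; the last one mirrors the reporter's `rm` workaround.

```python
import re

# Denial line copied from the bug description above.
PAGE_DENIAL = (
    '[760149.590802] audit: type=1400 audit(1593542073.962:1058): '
    'apparmor="DENIED" operation="file_mmap" '
    'namespace="root//lxd-lp1814302-f_<var-snap-lxd-common-lxd>" '
    'profile="/usr/bin/quasselcore" name="/usr/bin/quasselcore" pid=2006430 '
    'comm="quasselcore" requested_mask="r" denied_mask="r" '
    'fsuid=1000110 ouid=1000000'
)

# Constructed line (not from the page): the kind of entry complain mode logs.
CONSTRUCTED_ALLOWED = (
    '[760200.000000] audit: type=1400 audit(1593542100.000:1100): '
    'apparmor="ALLOWED" operation="open" profile="/usr/bin/quasselcore" '
    'name="/srv/constructed/example.db" pid=2006500 comm="quasselcore" '
    'requested_mask="rw" denied_mask="rw" fsuid=1000110 ouid=1000110'
)

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
FILE_PERMS = "rwamkl"  # letters that can be copied as-is into a file rule


def parse_audit(line):
    """Return the key=value fields of one kernel audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def lxd_container(fields):
    """Container name from an LXD policy namespace, or None on the host."""
    match = re.match(r"root//lxd-(.+)_<", fields.get("namespace", ""))
    return match.group(1) if match else None


def suggest_rules(lines, verdicts=("DENIED",)):
    """Map (profile, path) to a candidate rule built from the logged masks."""
    perms = {}
    for line in lines:
        f = parse_audit(line)
        if f.get("apparmor") not in verdicts or not {"profile", "name"} <= f.keys():
            continue
        wanted = perms.setdefault((f["profile"], f["name"]), set())
        wanted.update(f.get("denied_mask", ""))
        # Assumption from the reporter's workaround: a denied mmap of the
        # file needs 'm' next to the logged 'r'.
        if f.get("operation") == "file_mmap":
            wanted.add("m")
    rules = {}
    for (profile, path), wanted in perms.items():
        if wanted - set(FILE_PERMS):
            rules[(profile, path)] = None  # e.g. 'x': needs a human decision
        else:
            mask = "".join(p for p in FILE_PERMS if p in wanted)
            rules[(profile, path)] = f"{path} {mask},"
    return rules
```

Passing `verdicts=("DENIED", "ALLOWED")` also collects entries logged while the profile is in complain mode, so missing rules can be gathered before switching back to enforce.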

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in quassel (Ubuntu):
status: New → Confirmed
Robert Pendell (shinji257) wrote :

The above workaround isn't enough to totally resolve the issues with AppArmor and this application inside LXD. I also had to switch to aa-complain for PostgreSQL migration so features will have to be thoroughly tested to identify it. I'm willing to set up a secondary instance to do any testing that is necessary but I don't know anything about AppArmor to fix the profile.

Added note: It seems that migration may be broken in Quassel-Core in general but I'm reporting that on their tracker as it seems to be a bug on their end but setting up for PostgreSQL seemed to work in complain mode. It is untested in enforce mode.

Dan Streetman (ddstreet)
Changed in apparmor (Ubuntu Bionic):
status: New → Invalid
Changed in apparmor (Ubuntu Focal):
status: New → Invalid
Changed in apparmor (Ubuntu Groovy):
status: Confirmed → Invalid
Changed in apparmor:
status: New → Invalid
Changed in quassel (Ubuntu Focal):
status: New → In Progress
Changed in quassel (Ubuntu Bionic):
importance: Undecided → Medium
Changed in quassel (Ubuntu Groovy):
assignee: nobody → Dan Streetman (ddstreet)
Changed in quassel (Ubuntu Focal):
assignee: nobody → Dan Streetman (ddstreet)
Changed in quassel (Ubuntu Bionic):
assignee: nobody → Dan Streetman (ddstreet)
Changed in quassel (Ubuntu Groovy):
importance: Undecided → Medium
Changed in quassel (Ubuntu Focal):
importance: Undecided → Medium
Changed in quassel (Ubuntu Bionic):
status: New → In Progress
Changed in quassel (Ubuntu Groovy):
status: Confirmed → In Progress
Dan Streetman (ddstreet)
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 1:0.13.1-3ubuntu3

---------------
quassel (1:0.13.1-3ubuntu3) groovy; urgency=medium

  * d/p/lp1885436/0001-common-Disable-enum-type-stream-operators-for-Qt-5.1.patch,
    d/p/lp1885436/0002-common-Always-let-QVariant-fromValue-deduce-the-type.patch,
    d/p/lp1885436/0003-qa-Replace-deprecated-qVariantFromValue-by-QVariant-.patch,
    d/p/lp1885436/0004-qa-Avoid-deprecation-warnings-for-QList-QSet-convers.patch,
    d/p/lp1885436/0005-qa-Replace-deprecated-QString-sprintf-by-QString-asp.patch:
    - Fix FTBFS due to QT 5.14 changes (LP: #1885436)
  * d/usr.bin.quasselcore:
    - Update apparmor profile to allow running in lxd (LP: #1814302)

 -- Dan Streetman <email address hidden> Sun, 28 Jun 2020 10:54:49 -0400

Changed in quassel (Ubuntu Groovy):
status: In Progress → Fix Released
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Yancy, or anyone else affected,

Accepted quassel into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/quassel/1:0.13.1-3ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in quassel (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-focal
Changed in quassel (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Brian Murray (brian-murray) wrote :

Hello Yancy, or anyone else affected,

Accepted quassel into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/quassel/1:0.12.4-3ubuntu1.18.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Dan Streetman (ddstreet) wrote :

focal:

ubuntu@lp1814302-f:~$ systemd-detect-virt
lxc
ubuntu@lp1814302-f:~$ dpkg -l|grep quassel-core
ii quassel-core 1:0.13.1-3ubuntu2 amd64 distributed IRC client - core component
ubuntu@lp1814302-f:~$ /usr/bin/quasselcore
Segmentation fault
ubuntu@lp1814302-f:~$ systemctl status quasselcore.service
● quasselcore.service - distributed IRC client using a central core component
     Loaded: loaded (/lib/systemd/system/quasselcore.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: signal) since Wed 2020-07-08 17:24:12 UTC; 168ms ago
       Docs: man:quasselcore(1)
    Process: 4867 ExecStart=/usr/bin/quasselcore --configdir=${DATADIR} --logfile=${LOGFILE} --loglevel=${LOGLEVEL} --port=${PORT} --listen=${LISTEN} (code=killed, signal=SEGV)
   Main PID: 4867 (code=killed, signal=SEGV)

Jul 08 17:24:13 lp1814302-f systemd[1]: quasselcore.service: Scheduled restart job, restart counter is at 5.
Jul 08 17:24:13 lp1814302-f systemd[1]: Stopped distributed IRC client using a central core component.
Jul 08 17:24:13 lp1814302-f systemd[1]: quasselcore.service: Start request repeated too quickly.
Jul 08 17:24:13 lp1814302-f systemd[1]: quasselcore.service: Failed with result 'signal'.
Jul 08 17:24:13 lp1814302-f systemd[1]: Failed to start distributed IRC client using a central core component.

ubuntu@lp1814302-f:~$ systemd-detect-virt
lxc
ubuntu@lp1814302-f:~$ dpkg -l |grep quassel
ii quassel-core 1:0.13.1-3ubuntu2.1 amd64 distributed IRC client - core component
ubuntu@lp1814302-f:~$ /usr/bin/quasselcore
2020-07-08 17:26:00 [Error] Unable to create Quassel config directory:
...etc...
ubuntu@lp1814302-f:~$ systemctl status quasselcore.service
● quasselcore.service - distributed IRC client using a central core component
     Loaded: loaded (/lib/systemd/system/quasselcore.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-07-08 17:25:22 UTC; 43s ago
       Docs: man:quasselcore(1)
   Main PID: 5832 (quasselcore)
      Tasks: 1 (limit: 115273)
     Memory: 1.6M
     CGroup: /system.slice/quasselcore.service
             └─5832 /usr/bin/quasselcore --configdir=/var/lib/quassel --logfile=/var/log/quassel/core.log --loglevel=Info --port=4242 --listen=::,0.0.0.0

Jul 08 17:25:22 lp1814302-f systemd[1]: Started distributed IRC client using a central core component.

tags: added: verification-done-focal
removed: verification-needed-focal
Dan Streetman (ddstreet) wrote :

bionic:

ubuntu@lp1814302-b:~$ systemd-detect-virt
lxc
ubuntu@lp1814302-b:~$ dpkg -l|grep quassel
ii quassel-core 1:0.12.4-3ubuntu1.18.04.1 amd64 distributed IRC client - core component
ubuntu@lp1814302-b:~$ /usr/bin/quasselcore
Segmentation fault
ubuntu@lp1814302-b:~$ systemctl status quasselcore.service
● quasselcore.service - distributed IRC client using a central core component
   Loaded: loaded (/lib/systemd/system/quasselcore.service; enabled; vendor preset: enabled)
   Active: failed (Result: signal) since Wed 2020-07-08 17:27:46 UTC; 1min 53s ago
     Docs: man:quasselcore(1)
  Process: 2381 ExecStart=/usr/bin/quasselcore --configdir=${DATADIR} --logfile=${LOGFILE} --loglevel=${LOGLEVEL} --port=${PORT} --listen=${LISTEN} (code=killed, signal=SEGV)
 Main PID: 2381 (code=killed, signal=SEGV)

Jul 08 17:27:46 lp1814302-b systemd[1]: quasselcore.service: Service hold-off time over, scheduling restart.
Jul 08 17:27:46 lp1814302-b systemd[1]: quasselcore.service: Scheduled restart job, restart counter is at 6.
Jul 08 17:27:46 lp1814302-b systemd[1]: Stopped distributed IRC client using a central core component.
Jul 08 17:27:46 lp1814302-b systemd[1]: quasselcore.service: Start request repeated too quickly.
Jul 08 17:27:46 lp1814302-b systemd[1]: quasselcore.service: Failed with result 'signal'.
Jul 08 17:27:46 lp1814302-b systemd[1]: Failed to start distributed IRC client using a central core component.

ubuntu@lp1814302-b:~$ systemd-detect-virt
lxc
ubuntu@lp1814302-b:~$ dpkg -l|grep quassel
ii quassel-core 1:0.12.4-3ubuntu1.18.04.2 amd64 distributed IRC client - core component
ubuntu@lp1814302-b:~$ /usr/bin/quasselcore
Unable to create Quassel config directory: /home/ubuntu/.config/quassel-irc.org
...etc...
ubuntu@lp1814302-b:~$ systemctl status quasselcore.service
● quasselcore.service - distributed IRC client using a central core component
   Loaded: loaded (/lib/systemd/system/quasselcore.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-07-08 17:31:50 UTC; 18s ago
     Docs: man:quasselcore(1)
 Main PID: 2881 (quasselcore)
    Tasks: 1 (limit: 115273)
   CGroup: /system.slice/quasselcore.service
           └─2881 /usr/bin/quasselcore --configdir=/var/lib/quassel --logfile=/var/log/quassel/core.log --loglevel=Info --port=4242 --listen=::,0.0.0.0

Jul 08 17:31:50 lp1814302-b systemd[1]: Started distributed IRC client using a central core component.

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for quassel has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 1:0.13.1-3ubuntu2.1

---------------
quassel (1:0.13.1-3ubuntu2.1) focal; urgency=medium

  * d/usr.bin.quasselcore:
    - Update apparmor profile to allow running in lxd (LP: #1814302)

 -- Dan Streetman <email address hidden> Sun, 28 Jun 2020 11:01:19 -0400

Changed in quassel (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 1:0.12.4-3ubuntu1.18.04.2

---------------
quassel (1:0.12.4-3ubuntu1.18.04.2) bionic; urgency=medium

  * d/usr.bin.quasselcore:
    - Update apparmor profile to allow running in lxd (LP: #1814302)

 -- Dan Streetman <email address hidden> Sun, 28 Jun 2020 11:01:19 -0400

Changed in quassel (Ubuntu Bionic):
status: Fix Committed → Fix Released
Dave Jones (waveform) wrote :

Looks like this is back in jammy (and beyond); the sync from Debian dropped the patch to d/usr.bin.quasselcore for lxd.

Changed in apparmor (Ubuntu Jammy):
status: New → Invalid
Changed in quassel (Ubuntu Kinetic):
status: Fix Released → Confirmed
assignee: Dan Streetman (ddstreet) → Dave Jones (waveform)
Changed in quassel (Ubuntu Jammy):
assignee: nobody → Dave Jones (waveform)
status: New → Confirmed
Dave Jones (waveform) wrote :
Dave Jones (waveform) wrote :
Thomas Ward (teward) wrote :

I've sponsored/uploaded both the Jammy and Kinetic debdiffs. Kinetic is accepted, jammy-proposed has to go through SRU.

Removing Sponsors as there is nothing more to sponsor here.

Simon Déziel (sdeziel) wrote :
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 1:0.14.0-1ubuntu1

---------------
quassel (1:0.14.0-1ubuntu1) kinetic; urgency=medium

  * d/usr.bin.quasselcore:
    - Update apparmor profile to allow running in lxd (LP: #1814302)

 -- Dave Jones <email address hidden> Sun, 12 Jun 2022 20:52:19 +0100

Changed in quassel (Ubuntu Kinetic):
status: Confirmed → Fix Released
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Yancy, or anyone else affected,

Accepted quassel into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/quassel/1:0.14.0-1ubuntu0.22.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in quassel (Ubuntu Jammy):
status: Confirmed → Fix Committed
tags: added: verification-needed verification-needed-jammy
removed: verification-done
Dave Jones (waveform) wrote :

Verified in LXD jammy containers on arm64 and amd64.

tags: added: verification-done-jammy
removed: verification-needed-jammy
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 1:0.14.0-1ubuntu0.22.04.1

---------------
quassel (1:0.14.0-1ubuntu0.22.04.1) jammy; urgency=medium

  * d/usr.bin.quasselcore:
    - Update apparmor profile to allow running in lxd (LP: #1814302)

 -- Dave Jones <email address hidden> Sun, 12 Jun 2022 20:52:19 +0100

Changed in quassel (Ubuntu Jammy):
status: Fix Committed → Fix Released