# previous apparmor version
apt-cache policy apparmor
package name: apparmor
package version: 2.13.3-7ubuntu5.1
series: Focal
kernel: Linux 5.4.0-136-generic
# before enabling -proposed
generate focal-yoga instance
juju ssh nova-compute/0
# verify no apparmor errors in logs
cat /var/log/syslog | grep Error
# verify apparmor is running
sudo systemctl status apparmor
# trigger error
sudo systemctl restart apparmor
# The apparmor service never successfully restarts
Job for apparmor.service failed because the control process exited with error code.
See "systemctl status apparmor.service" and "journalctl -xe" for details
cat /var/log/syslog
Error messages in syslog:
Jan 11 15:46:14 juju-5c2ee8-appbug-9 apparmor.systemd[52695]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf.
Jan 11 15:46:14 juju-5c2ee8-appbug-9 apparmor.systemd[52669]: Error: At least one profile failed to load
Jan 11 15:46:14 juju-5c2ee8-appbug-9 systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
### Enable proposed ###
# testing with focal-yoga
Apparmor version tested - 2.13.3-7ubuntu5.2
sudo apt-cache policy apparmor
sudo vim /etc/apt/sources.list
# add -proposed
deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-proposed main universe
# save and exit
sudo apt-get update
sudo apt-get upgrade apparmor -y
sudo systemctl restart apparmor
systemctl status apparmor
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
Active: active (exited) since Wed 2023-01-11 15:55:19 UTC; 20s ago
tail -n 1000 /var/log/syslog
# no errors are thrown by apparmor
Jan 11 15:54:41 juju-5c2ee8-appbug-9 systemd[1]: Reloading.
Jan 11 15:55:19 juju-5c2ee8-appbug-9 systemd[1]: Starting Load AppArmor profiles...
Jan 11 15:55:19 juju-5c2ee8-appbug-9 apparmor.systemd[66497]: Restarting AppArmor
Jan 11 15:55:19 juju-5c2ee8-appbug-9 apparmor.systemd[66497]: Reloading AppArmor profiles
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612010] kauditd_printk_skb: 9 callbacks suppressed
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612013] audit: type=1400 audit(1673452519.139:106): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="nvidia_modprobe" pid=66503 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612022] audit: type=1400 audit(1673452519.139:107): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="nvidia_modprobe//kmod" pid=66503 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612179] audit: type=1400 audit(1673452519.139:108): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=66502 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612183] audit: type=1400 audit(1673452519.139:109): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=66502 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612186] audit: type=1400 audit(1673452519.139:110): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=66502 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612187] audit: type=1400 audit(1673452519.139:111): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/{,usr/}sbin/dhclient" pid=66502 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.614725] audit: type=1400 audit(1673452519.139:112): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/man" pid=66504 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.614729] audit: type=1400 audit(1673452519.139:113): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="man_filter" pid=66504 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.614731] audit: type=1400 audit(1673452519.139:114): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="man_groff" pid=66504 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.618860] audit: type=1400 audit(1673452519.143:115): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/sbin/tcpdump" pid=66505 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 apparmor.systemd[66525]: Skipping profile in /etc/apparmor.d/disable: usr.bin.nova-compute
Jan 11 15:55:19 juju-5c2ee8-appbug-9 apparmor.systemd[66526]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jan 11 15:55:19 juju-5c2ee8-appbug-9 systemd[1]: Finished Load AppArmor profiles.
# Conclusion
Apparmor is working as intended
# Additional functional tests after upgrade
sudo apparmor_status
apparmor module is loaded.
31 profiles are loaded.
31 profiles are in enforce mode.
/snap/snapd/17950/usr/lib/snapd/snap-confine
...
snap.lxd.lxd
snap.lxd.migrate
virt-aa-helper
If there is additional testing needed, please add a comment.
### VERIFICATION DONE FOCAL ###
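The syslog checks in the report above, as an added example that is not part of the original comment: shell functions that pull the failing profile file, line number and reason out of `apparmor.systemd` parser errors and report the outcome of the most recent profile load. The function names `parser_errors` and `reload_verdict` are hypothetical; the sample lines are copied from the report.

```shell
#!/bin/sh
# Added example, not from the original report. Function names are hypothetical.

# Print "<profile file>|<line>|<reason>" for each apparmor_parser failure
# that apparmor.systemd wrote to syslog (read from stdin).
parser_errors() {
    sed -n 's#^.* apparmor\.systemd\[[0-9]*\]: AppArmor parser error for .* in \(/[^ ]*\) at line \([0-9][0-9]*\): \(.*\)$#\1|\2|\3#p'
}

# Print the outcome of the most recent profile load seen on stdin:
# OK, FAIL, PENDING (started but not finished) or NONE.
# A later "Starting Load AppArmor profiles" resets an earlier failure.
reload_verdict() {
    awk '
        /systemd\[1\]: Starting Load AppArmor profiles/ { v = "PENDING" }
        /apparmor\.systemd\[[0-9]+\]: AppArmor parser error/ { v = "FAIL" }
        /apparmor\.systemd\[[0-9]+\]: Error: At least one profile failed/ { v = "FAIL" }
        /systemd\[1\]: apparmor\.service: Main process exited, code=exited, status=[1-9]/ { v = "FAIL" }
        /systemd\[1\]: Finished Load AppArmor profiles/ { if (v != "FAIL") v = "OK" }
        END { print (v == "" ? "NONE" : v) }'
}

# Syslog lines copied from the report above (before and after the upgrade).
BEFORE='Jan 11 15:46:14 juju-5c2ee8-appbug-9 apparmor.systemd[52695]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf.
Jan 11 15:46:14 juju-5c2ee8-appbug-9 apparmor.systemd[52669]: Error: At least one profile failed to load
Jan 11 15:46:14 juju-5c2ee8-appbug-9 systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE'
AFTER='Jan 11 15:55:19 juju-5c2ee8-appbug-9 systemd[1]: Starting Load AppArmor profiles...
Jan 11 15:55:19 juju-5c2ee8-appbug-9 apparmor.systemd[66497]: Reloading AppArmor profiles
Jan 11 15:55:19 juju-5c2ee8-appbug-9 apparmor.systemd[66525]: Skipping profile in /etc/apparmor.d/disable: usr.bin.nova-compute
Jan 11 15:55:19 juju-5c2ee8-appbug-9 systemd[1]: Finished Load AppArmor profiles.'

printf '%s\n' "$BEFORE" | parser_errors
printf 'before upgrade: %s\n' "$(printf '%s\n' "$BEFORE" | reload_verdict)"
printf 'after upgrade:  %s\n' "$(printf '%s\n' "$AFTER" | reload_verdict)"
```

A case-sensitive `grep Error` over the same lines matches only the summary line, not the parser line that names the profile and the capability, which is why the example matches the `apparmor.systemd` messages directly.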