'click install' within an adt-virt-schroot fails with "Sandbox failure: 'click install' not permitted to write-open '/dev/pts/8'"

Bug #1484661 reported by Jamie Strandboge
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
autopkgtest (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

This used to work and I don't know when this started failing. If I try to run the click-apparmor autopkgtests (tried both vivid and wily) on a vivid host, then I get:
adt-run [13:51:51]: test test_aa-clickhook: [-----------------------
Successfully built package in './com.example.click-apparmor-test_0.1_all.click'.
WARNING:root:debsig-verify not available; cannot check signatures
ERROR:root:['dpkg', '--force-not-root', '--force-bad-path', '--force-architecture', '--instdir', '/opt/click.ubuntu.com/com.example.click-apparmor-test/0.1', '--admindir', '/opt/click.ubuntu.com/com.example.click-apparmor-test/0.1/.click', '--path-exclude', '*/.click/*', '--log', '/opt/click.ubuntu.com/.click/log', '--no-triggers', '--install', '/tmp/adttmp.sme399/com.example.click-apparmor-test_0.1_all.click'] failed with exit_code 1:
Sandbox failure: 'click install' not permitted to write-open '/dev/pts/8'
dpkg: error processing archive /tmp/adttmp.sme399/com.example.click-apparmor-test_0.1_all.click (--install):
 subprocess dpkg-deb --control returned error exit status 1
Errors were encountered while processing:
 /tmp/adttmp.sme399/com.example.click-apparmor-test_0.1_all.click

Traceback (most recent call last):
  File "/usr/bin/click", line 86, in <module>
    sys.exit(main())
  File "/usr/bin/click", line 82, in main
    return mod.run(args)
  File "/usr/lib/python3/dist-packages/click/commands/install.py", line 66, in run
    quiet=not options.verbose)
  File "/usr/lib/python3/dist-packages/click/install.py", line 457, in install
    path, user=user, all_users=all_users, quiet=quiet)
  File "/usr/lib/python3/dist-packages/click/install.py", line 413, in _unpack
    **kwargs)
  File "/usr/lib/python3.4/subprocess.py", line 620, in check_output
    raise CalledProcessError(retcode, process.args, output=output)
subprocess.CalledProcessError: Command '['dpkg', '--force-not-root', '--force-bad-path', '--force-architecture', '--instdir', '/opt/click.ubuntu.com/com.example.click-apparmor-test/0.1', '--admindir', '/opt/click.ubuntu.com/com.example.click-apparmor-test/0.1/.click', '--path-exclude', '*/.click/*', '--log', '/opt/click.ubuntu.com/.click/log', '--no-triggers', '--install', '/tmp/adttmp.sme399/com.example.click-apparmor-test_0.1_all.click']' returned non-zero exit status 1
adt-run [13:51:52]: test test_aa-clickhook: -----------------------]
test_aa-clickhook FAIL non-zero exit status 1

This test attempts to install a click within the schroot (note that debian/tests/test_aa-clickhook mocks the click framework, sets apparmor_parser to /bin/true and modifies click.py to use mock_testenv = True) using:
click install --user=`getent passwd | sort -t: -nk3 | awk -F: '{if ($3 >= 500) { print $1; exit } }'` /path/to/click

The above error message comes from clickpreload.c in the click package which is preloaded to reject any writes (except to /dev/tty) outside of the click install directory. For some reason, dpkg is trying to write to /dev/pts/* (stderr) when run under autopkgtest.

If I run the click install command manually (after making the aforementioned changes test_aa-clickhook does) in the schroot, it works fine.

Furthermore, if I run the tests manually, they also pass:
$ schroot -c autopkgtest-wily-amd64 -u root
$ apt-get install click-apparmor
...
$ apt-get source click-apparmor
...
$ cd click-apparmor-0.3.9build1/
$ rm -rf /tmp/adt ; mkdir /tmp/adt ; ADTTMP=/tmp/adt sh ./debian/tests/test_aa-clickhook
...
PASS (all tests)
$

But, if I run the tests via adt, they do not:
$ apt-get source click-apparmor=0.3.9build1
...
$ cd click-apparmor-0.3.9build1/
$ adt-run -B --unbuilt-tree ./ --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-wily-amd64 || echo "** AUTOPKGTESTS FAILED"
...
adt-run [16:08:44]: test test_aa-clickhook: preparing
...
Sandbox failure: 'click install' not permitted to write-open '/dev/pts/28'
...
** AUTOPKGTESTS FAILED

If I modify preload/clickpreload.c in click with the attached patch, I can see this output when running within the adt-virt-schroot:

$ adt-run -B /tmp/click/*.deb --unbuilt-tree ./ --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-wily-amd64 || echo "** AUTOPKGTESTS FAILED"
...
Sandbox debug: 'click install' write-open to '/dev/pts/28'
Selecting previously unselected package com.example.click-apparmor-test.
(Reading database ... 0 files and directories currently installed.)
Preparing to unpack .../com.example.click-apparmor-test_0.1_all.click ...
Unpacking com.example.click-apparmor-test (0.1) ...
dpkg: error processing archive /tmp/adttmp.tHXET8/com.example.click-apparmor-test_0.1_all.click (--install):
 corrupted filesystem tarfile - corrupted package archive
Errors were encountered while processing:
 /tmp/adttmp.tHXET8/com.example.click-apparmor-test_0.1_all.click

However, if I adjust the test_aa-clickhook autopkgtest to copy that package aside so I can try it manually, it is not malformed at all and installs fine in the schroot (after making the aforementioned changes to click.py and apparmor_parser) and my vivid host:
$ sudo click install --user=$USER --allow-unauthenticated /tmp/com.example.click-apparmor-test_0.1_all.click
WARNING:root:Signature check failed, but installing anyway as requested
$ click list --user=$USER
com.example.click-apparmor-test 0.1

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: autopkgtest 3.13
ProcVersionSignature: Ubuntu 4.1.0-1.1~rc2-generic 4.1.0
Uname: Linux 4.1.0-1-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.17.2-0ubuntu1.2
Architecture: amd64
CurrentDesktop: Unity
Date: Thu Aug 13 14:12:56 2015
InstallationDate: Installed on 2015-06-13 (60 days ago)
InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
PackageArchitecture: all
SourcePackage: autopkgtest
UpgradeStatus: No upgrade log present (probably fresh install)
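
The write-open policy the description attributes to clickpreload.c (reject writes outside the click install directory, except /dev/tty), as a simplified model added here; it is not code from click or from this report. INSTDIR is taken from the --instdir argument in the log above, and the function names and the handling of read-only opens and ".." components are assumptions of this sketch.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <string.h>

/* Assumed install root: the --instdir value shown in the failing dpkg call. */
static const char *INSTDIR =
    "/opt/click.ubuntu.com/com.example.click-apparmor-test/0.1";

/* True if path is base itself or lies below it. Matching on a component
   boundary keeps ".../0.1-evil" from passing as ".../0.1". */
static bool path_is_under(const char *path, const char *base)
{
    size_t n = strlen(base);
    if (strncmp(path, base, n) != 0)
        return false;
    return path[n] == '\0' || path[n] == '/';
}

/* True if any whole path component is "..", which could climb out of base. */
static bool has_dotdot(const char *path)
{
    for (const char *p = path; (p = strstr(p, "..")) != NULL; p += 2) {
        bool starts = (p == path) || (p[-1] == '/');
        bool ends = (p[2] == '\0') || (p[2] == '/');
        if (starts && ends)
            return true;
    }
    return false;
}

/* Model of the decision a preloaded open() wrapper has to make. */
bool write_open_permitted(const char *path, int flags)
{
    /* Opens that cannot modify anything are not policed in this model. */
    if ((flags & O_ACCMODE) == O_RDONLY && !(flags & (O_CREAT | O_TRUNC)))
        return true;
    if (strcmp(path, "/dev/tty") == 0)
        return true;              /* the single exception the report names */
    if (path[0] != '/' || has_dotdot(path))
        return false;             /* only absolute, already-canonical paths */
    return path_is_under(path, INSTDIR);
}
```

Under this model a process whose stderr is reopened by name as /dev/pts/N is rejected even though /dev/tty would be accepted, which matches the "not permitted to write-open '/dev/pts/8'" message in the log.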

Jamie Strandboge (jdstrand) wrote :
description: updated
tags: added: patch

Jamie Strandboge (jdstrand) wrote :

FYI, this is still an issue on xenial. By patching click with the preload-debugging.patch from comment #2 I get useful information from click/dpkg. I wonder if this would be something to include in click?

Martin Pitt (pitti) wrote :

FTR, I just tried this again on current xenial: "adt-run click-apparmor --- schroot xenial" succeeds. My xenial schroot is an off-the-shelf "mk-sbuild --type=file xenial". I do have these lines in /etc/schroot/default/fstab:

/dev /dev none rw,bind 0 0
/dev/pts /dev/pts none rw,bind 0 0

Even the "buildd" profile has /dev/pts.

Does your schroot maybe not have /dev/pts? But if I comment out the /dev/pts mounting, the test still succeeds. So I wonder what's different between your and my systems...

Changed in autopkgtest (Ubuntu):
status: New → Incomplete
Jamie Strandboge (jdstrand) wrote :

I can confirm that "adt-run click-apparmor --- schroot xenial" succeeds.

This also works:
$ apt-get source click-apparmor
$ cd click-apparmor-0.3.13/
$ adt-run --source ../*.dsc --log-file /tmp/adt.out --- adt-virt-schroot xenial-amd64 || echo "** AUTOPKGTESTS FAILED"

This is my usual workflow which, today, interestingly happens to also work on xenial:
1. rebuild the package with a no change rebuild with the source in ../source and the locally built binaries in ../binary
2. $ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --source ../source/*.dsc --log-file /tmp/adt.out --- adt-virt-schroot xenial-amd64 || echo "** AUTOPKGTESTS FAILED"

I'm not sure why this all of a sudden started working. I did check to see that /dev/pts was mounted in my schroot (it was). I also downgraded to autopkgtest 3.18.2 which is likely what I was using when I saw the failure. It worked too. I'll close this for now and reopen if I have more info.

Changed in autopkgtest (Ubuntu):
status: Incomplete → Fix Released
Martin Pitt (pitti) wrote : Re: [Bug 1484661] Re: 'click install' within an adt-virt-schroot fails with "Sandbox failure: 'click install' not permitted to write-open '/dev/pts/8'"

Hey Jamie,

Jamie Strandboge [2016-01-19 17:11 -0000]:
> I can confirm that "adt-run click-apparmor --- schroot xenial" succeeds.

Cool, thanks for checking again!

> 2. $ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --source ../source/*.dsc --log-file /tmp/adt.out --- adt-virt-schroot xenial-amd64 || echo "** AUTOPKGTESTS FAILED"

Tip: -B is an option for the test (i.e. --source), not for the
binaries. So this is much easier:

  adt-run ../binary/*.deb -B ../source/*.dsc --log-file [...]
