isc-dhcp-server apparmor profile should have include ".d"

Bug #1049177 reported by Scott Moser
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
isc-dhcp (Ubuntu)
Fix Released
Medium
Scott Moser
Precise
Fix Released
Medium
Stéphane Graber
Quantal
Fix Released
Medium
Scott Moser
maas (Ubuntu)
Fix Released
Critical
Scott Moser
Precise
Fix Released
Undecided
Unassigned
Quantal
Fix Released
Critical
Scott Moser

Bug Description

/etc/apparmor.d/usr.sbin.dhcpd currently has:
  # Eucalyptus
  /{,var/}run/eucalyptus/net/ r,
  /{,var/}run/eucalyptus/net/** r,
  /{,var/}run/eucalyptus/net/*.pid lrw,
  /{,var/}run/eucalyptus/net/*.leases* lrw,
  /{,var/}run/eucalyptus/net/*.trace lrw,

and
    #include <local/usr.sbin.dhcpd>

[rationale]
The MAAS project is looking to use isc-dhcp-server almost exactly like eucalyptus did, and as a result would need some changes to this profile. In speaking with jdstrand [1], he suggested that "#include <isc-dhcpd.d>" was the preferred way to enable this.

[test case]
Just make sure the apparmor profile gets updated and doesn't fail to load. Proper testing will have to be done once the mass change lands.

[regression potential]
Was tested on quantal and it's already widely used apparmor syntax, so the worst I can think of is that the line just won't work and won't include the profile once it lands in maas.

--
[1] http://irclogs.ubuntu.com/2012/09/11/%23ubuntu-server.html#t14:36

ProblemType: Bug
DistroRelease: Ubuntu 12.10
Package: isc-dhcp-server 4.2.4-1ubuntu7
ProcVersionSignature: User Name 3.5.0-13.14-generic 3.5.3
Uname: Linux 3.5.0-13-generic x86_64
ApportVersion: 2.5.1-0ubuntu7
Architecture: amd64
Date: Tue Sep 11 15:01:45 2012
DhServerLeases:

Ec2AMI: ami-00000148
Ec2AMIManifest: FIXME
Ec2AvailabilityZone: nova
Ec2InstanceType: m1.small
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
KernLog:

ProcEnviron:
 TERM=screen
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: isc-dhcp
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile..etc.dhcp.dhcpd.conf: 2012-09-07T14:46:55.587373

Related branches

Revision history for this message
Scott Moser (smoser) wrote :
Changed in isc-dhcp (Ubuntu):
assignee: nobody → Scott Moser (smoser)
importance: Undecided → Medium
status: New → In Progress
Revision history for this message
Scott Moser (smoser) wrote :

Copying from Eucalyptus, and given my changes in the linked branch here, maas packaging will write a file in /etc/apparmor.d/dhcp.d/maas with content like:
# Maas
/{,var/}run/maas/net/ r,
/{,var/}run/maas/net/** r,
/{,var/}run/maas/net/*.pid lrw,
/{,var/}run/maas/net/*.leases* lrw,
/{,var/}run/maas/net/*.trace lrw,

(or whatever seems reasonable for maas).

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.2.4-1ubuntu8

---------------
isc-dhcp (4.2.4-1ubuntu8) quantal; urgency=low

  [ Scott Moser ]
  * debian/apparmor-profile.dhcpd: use include directory to enable
    other packages to re-use isc-dhcp-server. (LP: #1049177)

  [ Stéphane Graber ]
  * Re-introduce the wait_for_rw code in dhclient-script which got lost
    in the last merge, this code is there for the few rare systems that
    aren't using resolvconf and don't have /etc mounted read/write by the
    time dhclient-script is called.
  * Update onetry_retry_after_initial_success to disable the onetry variable
    early enough to actually prevent dhclient from exiting. (LP: #974284)
 -- Stephane Graber <email address hidden> Wed, 12 Sep 2012 17:30:26 -0400

Changed in isc-dhcp (Ubuntu):
status: In Progress → Fix Released
tags: added: rls-q-incoming
Scott Moser (smoser)
Changed in maas (Ubuntu):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Scott Moser (smoser)
Changed in isc-dhcp (Ubuntu Precise):
status: New → Triaged
importance: Undecided → High
importance: High → Medium
Revision history for this message
Stéphane Graber (stgraber) wrote :

Committed the same fix to my local isc-dhcp SRU branch, this will be pushed to proposed later this week.

Changed in isc-dhcp (Ubuntu Precise):
status: Triaged → In Progress
assignee: nobody → Stéphane Graber (stgraber)
James Page (james-page)
tags: removed: rls-q-incoming
Changed in maas (Ubuntu Quantal):
status: In Progress → Fix Committed
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (5.1 KiB)

This bug was fixed in the package maas - 0.1+bzr1223+dfsg-0ubuntu1

---------------
maas (0.1+bzr1223+dfsg-0ubuntu1) quantal; urgency=low

  * New upstream release. (LP: #1062518)

  [ Julian Edwards ]
  * Split packaging of 'maas' into maas-{region,cluster}-controller
    - debian/control: Update accordingly.
    - debian/*.install: Move files accordingly
    - debian/*.{postinst,postrm,preinst}: Move files accordingly.
  * Ensure isc-dhcp-server is disabled when installing maas-dhcp.
  * Ensure maas-dns creates the maas user before trying to chown files.
  * Make maas-cluster-controller autoconfigure itself when upgrading from the
    old maas package. (LP: #1059416)
  * Add missing prerm file for maas-cluster-controller so that .pyc files
    are cleaned up. (LP: #1059973)

  [ Raphaël Badin ]
  * Install maas_local_celeryconfig.py in /etc/maas and symlink to
    /usr/share/maas.
  * debian/maas.postinst: Create rabbitmq celery user/vhost.
  * debian/maas.postinst: Update BROKER_URL in maas_local_celeryconfig.py.
  * Use maas_local_celeryconfig_cluster.py as the local celery
    configuration file for the cluster worker.
  * debian/maas-region-controller.maas-region-celery.upstart: Add region
    worker upstart script.
  * Rename cluster worker upstart script into
    maas-cluster-controller.maas-clluster-celery.upstart.
  * maas-cluster-controller.maas-celery.upstart: use "celeryconfig_cluster"
    as the Celery config module.
  * debian/maas-common.install: Install celeryconfig_common.py.
  * debian/maas-cluster-controller.install: Install celeryconfig_cluster.py.
  * debian/maas-region-controller.install: Install celeryconfig.py.
  * Split celery config into cluster and region configs.
  * Add region celeryd upstart config.
  * Define CELERY_CONFIG_MODULE in
    maas-cluster-controller.maas-cluster-celery.upstart

  [ Jeroen Vermeulen ]
  * Make maas_local_celery_config.py non-world readable.
  * Make maas_local_celeryconfig_cluster.py non-world readable.
  * Set root:maas ownership of local cluster config only *after*
    the maas user/group have been created

  [ Andres Rodriguez ]
  * debian/maas.postinst:
    - Always restart apache2.
    - Handle upgrades for new upstream release.
    - Handle upgrades for celery rabbitmq worker.
  * Add binary package to install client tool.
    - debian/extras/maas-cli: Add binary.
    - debian/maas-cli.install: Add. Install maascli and apiclient.
    - debian/control: Add binary package.
  * debian/control:
    - Depends on freeipmi-tools instead of ipmitool.
    - Conflicts/Replaces on maas for python-maas-client.
    - Depends on python-netifaces, python-lxml.
  * Add python-maas-client binary package:
    - debian/python-maas-client.install: Add. Install 'apiclient' python module.
    - debian/control: Add package. python-django-maas and maas-cli now
      Depend on it.
  * debian/rules: Install maas-dhcp-server upstart job.
  * debian/maas.postrm: Remove celery worker rabbitmq user and host.
  * debian/extras/99-maas-sudoers: Add for maas-dhcp-server upstart job
    instead of isc-dhcp-server (LP: #1055951)
  * debian/maas-region-controller.postinst: Cleanup upgrade rules.
  * debian/maas-cl...

Read more...

Changed in maas (Ubuntu Quantal):
status: Fix Committed → Fix Released
Revision history for this message
Clint Byrum (clint-fewbar) wrote : Please test proposed package

Hello Scott, or anyone else affected,

Accepted isc-dhcp into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/isc-dhcp/4.1.ESV-R4-0ubuntu5.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in isc-dhcp (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Revision history for this message
Andres Rodriguez (andreserl) wrote :

Hi Clint,

I have verified this as working in Precise. Marking verification done!

Thanks

tags: added: verification-done
removed: verification-needed
ali veli (kharpet)
Changed in isc-dhcp (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Andres Rodriguez (andreserl) wrote :

Hi Ali,

I'm changing the status of this bug back to Fix Committed as the fix has not yet been released to precise. The fix still sits in precise-proposed, which is not part of precise-updates.

Thank you!

Changed in isc-dhcp (Ubuntu Precise):
status: Fix Released → New
status: New → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.1.ESV-R4-0ubuntu5.6

---------------
isc-dhcp (4.1.ESV-R4-0ubuntu5.6) precise-proposed; urgency=low

  [ Scott Moser ]
  * debian/apparmor-profile.dhcpd: use include directory to enable
    other packages to re-use isc-dhcp-server. (LP: #1049177)

  [ Stéphane Graber ]
  * Update onetry_retry_after_initial_success to disable the onetry variable
    early enough to actually prevent dhclient from exiting. (LP: #974284)
  * Update droppriv patch to also call initgroups() (LP: #727837)
 -- Stephane Graber <email address hidden> Tue, 18 Sep 2012 10:34:10 -0400

Changed in isc-dhcp (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Changed in maas (Ubuntu Precise):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers