2023-08-18 19:20:40 |
John Chittum |
description |
Ubuntu Jammy 22.04 rolled the HWE kernel to 6.2. This has run into the same issue as the 5.19 kernel roll, where the generic apparmor feature set being mounted into the build env does not match the 6.2 kernel. The same feature is missing
ipc
Observable by building an image, booting it, and running `snap debug preseeding`. Example output from a GCE image:
sudo snap debug seeding
seeded: true
preseeded: true
image-preseeding: 7.411s
seed-completion: 13.899s
preseed-system-key: {
"apparmor-features": [
"caps",
"dbus",
"domain",
"file",
"mount",
"namespaces",
"network",
"network_v8",
"policy",
"ptrace",
"query",
"rlimit",
"signal"
],
"apparmor-parser-features": [
"cap-audit-read",
"cap-bpf",
"include-if-exists",
"mqueue",
"qipcrtr-socket",
"unsafe",
"xdp"
],
"apparmor-parser-mtime": 1666191120,
"build-id": "4399dbaff2bd50a4ae62c9324bbc96def18bf9a8",
"cgroup-version": "2",
"nfs-home": false,
"overlay-root": "",
"seccomp-compiler-version": "0f51c115b973679d7ed64b550a8d9d461f7cd5c6 2.5.4 c3c9b282ef3c8dfcc3124b2aeaef62f56b813bfd21f8806b30a6c9dbc2e6e58d bpf-actlog",
"seccomp-features": [
"allow",
"errno",
"kill_process",
"kill_thread",
"log",
"trace",
"trap",
"user_notif"
],
"version": 10
}
seed-restart-system-key: {
"apparmor-features": [
"caps",
"dbus",
"domain",
"file",
"ipc",
"mount",
"namespaces",
"network",
"network_v8",
"policy",
"ptrace",
"query",
"rlimit",
"signal"
],
"apparmor-parser-features": [
"cap-audit-read",
"cap-bpf",
"include-if-exists",
"mqueue",
"qipcrtr-socket",
"unsafe",
"xdp"
],
"apparmor-parser-mtime": 1666191120,
"build-id": "4399dbaff2bd50a4ae62c9324bbc96def18bf9a8",
"cgroup-version": "2",
"nfs-home": false,
"overlay-root": "",
"seccomp-compiler-version": "0f51c115b973679d7ed64b550a8d9d461f7cd5c6 2.5.4 c3c9b282ef3c8dfcc3124b2aeaef62f56b813bfd21f8806b30a6c9dbc2e6e58d bpf-actlog",
"seccomp-features": [
"allow",
"errno",
"kill_process",
"kill_thread",
"log",
"trace",
"trap",
"user_notif"
],
"version": 10
} |
Ubuntu Jammy 22.04 rolled the HWE kernel to 6.2. This has run into the same issue as the 5.19 kernel roll, where the generic apparmor feature set being mounted into the build env does not match the 6.2 kernel. The same feature is missing
ipc
Observable by building an image, booting it, and running `snap debug preseeding`. Example output from a GCE image:
sudo snap debug seeding
seeded: true
preseeded: true
image-preseeding: 7.411s
seed-completion: 13.899s
preseed-system-key: {
"apparmor-features": [
"caps",
"dbus",
"domain",
"file",
"mount",
"namespaces",
"network",
"network_v8",
"policy",
"ptrace",
"query",
"rlimit",
"signal"
],
"apparmor-parser-features": [
"cap-audit-read",
"cap-bpf",
"include-if-exists",
"mqueue",
"qipcrtr-socket",
"unsafe",
"xdp"
],
"apparmor-parser-mtime": 1666191120,
"build-id": "4399dbaff2bd50a4ae62c9324bbc96def18bf9a8",
"cgroup-version": "2",
"nfs-home": false,
"overlay-root": "",
"seccomp-compiler-version": "0f51c115b973679d7ed64b550a8d9d461f7cd5c6 2.5.4 c3c9b282ef3c8dfcc3124b2aeaef62f56b813bfd21f8806b30a6c9dbc2e6e58d bpf-actlog",
"seccomp-features": [
"allow",
"errno",
"kill_process",
"kill_thread",
"log",
"trace",
"trap",
"user_notif"
],
"version": 10
}
seed-restart-system-key: {
"apparmor-features": [
"caps",
"dbus",
"domain",
"file",
"ipc",
"mount",
"namespaces",
"network",
"network_v8",
"policy",
"ptrace",
"query",
"rlimit",
"signal"
],
"apparmor-parser-features": [
"cap-audit-read",
"cap-bpf",
"include-if-exists",
"mqueue",
"qipcrtr-socket",
"unsafe",
"xdp"
],
"apparmor-parser-mtime": 1666191120,
"build-id": "4399dbaff2bd50a4ae62c9324bbc96def18bf9a8",
"cgroup-version": "2",
"nfs-home": false,
"overlay-root": "",
"seccomp-compiler-version": "0f51c115b973679d7ed64b550a8d9d461f7cd5c6 2.5.4 c3c9b282ef3c8dfcc3124b2aeaef62f56b813bfd21f8806b30a6c9dbc2e6e58d bpf-actlog",
"seccomp-features": [
"allow",
"errno",
"kill_process",
"kill_thread",
"log",
"trace",
"trap",
"user_notif"
],
"version": 10
}
[ Impact ]
* boot times for all pre-installed images are adversely affected, causing issues for cloud partners
[ Test Plan ]
* build any cloud image
* boot
* run `snap debug preseed`
* there should not be anything in : seed-restart-system-key
[ Where problems could occur ]
* if i didn't get the exact match of features, and seed-restart-system-key is still present
* thankfully, it tells you the mismatch, so we can iterate and fix
* without this the 6.2 kernel will not be properly pre-seeded and optimized for first boot deployments.
[ Other Info ] |
|