| 2023-09-27 15:34:33 |
John Chittum |
bug |
|
|
added bug |
| 2023-09-27 15:34:40 |
John Chittum |
livecd-rootfs (Ubuntu): assignee |
|
John Chittum (jchittum) |
|
| 2023-09-27 16:34:40 |
Andrew Cloke |
bug |
|
|
added subscriber Andrew Cloke |
| 2023-09-27 16:59:47 |
John Chittum |
description |
starting with kernel package(s) 6.5.0.1006, currently in mantic-proposed, `io_uring` is added as a apparmor feature. This change results in preseeded snaps being unoptimized, as the mounted apparmor features in the chroot do not match the 6.5.0.1006 kernels. On a system running with the kernel
cat /sys/kernel/security/apparmor/features/io_uring/mask
sqpoll override_creds
1. ensure that this is correct with kernel and security teams
2. ensure that this is the default going forward
if 1 and 2, then set the default in `livecd-rootfs` for mounted apparmor features to include io_uring |
starting with kernel package(s) 6.5.0.1006, currently in mantic-proposed, `io_uring` is added as a apparmor feature. This change results in preseeded snaps being unoptimized, as the mounted apparmor features in the chroot do not match the 6.5.0.1006 kernels. On a system running with the kernel
cat /sys/kernel/security/apparmor/features/io_uring/mask
sqpoll override_creds
1. ensure that this is correct with kernel and security teams
2. ~~ensure that this is the default going forward~~ : Create a 6.5 feature directory as it was pointed out by xnox that Mantic has more than 6.5 kernels at this time.
if 1 and 2, then set the default in `livecd-rootfs` for mounted apparmor features to include io_uring |
|
| 2023-09-27 18:17:59 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~jchittum/livecd-rootfs/+git/livecd-rootfs/+merge/452299 |
|
| 2023-10-05 23:35:24 |
Launchpad Janitor |
livecd-rootfs (Ubuntu): status |
New |
Fix Released |
|
| 2023-10-19 12:05:29 |
John Chittum |
description |
starting with kernel package(s) 6.5.0.1006, currently in mantic-proposed, `io_uring` is added as a apparmor feature. This change results in preseeded snaps being unoptimized, as the mounted apparmor features in the chroot do not match the 6.5.0.1006 kernels. On a system running with the kernel
cat /sys/kernel/security/apparmor/features/io_uring/mask
sqpoll override_creds
1. ensure that this is correct with kernel and security teams
2. ~~ensure that this is the default going forward~~ : Create a 6.5 feature directory as it was pointed out by xnox that Mantic has more than 6.5 kernels at this time.
if 1 and 2, then set the default in `livecd-rootfs` for mounted apparmor features to include io_uring |
starting with kernel package(s) 6.5.0.1006, currently in mantic-proposed, `io_uring` is added as a apparmor feature. This change results in preseeded snaps being unoptimized, as the mounted apparmor features in the chroot do not match the 6.5.0.1006 kernels. On a system running with the kernel
cat /sys/kernel/security/apparmor/features/io_uring/mask
sqpoll override_creds
1. ensure that this is correct with kernel and security teams
2. ~~ensure that this is the default going forward~~ : Create a 6.5 feature directory as it was pointed out by xnox that Mantic has more than 6.5 kernels at this time.
if 1 and 2, then set the default in `livecd-rootfs` for mounted apparmor features to include io_uring
SRU [Jammy]
====
[ Impact ]
* Users of the 6.5 kernel will have un-optimized first boot experiences due to snaps not preseeding with the correct apparmor setup. This directly affects clouds, leading to boot speed degradation of anywhere from 10-30s (depending on snaps installed)
[ Test Plan ]
* Create images with livecd-rootfs:ubuntu/jammy with the SRU'd change (the 6.5 directory in live-build/apparmor)
* image must use an "edge" kernel or another forward pointing kernel as the HWE and cloud kernels have not rolled yet.
* boot image(s)
* check `snap debug seeding`. This should show successful seeding
* if a long json output is observed, check the restart-key to see what features are missing. compare to 6.5 in ubuntu/master. check with security, apparmor, and kernel teams
[ Where problems could occur ]
* If there is a difference in rules of 6.5 in mantic and 6.5 being released to Jammy
*
[ Other Info ]
* testing may be difficult, as we're trying to catch this before it lands. the codepath selecting kernel version is stable, so adding the configuration area should be safe, even if testing is not easily possible. |
|
| 2023-10-19 12:26:35 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~jchittum/livecd-rootfs/+git/livecd-rootfs/+merge/454025 |
|
| 2023-12-04 09:43:51 |
Ubuntu Archive Robot |
bug |
|
|
added subscriber Steve Langasek |
| 2023-12-07 18:48:54 |
Andreas Hasenack |
livecd-rootfs (Ubuntu Jammy): status |
New |
Fix Committed |
|
| 2023-12-07 18:48:55 |
Andreas Hasenack |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2023-12-07 18:48:57 |
Andreas Hasenack |
bug |
|
|
added subscriber SRU Verification |
| 2023-12-07 18:49:01 |
Andreas Hasenack |
tags |
|
verification-needed verification-needed-jammy |
|
| 2023-12-07 18:52:27 |
Andreas Hasenack |
bug |
|
|
added subscriber Andreas Hasenack |
| 2024-01-12 15:43:06 |
Ubuntu Archive Robot |
bug |
|
|
added subscriber Utkarsh Gupta |
| 2024-01-17 11:15:14 |
Philip Roche |
tags |
verification-needed verification-needed-jammy |
verification-done-jammy verification-needed |
|
| 2024-01-17 11:44:47 |
Launchpad Janitor |
livecd-rootfs (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
| 2024-01-17 11:45:09 |
Ćukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
