Comment 15 for bug 728088

Colin Watson (cjwatson) wrote:

I've been debugging this on Amos' system (thanks!).

The problem isn't AppArmor as such. In fact, the real problem is that the network interface needed for iSCSI isn't being protected from later modification as it should be, so, whenever the network-interface job happens to fire for that interface in the real system, it effectively takes down the root filesystem. This tends to happen somewhere around the time that AppArmor starts, but that's just a coincidence.

This is happening because we run configure_networking in a subshell to avoid '. /tmp/net-*.conf' from killing the entirety of /scripts/local-top/iscsi if no network devices are available yet, and then expect the value of DEVICE from that subshell to be available later so that we can write it to /dev/.initramfs/open-iscsi.interface (which /etc/init/iscsi-network-interface.conf uses). Moving the code that uses DEVICE into that same subshell fixes the problem. It also makes sense to wait for udev to settle before doing any of this; I don't think that's vital, but it should reduce noisy error messages and it's what I've tested.

I'm going to do a bit more testing of this, and then upload to oneiric and natty-proposed.
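
The subshell scoping problem described in this comment, reproduced as an added example (not part of the original comment and not the open-iscsi package's script). The `configure_networking` stub, the `record_interface_*` helpers, and the temporary paths standing in for `/tmp/net-*.conf` and `/dev/.initramfs/open-iscsi.interface` are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed stand-in for the initramfs helper: it sources a per-interface
# config that sets DEVICE. Sourcing a missing file can terminate a POSIX
# shell, which is why the caller wraps it in a subshell.
configure_networking() {
    . "$1"
}

# Broken pattern: DEVICE is assigned inside the subshell, so the parent
# still sees an empty value and records no interface to protect.
record_interface_broken() {
    conf=$1 out=$2
    DEVICE=
    ( configure_networking "$conf" ) 2>/dev/null || true
    echo "$DEVICE" > "$out"
}

# Fixed pattern: the code that uses DEVICE runs in the same subshell, and
# nothing is written when no configuration was available.
record_interface_fixed() {
    conf=$1 out=$2
    (
        configure_networking "$conf" || exit 1
        if [ -n "$DEVICE" ]; then echo "$DEVICE" > "$out"; fi
    ) 2>/dev/null || true
}

# Runs both variants against a constructed config and one missing config.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'DEVICE=eth0\n' > "$dir/net-eth0.conf"   # constructed sample
    record_interface_broken "$dir/net-eth0.conf" "$dir/broken"
    record_interface_fixed "$dir/net-eth0.conf" "$dir/fixed"
    record_interface_fixed "$dir/net-none.conf" "$dir/missing"
    missing=absent
    if [ -e "$dir/missing" ]; then missing=present; fi
    printf 'broken=[%s] fixed=[%s] missing=[%s]\n' \
        "$(cat "$dir/broken")" "$(cat "$dir/fixed")" "$missing"
    rm -rf "$dir"
}
```

Calling `demo` prints the recorded interface for each variant; the empty value from the broken variant corresponds to the interface being left unprotected from the later network-interface job.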