armhf dep8 failure due to restrictions changing apparmor profile status

Bug #2008393 reported by Andreas Hasenack
This bug affects 2 people
Affects                   Status         Importance   Assigned to        Milestone
Auto Package Testing      New            Undecided    Unassigned
nss-pam-ldapd (Ubuntu)    Fix Released   Undecided    Jonas Jelten
  Questing                Fix Released   Undecided    Jonas Jelten
openldap (Ubuntu)         New            Undecided    Unassigned
  Questing                New            Undecided    Unassigned
python-ldap (Ubuntu)      Fix Released   Undecided    Jonas Jelten
  Questing                Fix Released   Undecided    Jonas Jelten
rsyslog (Ubuntu)          Fix Released   Undecided    Andreas Hasenack
  Questing                Invalid        Undecided    Unassigned

Bug Description

[ Impact ]

 * Fix autopkgtests on armhf that fail due to Canonical infrastructure disallowing apparmor access

[ Test Plan ]

 * without the patch, autopkgtests fail on armhf due to lacking access to the apparmor api because of permission restrictions in the testing container
 * with the applied patch, armhf tests can succeed

[ Where problems could occur ]

 * this just changes the test, no change is expected in the resulting binary packages.

[ Other info ]

this is a fix needed to re-activate openldap's apparmor profile in bug #2119884 and is related to LP: #2130351. since these are just test changes they could be left in proposed if the SRU team prefers.

[ Analysis ]

The armhf DEP8 testers in Ubuntu infrastructure have some restrictions and cannot change an apparmor profile. This is causing the tests to fail, because they try to make sure rsyslog is being tested in enforced mode:

Enforcing the /etc/apparmor.d/usr.sbin.rsyslogd apparmor profile
Setting /etc/apparmor.d/usr.sbin.rsyslogd to enforce mode.

ERROR: /sbin/apparmor_parser: Unable to replace "rsyslogd". Permission denied; attempted to load a profile while confined?

The package migrated to lunar even with this error because it never had DEP8 tests before, and the armhf baseline was born in this error state.

These are the LXD settings used for armhf containers: https://git.launchpad.net/autopkgtest-cloud/tree/charms/focal/autopkgtest-cloud-worker/autopkgtest-cloud/tools/armhf-lxd.userdata#n76

I created an armhf container on a pi4 host (arm64) with these settings, but couldn't reproduce the issue there. There is something else going on in the autopkgtest infra regarding armhf.

FTR, I created the container like this:

lxc launch ubuntu-daily:lunar pi4:l-armhf \
-c raw.lxc="apparmor.profile=unconfined" \
-c raw.lxc="seccomp.profile=" \
-c security.nesting=true

EDIT: hm, the above actually doesn't work. Only the last raw.lxc value is used. See https://blog.simos.info/how-to-add-multi-line-raw-lxc-configuration-to-lxd/

But still, apparmor works just fine. There is some other setup going on in the autopkgtest infrastructure.
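
The changelog entries in this report describe the fix as ignoring apparmor control failures on Ubuntu+armhf. As an added illustration (not the d/t/apparmor.sh from any of these packages), a test helper can tolerate only the specific error quoted above and still fail on anything else; the name try_enforce, its return codes and the fake_* stand-ins are assumptions made for this example.

```shell
#!/bin/sh
# Added example: tolerate the known armhf infrastructure error, nothing else.
# try_enforce and its return codes are hypothetical, not from d/t/apparmor.sh.

# Text apparmor_parser printed in the log quoted in this report.
AA_CONFINED_MSG='attempted to load a profile while confined?'

# try_enforce ARCH VENDOR CMD [ARGS...]
#   0  CMD succeeded, profile is in enforce mode
#   2  Ubuntu+armhf and the known confinement error: continue unenforced
#   1  any other failure: the test should fail
try_enforce() {
    arch=$1; vendor=$2; shift 2
    if out=$("$@" 2>&1); then
        return 0
    fi
    # Report on stdout so the failure text does not trip stderr checks.
    printf '%s\n' "$out"
    if [ "$arch" = armhf ] && [ "$vendor" = Ubuntu ]; then
        case $out in
            *"$AA_CONFINED_MSG"*)
                echo "apparmor: profile load denied here, continuing unenforced"
                return 2 ;;
        esac
    fi
    return 1
}

# Constructed stand-ins for aa-enforce so the example runs without AppArmor.
fake_denied() {
    echo 'ERROR: /sbin/apparmor_parser: Unable to replace "rsyslogd". Permission denied; attempted to load a profile while confined?' >&2
    return 1
}
fake_missing() { echo 'constructed error: profile file not found' >&2; return 1; }

# Real use in a test script would look like:
#   try_enforce "$(dpkg --print-architecture)" "$(dpkg-vendor --query Vendor)" \
#       aa-enforce /etc/apparmor.d/usr.sbin.rsyslogd
```

Matching the exact message keeps a genuine aa-enforce failure on armhf from being masked, and a caller that receives 2 knows the run did not exercise the profile in enforce mode.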


description: updated
description: updated
description: updated
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rsyslog - 8.2302.0-1ubuntu2

---------------
rsyslog (8.2302.0-1ubuntu2) lunar; urgency=medium

  * d/t/simple-*, d/t/control: ignore aa-enforce error, which can happen
    on armhf in the Ubuntu DEP8 infrastructure, and allow-stderr for
    these tests (LP: #2008393)

 -- Andreas Hasenack <email address hidden> Thu, 23 Feb 2023 18:56:07 -0300

Changed in rsyslog (Ubuntu):
status: In Progress → Fix Released
Jonas Jelten (jj) wrote :

https://github.com/canonical/lxd/issues/14770 could be the cause for our infrastructure.
a workaround may be requesting a real vm for the test with autopkgtest restriction=isolation-machine (which just skips the test on the Ubuntu infrastructure, currently).

Paride Legovini (paride)
no longer affects: autopkgtest-cloud
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-ldap - 3.4.4-2ubuntu2

---------------
python-ldap (3.4.4-2ubuntu2) resolute; urgency=medium

  * d/t/apparmor.sh: fix testing apparmor profile write access (LP: #2130351)

python-ldap (3.4.4-2ubuntu1) resolute; urgency=medium

  * d/t/{startserver,upstream}: fix slapd apparmor access to test directory
    (LP: #2130351)
    - d/t/apparmor.sh: ignore apparmor control failures on Ubuntu+armhf
      (LP: #2008393)

 -- Jonas Jelten <email address hidden> Mon, 08 Dec 2025 15:45:13 +0100

Changed in python-ldap (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss-pam-ldapd - 0.9.13-2ubuntu2

---------------
nss-pam-ldapd (0.9.13-2ubuntu2) resolute; urgency=medium

  * d/t/testsuite: fix slapd apparmor access to test directory (LP: #2130351)
    - d/t/apparmor.sh: ignore apparmor control failures on Ubuntu+armhf
      (LP: #2008393)

 -- Jonas Jelten <email address hidden> Wed, 12 Nov 2025 16:42:10 +0100

Changed in nss-pam-ldapd (Ubuntu):
status: New → Fix Released
Jonas Jelten (jj)
Changed in rsyslog (Ubuntu Questing):
status: New → Invalid
Jonas Jelten (jj)
Changed in python-ldap (Ubuntu Questing):
status: New → In Progress
Changed in nss-pam-ldapd (Ubuntu Questing):
status: New → In Progress
Changed in nss-pam-ldapd (Ubuntu):
assignee: nobody → Jonas Jelten (jj)
Changed in nss-pam-ldapd (Ubuntu Questing):
assignee: nobody → Jonas Jelten (jj)
Changed in python-ldap (Ubuntu):
assignee: nobody → Jonas Jelten (jj)
Changed in python-ldap (Ubuntu Questing):
assignee: nobody → Jonas Jelten (jj)
Jonas Jelten (jj)
description: updated
Jonas Jelten (jj)
description: updated
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Andreas, or anyone else affected,

Accepted python-ldap into questing-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-ldap/3.4.4-1ubuntu0.25.10.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-questing to verification-done-questing. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-questing. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in python-ldap (Ubuntu Questing):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-questing
Timo Aaltonen (tjaalton) wrote :

Hello Andreas, or anyone else affected,

Accepted nss-pam-ldapd into questing-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nss-pam-ldapd/0.9.13-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-questing to verification-done-questing. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-questing. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in nss-pam-ldapd (Ubuntu Questing):
status: In Progress → Fix Committed
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (nss-pam-ldapd/0.9.13-1ubuntu0.1)

All autopkgtests for the newly accepted nss-pam-ldapd (0.9.13-1ubuntu0.1) for questing have finished running.
The following regressions have been reported in tests triggered by the package:

nss-pam-ldapd/0.9.13-1ubuntu0.1 (amd64, arm64, ppc64el, s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/questing/update_excuses.html#nss-pam-ldapd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (python-ldap/3.4.4-1ubuntu0.25.10.2)

All autopkgtests for the newly accepted python-ldap (3.4.4-1ubuntu0.25.10.2) for questing have finished running.
The following regressions have been reported in tests triggered by the package:

barbican/2:21.0.0-0ubuntu1 (armhf)
django-auth-ldap/5.1.0-1 (armhf)
keystone/unknown (armhf)
python-ldap/3.4.4-1ubuntu0.25.10.2 (amd64, arm64, ppc64el, s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/questing/update_excuses.html#python-ldap

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Jonas Jelten (jj) wrote :

nss-pam-ldapd questing autopkgtest now passes:
openldap/2.6.10+dfsg-1ubuntu2.1 nss-pam-ldapd/0.9.13-1ubuntu0.1
https://autopkgtest.ubuntu.com/run/594395ef-705c-4acd-bca2-1a06c79dcfb5

python-ldap questing autopkgtest now passes:
openldap/2.6.10+dfsg-1ubuntu2.1 python-ldap/3.4.4-1ubuntu0.25.10.2
https://autopkgtest.ubuntu.com/run/a51c89a5-993b-461a-ad30-efab59545362

verified.

tags: added: verification-done verification-done-questing
removed: verification-needed verification-needed-questing
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss-pam-ldapd - 0.9.13-1ubuntu0.1

---------------
nss-pam-ldapd (0.9.13-1ubuntu0.1) questing; urgency=medium

  * d/t/testsuite: fix slapd apparmor access to test directory (LP: #2130351)
    - d/t/apparmor.sh: ignore apparmor control failures on Ubuntu+armhf
      (LP: #2008393)
  * d/p/fix-c23-bool-keyword: fix build (LP: #2139290)

 -- Jonas Jelten <email address hidden> Tue, 20 Jan 2026 11:42:10 +0100

Changed in nss-pam-ldapd (Ubuntu Questing):
status: Fix Committed → Fix Released
Julian Andres Klode (juliank) wrote : Update Released

The verification of the Stable Release Update for nss-pam-ldapd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-ldap - 3.4.4-1ubuntu0.25.10.2

---------------
python-ldap (3.4.4-1ubuntu0.25.10.2) questing; urgency=medium

  * d/t/{startserver,upstream}: fix slapd apparmor access to test directory
    (LP: #2130351)
    - d/t/apparmor.sh: ignore apparmor control failures on Ubuntu+armhf
      (LP: #2008393)

 -- Jonas Jelten <email address hidden> Tue, 20 Jan 2026 11:53:15 +0100

Changed in python-ldap (Ubuntu Questing):
status: Fix Committed → Fix Released