coordination #111192
closed[qem] [security] test fails in usr_sbin_smbd
0%
Description
Observation¶
S:M:24194:272307 which introduced this failures contains some changes that might be related:
+- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).
And from the audit log:
type=AVC msg=audit(1652765219.761:1628): apparmor="DENIED" operation="open" profile="samba-bgqd" name="/proc/4336/fd/" pid=4336 comm="samba-bgqd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
openQA test in scenario sle-15-SP3-Server-DVD-Updates-x86_64-mau-apparmor_profile@64bit fails in
usr_sbin_smbd
Test suite description¶
Testsuite maintained at https://gitlab.suse.de/qa-maintenance/qam-openqa-yml.
Reproducible¶
Fails since (at least) Build 20220516-1 (current job)
Expected result¶
Last good: 20220515-1 (or more recent)
Further details¶
Always latest result in this scenario: latest
Updated by mgrifalconi almost 2 years ago
- Subject changed from [qem] [core] test fails in usr_sbin_smbd to [qem] [qe-core] test fails in usr_sbin_smbd
- Priority changed from Normal to High
@hurhaj can you please clarify in the ticket why the result is forced to soft fail?
How was determined (and who did determine) that this failure is a test issue and not a regression? This might help who will have to actually fix the test. Thanks!
Updated by hurhaj almost 2 years ago
It was determined by the maintainer of the test, see https://suse.slack.com/archives/C02CANHLANP/p1652780831226729?thread_ts=1652779208.640379&cid=C02CANHLANP
Updated by mgrifalconi almost 2 years ago
Thanks for the context!
A note for qe-core: we might want to move this ticket to security, since the maintainer is in that squad. It is still on the core job group because security is not migrated yet.
Updated by punkioudi almost 2 years ago
- Subject changed from [qem] [qe-core] test fails in usr_sbin_smbd to [qem] [security] test fails in usr_sbin_smbd
Thanks guys for the investigation! I will forward it though to the security team, as they have the expertise on this test :)
@llzhao Could you have a look on this ticket?
Updated by rfan1 almost 2 years ago
Hello,
As discussed with Lili offline, we would suggest to file a new bug against the issue
https://openqa.suse.de/tests/8769149#step/usr_sbin_smbd/84
It passed on SLES15SP4 run http://openqa.suse.de/tests/8753087#step/usr_sbin_smbd/64
BR//Richard.
Updated by mgrifalconi almost 2 years ago
- Priority changed from High to Urgent
- Start date deleted (
2022-05-17)
Hello @rfan1 and @llzhao
If we agree that this test is in the scope of the security team, I guess it is logical that the security team will open the bug. It makes more sense since you are the owner of the test.
One more topic, I raised the priority to Urgent now, since it is constantly failing https://openqa.suse.de/tests/8820637#next_previous and needs manual action to force the result to softfail with the comment "label:force_result:softfailed:poo#111192" on every failure, every day to avoid blocking all maintenance updates.
I did it so far for a few days, and you can take over this task.
Because of that, I recommend to either decide to unschedule the test or implement a softfail while waiting for a real fix.
Thank you!
Updated by rfan1 almost 2 years ago
Sorry for the late reply since just back from a meeting.
I agree with you that this case is related to security test area. however we can't reproduce it with the latest SLES15SP4 openQA job. and I checked the latest o3 job, it passed as well https://openqa.opensuse.org/tests/2368888
So, I would suggest your team to file the bug against to dev team since it can only be seen with maintenance update. [As far as I know, QE security team will only fix the test code issues for QEM security test cases, but please correct me if I was wrong]
@llzhao, can you please provide the manual test steps here if possible?
BR//Richard.
Updated by llzhao almost 2 years ago
I am on "Squad rotation" so Richard is my replacement.
More info helps you to debug:
- Manual test cases: https://bugzilla.suse.com/tr_show_case.cgi?case_id=1728938
- Some pkg's version
It was passed on last good build Build20220515-1 (15sp3): https://openqa.suse.de/tests/8763654#step/usr_sbin_smbd/8
The samba-* version is 4.15.4
The yast2-samba-client version is 4.3.5
The yast2-samba-server version is 4.3.4
It keeps failing on latest build and start fail at Build20220516-1
https://openqa.suse.de/tests/8769149#step/usr_sbin_smbd/26
The samba-* version is 4.15.7
The yast2-samba-client version is 4.3.5
The yast2-samba-server version is 4.3.4
It is passed on sle15sp4 and TW.
So it seems a product bug.
Updated by llzhao almost 2 years ago
I fond Felix Niederwanger from Maintenance QE 1 (Vit Pelcak) already opened a bug to the fail.
https://bugzilla.suse.com/attachment.cgi?id=859175&action=edit
https://bugzilla.suse.com/show_bug.cgi?id=1199860
Also Paolo made a workaround (already merged) for test code: https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/14976/files
Updated by llzhao almost 2 years ago
- Tracker changed from action to coordination
- Status changed from New to Feedback
Close this PR.
I filed another poo to track remaining tasks: https://progress.opensuse.org/issues/111659
Updated by llzhao almost 2 years ago
@mgrifalconi we found Felix Niederwanger already filed a bug 3 days ago to track this fail.
https://bugzilla.suse.com/show_bug.cgi?id=1199860 before I and Richard revolved again.
Usually when we found a product issue we will search the bugzilla firstly to check if anybody already filed a one to avoid any duplication.
Also according to https://confluence.suse.com/pages/viewpage.action?spaceKey=openqa&title=QEM+openQA+review+guide
We suppose openQA reviewer should file the bug as we had suggested it seems to be a product bug.
Updated by okurz almost 2 years ago
llzhao wrote:
Also according to https://confluence.suse.com/pages/viewpage.action?spaceKey=openqa&title=QEM+openQA+review+guide
We suppose openQA reviewer should file the bug as we had suggested it seems to be a product bug.
Just to make sure that this is understood. As documented on https://confluence.suse.com/display/openqa/QEM+openQA+review+guide the idea is that each squad does the openQA review. Quoting the guide
When a test case fails, basic triage and steps as shown in Fig. 1 are done. Test dev squad is expected to make the decision what to do ASAP but is free to pick the best approach
meaning that the security squad conducts the review and ensures that no false-positive or non-critical test failures prevent further automatic acceptance of maintenance tests.
Updated by llzhao almost 2 years ago
okurz wrote:
llzhao wrote:
Also according to https://confluence.suse.com/pages/viewpage.action?spaceKey=openqa&title=QEM+openQA+review+guide
We suppose openQA reviewer should file the bug as we had suggested it seems to be a product bug.Just to make sure that this is understood. As documented on https://confluence.suse.com/display/openqa/QEM+openQA+review+guide the idea is that each squad does the openQA review. Quoting the guide
When a test case fails, basic triage and steps as shown in Fig. 1 are done. Test dev squad is expected to make the decision what to do ASAP but is free to pick the best approach
meaning that the security squad conducts the review and ensures that no false-positive or non-critical test failures prevent further automatic acceptance of maintenance tests.
Hi Oliver,
According to https://confluence.suse.com/pages/viewpage.action?spaceKey=qasle&title=openQA+QE+Maintenance+Review "Security QE" squad did not check the "Approvals" list as limited resources before and current.
See comments for more info,
User icon: llzhao
lili zhao
Feedback from QE Security:
The "Proposal 1. Squads will directly take care about stability of openQA test cases from QE Maintenance." can't be applied to security squad based on our current limited resource.
QE Security squad can help to support these actions atm:
1. Can support fixing poos while test cases (FIPS/apparmor/apparmor_profile/scap/selinux/lynis/389ds/swtpm/Secureboot) run fail in QE Maintenance job group and "QE Security" team is asked for helps from "QE Update Validation" team.
2. Can support code review while security related test cases are integrated into openQA Maintenance job group by "QE Update Validation" team.
3. Can offer technical supports while "QE Update Validation" team wants to enable Security test cases in QE Maintenance job group.
More feedback, after rechecked/reevaluated this page:
4. Security QE would like not approve this proposal atm
Currently we are working on the high priority CC testing (Common Criteria Certification related) and after Sept we will work on both CC and sle15sp4. Besides there is no QEM FTE joined Security QE team after the LSG merge. We are overloaded already. So we can not guarantee the promise in this proposal. Btw, we will apply a new FTE during FY2022 when the new FTE is available we would like to reevaluate this proposal. Currently we would like to continue supporting to fix/debug poo/failure but can not guarantee a high priority (same as before).
Vit Pelcak
So security squad will not review the openQA update job groups or similar things.
When we noticed the ping messages in "# eng-testing" we had taken actions as high priority and suggested it seems a product bug.