action #155413

closed

Ensure apparmor is enforced in openQA-in-openQA tests size:M

Added by okurz 8 months ago. Updated about 1 month ago.

Status: Resolved
Priority: Normal
Category: Feature requests
% Done: 0%

Description

Motivation

On multiple occasions openQA failed to start up or operate successfully on openqa.opensuse.org due to changes of functionality without the corresponding apparmor adaptations being prepared. We should have automatic tests that ensure that apparmor profiles are enforced and fail if not covered properly.

Acceptance criteria

  • AC1: At least one openQA-in-openQA test scenario ensures that openQA jobs can still be executed with apparmor profiles enforced

Suggestions

  • Do we have any documentation regarding apparmor? If not then extend our documentation to cover that, should be simple
  • Enable apparmor in openQA-in-openQA tests and just run tests, e.g. like "zypper -n in apparmor && systemctl enable --now apparmor"
  • Ensure to cover both webUI and worker part though can be on the same host
  • Do we need reboot? Probably not, we don't have any kernel parameters or anything on o3

Related issues 3 (0 open, 3 closed)

  • Related to openQA Project - action #165408: Unreviewed issue (Group 24 openQA) test-running in openQA failing with error detecting default remote branch size:S (Resolved, ybonatakis, 2024-09-06)
  • Related to openQA Project - action #165692: [openQA-in-openQA] test does not fail if state is done but incomplete auto_review:"no candidate needle.*openqa-dashboard.*matched" size:S (Resolved, jbaier_cz, 2024-08-22)
  • Copied from openQA Project - action #153427: Improve updating cached assets size:M (Resolved, mkittler, 2024-01-05)

Actions #1

Updated by okurz 8 months ago

  • Copied from action #153427: Improve updating cached assets size:M added
Actions #2

Updated by jbaier_cz 6 months ago

  • Subject changed from Ensure apparmor is enforced in openQA-in-openQA tests to Ensure apparmor is enforced in openQA-in-openQA tests size:M
  • Description updated (diff)
  • Status changed from New to Workable
Actions #3

Updated by tinita 5 months ago

I don't understand that suggestion:

Ensure to cover both webUI and worker part though can be on the same host

Can someone translate that?

Actions #4

Updated by livdywan 5 months ago

tinita wrote in #note-3:

I don't understand that suggestion:

Ensure to cover both webUI and worker part though can be on the same host

Can someone translate that?

I guess web UI and workers require different permissions. If they're on different hosts they need to be installed in different packages?

Actions #5

Updated by okurz 2 months ago

  • Target version changed from Tools - Next to Ready
Actions #6

Updated by jbaier_cz about 2 months ago

  • Assignee set to jbaier_cz
Actions #7

Updated by jbaier_cz about 2 months ago

  • Status changed from Workable to In Progress

Looks like AppArmor is installed and enabled by default, so we just need to switch it to enforcing mode for openQA.

Actions #8

Updated by tinita about 2 months ago

  • Related to action #165408: Unreviewed issue (Group 24 openQA) test-running in openQA failing with error detecting default remote branch size:S added
Actions #9

Updated by tinita about 2 months ago

Could be related to #165408

Actions #10

Updated by jbaier_cz about 2 months ago

I am on the right track here. During testing, I was able to identify more missing rules around the new git features. I created https://github.com/os-autoinst/openQA/pull/5883 to fix the missing rules and https://github.com/os-autoinst/os-autoinst-distri-openQA/pull/199 to enable testing the profile in production.

Actions #11

Updated by jbaier_cz about 2 months ago

  • Related to action #165692: [openQA-in-openQA] test does not fail if state is done but incomplete auto_review:"no candidate needle.*openqa-dashboard.*matched" size:S added
Actions #12

Updated by jbaier_cz about 2 months ago

  • Status changed from In Progress to Feedback

Deployed and working. And we also already tested missing rules in the profile in https://openqa.opensuse.org/tests/4423883#step/test_running/8. I will monitor the situation and resolve after I confirm the other fix also works.

Actions #13

Updated by jbaier_cz about 2 months ago

To make the debugging easier in the future, I added https://github.com/os-autoinst/os-autoinst-distri-openQA/pull/200 to upload the audit.log when an AppArmor-enabled test fails.
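
One way to triage an uploaded audit.log for missing profile rules, as an added example that is not part of this ticket or the linked pull requests. The function names, profile names and paths are assumptions, and the log lines are constructed in the kernel audit format AppArmor uses.

```python
import re
from collections import Counter

# Constructed sample lines; profile names and paths are placeholders,
# not openQA's real profiles.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:210): apparmor="DENIED" operation="open" profile="/opt/example/webui" name="/etc/gitconfig" pid=4101 comm="git" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.202:211): apparmor="DENIED" operation="open" profile="/opt/example/webui" name="/etc/gitconfig" pid=4102 comm="git" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000001.303:212): apparmor="ALLOWED" operation="exec" profile="/opt/example/worker" name="/usr/bin/ssh" pid=4200 comm="git" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1700000002.404:213): apparmor="DENIED" operation="mknod" profile="/opt/example/worker" name=2F746D702F6120622E6C6F636B pid=4201 comm="perl" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1700000003.505:214): arch=c000003e syscall=257 success=yes exit=3 comm="sshd"
"""

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line):
    """Return the key/value fields of one AppArmor audit line, else None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        if raw.startswith('"'):
            fields[key] = quoted
        elif key == 'name' and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
            # Names with spaces or special characters are logged hex-encoded.
            fields[key] = bytes.fromhex(raw).decode('utf-8', 'replace')
        else:
            fields[key] = raw
    return fields

def summarize(log_text, profile_prefix=''):
    """Count events per (verdict, profile, operation, name, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev.get('profile', '').startswith(profile_prefix):
            counts[(ev['apparmor'], ev['profile'], ev.get('operation', '?'),
                    ev.get('name', '?'), ev.get('denied_mask', '?'))] += 1
    return counts

def check(log_text, profile_prefix=''):
    """Return (exit_code, report); exit_code is 1 if anything was DENIED."""
    counts = summarize(log_text, profile_prefix)
    report = [f'{n}x {v} {p} {op} {name} mask={m}'
              for (v, p, op, name, m), n in sorted(counts.items())]
    denied = any(key[0] == 'DENIED' for key in counts)
    return (1 if denied else 0), report

if __name__ == '__main__':
    print(*check(SAMPLE_AUDIT_LOG)[1], sep='\n')
```

`ALLOWED` entries come from profiles in complain mode: the access was logged but not blocked, so they show a missing rule that would become a `DENIED` once the profile is enforced.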

Actions #14

Updated by jbaier_cz about 2 months ago

  • Status changed from Feedback to Resolved

All related PRs are merged, I guess we are done here.

Actions #15

Updated by jbaier_cz about 1 month ago

Semi-related timeouts: https://openqa.opensuse.org/tests/4447516; I guess it should be enough to just bump the default timeout: https://github.com/os-autoinst/os-autoinst-distri-openQA/pull/205

Actions #16

Updated by jbaier_cz about 1 month ago

  • Status changed from Resolved to Feedback
Actions #17

Updated by jbaier_cz about 1 month ago

  • Status changed from Feedback to Resolved

No other issue spotted since the last fix.
