action #155413
closed
Ensure apparmor is enforced in openQA-in-openQA tests size:M
Description
Motivation
On multiple occasions openQA failed to start up or operate successfully on openqa.opensuse.org due to changes in functionality for which the corresponding apparmor adaptations had not been prepared. We should have automatic tests that ensure that apparmor profiles are enforced and that fail if the profiles do not cover what openQA needs.
Acceptance criteria
- AC1: At least one openQA-in-openQA test scenario ensures that openQA jobs can still be executed with apparmor profiles enforced
Suggestions
- Do we have any documentation regarding apparmor? If not then extend our documentation to cover that, should be simple
- Enable apparmor in openQA-in-openQA tests and just run tests, e.g. like "zypper -n in apparmor && systemctl enable --now apparmor"
- Ensure to cover both webUI and worker part though can be on the same host
- Do we need reboot? Probably not, we don't have any kernel parameters or anything on o3
Updated by okurz 10 months ago
- Copied from action #153427: Improve updating cached assets size:M added
Updated by livdywan 7 months ago
tinita wrote in #note-3:
I don't understand that suggestion:
Ensure to cover both webUI and worker part though can be on the same host
Can someone translate that?
I guess web UI and workers require different permissions. If they're on different hosts they need to be installed in different packages?
Updated by tinita 4 months ago
- Related to action #165408: Unreviewed issue (Group 24 openQA) test-running in openQA failing with error detecting default remote branch size:S added
Updated by jbaier_cz 4 months ago
I am on the right track here. During testing, I was able to identify more missing rules around the new git features. I created https://github.com/os-autoinst/openQA/pull/5883 to fix the missing rules and https://github.com/os-autoinst/os-autoinst-distri-openQA/pull/199 to enable testing the profile in production.
Updated by jbaier_cz 4 months ago
- Related to action #165692: [openQA-in-openQA] test does not fail if state is done but incomplete auto_review:"no candidate needle.*openqa-dashboard.*matched" size:S added
Updated by jbaier_cz 4 months ago
- Status changed from In Progress to Feedback
Deployed and working. And we also already tested missing rules in profile in https://openqa.opensuse.org/tests/4423883#step/test_running/8. I will monitor the situation and resolve after I confirm the other fix also works.
Updated by jbaier_cz 4 months ago
To make debugging easier in the future, I added https://github.com/os-autoinst/os-autoinst-distri-openQA/pull/200 to upload the audit.log when an AppArmor-enabled test fails.
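An added example, not taken from the ticket or from the openQA repositories: one way a test could assert the acceptance criterion, by checking that matching profiles are loaded in enforce mode and that the audit.log holds no denials for them. The function names, the default pattern `openqa`, the placeholder profile names and all sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# Profiles matching PATTERN that are loaded but not enforced. FILE uses the
# "name (mode)" format of /sys/kernel/security/apparmor/profiles.
profiles_not_enforced() {
    awk -v pat="$2" '$0 ~ pat && $NF != "(enforce)"' "$1"
}

# Distinct denials for matching profiles: profile operation denied_mask name.
# Fields missing from a record (e.g. capability denials) are printed as "-".
apparmor_denials() {
    awk -v pat="$2" '
        function field(key,    m) {
            if (!match($0, " " key "=\"[^\"]*\"")) return "-"
            m = substr($0, RSTART, RLENGTH)
            return substr(m, length(key) + 4, length(m) - length(key) - 4)
        }
        /apparmor="DENIED"/ {
            p = field("profile")
            if (p ~ pat) print p, field("operation"), field("denied_mask"), field("name")
        }' "$1" | sort -u
}

# Fail when no matching profile is enforced (a missing profile would otherwise
# pass vacuously), when one is in another mode, or when a denial was logged.
check_apparmor() {  # usage: check_apparmor PROFILES_FILE AUDIT_LOG [PATTERN]
    pat=${3:-openqa}
    grep -E "$pat" "$1" | grep -q '(enforce)$' || { echo "no enforced profile for $pat" >&2; return 1; }
    out=$(profiles_not_enforced "$1" "$pat"; apparmor_denials "$2" "$pat")
    [ -z "$out" ] || { printf '%s\n' "$out" >&2; return 1; }
}

# Constructed sample input with placeholder profile names (not from a real host).
sample=$(mktemp -d)
cat > "$sample/profiles" <<'EOF'
example-openqa-webui (enforce)
example-openqa-worker (complain)
/usr/sbin/chronyd (enforce)
EOF
cat > "$sample/audit.log" <<'EOF'
type=AVC msg=audit(1700000000.100:201): apparmor="DENIED" operation="open" profile="example-openqa-webui" name="/example/tests/.git/config" pid=4242 comm="git" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
type=AVC msg=audit(1700000001.100:202): apparmor="DENIED" operation="open" profile="example-openqa-webui" name="/example/tests/.git/config" pid=4243 comm="git" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
type=AVC msg=audit(1700000002.100:203): apparmor="ALLOWED" operation="exec" profile="example-openqa-worker" name="/usr/bin/example" pid=4250 comm="worker" requested_mask="x" denied_mask="x" fsuid=100 ouid=0
type=AVC msg=audit(1700000003.100:204): apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=900 comm="chronyd" capability=12 capname="net_admin"
EOF
check_apparmor "$sample/profiles" "$sample/audit.log" || echo "AppArmor check failed"
```

On a test host the two inputs would be /sys/kernel/security/apparmor/profiles and the audit.log that the test uploads on failure; `ALLOWED` records from complain mode are deliberately not counted as denials, since the mode check already flags that profile.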
Updated by jbaier_cz 4 months ago
Semi-related timeouts: https://openqa.opensuse.org/tests/4447516; I guess it should be enough to just bump the default timeout: https://github.com/os-autoinst/os-autoinst-distri-openQA/pull/205