action #155413
closed
Ensure apparmor is enforced in openQA-in-openQA tests size:M
Description
Motivation
On multiple occasions openQA failed to start up or operate successfully on openqa.opensuse.org due to changes in functionality without the corresponding AppArmor adaptations having been prepared. We should have automatic tests that ensure that AppArmor profiles are enforced and that fail if something is not covered properly.
Acceptance criteria
- AC1: At least one openQA-in-openQA test scenario ensures that openQA jobs can still be executed with apparmor profiles enforced
Suggestions
- Do we have any documentation regarding apparmor? If not then extend our documentation to cover that, should be simple
- Enable apparmor in openQA-in-openQA tests and just run tests, e.g. like "zypper -n in apparmor && systemctl enable --now apparmor"
- Ensure to cover both webUI and worker part though can be on the same host
- Do we need a reboot? Probably not, we don't have any kernel parameters or anything on o3
Updated by okurz 8 months ago
- Copied from action #153427: Improve updating cached assets size:M added
Updated by livdywan 5 months ago
tinita wrote in #note-3:
I don't understand that suggestion:
Ensure to cover both webUI and worker part though can be on the same host
Can someone translate that?
I guess web UI and workers require different permissions. If they're on different hosts they need to be installed in different packages?
Updated by jbaier_cz about 2 months ago
- Status changed from Workable to In Progress
Looks like AppArmor is installed and enabled by default, so we just need to switch it to enforcing mode for openQA.
Updated by tinita about 2 months ago
- Related to action #165408: Unreviewed issue (Group 24 openQA) test-running in openQA failing with error detecting default remote branch size:S added
Updated by jbaier_cz about 2 months ago
I am on the right track here. During testing, I was able to identify more missing rules around the new git features. I created https://github.com/os-autoinst/openQA/pull/5883 to fix the missing rules and https://github.com/os-autoinst/os-autoinst-distri-openQA/pull/199 to enable testing the profile in production.
Updated by jbaier_cz about 2 months ago
- Related to action #165692: [openQA-in-openQA] test does not fail if state is done but incomplete auto_review:"no candidate needle.*openqa-dashboard.*matched" size:S added
Updated by jbaier_cz about 2 months ago
- Status changed from In Progress to Feedback
Deployed and working. And we also already tested missing rules in the profile in https://openqa.opensuse.org/tests/4423883#step/test_running/8. I will monitor the situation and resolve after I confirm the other fix also works.
Updated by jbaier_cz about 2 months ago
To make debugging easier in the future, I added https://github.com/os-autoinst/os-autoinst-distri-openQA/pull/200 to upload the audit.log when an AppArmor-enabled test fails.
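Added example, not part of the comment above and not code from the openQA project: one way to triage an uploaded audit.log, grouping AppArmor `DENIED` records into the missing rules they point at and flagging profiles that only ever log `ALLOWED`, which means they run in complain mode and are not enforced. The log lines, profile names, paths and pids are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the auditd record format AppArmor uses; profile
# names, paths and pids are assumptions for illustration, not from the ticket.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1725955200.101:411): apparmor="DENIED" operation="open" profile="/usr/share/openqa/script/openqa" name="/etc/gitconfig" pid=2101 comm="git" requested_mask="r" denied_mask="r" fsuid=486 ouid=0
type=AVC msg=audit(1725955200.312:412): apparmor="DENIED" operation="open" profile="/usr/share/openqa/script/openqa" name="/etc/gitconfig" pid=2102 comm="git" requested_mask="r" denied_mask="r" fsuid=486 ouid=0
type=AVC msg=audit(1725955201.007:413): apparmor="ALLOWED" operation="exec" profile="/usr/share/openqa/script/worker" name="/usr/bin/git" pid=2200 comm="worker" requested_mask="x" denied_mask="x" fsuid=487 ouid=0
type=SERVICE_START msg=audit(1725955202.000:414): pid=1 uid=0 msg='unit=openqa-webui comm="systemd" res=success'
'''

# key=value or key="quoted value" pairs as they appear in audit records
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_apparmor_events(log_text):
    """Yield one dict per AppArmor audit record, skipping unrelated records."""
    for line in log_text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if "apparmor" in fields:
            yield fields

def summarize(log_text):
    """Return (Counter of denied accesses, profiles seen only in complain mode)."""
    denied = Counter()
    enforced, complaining = set(), set()
    for ev in parse_apparmor_events(log_text):
        profile = ev.get("profile", "?")
        if ev["apparmor"] == "DENIED":
            # An enforced profile blocked the access: a rule is missing.
            enforced.add(profile)
            key = (profile, ev.get("operation"), ev.get("name"), ev.get("denied_mask"))
            denied[key] += 1
        elif ev["apparmor"] == "ALLOWED":
            # Complain mode: the violation was logged but not blocked.
            complaining.add(profile)
    return denied, sorted(complaining - enforced)

if __name__ == "__main__":
    denied, complain_only = summarize(SAMPLE_AUDIT_LOG)
    for (profile, op, name, mask), count in denied.most_common():
        print(f"{count}x DENIED {profile}: {op} {name} ({mask})")
    for profile in complain_only:
        print(f"not enforced (complain mode): {profile}")
```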
Updated by jbaier_cz about 2 months ago
- Status changed from Feedback to Resolved
All related PRs are merged, I guess we are done here.
Updated by jbaier_cz about 1 month ago
Semi-related timeouts: https://openqa.opensuse.org/tests/4447516; I guess it should be enough to just bump the default timeout: https://github.com/os-autoinst/os-autoinst-distri-openQA/pull/205
Updated by jbaier_cz about 1 month ago
- Status changed from Resolved to Feedback
Updated by jbaier_cz about 1 month ago
- Status changed from Feedback to Resolved
No other issue spotted since the last fix.