action #155413: Ensure apparmor is enforced in openQA-in-openQA tests size:M - openQA Project (public) - openSUSE Project Management Tool

Custom queries

All 'new' issues w/o assignee, sorted by version/priority
All auto_review tickets
All auto_review+force_result tickets
openQA Infrastructure Project
openqa-review - Closed tickets last updated by openqa-review, last 30 days
QA roadmap long-term
QA SLE functional
QA SLE Functional - closed in last 14 days
QA SLE Functional - High, need to be refined
QA SLE Functional - over cycle time median
QA SLE u
QA SLE y
QA tools (tag not necessary in openQA and subprojects)
QA tools tag (tag not necessary in openQA and subprojects; excluding tickets in "Ready" version as they are already on the backlog)
QAC - Backlog
QE tools team - backlog (dev)
QE tools team - backlog (ready issues)
QE tools team - backlog SLA high
QE tools team - backlog SLA immediate
QE tools team - backlog SLA no immediate/urgent in feedback/blocked
QE tools team - backlog SLA normal
QE tools team - backlog SLA urgent
QE tools team - backlog SLO high
QE tools team - backlog SLO normal
QE tools team - backlog SLO urgent
QE tools team - backlog, high-level view (epics and higher)
QE tools team - backlog, non-reactive work, needs parent
QE tools team - backlog, top-level view (all sagas)
QE tools team - closed within last 14 days
QE tools team - closed within last 60 days
QE tools team - closed yesterday
QE Tools Team - Collaborative Session
QE tools team - due date forecast
QE Tools team - due soon
QE tools team - exceeding due-date
QE tools team - infrastructure backlog
QE tools team - next - sorted by update time
QE tools team - next issues
QE tools team - non-estimated (unblocked) issues (dev)
QE tools team - non-estimated (unblocked) issues (infra)
QE tools team - ready issues - Workable
QE tools team - ready, not assigned/blocked/low
QE tools team - SLO high forecast
QE tools team - update forecast
QE tools team - updated by priority
QE tools team - what members of the team are working on - Feedback (not-low)
QE Tools Team Backlog By Assignee
Tools Team Retrospective
Tools Team Retrospective (not estimated or assigned)

Actions

Copy link

action #155413

closed

Ensure apparmor is enforced in openQA-in-openQA tests size:M

Added by okurz 10 months ago. Updated 3 months ago.

Status:

Resolved

Priority:

Normal

Assignee:

jbaier_cz

Category:

Feature requests

Target version:

Ready

Start date:

Due date:

% Done:

Estimated time:

Tags:

reactive work

Description

Motivation¶

In multiple occurrences openQA failed to start up or operate successfully on openqa.opensuse.org due to change of functionality without having according apparmor adaptions prepared. We should have automatic tests that ensure that apparmor profiles are enforced and fail if not covered properly.

Acceptance criteria¶

AC1: At least one openQA-in-openQA test scenario ensures that openQA jobs can still be executed with apparmor profiles enforced

Suggestions¶

Do we have any documentation regarding apparmor? If not then extend our documentation to cover that, should be simple
Enable apparmor in openQA-in-openQA tests and just run tests, e.g. like "zypper -n in apparmor && systemctl enable --now apparmor"
Ensure to cover both webUI and worker part though can be on the same host
Do we need reboot? Probably not, we don't have any kernel parameters or anything on o3

Related issues 3 (0 open — 3 closed)

Related to openQA Project (public) - action #165408: Unreviewed issue (Group 24 openQA) test-running in openQA failing with error detecting default remote branch size:S

Resolved

ybonatakis

2024-09-06

Actions

Related to openQA Project (public) - action #165692: [openQA-in-openQA] test does not fail if state is done but incomplete auto_review:"no candidate needle.*openqa-dashboard.*matched" size:S

Resolved

jbaier_cz

2024-08-22

Actions

Copied from openQA Project (public) - action #153427: Improve updating cached assets size:M

Resolved

mkittler

2024-01-05

Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by okurz 10 months ago

Copied from action #153427: Improve updating cached assets size:M added

Actions

Copy link

Updated by jbaier_cz 8 months ago

Subject changed from Ensure apparmor is enforced in openQA-in-openQA tests to Ensure apparmor is enforced in openQA-in-openQA tests size:M
Description updated (diff)
Status changed from New to Workable

Actions

Copy link

Updated by tinita 7 months ago

I don't understand that suggestion:

Ensure to cover both webUI and worker part though can be on the same host

Can someone translate that?

Actions

Copy link

Updated by livdywan 7 months ago

tinita wrote in #note-3:

I don't understand that suggestion:

Ensure to cover both webUI and worker part though can be on the same host

Can someone translate that?

I guess web UI and workers require different permissions. If they're on different hosts they need to be installed in different packages?

Actions

Copy link

Updated by okurz 4 months ago

Target version changed from Tools - Next to Ready

Actions

Copy link

Updated by jbaier_cz 4 months ago

Assignee set to jbaier_cz

Actions

Copy link

Updated by jbaier_cz 4 months ago

Status changed from Workable to In Progress

Looks like AppArmor is installed and enabled by default, so we just need to switch it to enforcing mode for openQA.

Actions

Copy link

Updated by tinita 4 months ago

Related to action #165408: Unreviewed issue (Group 24 openQA) test-running in openQA failing with error detecting default remote branch size:S added

Actions

Copy link

Updated by tinita 4 months ago

Could be related to #165408

Actions

Copy link

#10

Updated by jbaier_cz 4 months ago

I am on the right track here. During testing, I was able to identify more missing rules around the new git features. I created https://github.com/os-autoinst/openQA/pull/5883 to fix the missing rules and https://github.com/os-autoinst/os-autoinst-distri-openQA/pull/199 to enable testing the profile in production.

Actions

Copy link

#11

Updated by jbaier_cz 4 months ago

Related to action #165692: [openQA-in-openQA] test does not fail if state is done but incomplete auto_review:"no candidate needle.*openqa-dashboard.*matched" size:S added

Actions

Copy link

#12

Updated by jbaier_cz 4 months ago

Status changed from In Progress to Feedback

Deployed and working. And we also already tested missing rules in profile in https://openqa.opensuse.org/tests/4423883#step/test_running/8. I will monitor the situation and resolve after I confirm the other fix also works.

Actions

Copy link

#13

Updated by jbaier_cz 4 months ago

To make the debugging easier in the future, I added https://github.com/os-autoinst/os-autoinst-distri-openQA/pull/200 to upload the audit.log when AppArmor enabled test fails.

Actions

Copy link

#14