action #54308

Failed to open /var/lib/openqa/.config/openqa/client.conf: Permission denied at /usr/share/openqa/script/../lib/OpenQA/ line 42

Added by okurz about 1 year ago. Updated 12 months ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:



from o3 after upgrade (could have been there in before):

Jul 16 09:00:02 ariel openqa[10498]: Failed to open /var/lib/openqa/.config/openqa/client.conf: Permission denied at /usr/share/openqa/script/../lib/OpenQA/ line 42


ariel:~> sudo ls -l /var/lib/openqa/.config/openqa/client.conf
-rw------- 1 geekotest root 125 Mar 23  2015 /var/lib/openqa/.config/openqa/client.conf

from /var/log/audit/audit.log:

type=AVC msg=audit(1563267602.725:39999): apparmor="DENIED" operation="open" profile="/usr/share/openqa/script/openqa" name="/var/lib/openqa/.config/openqa/client.conf" pid=10799 comm="openqa" requested_mask="r" denied_mask="r" fsuid=493 ouid=493

so I guess something changed causing openQA to want to read the client config now?


Maybe a regression from the recent upgrade:

$ git log1 --no-merges 222783b0..e00d3964
4a71161b Make the websocket server tests less noisy
79acbcfe (okurz/fix/spec, fix/spec) docker: Add back 'Test::Compile' as needed for os-autoinst
641b735b spec: Fix invalid '%perl' introduced with 3aadc34c
0500c7e5 Test handling worker job status changes
623d86ea Fix passing --no-cleanup worker CLI option
bcf9926f (okurz/enhance/prevent_git_gc_message, enhance/prevent_git_gc_message) fetchneedles: Use subshells efficiently for dir changes
c611e003 fetchneedles: Fix indention
0e7265d4 fetchneedles: Prevent noisy output about auto-packing git repos
461240de (Martchus/limit-jobs) Ensure query in jobs API does not become too big
561c8399 (Martchus/job-templates) Remove group name from job templates example
d949480f Adapt order of job template example
e0bf4f71 (kraih/dead_auth_tests) Remove dead auth tests from a DBus refactoring 4 years ago
02a40929 (kraih/plugin_auth) Give the authentication routes plugins will use names and test them
262df501 Improve and simplify compile check
380e5131 Add Test::Strict to Docker container
ad573935 (kraih/plugin_links) Allow plugins to add links to the menu
9d954788 Allow any suffix for TAP source files
a9bfc7da (okurz/enhance/docs_generation) .travis.yml: Make documentation generation an explicit job, only on master
68df32b1 .travis.yml: Give readable names to test jobs
ed28edff .travis.yml: Put handling of cache dir together
8250363b Extend filter for new/updated admin table rows
f6178374 Make log messages of worker tests less verbose
3887fe66 (okurz/fix/genapi) generate-documentation: Fix wrong script path introduced by 81df2fd
e4e70018 (okurz/fix/docs) docs: Fix quotes and apostrophes for asciidoctor/github style
3d7e4f25 (okurz/feature/travis_retry) .travis.yml: Workaround flaky tests with 'travis_test'
b25d06ed Test kvm module, only if it is not built-in
2dcb9772 Make containers non-x86 archs friendly and update to leap 15.1
53a11de0 (kraih/run_cmd_proto) Remove another useless prototype and an unused function from OpenQA::Utils
512455fe Remove obsolete prototypes
3aadc34c (okurz/fix/build_warning) Explicitly specify perl module 'Module::Pluggable' to fix warning
f54fa4d7 openqa-clone-job: Improve handling --from parameter
841e0772 (okurz/feature/release_readme) README: Clarify how releases are made

I could not find related changes in the according diff though.

It rather looks to me as if this is not causing any real problems as the relevant config file should be /etc/openqa/client.conf . I checked both files /etc/openqa/client.conf and /var/lib/openqa/.config/openqa/client.conf . Both are unchanged since 2015 and probably we can just delete the latter.


#1 Updated by coolo about 1 year ago

  • Target version set to Ready

So what's currently happening? Did you change the profile manually?

#2 Updated by okurz about 1 year ago

No, did not change anything yet. It does not seem to have any functional impact.

#3 Updated by mkittler about 1 year ago

It simply looks for the config file in the home directory (apparently /var/lib/openqa in this case). That this doesn't work is not a problem because then it falls back to the global config under /etc.

I guess searching in the home directory it actually a useful feature so I'd keep it. Likely we should just delete the file under /var/lib/openqa/.config/openqa/client.conf. So far I have just renamed it to client.conf.bak.

#4 Updated by okurz about 1 year ago

  • Project changed from openQA Project to openQA Infrastructure
  • Category deleted (Concrete Bugs)
  • Status changed from New to Resolved
  • Assignee set to okurz

yes, right. So I guess it was actually just a configuration issue in our infra. I deleted the complete directory /var/lib/openqa/.config/openqa , the file in /etc/openqa/client.conf is still there with the same content. I don't know if it's even required. thanks for the help.

#5 Updated by okurz about 1 year ago

  • Status changed from Resolved to In Progress

nope, not that easy :)

The file is used by from /etc/cron.d/openqa-iso-sync calling /opt/openqa-scripts/openqa-iso-sync as geekotest. I put back a copy of /etc/openqa/client.conf . We could either make /etc/openqa/client.conf readable to geekotest or schedule from a different user. I checked the setup on osd and it seems to be comparable, e.g. geekotest calling with the credentials in /var/lib/openqa/.config/openqa/client.conf as well but the difference being that apparmor is not running on osd.

#6 Updated by okurz about 1 year ago

  • Status changed from In Progress to Feedback

#7 Updated by okurz about 1 year ago

  • Status changed from Feedback to Resolved

#8 Updated by coolo 12 months ago

  • Target version changed from Ready to Done

Also available in: Atom PDF