QA (public) » openQA Project (public) » openQA Tests (public)

problem is here I think:

[2019-08-13T04:45:49.342 CEST] [debug] /var/lib/openqa/cache/openqa1-opensuse/tests/opensuse/tests/console/sshd.pm:65 called opensusebasetest::select_serial_terminal
[2019-08-13T04:45:49.342 CEST] [debug] <<< testapi::select_console(testapi_console='root-virtio-terminal')
[2019-08-13T04:45:49.343 CEST] [debug] <<< consoles::virtio_terminal::open_pipe(pipe_prefix='/var/lib/openqa/pool/12/virtio_console')
[2019-08-13T04:45:49.345 CEST] [debug] Backend process died, backend errors are reported below in the following lines:
Can't open file "/proc/sys/fs/pipe-max-size": Permission denied at /usr/lib/os-autoinst/consoles/virtio_terminal.pm line 144.

[2019-08-13T04:45:49.345 CEST] [info] ::: OpenQA::Qemu::Proc::save_state: Saving QEMU state to qemu_state.json

pretty sure it's due to missing adjustements to apparmor due to gh#os-autoinst/os-autoinst#1182 from cfconrad/virtio_terminal_with_tcp

for i in power8 aarch64 imagetester openqaworker1 openqaworker4; do echo $i && ssh root@$i "aa-complain /usr/share/openqa/script/worker && systemctl restart openqa-worker.target"; done

retriggered incomplete jobs over web UI, monitoring https://openqa.opensuse.org/tests/1005501

Afterwards should adjust apparmor profile.

I see. Yes this is my fault.
I think it is enough to allow reading /proc/sys/fs/pipe-max-size.
The other thing which comes into my mind could be mkfifo https://github.com/os-autoinst/os-autoinst/blob/master/backend/qemu.pm#L851 but I do not see such message in the logs.

I would like to enable apparmor in my test instance.
Is it enough to just start it with systemctl start apparmor ?

cfconrad wrote:

The other thing which comes into my mind could be mkfifo https://github.com/os-autoinst/os-autoinst/blob/master/backend/qemu.pm#L851 but I do not see such message in the logs.

yes, me neither. I guess the changes I proposed in the PR are enough.

cfconrad wrote:

I would like to enable apparmor in my test instance.
Is it enough to just start it with systemctl start apparmor ?

yes, this should be enough when you have the openQA package installed along with the profiles that should end up in /etc/apparmor.d/usr.share.openqa.script.openqa and /etc/apparmor.d/usr.share.openqa.script.worker . Take a look into /var/log/audit/audit.log for reports from apparmor what it denies. To have a better, complete picture the services should be separated so that a machine (or a container?) runs the worker only along with the worker profile and a different machine for the web UI and other services. I consider aa-complain <path/to/profile> and aa-enforce </path/to/profile> most helpful to selectively enable/disable profiles along with reports about violations in the aforementioned log file.

thanks a lot for that detailed answer!