action #7032
closedappamor doesn't allow ipmitool to be started
Description
https://openqa.suse.de/tests/24363/file/autoinst-log.txt shows a permission denied for impi.
This is audit.log
type=SYSCALL msg=audit(1427469538.657:1755): arch=c000003e syscall=59 success=no exit=-13 a0=7fab5001cff0 a1=7fab500209b0 a2=411bd70 a3=7fab55eb9540 items=0 ppid=26169 pid=26176 auid=4294967295 uid=487 gid=65534 euid=487 suid=487 fsuid=487 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=4294967295 comm="isotovideo" exe="/usr/bin/perl" key=(null)
type=AVC msg=audit(1427469538.669:1756): apparmor="DENIED" operation="exec" parent=26171 profile="/usr/share/openqa/script/worker" name="/usr/bin/ipmitool" pid=26177 comm="isotovideo" requested_mask="x" denied_mask="x" fsuid=487 ouid=0
Not sure what can of worms we open - possibly we have to split ipmi backend in a package of its own to install the profile?
Updated by coolo over 9 years ago
btw: you should be able to inject the vars.json into a local instance - as long as the ipmi backend is disfunctional, remote controlling a NBG host from taiwan should work (not sure it works well though :)
Updated by mlin7442 over 9 years ago
I've inject the vars.json and running with isotovideo locally, unfortunately I can't see ipmitool denied by apparmor
init needles from /var/lib/openqa/share/tests/sle-11-SP4-Alpha/needles
30423: cmdpipe 15, rsppipe 18
started mgmt loop with thread id 1
/var/lib/openqa/share/tests/sle-11-SP4-Alpha/needles/installation_mode-20150127.json missing match area
loaded 1028 needles
remove_tree qemuscreenshot
nice: /home/maxlin/src_orig/my_oqa/os-autoinst/videoencoder: No such file or directory
IPMI: Chassis Power Control: Down/Off
IPMI: Chassis Power is on
IPMI: Chassis Power Control: Down/Off
IPMI: Chassis Power is off
IPMI: Chassis Power Control: Up/On
IPMI: Chassis Power is off
IPMI: Chassis Power Control: Up/On
IPMI: Chassis Power is on
prot: RFB 003.008
Session info: af f9 9f bc 90 27 02 00 b0 a4 00 00 74 f8 b4 be 00 b0 47 40 f0 29 01 00
Security Result: 0
IKVM specifics: 3047439 1 1 1 1
ipmitool -H 10.162.28.200 -U admin -P qatesting -I lanplus sol activate
||| starting isosize tests/installation/isosize.pm at 2015-03-30 04:15:49
Use of uninitialized value $size in numeric gt (>) at /var/lib/openqa/share/tests/sle-11-SP4-Alpha/tests/installation/isosize.pm line 11.
Use of uninitialized value $size in concatenation (.) or string at /var/lib/openqa/share/tests/sle-11-SP4-Alpha/tests/installation/isosize.pm line 14.
check if actual iso size fits 4700372992: ok
[Mon Mar 30 12:15:49 2015] [info] Listening at "http://*:20013".
Server available at http://127.0.0.1:20013.
IKVM Session Message: 1 1 3047439 admin
Additional Bytes: 01 00 12 34 56 78 00 09 60 0a
||| finished isosize installation at 2015-03-30 04:15:52 (3 s)
||| starting qa_net tests/installation/qa_net.pm at 2015-03-30 04:15:52
Debug: /var/lib/openqa/share/tests/sle-11-SP4-Alpha/tests/installation/qa_net.pm:11 called testapi::assert_screen
<<< assert_screen(mustmatch='qa-net-selection'
, timeout=300
)
MATCH(qa-net-selection-20150108:0.00): 144 0 [m:69]
STAT 300 - similarity: 29
MATCH(qa-net-selection-20150108:0.00): 0 0 [m:1024]
STAT 299 - similarity: 10.6290880279371
no change 298
MATCH(qa-net-selection-20150108:0.00): 144 0 [m:69]
STAT 297 - similarity: 8.6913871284951
MATCH(qa-net-selection-20150108:0.00): 144 0 [m:69]
I guess "/usr/bin/ipmitool rix," should fix this issue, but since I can't reproduce it locally, so I can't confirm it...
Updated by mlin7442 over 9 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 100
Updated by mlin7442 over 9 years ago
- Status changed from In Progress to Resolved