action #7032: appamor doesn't allow ipmitool to be started - openQA Project - openSUSE Project Management Tool

Custom queries

All 'new' issues w/o assignee, sorted by version/priority
All auto_review tickets
All auto_review+force_result tickets
openQA Infrastructure Project
openqa-review - Closed tickets last updated by openqa-review, last 30 days
QA roadmap long-term
QA SLE functional
QA SLE Functional - closed in last 14 days
QA SLE Functional - High, need to be refined
QA SLE Functional - over cycle time median
QA SLE u
QA SLE y
QA tools (tag not necessary in openQA and subprojects)
QA tools tag (tag not necessary in openQA and subprojects; excluding tickets in "Ready" version as they are already on the backlog)
QAC - Backlog
QE tools team - backlog (dev)
QE tools team - backlog (ready issues)
QE tools team - backlog SLA high
QE tools team - backlog SLA immediate
QE tools team - backlog SLA no immediate/urgent in feedback/blocked
QE tools team - backlog SLA normal
QE tools team - backlog SLA urgent
QE tools team - backlog SLO high
QE tools team - backlog SLO normal
QE tools team - backlog SLO urgent
QE tools team - backlog, high-level view (epics and higher)
QE tools team - backlog, non-reactive work, needs parent
QE tools team - backlog, top-level view (all sagas)
QE tools team - closed within last 14 days
QE tools team - closed within last 60 days
QE tools team - closed yesterday
QE Tools Team - Collaborative Session
QE tools team - due date forecast
QE Tools team - due soon
QE tools team - exceeding due-date
QE tools team - infrastructure backlog
QE tools team - next - sorted by update time
QE tools team - next issues
QE tools team - non-estimated (unblocked) issues (dev)
QE tools team - non-estimated (unblocked) issues (infra)
QE tools team - ready issues - Workable
QE tools team - ready, not assigned/blocked/low
QE tools team - SLO high forecast
QE tools team - update forecast
QE tools team - updated by priority
QE tools team - what members of the team are working on - Feedback (not-low)
QE Tools Team Backlog By Assignee
Tools Team Retrospective
Tools Team Retrospective (not estimated or assigned)

Actions

Copy link

action #7032

closed

appamor doesn't allow ipmitool to be started

Added by coolo over 9 years ago. Updated over 9 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

mlin7442

Category:

Regressions/Crashes

Target version:

Sprint 16

Start date:

2015-03-27

Due date:

% Done:

100%

Estimated time:

Description

https://openqa.suse.de/tests/24363/file/autoinst-log.txt shows a permission denied for impi.

This is audit.log

type=SYSCALL msg=audit(1427469538.657:1755): arch=c000003e syscall=59 success=no exit=-13 a0=7fab5001cff0 a1=7fab500209b0 a2=411bd70 a3=7fab55eb9540 items=0 ppid=26169 pid=26176 auid=4294967295 uid=487 gid=65534 euid=487 suid=487 fsuid=487 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=4294967295 comm="isotovideo" exe="/usr/bin/perl" key=(null)
type=AVC msg=audit(1427469538.669:1756): apparmor="DENIED" operation="exec" parent=26171 profile="/usr/share/openqa/script/worker" name="/usr/bin/ipmitool" pid=26177 comm="isotovideo" requested_mask="x" denied_mask="x" fsuid=487 ouid=0

Not sure what can of worms we open - possibly we have to split ipmi backend in a package of its own to install the profile?

History
Notes
Property changes

Actions

Copy link

Updated by coolo over 9 years ago

btw: you should be able to inject the vars.json into a local instance - as long as the ipmi backend is disfunctional, remote controlling a NBG host from taiwan should work (not sure it works well though :)

Actions

Copy link

Updated by mlin7442 over 9 years ago

I've inject the vars.json and running with isotovideo locally, unfortunately I can't see ipmitool denied by apparmor

init needles from /var/lib/openqa/share/tests/sle-11-SP4-Alpha/needles
30423: cmdpipe 15, rsppipe 18
started mgmt loop with thread id 1
/var/lib/openqa/share/tests/sle-11-SP4-Alpha/needles/installation_mode-20150127.json missing match area
loaded 1028 needles
remove_tree qemuscreenshot
nice: /home/maxlin/src_orig/my_oqa/os-autoinst/videoencoder: No such file or directory
IPMI: Chassis Power Control: Down/Off
IPMI: Chassis Power is on
IPMI: Chassis Power Control: Down/Off
IPMI: Chassis Power is off
IPMI: Chassis Power Control: Up/On
IPMI: Chassis Power is off
IPMI: Chassis Power Control: Up/On
IPMI: Chassis Power is on
prot: RFB 003.008

Session info: af f9 9f bc 90 27 02 00 b0 a4 00 00 74 f8 b4 be 00 b0 47 40 f0 29 01 00
Security Result: 0
IKVM specifics: 3047439 1 1 1 1
ipmitool -H 10.162.28.200 -U admin -P qatesting -I lanplus sol activate
||| starting isosize tests/installation/isosize.pm at 2015-03-30 04:15:49
Use of uninitialized value $size in numeric gt (>) at /var/lib/openqa/share/tests/sle-11-SP4-Alpha/tests/installation/isosize.pm line 11.
Use of uninitialized value $size in concatenation (.) or string at /var/lib/openqa/share/tests/sle-11-SP4-Alpha/tests/installation/isosize.pm line 14.
check if actual iso size fits 4700372992: ok
[Mon Mar 30 12:15:49 2015] [info] Listening at "http://*:20013".
Server available at http://127.0.0.1:20013.
IKVM Session Message: 1 1 3047439 admin
Additional Bytes: 01 00 12 34 56 78 00 09 60 0a
||| finished isosize installation at 2015-03-30 04:15:52 (3 s)

||| starting qa_net tests/installation/qa_net.pm at 2015-03-30 04:15:52
Debug: /var/lib/openqa/share/tests/sle-11-SP4-Alpha/tests/installation/qa_net.pm:11 called testapi::assert_screen
<<< assert_screen(mustmatch='qa-net-selection'
, timeout=300
)
MATCH(qa-net-selection-20150108:0.00): 144 0 [m:69]
STAT 300 - similarity: 29
MATCH(qa-net-selection-20150108:0.00): 0 0 [m:1024]
STAT 299 - similarity: 10.6290880279371
no change 298
MATCH(qa-net-selection-20150108:0.00): 144 0 [m:69]
STAT 297 - similarity: 8.6913871284951
MATCH(qa-net-selection-20150108:0.00): 144 0 [m:69]

I guess "/usr/bin/ipmitool rix," should fix this issue, but since I can't reproduce it locally, so I can't confirm it...

Actions

Copy link