QA » openQA Project » openQA Infrastructure

rpmconfigcheck showed one file /etc/postfix/master.cf.rpmnew which I diffed with /etc/postfix/master.cf , took over some updates and then deleted the rpmnew file. I think rest looks really good. Great work!

cdywan wrote:

Apparently I missed something else, too:

Oct 01 14:25:44 ariel openqa-gru[30835]: Can't exec "/bin/sh": Permission denied at /usr/share/openqa/script/../lib/OpenQA/Task/Job/FinalizeResults.pm line 63.

Keeping in mind that osd uses UTC, this should fit into the time window of when I was wrapping up the upgrade as per my comment above. And there were apparmor changes, which I presumably didn't do correctly.

I also filed #99741 because this didn't trigger any alerts and was discovered by @tinita.

I reset /etc/apparmor.d/local/usr.share.openqa.script.openqa to a comments-only file, which it should after os-autoinst/openQA/pull/3847 and which I guess is what I mistook for something we needed to keep.

I still can't tell if the files in /etc/apparmor.d/{,local/}usr.share.openqa.script.openqa are correct. And I wasn't able to figure out how to access the most recent copy of /etc/apparmor.d/usr.share.openqa.script.openqa, if one exists, since the Backup section doesn't really explain that and it's pretty much Greek to me if you excuse the pun.

For now I'm monitoring logs to see if the errors persist (via sudo journalctl -f -u openqa-gru). And I added /bin/sh mrix, to /etc/apparmor.d/usr.share.openqa.script.openqa.
Also tried sudo systemctl restart openqa-gru, to no apparent effect. Btw for reference o3 is on apparmor-profiles 2.13.6-1.31, as opposed to osd/2.13.4-lp152.2.3.1.

It would seem comparing to osd was pointless since according to sudo aa-status it's currently switched off there 🤦️

Trying to see now if sudo aa-complain /usr/share/openqa/script/openqa{,-cli} yields some more information here.

/opt/os-autoinst-scripts/openqa-label-known-issues: line 83: hxselect: command not found
grep: write error: Broken pipe

Not sure if these are related, but while I'm at it I'm installing html-xml-utils.

Btw I also created a proof of concept for dependencies.yaml in the scripts repo, although this will need a bit of polishing before it can be used: https://github.com/os-autoinst/scripts/pull/116

PR for apparmor profile fix: https://github.com/os-autoinst/openQA/pull/4271

In Leap 15.2, /bin/sh points to /bin/bash, while in 15.3,
it points to /usr/bin/sh -> /usr/bin/bash

tinita wrote:

PR for apparmor profile fix: https://github.com/os-autoinst/openQA/pull/4271

In Leap 15.2, /bin/sh points to /bin/bash, while in 15.3,
it points to /usr/bin/sh -> /usr/bin/bash

I'm wondering how you confirmed that this worked, since I seem to have seen successfully executed hooks without any errors in the entire journal 🤔️
So I guess to resolve it for good I need to find out where the presumed missing error messages end up, and document it.

Sorry, I forgot to add:
I did the mentioned fix locally (add /usr/bin/bash), and then did
aa-enforce /usr/share/openqa/script/openqa
to end the complain mode.
Then I saw successful hooks by looking into the minion_jobs table and I didn't see errors in the openqa-gru journal anymore.

Note that if apparmor is in complain mode, one is not supposed to see the error messages, but there will be messages in /var/log/audit/audit.log.

Today I saw new errors though:
/opt/os-autoinst-scripts/openqa-label-known-issues: line 83: /usr/bin/hxselect: Permission denied
PR for that: https://github.com/os-autoinst/openQA/pull/4273

PR https://github.com/os-autoinst/openQA/pull/4273 merged, and I added the line manually on o3 to not wait until the next deployment.

Post mortem:

• [x] I filed #99741 to address the silent failures
• [x] There's also #57239 which could have helped spot the problem earlier
• [ ] Is there a feature request/bug on AppArmor wrt unclear error message?
• [ ] I'll try and propose documentation for how AppArmor is handled with openQA

cdywan wrote:

• [ ] Is there a feature request/bug on AppArmor wrt unclear error message?

https://gitlab.com/apparmor/apparmor/-/issues/201

• [ ] I'll try and propose documentation for how AppArmor is handled with openQA

https://github.com/os-autoinst/openQA/pull/4278