debcrafters-packages team mailing list archive

[Bug 2119237] [NEW] Pollinate on Questing fails while reading from /tmp

Public bug reported:

1. What is the problem
On Questing, pollinate fails because it is unable to read from /tmp

On an Azure VM this was first noticed with this AppArmor denied log:
'Jul 19 21:42:00 alan-questing-base-qmnqdpkjhr kernel: audit: type=1400 audit(1752961320.498:173): apparmor="DENIED" operation="open" class="file" profile="curl" name="/tmp/pollinate.MUbjijIRZipY/challenge" pid=989 comm="curl" requested_mask="r" denied_mask="r" fsuid=105 ouid=105'

We started seeing this log appear after the images started including AppArmor 4.1.1-0ubuntu3, changelog: https://launchpad.net/ubuntu/+source/apparmor/4.1.1-0ubuntu3
This version of AppArmor introduced a profile for curl which allows writing but not reading from /tmp

From reviewing the source I believe pollinate is reading from /tmp when it uses curl's --data @filename flag to send POST data. The relevant source code is:
if curl --connect-timeout "${WAIT}" --max-time "${WAIT}" -A "${USER_AGENT}" -o- -v --trace-time --data @${f1} ${CURL_OPTS} ${server} >"${out}" 2>"${err}"; then

from
https://git.launchpad.net/ubuntu/+source/pollinate/tree/pollinate#n234
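The denial above is only visible in the kernel audit log, so a fleet operator who wants to catch this class of regression (a newly confined binary refused a file it legitimately needs) has to parse those lines. The following POSIX sh script is an added example, not part of the bug report or of pollinate; it extracts the key="value" fields from AppArmor DENIED audit lines and flags any profile that was refused a read under /tmp. The sample line is a constructed copy of the one quoted in the report, with the hostname shortened.

```shell
#!/bin/sh
# Added example: parse AppArmor "DENIED" audit lines and report refused file
# accesses. SAMPLE_LOG is a constructed copy of the denial quoted in the report.
SAMPLE_LOG='Jul 19 21:42:00 host kernel: audit: type=1400 audit(1752961320.498:173): apparmor="DENIED" operation="open" class="file" profile="curl" name="/tmp/pollinate.MUbjijIRZipY/challenge" pid=989 comm="curl" requested_mask="r" denied_mask="r" fsuid=105 ouid=105'

# Print the value of the key="value" field named $2 from audit line $1.
# The leading [[:space:]] keeps "mask" from matching inside "denied_mask".
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Read a log on stdin and emit one tab-separated record per DENIED line:
# profile, operation, path, denied_mask. Non-denial lines are skipped.
apparmor_denials() {
    while IFS= read -r line; do
        case "$line" in
            *'apparmor="DENIED"'*) ;;
            *) continue ;;
        esac
        printf '%s\t%s\t%s\t%s\n' \
            "$(audit_field "$line" profile)" \
            "$(audit_field "$line" operation)" \
            "$(audit_field "$line" name)" \
            "$(audit_field "$line" denied_mask)"
    done
}

# Exit 0 if any DENIED line on stdin shows profile $1 being refused a read
# (denied_mask contains "r") on a path under /tmp, as happened to curl here.
denied_tmp_read() {
    apparmor_denials | awk -F'\t' -v p="$1" \
        '$1 == p && index($3, "/tmp/") == 1 && index($4, "r") { found = 1 }
         END { exit !found }'
}

# Stand-alone usage: scan the constructed sample for the curl profile.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    if printf '%s\n' "$SAMPLE_LOG" | denied_tmp_read curl; then
        echo "curl profile was denied a read under /tmp"
    fi
fi
```

On a real host the same functions can be fed from `journalctl -k` or `/var/log/kern.log` instead of SAMPLE_LOG.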


2. Steps to reproduce with LXD
  # Get the questing image assets from before the apparmor update
  wget https://cloud-images.ubuntu.com/questing/20250617/questing-server-cloudimg-amd64-lxd.tar.xz
  wget https://cloud-images.ubuntu.com/questing/20250617/questing-server-cloudimg-amd64-root.tar.xz

  # Import the image in lxc, this returns a fingerprint
  lxc image import questing-server-cloudimg-amd64-lxd.tar.xz questing-server-cloudimg-amd64-root.tar.xz

  # Start a container from this image
  lxc launch <fingerprint> pollinate-testing

  lxc exec pollinate-testing /bin/bash

  apt list --installed pollinate
  apt list --installed apparmor

  # running pollinate works
  pollinate

  # Update apparmor which will bring in the new curl profile
  apt update
  apt-get install --only-upgrade apparmor

  # running with --reseed is necessary after the first time
  # this will fail because we have updated apparmor and the curl profile now blocks pollinate from reading from /tmp
  pollinate --reseed

  <13>Jul 31 15:47:51 pollinate[2159]: system was previously seeded at [2025-07-31 15:46:39.391715413 +0000]
  <13>Jul 31 15:47:51 pollinate[2159]: client sent challenge to [https://entropy.ubuntu.com/]
  <13>Jul 31 15:47:51 pollinate[2159]: WARNING: Network communication failed [26] curl: Failed to open /tmp/pollinate.rGrxuFK3fHGU/challenge
  curl: option --data: error encountered when reading a file
  curl: try 'curl --help' or 'curl --manual' for more information

  # To clean up afterwards
  lxc delete --force pollinate-testing

** Affects: pollinate (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to pollinate in Ubuntu.
https://bugs.launchpad.net/bugs/2119237
