
debcrafters-packages team mailing list archive

[Bug 2119237] Re: Pollinate on Questing fails while reading from /tmp

 

** Description changed:

  1. What is the problem
  On Questing, pollinate fails because it is unable to read from /tmp
  
  On an Azure VM this was first noticed with this AppArmor denied log:
  'Jul 19 21:42:00 alan-questing-base-qmnqdpkjhr kernel: audit: type=1400 audit(1752961320.498:173): apparmor="DENIED" operation="open" class="file" profile="curl" name="/tmp/pollinate.MUbjijIRZipY/challenge" pid=989 comm="curl" requested_mask="r" denied_mask="r" fsuid=105 ouid=105'
  
  We started seeing this log appear after the images started including AppArmor 4.1.1-0ubuntu3, changelog: https://launchpad.net/ubuntu/+source/apparmor/4.1.1-0ubuntu3
  This version of AppArmor introduced a profile for curl which allows writing but not reading from /tmp
  
  From reviewing the source I believe pollinate is reading from /tmp when it use's curls --data @filename flag to send POST data. The relevant source code is:
  if curl --connect-timeout "${WAIT}" --max-time "${WAIT}" -A "${USER_AGENT}" -o- -v --trace-time --data @${f1} ${CURL_OPTS} ${server} >"${out}" 2>"${err}"; then
  
  from
  https://git.launchpad.net/ubuntu/+source/pollinate/tree/pollinate#n234
  
+ 2. Steps to reproduce with LXD
+   # Get the questing image assets from before the apparmor update
+   wget https://cloud-images.ubuntu.com/questing/20250617/questing-server-cloudimg-amd64-lxd.tar.xz
+   wget https://cloud-images.ubuntu.com/questing/20250617/questing-server-cloudimg-amd64-root.tar.xz
  
- 2. Steps to reproduce with LXD
-   # Get the questing image assets from before the apparmor update
-   wget https://cloud-images.ubuntu.com/questing/20250617/questing-server-cloudimg-amd64-lxd.tar.xz
-   wget https://cloud-images.ubuntu.com/questing/20250617/questing-server-cloudimg-amd64-root.tar.xz
+   # Import the image in lxc, this returns a fingerprint
+   lxc image import questing-server-cloudimg-amd64-lxd.tar.xz questing-server-cloudimg-amd64-root.tar.xz --alias lp2119237
  
-   # Import the image in lxc, this returns a fingerprint
-   lxc image import questing-server-cloudimg-amd64-lxd.tar.xz questing-server-cloudimg-amd64-root.tar.xz
+   # Start a container from this image
+   lxc launch local:lp2119237 pollinate-testing
  
-   # Start a container from this image
-   lxc launch <fingerprint> pollinate-testing
+   lxc exec pollinate-testing /bin/bash
  
-   lxc exec pollinate-testing /bin/bash
+   apt list --installed pollinate
+   apt list --installed apparmor
  
-   apt list --installed pollinate
-   apt list --installed apparmor
+   # running pollinate works
+   pollinate
  
-   # running pollinate works
-   pollinate
+   # Update apparmor which will bring in the new curl profile
+   apt update
+   apt-get install --only-upgrade apparmor
  
-   # Update apparmor which will bring in the new curl profile
-   apt update
-   apt-get install --only-upgrade apparmor
+   # running with --reseed is necessary after the first time
+   # this will fail because we have updated apparmor and the curl profile now blocks pollinate from reading from /tmp
+   pollinate --reseed
  
-   # running with --reseed is necessary after the first time
-   # this will fail because we have updated apparmor and the curl profile now blocks pollinate from reading from /tmp
-   pollinate --reseed
+   <13>Jul 31 15:47:51 pollinate[2159]: system was previously seeded at [2025-07-31 15:46:39.391715413 +0000]
+   <13>Jul 31 15:47:51 pollinate[2159]: client sent challenge to [https://entropy.ubuntu.com/]
+   <13>Jul 31 15:47:51 pollinate[2159]: WARNING: Network communication failed [26] curl: Failed to open /tmp/pollinate.rGrxuFK3fHGU/challenge
+   curl: option --data: error encountered when reading a file
+   curl: try 'curl --help' or 'curl --manual' for more information
  
-   <13>Jul 31 15:47:51 pollinate[2159]: system was previously seeded at [2025-07-31 15:46:39.391715413 +0000]
-   <13>Jul 31 15:47:51 pollinate[2159]: client sent challenge to [https://entropy.ubuntu.com/]
-   <13>Jul 31 15:47:51 pollinate[2159]: WARNING: Network communication failed [26] curl: Failed to open /tmp/pollinate.rGrxuFK3fHGU/challenge
-   curl: option --data: error encountered when reading a file
-   curl: try 'curl --help' or 'curl --manual' for more information
- 
-   # To clean up afterwards
-   lxc delete --force pollinate-testing
+   # To clean up afterwards
+   lxc delete --force pollinate-testing
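
Review bot: the added import step keeps the comment "# Import the image in lxc, this returns a fingerprint", but the command now passes --alias lp2119237 and the launch step uses local:lp2119237 instead of <fingerprint>, so the fingerprint remark is stale; reword it to say the image is imported under that alias. The steps after "lxc exec pollinate-testing /bin/bash" run inside the container while the final "lxc delete --force pollinate-testing" runs on the host, and a one-line comment marking that switch would make the reproduction easier to follow.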

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to pollinate in Ubuntu.
https://bugs.launchpad.net/bugs/2119237

Title:
  Pollinate on Questing fails while reading from /tmp

Status in pollinate package in Ubuntu:
  New

Bug description:
  1. What is the problem
  On Questing, pollinate fails because it is unable to read from /tmp

  On an Azure VM this was first noticed with this AppArmor denied log:
  'Jul 19 21:42:00 alan-questing-base-qmnqdpkjhr kernel: audit: type=1400 audit(1752961320.498:173): apparmor="DENIED" operation="open" class="file" profile="curl" name="/tmp/pollinate.MUbjijIRZipY/challenge" pid=989 comm="curl" requested_mask="r" denied_mask="r" fsuid=105 ouid=105'

  We started seeing this log appear after the images started including AppArmor 4.1.1-0ubuntu3, changelog: https://launchpad.net/ubuntu/+source/apparmor/4.1.1-0ubuntu3
  This version of AppArmor introduced a profile for curl which allows writing but not reading from /tmp

  From reviewing the source I believe pollinate is reading from /tmp when it uses curl's --data @filename flag to send POST data. The relevant source code is:
  if curl --connect-timeout "${WAIT}" --max-time "${WAIT}" -A "${USER_AGENT}" -o- -v --trace-time --data @${f1} ${CURL_OPTS} ${server} >"${out}" 2>"${err}"; then

  from
  https://git.launchpad.net/ubuntu/+source/pollinate/tree/pollinate#n234

  2. Steps to reproduce with LXD
    # Get the questing image assets from before the apparmor update
    wget https://cloud-images.ubuntu.com/questing/20250617/questing-server-cloudimg-amd64-lxd.tar.xz
    wget https://cloud-images.ubuntu.com/questing/20250617/questing-server-cloudimg-amd64-root.tar.xz

    # Import the image in lxc, this returns a fingerprint
    lxc image import questing-server-cloudimg-amd64-lxd.tar.xz questing-server-cloudimg-amd64-root.tar.xz --alias lp2119237

    # Start a container from this image
    lxc launch local:lp2119237 pollinate-testing

    lxc exec pollinate-testing /bin/bash

    apt list --installed pollinate
    apt list --installed apparmor

    # running pollinate works
    pollinate

    # Update apparmor which will bring in the new curl profile
    apt update
    apt-get install --only-upgrade apparmor

    # running with --reseed is necessary after the first time
    # this will fail because we have updated apparmor and the curl profile now blocks pollinate from reading from /tmp
    pollinate --reseed

    <13>Jul 31 15:47:51 pollinate[2159]: system was previously seeded at [2025-07-31 15:46:39.391715413 +0000]
    <13>Jul 31 15:47:51 pollinate[2159]: client sent challenge to [https://entropy.ubuntu.com/]
    <13>Jul 31 15:47:51 pollinate[2159]: WARNING: Network communication failed [26] curl: Failed to open /tmp/pollinate.rGrxuFK3fHGU/challenge
    curl: option --data: error encountered when reading a file
    curl: try 'curl --help' or 'curl --manual' for more information

    # To clean up afterwards
    lxc delete --force pollinate-testing

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pollinate/+bug/2119237/+subscriptions
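
Added example (not part of the bug report, and not pollinate or AppArmor code): a small Python triage helper that parses kernel AppArmor DENIED records like the one quoted above and groups them by profile and path, collapsing pollinate's random temp-directory suffix so repeated runs show up as one finding. The function names are hypothetical and the second sample record is constructed.

```python
import re
from collections import Counter

# key="value" or key=value pairs as they appear in kernel audit records
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# random suffix of pollinate's temp directory, e.g. /tmp/pollinate.MUbjijIRZipY
_TMP_SUFFIX = re.compile(r'(/tmp/pollinate\.)[A-Za-z0-9]+')

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, raw, quoted in _KV.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def summarize(lines):
    """Count file denials per (profile, generalized path, denied_mask, owner)."""
    counts = Counter()
    for line in lines:
        d = parse_denial(line)
        # Assumes the record carries class="file", as the one in the report does.
        if not d or d.get("class") != "file":
            continue
        path = _TMP_SUFFIX.sub(r"\1*", d.get("name", ""))
        # True when the process (fsuid) owns the file (ouid) it was denied on.
        owner = d.get("fsuid") is not None and d.get("fsuid") == d.get("ouid")
        counts[(d.get("profile"), path, d.get("denied_mask"), owner)] += 1
    return counts

SAMPLE = [
    # Record quoted in the bug report.
    'Jul 19 21:42:00 alan-questing-base-qmnqdpkjhr kernel: audit: type=1400 '
    'audit(1752961320.498:173): apparmor="DENIED" operation="open" class="file" '
    'profile="curl" name="/tmp/pollinate.MUbjijIRZipY/challenge" pid=989 '
    'comm="curl" requested_mask="r" denied_mask="r" fsuid=105 ouid=105',
    # Constructed record: same shape, different temp-directory suffix.
    'Jul 31 15:47:51 pollinate-testing kernel: audit: type=1400 '
    'audit(1753976871.000:201): apparmor="DENIED" operation="open" class="file" '
    'profile="curl" name="/tmp/pollinate.rGrxuFK3fHGU/challenge" pid=2170 '
    'comm="curl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    # pollinate's own syslog line from the report: not an audit record, skipped.
    '<13>Jul 31 15:47:51 pollinate[2159]: WARNING: Network communication failed '
    '[26] curl: Failed to open /tmp/pollinate.rGrxuFK3fHGU/challenge',
]

if __name__ == "__main__":
    for (profile, path, mask, owner), n in summarize(SAMPLE).items():
        print(f"{n}x profile={profile} path={path} denied={mask} owner={owner}")
```
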


