debcrafters-packages team mailing list archive
Message #04801
[Bug 2119237] Re: Pollinate on Questing fails while reading from /tmp
** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => Simon Poirier (simpoir)
** Changed in: apparmor (Ubuntu)
Status: New => In Progress
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to pollinate in Ubuntu.
https://bugs.launchpad.net/bugs/2119237
Title:
Pollinate on Questing fails while reading from /tmp
Status in apparmor package in Ubuntu:
In Progress
Status in pollinate package in Ubuntu:
Confirmed
Bug description:
1. What is the problem
On Questing, pollinate fails because it is unable to read from /tmp
On an Azure VM this was first noticed with this AppArmor denied log:
'Jul 19 21:42:00 alan-questing-base-qmnqdpkjhr kernel: audit: type=1400 audit(1752961320.498:173): apparmor="DENIED" operation="open" class="file" profile="curl" name="/tmp/pollinate.MUbjijIRZipY/challenge" pid=989 comm="curl" requested_mask="r" denied_mask="r" fsuid=105 ouid=105'
We started seeing this log appear after the images started including AppArmor 4.1.1-0ubuntu3, changelog: https://launchpad.net/ubuntu/+source/apparmor/4.1.1-0ubuntu3
This version of AppArmor introduced a profile for curl which allows writing but not reading from /tmp
From reviewing the source I believe pollinate is reading from /tmp when it uses curl's --data @filename flag to send POST data. The relevant source code is:
if curl --connect-timeout "${WAIT}" --max-time "${WAIT}" -A "${USER_AGENT}" -o- -v --trace-time --data @${f1} ${CURL_OPTS} ${server} >"${out}" 2>"${err}"; then
from
https://git.launchpad.net/ubuntu/+source/pollinate/tree/pollinate#n234
2. Steps to reproduce with LXD
# Get the questing image assets from before the apparmor update
wget https://cloud-images.ubuntu.com/questing/20250617/questing-server-cloudimg-amd64-lxd.tar.xz
wget https://cloud-images.ubuntu.com/questing/20250617/questing-server-cloudimg-amd64-root.tar.xz
# Import the image in lxc, this returns a fingerprint
lxc image import questing-server-cloudimg-amd64-lxd.tar.xz questing-server-cloudimg-amd64-root.tar.xz --alias lp2119237
# Start a container from this image
lxc launch local:lp2119237 pollinate-testing
lxc exec pollinate-testing /bin/bash
apt list --installed pollinate
apt list --installed apparmor
# running pollinate works
pollinate
# Update apparmor which will bring in the new curl profile
apt update
apt-get install --only-upgrade apparmor
# running with --reseed is necessary after the first time
# this will fail because we have updated apparmor and the curl profile now blocks pollinate from reading from /tmp
pollinate --reseed
<13>Jul 31 15:47:51 pollinate[2159]: system was previously seeded at [2025-07-31 15:46:39.391715413 +0000]
<13>Jul 31 15:47:51 pollinate[2159]: client sent challenge to [https://entropy.ubuntu.com/]
<13>Jul 31 15:47:51 pollinate[2159]: WARNING: Network communication failed [26] curl: Failed to open /tmp/pollinate.rGrxuFK3fHGU/challenge
curl: option --data: error encountered when reading a file
curl: try 'curl --help' or 'curl --manual' for more information
# To clean up afterwards
lxc delete --force pollinate-testing
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2119237/+subscriptions
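An added example, not part of the bug report and not code from the pollinate or apparmor packages: a small Python helper that parses apparmor="DENIED" audit lines of the kind quoted in the report, groups them by profile and path, and then checks a set of AppArmor file rules for the permission the denial asked for. The sample log lines are constructed (the first is the denial from the report, the others are made up), and the curl rule sets are hypothetical stand-ins for the real profile, which this page does not reproduce; the matcher implements only AppArmor's basic * and ** globbing and ignores owner qualifiers, deny rules and {a,b} alternation.

```python
import re
from collections import defaultdict

# Constructed sample log. Line 1 is the denial quoted in the bug report; lines 2 and 3
# are made up (a retry by curl, and a denial in an unrelated hypothetical profile).
SAMPLE_AUDIT_LOG = """\
Jul 19 21:42:00 alan-questing-base-qmnqdpkjhr kernel: audit: type=1400 audit(1752961320.498:173): apparmor="DENIED" operation="open" class="file" profile="curl" name="/tmp/pollinate.MUbjijIRZipY/challenge" pid=989 comm="curl" requested_mask="r" denied_mask="r" fsuid=105 ouid=105
Jul 19 21:42:05 alan-questing-base-qmnqdpkjhr kernel: audit: type=1400 audit(1752961325.101:174): apparmor="DENIED" operation="open" class="file" profile="curl" name="/tmp/pollinate.MUbjijIRZipY/challenge" pid=991 comm="curl" requested_mask="r" denied_mask="r" fsuid=105 ouid=105
Jul 19 21:43:00 alan-questing-base-qmnqdpkjhr kernel: audit: type=1400 audit(1752961380.000:175): apparmor="DENIED" operation="open" class="file" profile="example" name="/tmp/example.AbCd/out" pid=1200 comm="example" requested_mask="w" denied_mask="w" fsuid=105 ouid=105
"""

# key=value pairs in audit lines are either quoted (key="value") or bare (pid=989).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one kernel audit line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def denials(log_text):
    """Keep only AppArmor DENIED events that name a file path."""
    return [f for f in map(parse_audit_line, log_text.splitlines())
            if f.get("apparmor") == "DENIED" and "name" in f]


def summarize(log_text):
    """Map (profile, path) -> set of permission chars that were denied."""
    summary = defaultdict(set)
    for f in denials(log_text):
        summary[(f["profile"], f["name"])].update(f.get("denied_mask", ""))
    return dict(summary)


def aa_glob_to_regex(glob):
    """Translate an AppArmor path glob: ** spans '/', * and ? do not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def missing_perms(rules, path, mask):
    """rules: list of (glob, perms). Permissions of every matching rule accumulate,
    as in AppArmor; return the chars of mask that no rule grants on path."""
    granted = set()
    for glob, perms in rules:
        if aa_glob_to_regex(glob).match(path):
            granted.update(perms)
    return "".join(c for c in mask if c not in granted)


# Hypothetical rule sets for the curl profile (constructed, not the real Ubuntu profile):
# "before" grants only write access under /tmp, "after" also allows reading the
# per-run pollinate directory that --data @file needs.
CURL_RULES_BEFORE = [("/tmp/**", "w")]
CURL_RULES_AFTER = [("/tmp/**", "w"), ("/tmp/pollinate.*/**", "r")]


def check_log_against_rules(log_text, profile, rules):
    """For each denied (profile, path) pair, report which denied perms the rules still lack."""
    report = {}
    for (prof, path), denied in summarize(log_text).items():
        if prof == profile:
            report[path] = missing_perms(rules, path, "".join(sorted(denied)))
    return report


if __name__ == "__main__":
    for label, rules in (("before", CURL_RULES_BEFORE), ("after", CURL_RULES_AFTER)):
        print(label, check_log_against_rules(SAMPLE_AUDIT_LOG, "curl", rules))
```

Running the script prints the path still lacking "r" under the "before" rules and an empty string under the "after" rules; with a real profile you would paste its file rules into the rules list and feed it the denials from journalctl -k.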