
debcrafters-packages team mailing list archive

[Bug 2119237] Re: Pollinate on Questing fails while reading from /tmp


** Also affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: apparmor (Ubuntu)
     Assignee: (unassigned) => Simon Poirier (simpoir)

** Changed in: apparmor (Ubuntu)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to pollinate in Ubuntu.
https://bugs.launchpad.net/bugs/2119237

Title:
  Pollinate on Questing fails while reading from /tmp

Status in apparmor package in Ubuntu:
  In Progress
Status in pollinate package in Ubuntu:
  Confirmed

Bug description:
  1. What is the problem
  On Questing, pollinate fails because it is unable to read from /tmp

  On an Azure VM this was first noticed with this AppArmor denied log:
  'Jul 19 21:42:00 alan-questing-base-qmnqdpkjhr kernel: audit: type=1400 audit(1752961320.498:173): apparmor="DENIED" operation="open" class="file" profile="curl" name="/tmp/pollinate.MUbjijIRZipY/challenge" pid=989 comm="curl" requested_mask="r" denied_mask="r" fsuid=105 ouid=105'

  We started seeing this log appear after the images started including AppArmor 4.1.1-0ubuntu3, changelog: https://launchpad.net/ubuntu/+source/apparmor/4.1.1-0ubuntu3
  This version of AppArmor introduced a profile for curl which allows writing but not reading from /tmp

  From reviewing the source I believe pollinate is reading from /tmp when it uses curl's --data @filename flag to send POST data. The relevant source code is:
  if curl --connect-timeout "${WAIT}" --max-time "${WAIT}" -A "${USER_AGENT}" -o- -v --trace-time --data @${f1} ${CURL_OPTS} ${server} >"${out}" 2>"${err}"; then

  from
  https://git.launchpad.net/ubuntu/+source/pollinate/tree/pollinate#n234

  2. Steps to reproduce with LXD
    # Get the questing image assets from before the apparmor update
    wget https://cloud-images.ubuntu.com/questing/20250617/questing-server-cloudimg-amd64-lxd.tar.xz
    wget https://cloud-images.ubuntu.com/questing/20250617/questing-server-cloudimg-amd64-root.tar.xz

    # Import the image in lxc, this returns a fingerprint
    lxc image import questing-server-cloudimg-amd64-lxd.tar.xz questing-server-cloudimg-amd64-root.tar.xz --alias lp2119237

    # Start a container from this image
    lxc launch local:lp2119237 pollinate-testing

    lxc exec pollinate-testing /bin/bash

    apt list --installed pollinate
    apt list --installed apparmor

    # running pollinate works
    pollinate

    # Update apparmor which will bring in the new curl profile
    apt update
    apt-get install --only-upgrade apparmor

    # running with --reseed is necessary after the first time
    # this will fail because we have updated apparmor and the curl profile now blocks pollinate from reading from /tmp
    pollinate --reseed

    <13>Jul 31 15:47:51 pollinate[2159]: system was previously seeded at [2025-07-31 15:46:39.391715413 +0000]
    <13>Jul 31 15:47:51 pollinate[2159]: client sent challenge to [https://entropy.ubuntu.com/]
    <13>Jul 31 15:47:51 pollinate[2159]: WARNING: Network communication failed [26] curl: Failed to open /tmp/pollinate.rGrxuFK3fHGU/challenge
    curl: option --data: error encountered when reading a file
    curl: try 'curl --help' or 'curl --manual' for more information

    # To clean up afterwards
    lxc delete --force pollinate-testing

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2119237/+subscriptions
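As an added example (not part of the bug report, nor code from pollinate or AppArmor), the filter below pulls the key=value fields out of AppArmor type=1400 audit lines like the one quoted in the report and flags denied reads under /tmp, which is the shape of failure this bug describes. The first sample line is the denial quoted above; the other two lines are constructed here for illustration (a denied write by a made-up profile and an unrelated systemd line) so that the filter has something to skip.

```python
import re

# Sample log text. Line 1 is the AppArmor denial quoted in the bug report.
# Lines 2 and 3 are constructed for this example: a denied *write* by a
# made-up profile and a non-AppArmor line, both of which must be ignored.
SAMPLE_LOG = """\
Jul 19 21:42:00 alan-questing-base-qmnqdpkjhr kernel: audit: type=1400 audit(1752961320.498:173): apparmor="DENIED" operation="open" class="file" profile="curl" name="/tmp/pollinate.MUbjijIRZipY/challenge" pid=989 comm="curl" requested_mask="r" denied_mask="r" fsuid=105 ouid=105
Jul 19 21:42:05 alan-questing-base-qmnqdpkjhr kernel: audit: type=1400 audit(1752961325.100:180): apparmor="DENIED" operation="open" class="file" profile="example-profile" name="/tmp/example/output" pid=1200 comm="example" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Jul 19 21:42:06 alan-questing-base-qmnqdpkjhr systemd[1]: Started pollinate.service.
"""

# Matches key="quoted value" or key=bare_value. The audit(...) timestamp
# token has no '=' directly after a word, so it is not picked up.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return a dict of fields for a type=1400 AppArmor audit line, else None."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_tmp_read_denial(fields):
    """True when a file open under /tmp was denied and read was among the denied permissions."""
    return (
        fields.get("apparmor") == "DENIED"
        and fields.get("class") == "file"
        and fields.get("name", "").startswith("/tmp/")
        and "r" in fields.get("denied_mask", "")
    )


def find_tmp_read_denials(log_text):
    """Scan log text and return (profile, comm, path, denied_mask) for each denied /tmp read."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_apparmor_line(line)
        if fields and is_tmp_read_denial(fields):
            hits.append((fields["profile"], fields["comm"], fields["name"], fields["denied_mask"]))
    return hits


if __name__ == "__main__":
    for profile, comm, path, mask in find_tmp_read_denials(SAMPLE_LOG):
        print(f"profile={profile} comm={comm} denied {mask!r} on {path}")
```

The filter keys on denied_mask rather than requested_mask because AppArmor logs both and only the former tells you which permission the profile actually lacks; on a real host you would feed it `journalctl -k` output or /var/log/audit/audit.log instead of the embedded sample.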
