[Bug 1495853] [NEW] puppet service enable broken on ubuntu vivid for services shipping sysvinit and systemd support
Public bug reported:

Running Puppet on Ubuntu 15.04 Vivid:

    $ lsb_release -d
    Description:Ubuntu 15.04

    $ apt-cache policy puppet-common
    puppet-common:
      Installed: 3.7.2-1ubuntu2

Using the bird package as an example:

    $ dpkg -L bird | vgrep service unit files
    /lib/systemd/system/bird.service
    /lib/systemd/system/bird6.service
    /etc/init.d/bird6
    /etc/init.d/bird
    /etc/init/bird.conf
    /etc/init/bird6.conf

Puppet appears to choose the debian provider for the bird service, over the systemd provider:

    $ sudo puppet resource --debug --param provider --param enable service bird
    Debug: Runtime environment: puppet_version=3.7.2, ruby_version=2.1.2, run_mode=user, default_encoding=UTF-8
    ...
    Debug: /Service[bird]: Provider debian does not support features flaggable; not managing attribute flags
    ...
    Debug: Service bird found in both debian and init; skipping the init version
    ...
    Debug: /Service[bird.service]: Provider systemd does not support features flaggable; not managing attribute flags
    ...
    Debug: Executing '/etc/init.d/bird status'
    service { 'bird':
      ensure => 'stopped',
      enable => 'true',
      provider => 'debian',
    }

This means that while `ensure => running/stopped` works:

    $ sudo puppet resource --debug --param provider service bird ensure=stopped
    Debug: Executing '/etc/init.d/bird status'
    Debug: Executing '/etc/init.d/bird stop'
    Notice: /Service[bird]/ensure: ensure changed 'running' to 'stopped'
    Debug: Finishing transaction 3255100
    Debug: Storing state
    Debug: Stored state in 0.13 seconds
    Debug: Executing '/etc/init.d/bird status'
    service { 'bird':
      ensure => 'stopped',
      provider => 'debian',
    }

The service `enabled => true/false` state does not:

    $ sudo puppet resource --debug --param provider service bird enable=false
    Debug: Executing '/etc/init.d/bird status'
    Debug: Executing '/usr/sbin/update-rc.d bird disable'
    Notice: /Service[bird]/enable: enable changed 'true' to 'false'
    Debug: Finishing transaction 23676980
    Debug: Storing state
    Debug: Stored state in 0.12 seconds
    Debug: Executing '/etc/init.d/bird status'
    service { 'bird':
      ensure => 'stopped',
      enable => 'false',
      provider => 'debian',
    }

    $ sudo puppet resource --debug --param provider service bird enable=true
    Debug: Executing '/etc/init.d/bird status'
    Debug: Executing '/usr/sbin/update-rc.d -f bird remove'
    Debug: Executing '/usr/sbin/update-rc.d bird defaults'
    Notice: /Service[bird]/enable: enable changed 'false' to 'true'
    Debug: Finishing transaction 12984740
    Debug: Storing state
    Debug: Stored state in 0.14 seconds
    Debug: Executing '/etc/init.d/bird status'
    service { 'bird':
      ensure => 'stopped',
      enable => 'true',
      provider => 'debian',
    }

    $ ls /etc/rc?.d/*bird*
    /etc/rc0.d/K01bird   /etc/rc1.d/K01bird6  /etc/rc3.d/K01bird6  /etc/rc4.d/S02bird   /etc/rc6.d/K01bird
    /etc/rc0.d/K01bird6  /etc/rc2.d/K01bird6  /etc/rc3.d/S02bird   /etc/rc5.d/K01bird6  /etc/rc6.d/K01bird6
    /etc/rc1.d/K01bird   /etc/rc2.d/S02bird   /etc/rc4.d/K01bird6  /etc/rc5.d/S02bird

    $ sudo systemctl is-enabled bird
    disabled

I presume that systemd ignores any sysvinit configuration (/etc/rc?.d/*) for services that have a native systemd unit, and is thus blind to any state inspected/changed by puppet's debian service provider.

Workaround is to explicitly use the systemd provider for the service shipping a native systemd service unit:

    $ sudo puppet resource --debug --param provider --param enable service bird provider=systemd enable=true
    Warning: Setting manifest is deprecated in puppet.conf. See http://links.puppetlabs.com/env-settings-deprecations
    Debug: Executing '/bin/systemctl is-active bird'
    Debug: Executing '/bin/systemctl is-enabled bird'
    Debug: Executing '/bin/systemctl enable bird'
    Notice: /Service[bird]/enable: enable changed 'false' to 'true'
    Debug: Finishing transaction 14759420
    Debug: Storing state
    Debug: Stored state in 0.20 seconds
    Debug: Executing '/bin/systemctl is-active bird'
    Debug: Executing '/bin/systemctl is-enabled bird'
    service { 'bird':
      ensure => 'stopped',
      enable => 'true',
      provider => 'systemd',
    }

    $ sudo systemctl is-enabled bird
    enabled

** Affects: puppet (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Server Team,
[Bug 1495853] Re: puppet service enable broken on ubuntu vivid for services shipping sysvinit and systemd support
Note that the same scenario behaves correctly under Debian jessie, with the patched debian service provider in version 3.7.2-3: https://bugs.debian.org/775795

Similar example on a Debian jessie system:

    $ sudo lsb_release -d
    Description:Debian GNU/Linux 8.2 (jessie)

    $ apt-cache policy puppet
    puppet:
      Installed: 3.7.2-4
      Candidate: 3.7.2-4
      Version table:
     *** 3.7.2-4 0
            500 http://apt/debian/ jessie/main amd64 Packages
            100 /var/lib/dpkg/status

    $ dpkg -L bird | vgrep ...
    /etc/init/bird.conf
    /etc/init/bird6.conf
    /etc/init.d/bird
    /etc/init.d/bird6
    /lib/systemd/system/bird.service
    /lib/systemd/system/bird6.service

    $ sudo puppet resource --debug --param provider --param enable service bird
    Debug: Executing '/usr/sbin/service bird status'
    Debug: Executing '/bin/systemctl show -pSourcePath bird'
    Debug: Executing '/bin/systemctl is-enabled bird'
    service { 'bird':
      ensure => 'running',
      enable => 'true',
      provider => 'debian',
    }

    $ sudo puppet resource --debug --param provider --param enable service bird enable=false
    Debug: Executing '/usr/sbin/service bird status'
    Debug: Executing '/bin/systemctl show -pSourcePath bird'
    Debug: Executing '/bin/systemctl is-enabled bird'
    Debug: Executing '/bin/systemctl disable bird'
    Notice: /Service[bird]/enable: enable changed 'true' to 'false'
    Debug: Finishing transaction 16554200
    Debug: Storing state
    Debug: Stored state in 0.29 seconds
    Debug: Executing '/usr/sbin/service bird status'
    Debug: Executing '/bin/systemctl show -pSourcePath bird'
    Debug: Executing '/bin/systemctl is-enabled bird'
    service { 'bird':
      ensure => 'running',
      enable => 'false',
      provider => 'debian',
    }

    $ sudo puppet resource --debug --param provider --param enable service bird enable=true
    Debug: Executing '/usr/sbin/service bird status'
    Debug: Executing '/bin/systemctl show -pSourcePath bird'
    Debug: Executing '/bin/systemctl is-enabled bird'
    Debug: Executing '/bin/systemctl enable bird'
    Notice: /Service[bird]/enable: enable changed 'false' to 'true'
    Debug: Finishing transaction 18953360
    Debug: Storing state
    Debug: Stored state in 0.21 seconds
    Debug: Executing '/usr/sbin/service bird status'
    Debug: Executing '/bin/systemctl show -pSourcePath bird'
    Debug: Executing '/bin/systemctl is-enabled bird'
    service { 'bird':
      ensure => 'running',
      enable => 'true',
      provider => 'debian',
    }

** Bug watch added: Debian Bug tracker #775795
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775795

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to puppet in Ubuntu.
https://bugs.launchpad.net/bugs/1495853

Title:
  puppet service enable broken on ubuntu vivid with debian provider

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/puppet/+bug/1495853/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
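An audit for the mismatch described in the two messages above, added here as an example and not taken from the report or from Puppet: it lists services that ship both an init script and a native unit and whose /etc/rc?.d start links disagree with systemd's enablement. The function names are hypothetical, and the check for a `*.wants/` symlink is an assumed simplification of `systemctl is-enabled`.

```python
import glob
import os
import tempfile

def enable_state_drift(root="/"):
    """Map service -> (sysv_enabled, systemd_enabled) where the two disagree."""
    base, drift = glob.escape(root), {}
    for unit in glob.glob(os.path.join(base, "lib/systemd/system/*.service")):
        name = os.path.basename(unit)[:-len(".service")]
        if not os.path.exists(os.path.join(root, "etc/init.d", name)):
            continue  # native-only unit: no sysvinit state to disagree with
        esc = glob.escape(name)
        # The S?? start links that update-rc.d creates in runlevels 2-5.
        sysv = bool(glob.glob(os.path.join(base, "etc/rc[2-5].d", "S[0-9][0-9]" + esc)))
        # Assumption: a *.wants/ symlink approximates `systemctl is-enabled`.
        wants = os.path.join(base, "etc/systemd/system/*.wants", esc + ".service")
        systemd = bool(glob.glob(wants))
        if sysv != systemd:
            drift[name] = (sysv, systemd)
    return drift

def build_sample_tree():
    """Constructed tree mirroring the bird/bird6 layout shown in the report."""
    root = tempfile.mkdtemp()
    def touch(rel):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    for svc in ("bird", "bird6"):
        touch("lib/systemd/system/%s.service" % svc)
        touch("etc/init.d/" + svc)
    for level in "2345":
        touch("etc/rc%s.d/S02bird" % level)    # start links left by update-rc.d
        touch("etc/rc%s.d/K01bird6" % level)   # bird6 has only kill links
    return root

if __name__ == "__main__":
    found = enable_state_drift(build_sample_tree())
    for name, (sysv, systemd) in sorted(found.items()):
        print("%s: rc?.d enabled=%s, systemd enabled=%s" % (name, sysv, systemd))
```

On a live host, `systemctl is-enabled` remains the authoritative answer for each service this flags.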
[Bug 1495853] Re: puppet service enable broken on ubuntu vivid with debian provider
** Summary changed: - puppet service enable broken on ubuntu vivid for services shipping sysvinit and systemd support + puppet service enable broken on ubuntu vivid with debian provider ** Description changed: Running Puppet on Ubuntu 15.04 Vivid: - $ lsb_release -d - Description:Ubuntu 15.04 + $ lsb_release -d + Description: Ubuntu 15.04 - $ apt-cache policy puppet-common - puppet-common: - Installed: 3.7.2-1ubuntu2 + $ apt-cache policy puppet-common + puppet-common: + Installed: 3.7.2-1ubuntu2 - Using the bird package as an example: + Using the bird package as an example, which ships both sysvinit and + systemd service files: - $ dpkg -L bird | vgrep service unit files - /lib/systemd/system/bird.service - /lib/systemd/system/bird6.service - /etc/init.d/bird6 - /etc/init.d/bird - /etc/init/bird.conf - /etc/init/bird6.conf + $ dpkg -L bird | vgrep service unit files + /lib/systemd/system/bird.service + /lib/systemd/system/bird6.service + /etc/init.d/bird6 + /etc/init.d/bird + /etc/init/bird.conf + /etc/init/bird6.conf Puppet appears to choose the debian provider for the bird service, over the systemd provider: - $ sudo puppet resource --debug --param provider --param enable service bird - Debug: Runtime environment: puppet_version=3.7.2, ruby_version=2.1.2, run_mode=user, default_encoding=UTF-8 - ... - Debug: /Service[bird]: Provider debian does not support features flaggable; not managing attribute flags - ... - Debug: Service bird found in both debian and init; skipping the init version - ... - Debug: /Service[bird.service]: Provider systemd does not support features flaggable; not managing attribute flags - ... - Debug: Executing '/etc/init.d/bird status' - service { 'bird': - ensure => 'stopped', - enable => 'true', - provider => 'debian', - } + $ sudo puppet resource --debug --param provider --param enable service bird + Debug: Runtime environment: puppet_version=3.7.2, ruby_version=2.1.2, run_mode=user, default_encoding=UTF-8 + ... 
+ Debug: /Service[bird]: Provider debian does not support features flaggable; not managing attribute flags + ... + Debug: Service bird found in both debian and init; skipping the init version + ... + Debug: /Service[bird.service]: Provider systemd does not support features flaggable; not managing attribute flags + ... + Debug: Executing '/etc/init.d/bird status' + service { 'bird': + ensure => 'stopped', + enable => 'true', + provider => 'debian', + } This means that while `ensure => running/stopped` works: - $ sudo puppet resource --debug --param provider service bird ensure=stopped - Debug: Executing '/etc/init.d/bird status' - Debug: Executing '/etc/init.d/bird stop' - Notice: /Service[bird]/ensure: ensure changed 'running' to 'stopped' - Debug: Finishing transaction 3255100 - Debug: Storing state - Debug: Stored state in 0.13 seconds - Debug: Executing '/etc/init.d/bird status' - service { 'bird': - ensure => 'stopped', - provider => 'debian', - } + $ sudo puppet resource --debug --param provider service bird ensure=stopped + Debug: Executing '/etc/init.d/bird status' + Debug: Executing '/etc/init.d/bird stop' + Notice: /Service[bird]/ensure: ensure changed 'running' to 'stopped' + Debug: Finishing transaction 3255100 + Debug: Storing state + Debug: Stored state in 0.13 seconds + Debug: Executing '/etc/init.d/bird status' + service { 'bird': + ensure => 'stopped', + provider => 'debian', + } The service `enabled => true/false` state does not: - $ sudo puppet resource --debug --param provider service bird enable=false - Debug: Executing '/etc/init.d/bird status' - Debug: Executing '/usr/sbin/update-rc.d bird disable' - Notice: /Service[bird]/enable: enable changed 'true' to 'false' - Debug: Finishing transaction 23676980 - Debug: Storing state - Debug: Stored state in 0.12 seconds - Debug: Executing '/etc/init.d/bird status' - service { 'bird': - ensure => 'stopped', - enable => 'false', - provider => 'debian', - } - $ sudo puppet resource --debug --param 
provider service bird enable=true - Debug: Executing '/etc/init.d/bird status' - Debug: Executing '/usr/sbin/update-rc.d -f bird remove' - Debug: Executing '/usr/sbin/update-rc.d bird defaults' - Notice: /Service[bird]/enable: enable changed 'false' to 'true' - Debug: Finishing transaction 12984740 - Debug: Storing state - Debug: Stored state in 0.14 seconds - Debug: Executing '/etc/init.d/bird status' - service { 'bird': - ensure => 'stopped', - enable => 'true', - provider =>
[Bug 1343245] [NEW] virt-aa-helper does not whitelist actual <source dev='...'> paths for domain <disk type='volume'>
Public bug reported:

Release: 14.04
Package: libvirt-bin
Version: 1.2.2-0ubuntu13.1.1

For a normal block-based LVM disk definition

    <disk type='block' device='disk'>
      <driver name='qemu' type='raw'/>
      <source dev='/dev/host-vg/guest.img'/>
      <target dev='vda' bus='virtio'/>
    </disk>

virt-aa-helper will generate /dev/dm-X rw rules in the /etc/apparmor.d/libvirt/libvirt-*.files

    /dev/dm-10 rw,

However, using a storage pool:

    <pool type='logical'>
      <name>lvm</name>
      <source>
        <name>host-vg</name>
      </source>
      <target>
        <path>/dev/host-vg</path>
      </target>
    </pool>

to create the volume:

    <volume>
      <name>guest.img</name>
      <capacity></capacity>
    </volume>

and attempting to use the equivalent:

    <disk type='volume' device='disk'>
      <driver name='qemu' type='raw'/>
      <source pool='lvm' volume='guest.img'/>
      <target dev='vda' bus='virtio'/>
      <address type='pci' domain='0x' bus='0x00' slot='0x04' function='0x0'/>
    </disk>

Results in the following with `virsh start guest`

    error: Failed to start domain guest
    error: internal error: process exited while connecting to monitor: qemu-system-x86_64: -drive file=/dev/host-vg/guest.img,if=none,id=drive-virtio-disk0,format=raw: could not open disk image /dev/host-vg/guest.img: Could not open '/dev/host-vg/guest.img': Permission denied

And:

    [164096.938448] type=1400 audit(1405596016.664:100): apparmor=DENIED operation=open profile=libvirt-fdd84027-cb8e-42d5-bca1-a662871d97bb name=/dev/dm-10 pid=26835 comm=qemu-system-x86 requested_mask=r denied_mask=r fsuid=109 ouid=109
    [164096.938472] type=1400 audit(1405596016.664:101): apparmor=DENIED operation=open profile=libvirt-fdd84027-cb8e-42d5-bca1-a662871d97bb name=/dev/dm-10 pid=26835 comm=qemu-system-x86 requested_mask=r denied_mask=r fsuid=109 ouid=109
    [164096.938515] type=1400 audit(1405596016.664:102): apparmor=DENIED operation=open profile=libvirt-fdd84027-cb8e-42d5-bca1-a662871d97bb name=/dev/dm-10 pid=26835 comm=qemu-system-x86 requested_mask=rw denied_mask=rw fsuid=109 ouid=109

The apparmor libvirt-*.files does not contain any /dev/dm-* rules.

I'm not familiar enough with the virAppArmorSecurityDriver code to know if the load_profile() call to virDomainDefFormat() will give the persistent or live xml config, but when testing with virt-aa-helper manually, feeding it the inactive config (i.e. `virsh dumpxml` while the domain is stopped) will cause get_files() to call virDomainDiskDefForeachPath() with a virDomainDiskDefPtr of type=VIR_DOMAIN_DISK_TYPE_VOLUME and src=NULL, so it never iterates over the disk.

I suspect that virt-aa-helper should instead be fed the active config, i.e. one where the <disk type='volume'> has been fed through qemuTranslateDiskSourcePool() to resolve it into the actual <disk type='block'><source dev='...' /></disk>?

** Affects: libvirt (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in Ubuntu.
https://bugs.launchpad.net/bugs/1343245

Title:
  virt-aa-helper does not whitelist actual <source dev='...'> paths for domain <disk type='volume'>

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1343245/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
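A triage helper for the failure reported above, added here as an example and not part of the report or of libvirt: it lists the `<disk type='volume'>` entries whose inactive XML carries no host path for a profile generator to whitelist, and extracts the device nodes AppArmor denied to a libvirt-* profile. The function names are hypothetical, and the second disk in the sample XML is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Inactive domain XML: the volume disk is from the report, vdb is constructed.
DOMAIN_XML = """<domain type='kvm'><name>guest</name><devices>
  <disk type='volume' device='disk'>
    <source pool='lvm' volume='guest.img'/>
    <target dev='vda' bus='virtio'/>
  </disk>
  <disk type='block' device='disk'>
    <source dev='/dev/host-vg/other.img'/>
    <target dev='vdb' bus='virtio'/>
  </disk>
</devices></domain>"""

# Audit lines modelled on those in the report (one timestamp reused for both).
PROFILE = "libvirt-fdd84027-cb8e-42d5-bca1-a662871d97bb"
AUDIT_LOG = "\n".join(
    "[164096.938448] type=1400 audit(1405596016.664:100): apparmor=DENIED "
    "operation=open profile=%s name=/dev/dm-10 pid=26835 comm=qemu-system-x86 "
    "requested_mask=%s denied_mask=%s fsuid=109 ouid=109" % (PROFILE, m, m)
    for m in ("r", "rw"))

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # accepts quoted and bare values

def unresolved_volume_disks(domain_xml):
    """(target, pool, volume) for each volume disk with no host path in the XML."""
    found = []
    for disk in ET.fromstring(domain_xml).iter("disk"):
        src, tgt = disk.find("source"), disk.find("target")
        if disk.get("type") != "volume" or src is None:
            continue
        if not (src.get("dev") or src.get("file")):
            found.append((tgt.get("dev") if tgt is not None else None,
                          src.get("pool"), src.get("volume")))
    return found

def apparmor_denials(log_text):
    """Distinct (profile, path, denied_mask) from libvirt-* AppArmor denials."""
    hits = set()
    for line in log_text.splitlines():
        f = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
        if f.get("apparmor") == "DENIED" and f.get("profile", "").startswith("libvirt-"):
            hits.add((f["profile"], f.get("name", ""), f.get("denied_mask", "")))
    return sorted(hits)

if __name__ == "__main__":
    print("disks with no host path:", unresolved_volume_disks(DOMAIN_XML))
    print("denied device nodes:", apparmor_denials(AUDIT_LOG))
```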