[Bug 1495853] [NEW] puppet service enable broken on ubuntu vivid for services shipping sysvinit and systemd support

2015-09-15 Thread Tero Marttila
Public bug reported:

Running Puppet on Ubuntu 15.04 Vivid:

$ lsb_release -d
Description: Ubuntu 15.04

$ apt-cache policy puppet-common
puppet-common:
  Installed: 3.7.2-1ubuntu2

Using the bird package as an example:

$ dpkg -L bird | vgrep service unit files
/lib/systemd/system/bird.service
/lib/systemd/system/bird6.service
/etc/init.d/bird6
/etc/init.d/bird
/etc/init/bird.conf
/etc/init/bird6.conf

Puppet appears to choose the debian provider for the bird service, over
the systemd provider:

$ sudo puppet resource --debug --param provider --param enable service bird
Debug: Runtime environment: puppet_version=3.7.2, ruby_version=2.1.2, run_mode=user, default_encoding=UTF-8
...
Debug: /Service[bird]: Provider debian does not support features flaggable; not managing attribute flags
...
Debug: Service bird found in both debian and init; skipping the init version
...
Debug: /Service[bird.service]: Provider systemd does not support features flaggable; not managing attribute flags
...
Debug: Executing '/etc/init.d/bird status'
service { 'bird':
  ensure   => 'stopped',
  enable   => 'true',
  provider => 'debian',
}

This means that while `ensure => running/stopped` works:

$ sudo puppet resource --debug --param provider service bird ensure=stopped
Debug: Executing '/etc/init.d/bird status'
Debug: Executing '/etc/init.d/bird stop'
Notice: /Service[bird]/ensure: ensure changed 'running' to 'stopped'
Debug: Finishing transaction 3255100
Debug: Storing state
Debug: Stored state in 0.13 seconds
Debug: Executing '/etc/init.d/bird status'
service { 'bird':
  ensure   => 'stopped',
  provider => 'debian',
}

The service `enabled => true/false` state does not:

$ sudo puppet resource --debug --param provider service bird enable=false
Debug: Executing '/etc/init.d/bird status'
Debug: Executing '/usr/sbin/update-rc.d bird disable'
Notice: /Service[bird]/enable: enable changed 'true' to 'false'
Debug: Finishing transaction 23676980
Debug: Storing state
Debug: Stored state in 0.12 seconds
Debug: Executing '/etc/init.d/bird status'
service { 'bird':
  ensure   => 'stopped',
  enable   => 'false',
  provider => 'debian',
}
$ sudo puppet resource --debug --param provider service bird enable=true
Debug: Executing '/etc/init.d/bird status'
Debug: Executing '/usr/sbin/update-rc.d -f bird remove'
Debug: Executing '/usr/sbin/update-rc.d bird defaults'
Notice: /Service[bird]/enable: enable changed 'false' to 'true'
Debug: Finishing transaction 12984740
Debug: Storing state
Debug: Stored state in 0.14 seconds
Debug: Executing '/etc/init.d/bird status'
service { 'bird':
  ensure   => 'stopped',
  enable   => 'true',
  provider => 'debian',
}
$ ls /etc/rc?.d/*bird*
/etc/rc0.d/K01bird   /etc/rc1.d/K01bird6  /etc/rc3.d/K01bird6  /etc/rc4.d/S02bird   /etc/rc6.d/K01bird
/etc/rc0.d/K01bird6  /etc/rc2.d/K01bird6  /etc/rc3.d/S02bird   /etc/rc5.d/K01bird6  /etc/rc6.d/K01bird6
/etc/rc1.d/K01bird   /etc/rc2.d/S02bird   /etc/rc4.d/K01bird6  /etc/rc5.d/S02bird
$ sudo systemctl is-enabled bird
disabled

I presume that systemd ignores any sysvinit configuration (/etc/rc?.d/*)
for services that have a native systemd unit, and is thus blind to any
state inspected/changed by puppet's debian service provider.

Workaround is to explicitly use the systemd provider for the service
shipping a native systemd service unit:

$ sudo puppet resource --debug --param provider --param enable service bird provider=systemd enable=true
Warning: Setting manifest is deprecated in puppet.conf. See http://links.puppetlabs.com/env-settings-deprecations
Debug: Executing '/bin/systemctl is-active bird'
Debug: Executing '/bin/systemctl is-enabled bird'
Debug: Executing '/bin/systemctl enable bird'
Notice: /Service[bird]/enable: enable changed 'false' to 'true'
Debug: Finishing transaction 14759420
Debug: Storing state
Debug: Stored state in 0.20 seconds
Debug: Executing '/bin/systemctl is-active bird'
Debug: Executing '/bin/systemctl is-enabled bird'
service { 'bird':
  ensure   => 'stopped',
  enable   => 'true',
  provider => 'systemd',
}
$ sudo systemctl is-enabled bird
enabled

** Affects: puppet (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, 
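
An added example, not part of the original report and not Puppet code: a shell check for the mismatch shown above, where a service ships both an init script and a native unit and its rc?.d links disagree with its systemd enablement. The function names and the ROOT argument are assumptions made for illustration, and the systemd side is simplified to looking for .wants/.requires symlinks rather than calling `systemctl is-enabled`.

```shell
#!/bin/sh
# Added example: find services whose sysvinit rc?.d links and systemd
# enablement disagree. ROOT (default /) lets it run on a constructed tree.

# True if NAME has a start link (S??NAME) in any of runlevels 2-5.
sysv_enabled() {
    for link in "$1"/etc/rc[2345].d/S[0-9][0-9]"$2"; do
        if [ -e "$link" ] || [ -L "$link" ]; then return 0; fi
    done
    return 1
}

# True if NAME.service is linked from a .wants/.requires directory under
# /etc/systemd/system (simplified stand-in for `systemctl is-enabled`).
systemd_enabled() {
    for link in "$1"/etc/systemd/system/*.wants/"$2".service \
                "$1"/etc/systemd/system/*.requires/"$2".service; do
        if [ -e "$link" ] || [ -L "$link" ]; then return 0; fi
    done
    return 1
}

# Print "NAME sysv=<state> systemd=<state>" for every init script that also
# has a native unit and whose two enablement states differ.
enable_drift() {
    root=${1:-}
    for script in "$root"/etc/init.d/*; do
        [ -f "$script" ] || continue
        name=${script##*/}
        # Only services with a native unit matter here: systemd ignores the
        # init script and its rc?.d links when NAME.service exists.
        [ -f "$root/lib/systemd/system/$name.service" ] || \
        [ -f "$root/etc/systemd/system/$name.service" ] || continue
        sysv=disabled; sysd=disabled
        sysv_enabled "$root" "$name" && sysv=enabled
        systemd_enabled "$root" "$name" && sysd=enabled
        [ "$sysv" = "$sysd" ] || echo "$name sysv=$sysv systemd=$sysd"
    done
}
```

Run as `enable_drift` on a live host, or `enable_drift /path/to/tree` against an unpacked image.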

[Bug 1495853] Re: puppet service enable broken on ubuntu vivid for services shipping sysvinit and systemd support

2015-09-15 Thread Tero Marttila
Note that the same scenario behaves correctly under Debian jessie, with
the patched debian service provider in version 3.7.2-3:

https://bugs.debian.org/775795

Similar example on a Debian jessie system:

$ sudo lsb_release -d
Description: Debian GNU/Linux 8.2 (jessie)
$ apt-cache policy puppet
puppet:
  Installed: 3.7.2-4
  Candidate: 3.7.2-4
  Version table:
 *** 3.7.2-4 0
        500 http://apt/debian/ jessie/main amd64 Packages
        100 /var/lib/dpkg/status
$ dpkg -L bird | vgrep ...
/etc/init/bird.conf
/etc/init/bird6.conf
/etc/init.d/bird
/etc/init.d/bird6
/lib/systemd/system/bird.service
/lib/systemd/system/bird6.service

$ sudo puppet resource --debug --param provider --param enable service bird
Debug: Executing '/usr/sbin/service bird status'
Debug: Executing '/bin/systemctl show -pSourcePath bird'
Debug: Executing '/bin/systemctl is-enabled bird'
service { 'bird':
  ensure   => 'running',
  enable   => 'true',
  provider => 'debian',
}
$ sudo puppet resource --debug --param provider --param enable service bird enable=false
Debug: Executing '/usr/sbin/service bird status'
Debug: Executing '/bin/systemctl show -pSourcePath bird'
Debug: Executing '/bin/systemctl is-enabled bird'
Debug: Executing '/bin/systemctl disable bird'
Notice: /Service[bird]/enable: enable changed 'true' to 'false'
Debug: Finishing transaction 16554200
Debug: Storing state
Debug: Stored state in 0.29 seconds
Debug: Executing '/usr/sbin/service bird status'
Debug: Executing '/bin/systemctl show -pSourcePath bird'
Debug: Executing '/bin/systemctl is-enabled bird'
service { 'bird':
  ensure   => 'running',
  enable   => 'false',
  provider => 'debian',
}
$ sudo puppet resource --debug --param provider --param enable service bird enable=true
Debug: Executing '/usr/sbin/service bird status'
Debug: Executing '/bin/systemctl show -pSourcePath bird'
Debug: Executing '/bin/systemctl is-enabled bird'
Debug: Executing '/bin/systemctl enable bird'
Notice: /Service[bird]/enable: enable changed 'false' to 'true'
Debug: Finishing transaction 18953360
Debug: Storing state
Debug: Stored state in 0.21 seconds
Debug: Executing '/usr/sbin/service bird status'
Debug: Executing '/bin/systemctl show -pSourcePath bird'
Debug: Executing '/bin/systemctl is-enabled bird'
service { 'bird':
  ensure   => 'running',
  enable   => 'true',
  provider => 'debian',
}


** Bug watch added: Debian Bug tracker #775795
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775795

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to puppet in Ubuntu.
https://bugs.launchpad.net/bugs/1495853

Title:
  puppet service enable broken on ubuntu vivid with debian provider

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/puppet/+bug/1495853/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1495853] Re: puppet service enable broken on ubuntu vivid with debian provider

2015-09-15 Thread Tero Marttila
** Summary changed:

- puppet service enable broken on ubuntu vivid for services shipping sysvinit 
and systemd support
+ puppet service enable broken on ubuntu vivid with debian provider

** Description changed:

  Running Puppet on Ubuntu 15.04 Vivid:
  
-   $ lsb_release -d
-   Description:Ubuntu 15.04
+  $ lsb_release -d
+  Description: Ubuntu 15.04
  
-   $ apt-cache policy puppet-common
-   puppet-common:
-   Installed: 3.7.2-1ubuntu2
+  $ apt-cache policy puppet-common
+  puppet-common:
+   Installed: 3.7.2-1ubuntu2
  
- Using the bird package as an example:
+ Using the bird package as an example, which ships both sysvinit and
+ systemd service files:
  
-   $ dpkg -L bird | vgrep service unit files
-   /lib/systemd/system/bird.service
-   /lib/systemd/system/bird6.service
-   /etc/init.d/bird6
-   /etc/init.d/bird
-   /etc/init/bird.conf
-   /etc/init/bird6.conf
+  $ dpkg -L bird | vgrep service unit files
+  /lib/systemd/system/bird.service
+  /lib/systemd/system/bird6.service
+  /etc/init.d/bird6
+  /etc/init.d/bird
+  /etc/init/bird.conf
+  /etc/init/bird6.conf
  
  Puppet appears to choose the debian provider for the bird service, over
  the systemd provider:
  
-   $ sudo puppet resource --debug --param provider --param enable service 
bird
-   Debug: Runtime environment: puppet_version=3.7.2, ruby_version=2.1.2, 
run_mode=user, default_encoding=UTF-8
-   ...
-   Debug: /Service[bird]: Provider debian does not support features 
flaggable; not managing attribute flags
-   ...
-   Debug: Service bird found in both debian and init; skipping the init 
version
-   ...
-   Debug: /Service[bird.service]: Provider systemd does not support 
features flaggable; not managing attribute flags
-   ...
-   Debug: Executing '/etc/init.d/bird status'
-   service { 'bird':
- ensure   => 'stopped',
- enable   => 'true',
- provider => 'debian',
-   }
+  $ sudo puppet resource --debug --param provider --param enable service bird
+  Debug: Runtime environment: puppet_version=3.7.2, ruby_version=2.1.2, 
run_mode=user, default_encoding=UTF-8
+  ...
+  Debug: /Service[bird]: Provider debian does not support features flaggable; 
not managing attribute flags
+  ...
+  Debug: Service bird found in both debian and init; skipping the init version
+  ...
+  Debug: /Service[bird.service]: Provider systemd does not support features 
flaggable; not managing attribute flags
+  ...
+  Debug: Executing '/etc/init.d/bird status'
+  service { 'bird':
+    ensure   => 'stopped',
+    enable   => 'true',
+    provider => 'debian',
+  }
  
  This means that while `ensure => running/stopped` works:
  
-   $ sudo puppet resource --debug --param provider service bird 
ensure=stopped
-   Debug: Executing '/etc/init.d/bird status'
-   Debug: Executing '/etc/init.d/bird stop'
-   Notice: /Service[bird]/ensure: ensure changed 'running' to 'stopped'
-   Debug: Finishing transaction 3255100
-   Debug: Storing state
-   Debug: Stored state in 0.13 seconds
-   Debug: Executing '/etc/init.d/bird status'
-   service { 'bird':
- ensure   => 'stopped',
- provider => 'debian',
-   }
+  $ sudo puppet resource --debug --param provider service bird ensure=stopped
+  Debug: Executing '/etc/init.d/bird status'
+  Debug: Executing '/etc/init.d/bird stop'
+  Notice: /Service[bird]/ensure: ensure changed 'running' to 'stopped'
+  Debug: Finishing transaction 3255100
+  Debug: Storing state
+  Debug: Stored state in 0.13 seconds
+  Debug: Executing '/etc/init.d/bird status'
+  service { 'bird':
+    ensure   => 'stopped',
+    provider => 'debian',
+  }
  
  The service `enabled => true/false` state does not:
  
-   $ sudo puppet resource --debug --param provider service bird 
enable=false
-   Debug: Executing '/etc/init.d/bird status'
-   Debug: Executing '/usr/sbin/update-rc.d bird disable'
-   Notice: /Service[bird]/enable: enable changed 'true' to 'false'
-   Debug: Finishing transaction 23676980
-   Debug: Storing state
-   Debug: Stored state in 0.12 seconds
-   Debug: Executing '/etc/init.d/bird status'
-   service { 'bird':
- ensure   => 'stopped',
- enable   => 'false',
- provider => 'debian',
-   }
-   $ sudo puppet resource --debug --param provider service bird enable=true
-   Debug: Executing '/etc/init.d/bird status'
-   Debug: Executing '/usr/sbin/update-rc.d -f bird remove'
-   Debug: Executing '/usr/sbin/update-rc.d bird defaults'
-   Notice: /Service[bird]/enable: enable changed 'false' to 'true'
-   Debug: Finishing transaction 12984740
-   Debug: Storing state
-   Debug: Stored state in 0.14 seconds
-   Debug: Executing '/etc/init.d/bird status'
-   service { 'bird':
- ensure   => 'stopped',
- enable   => 'true',
- provider => 

[Bug 1343245] [NEW] virt-aa-helper does not whitelist actual source dev='...' paths for domain disk type='volume'

2014-07-17 Thread Tero Marttila
Public bug reported:

Release: 14.04
Package: libvirt-bin
Version: 1.2.2-0ubuntu13.1.1

For a normal block-based LVM disk definition

<disk type='block' device='disk'>
  <driver name='qemu' type='raw'/>
  <source dev='/dev/host-vg/guest.img'/>
  <target dev='vda' bus='virtio'/>
</disk>

virt-aa-helper will generate /dev/dm-X rw rules in the
/etc/apparmor.d/libvirt/libvirt-*.files

  /dev/dm-10 rw,

However, using a storage pool:

<pool type='logical'>
  <name>lvm</name>
  <source>
    <name>host-vg</name>
  </source>
  <target>
    <path>/dev/host-vg</path>
  </target>
</pool>

to create the volume:

<volume>
  <name>guest.img</name>
  <capacity></capacity>
</volume>

and attempting to use the equivalent:

<disk type='volume' device='disk'>
  <driver name='qemu' type='raw'/>
  <source pool='lvm' volume='guest.img'/>
  <target dev='vda' bus='virtio'/>
  <address type='pci' domain='0x' bus='0x00' slot='0x04' function='0x0'/>
</disk>

Results in the following with `virsh start guest`

error: Failed to start domain guest
error: internal error: process exited while connecting to monitor: qemu-system-x86_64: -drive file=/dev/host-vg/guest.img,if=none,id=drive-virtio-disk0,format=raw: could not open disk image /dev/host-vg/guest.img: Could not open '/dev/host-vg/guest.img': Permission denied

And:

[164096.938448] type=1400 audit(1405596016.664:100): apparmor=DENIED operation=open profile=libvirt-fdd84027-cb8e-42d5-bca1-a662871d97bb name=/dev/dm-10 pid=26835 comm=qemu-system-x86 requested_mask=r denied_mask=r fsuid=109 ouid=109
[164096.938472] type=1400 audit(1405596016.664:101): apparmor=DENIED operation=open profile=libvirt-fdd84027-cb8e-42d5-bca1-a662871d97bb name=/dev/dm-10 pid=26835 comm=qemu-system-x86 requested_mask=r denied_mask=r fsuid=109 ouid=109
[164096.938515] type=1400 audit(1405596016.664:102): apparmor=DENIED operation=open profile=libvirt-fdd84027-cb8e-42d5-bca1-a662871d97bb name=/dev/dm-10 pid=26835 comm=qemu-system-x86 requested_mask=rw denied_mask=rw fsuid=109 ouid=109

The apparmor libvirt-*.files does not contain any /dev/dm-* rules.

I'm not familiar enough with the virAppArmorSecurityDriver code to know if the 
load_profile() call to virDomainDefFormat() will give the persistent or live 
xml config, but when testing with virt-aa-helper manually, feeding it the 
inactive config (i.e. `virsh dumpxml` while the domain is stopped) will cause 
get_files() to call virDomainDiskDefForeachPath() with a virDomainDiskDefPtr of 
type=VIR_DOMAIN_DISK_TYPE_VOLUME and src=NULL, so it never iters over the disk. 
I suspect that virt-aa-helper should instead be fed the active config, i.e. one 
where the disk type='volume' has been fed through 
qemuTranslateDiskSourcePool() to resolve it into the actual 
<disk type='block'><source dev='...' /></disk>?

** Affects: libvirt (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in Ubuntu.
https://bugs.launchpad.net/bugs/1343245

Title:
  virt-aa-helper does not whitelist actual source dev='...' paths for
  domain disk type='volume'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1343245/+subscriptions
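
An added example, not part of the original report and not libvirt code: a shell/awk triage helper that reads AppArmor DENIED records like the ones quoted above and lists the paths a guest's generated libvirt-*.files include does not grant. The function name `missing_rules` is hypothetical; it assumes one audit record per line and accepts values with or without double quotes.

```shell
#!/bin/sh
# Added example (not libvirt code): list paths that AppArmor denied to one
# libvirt guest profile and that its generated .files include does not grant.
# Usage: missing_rules PROFILE RULES_FILE KERNEL_LOG
# Output: "<path> <denied permission letters with no matching rule>"
# Assumes one audit record per line; values may or may not be quoted.
missing_rules() {
    awk -v prof="$1" '
    FILENAME == ARGV[1] {
        # Rule lines look like:  "/dev/dm-10" rw,   (quotes optional)
        path = $1; gsub(/"/, "", path)
        if (path ~ /^\//) { perm = $2; sub(/,$/, "", perm); rules[path] = perm }
        next
    }
    /apparmor="?DENIED"?/ {
        p = ""; name = ""; mask = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1)
            val = substr($i, n + 1); gsub(/"/, "", val)
            if (key == "profile") p = val
            else if (key == "name") name = val
            else if (key == "denied_mask") mask = val
        }
        # Keep only records for the requested guest profile.
        if (p != prof || name == "") next
        granted = (name in rules) ? rules[name] : ""
        # Collect each denied letter the rules file does not already grant.
        for (j = 1; j <= length(mask); j++) {
            c = substr(mask, j, 1)
            if (index(granted, c) == 0 && index(gap[name], c) == 0)
                gap[name] = gap[name] c
        }
    }
    END { for (name in gap) if (gap[name] != "") print name, gap[name] }
    ' "$2" "$3" | sort
}
```

For the denials in this report the rules file would be the guest's /etc/apparmor.d/libvirt/libvirt-*.files and the log the kernel messages containing the audit records.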
