Public bug reported:

1. What is the problem
On Questing, pollinate fails because it is unable to read from /tmp

On an Azure VM this was first noticed with this AppArmor denied log:
  Jul 19 21:42:00 alan-questing-base-qmnqdpkjhr kernel: audit: type=1400 audit(1752961320.498:173): apparmor="DENIED" operation="open" class="file" profile="curl" name="/tmp/pollinate.MUbjijIRZipY/challenge" pid=989 comm="curl" requested_mask="r" denied_mask="r" fsuid=105 ouid=105

We started seeing this log appear after the images started including AppArmor 
4.1.1-0ubuntu3, changelog: 
https://launchpad.net/ubuntu/+source/apparmor/4.1.1-0ubuntu3
This version of AppArmor introduced a profile for curl which allows writing but 
not reading from /tmp

From reviewing the source I believe pollinate is reading from /tmp when it 
uses curl's --data @filename flag to send POST data. The relevant source code 
is:
  if curl --connect-timeout "${WAIT}" --max-time "${WAIT}" -A "${USER_AGENT}" -o- -v --trace-time --data @${f1} ${CURL_OPTS} ${server} >"${out}" 2>"${err}"; then

from
https://git.launchpad.net/ubuntu/+source/pollinate/tree/pollinate#n234


2. Steps to reproduce with LXD
  # Get the questing image assets from before the apparmor update
  wget https://cloud-images.ubuntu.com/questing/20250617/questing-server-cloudimg-amd64-lxd.tar.xz
  wget https://cloud-images.ubuntu.com/questing/20250617/questing-server-cloudimg-amd64-root.tar.xz

  # Import the image in lxc, this returns a fingerprint
  lxc image import questing-server-cloudimg-amd64-lxd.tar.xz questing-server-cloudimg-amd64-root.tar.xz

  # Start a container from this image
  lxc launch <fingerprint> pollinate-testing

  lxc exec pollinate-testing /bin/bash

  apt list --installed pollinate
  apt list --installed apparmor

  # running pollinate works
  pollinate

  # Update apparmor which will bring in the new curl profile
  apt update
  apt-get install --only-upgrade apparmor

  # running with --reseed is necessary after the first time
  # this will fail because we have updated apparmor and the curl profile now blocks pollinate from reading from /tmp
  pollinate --reseed

  <13>Jul 31 15:47:51 pollinate[2159]: system was previously seeded at [2025-07-31 15:46:39.391715413 +0000]
  <13>Jul 31 15:47:51 pollinate[2159]: client sent challenge to [https://entropy.ubuntu.com/]
  <13>Jul 31 15:47:51 pollinate[2159]: WARNING: Network communication failed [26] curl: Failed to open /tmp/pollinate.rGrxuFK3fHGU/challenge
  curl: option --data: error encountered when reading a file
  curl: try 'curl --help' or 'curl --manual' for more information

  # To clean up afterwards
  lxc delete --force pollinate-testing

** Affects: pollinate (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2119237

Title:
  Pollinate on Questing fails while reading from /tmp
