** Description changed: 1. What is the problem On Questing, pollinate fails because it is unable to read from /tmp On an Azure VM this was first noticed with this AppArmor denied log: 'Jul 19 21:42:00 alan-questing-base-qmnqdpkjhr kernel: audit: type=1400 audit(1752961320.498:173): apparmor="DENIED" operation="open" class="file" profile="curl" name="/tmp/pollinate.MUbjijIRZipY/challenge" pid=989 comm="curl" requested_mask="r" denied_mask="r" fsuid=105 ouid=105' We started seeing this log appear after the images started including AppArmor 4.1.1-0ubuntu3, changelog: https://launchpad.net/ubuntu/+source/apparmor/4.1.1-0ubuntu3 This version of AppArmor introduced a profile for curl which allows writing but not reading from /tmp From reviewing the source I believe pollinate is reading from /tmp when it use's curls --data @filename flag to send POST data. The relevant source code is: if curl --connect-timeout "${WAIT}" --max-time "${WAIT}" -A "${USER_AGENT}" -o- -v --trace-time --data @${f1} ${CURL_OPTS} ${server} >"${out}" 2>"${err}"; then from https://git.launchpad.net/ubuntu/+source/pollinate/tree/pollinate#n234 + 2. Steps to reproduce with LXD + # Get the questing image assets from before the apparmor update + wget https://cloud-images.ubuntu.com/questing/20250617/questing-server-cloudimg-amd64-lxd.tar.xz + wget https://cloud-images.ubuntu.com/questing/20250617/questing-server-cloudimg-amd64-root.tar.xz - 2. 
Steps to reproduce with LXD - # Get the questing image assets from before the apparmor update - wget https://cloud-images.ubuntu.com/questing/20250617/questing-server-cloudimg-amd64-lxd.tar.xz - wget https://cloud-images.ubuntu.com/questing/20250617/questing-server-cloudimg-amd64-root.tar.xz + # Import the image in lxc, this returns a fingerprint + lxc image import questing-server-cloudimg-amd64-lxd.tar.xz questing-server-cloudimg-amd64-root.tar.xz --alias lp2119237 - # Import the image in lxc, this returns a fingerprint - lxc image import questing-server-cloudimg-amd64-lxd.tar.xz questing-server-cloudimg-amd64-root.tar.xz + # Start a container from this image + lxc launch local:lp2119237 pollinate-testing - # Start a container from this image - lxc launch <fingerprint> pollinate-testing + lxc exec pollinate-testing /bin/bash - lxc exec pollinate-testing /bin/bash + apt list --installed pollinate + apt list --installed apparmor - apt list --installed pollinate - apt list --installed apparmor + # running pollinate works + pollinate - # running pollinate works - pollinate + # Update apparmor which will bring in the new curl profile + apt update + apt-get install --only-upgrade apparmor - # Update apparmor which will bring in the new curl profile - apt update - apt-get install --only-upgrade apparmor + # running with --reseed is necessary after the first time + # this will fail because we have updated apparmor and the curl profile now blocks pollinate from reading from /tmp + pollinate --reseed - # running with --reseed is necessary after the first time - # this will fail because we have updated apparmor and the curl profile now blocks pollinate from reading from /tmp - pollinate --reseed + <13>Jul 31 15:47:51 pollinate[2159]: system was previously seeded at [2025-07-31 15:46:39.391715413 +0000] + <13>Jul 31 15:47:51 pollinate[2159]: client sent challenge to [https://entropy.ubuntu.com/] + <13>Jul 31 15:47:51 pollinate[2159]: WARNING: Network communication failed [26] 
curl: Failed to open /tmp/pollinate.rGrxuFK3fHGU/challenge + curl: option --data: error encountered when reading a file + curl: try 'curl --help' or 'curl --manual' for more information - <13>Jul 31 15:47:51 pollinate[2159]: system was previously seeded at [2025-07-31 15:46:39.391715413 +0000] - <13>Jul 31 15:47:51 pollinate[2159]: client sent challenge to [https://entropy.ubuntu.com/] - <13>Jul 31 15:47:51 pollinate[2159]: WARNING: Network communication failed [26] curl: Failed to open /tmp/pollinate.rGrxuFK3fHGU/challenge - curl: option --data: error encountered when reading a file - curl: try 'curl --help' or 'curl --manual' for more information - - # To clean up afterwards - lxc delete --force pollinate-testing + # To clean up afterwards + lxc delete --force pollinate-testing
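Review bot: The cleanup step at the end of the revised reproduction still removes only the container (`lxc delete --force pollinate-testing`), while the import step now registers the image under `--alias lp2119237`; adding `lxc image delete lp2119237` to the cleanup would remove the imported image as well. The steps also run `apt list --installed apparmor` only before the upgrade. Repeating it after `apt-get install --only-upgrade apparmor` would record that the failing `pollinate --reseed` run happened on the version that carries the curl profile. The LXD output shows only curl's "Failed to open" error, so quoting the matching `apparmor="DENIED"` line with `profile="curl"` from the kernel log, as the Azure section does, would tie this failure to the profile rather than to another cause.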
--
https://bugs.launchpad.net/bugs/2119237
Title: Pollinate on Questing fails while reading from /tmp
