snapd/snap-confine leaves behind /etc/apparmor.d/usr.lib.snapd.snap-confine on upgrade

Bug #1682023 reported by Steve Beattie
This bug affects 8 people
Affects          Status         Importance   Assigned to    Milestone
snapd            Fix Released   Undecided    Michael Vogt
snapd (Ubuntu)   Fix Released   Undecided    Michael Vogt

Bug Description

The kernel ADT tests failed when running some of the apparmor tests against the apparmor utilities, with error messages:

   ERROR: Conflicting profiles for /usr/lib/snapd/snap-confine defined in two files:
   - /etc/apparmor.d/usr.lib.snapd.snap-confine.real
   - /etc/apparmor.d/usr.lib.snapd.snap-confine

See log at https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/amd64/l/linux-hwe-edge/20170410_201241_f4dfd@/log.gz

Examining the log, the ADT harness uninstalls snapd 2.22.6 without purging and without uninstalling snap-confine (which contains /etc/apparmor.d/usr.lib.snapd.snap-confine). It then later installs snapd 2.23.6 (which contains /etc/apparmor.d/usr.lib.snapd.snap-confine.real) before running the tests.

The snapd 2.23.6 package contains the following in its postrm file:

  dpkg-maintscript-helper rm_conffile /etc/apparmor.d/usr.lib.snapd.snap-confine 2.23.6~ -- "$@"
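
The conflict reported in the error above (one profile name declared by both a leftover conffile and its `.real` successor) can be detected with a scan of the profile directory. This is an added example, not part of the original report or of snapd; the function names are hypothetical and the header matching is a simplification that only recognises unindented top-level profile headers.

```shell
#!/bin/sh
# Added example: list AppArmor profile names declared in more than one file.
# Assumption: only unindented headers of the form
#   /path/to/binary [flags] {      or      profile NAME [/path] [flags] {
# are recognised; nested profiles, hats and quoted names are ignored.

# profile_names FILE -> one "NAME<TAB>FILE" line per top-level profile header
profile_names() {
    awk '
        /^\/.*[{][ \t]*$/          { print $1 "\t" FILENAME; next }
        /^profile[ \t]+.*[{][ \t]*$/ { print $2 "\t" FILENAME }
    ' "$1"
}

# find_conflicts [DIR] -> prints "NAME<TAB>FILE" for every profile name that
# is declared in two or more files; returns 1 on conflict, 0 when clean.
find_conflicts() {
    dir=${1:-/etc/apparmor.d}
    out=$(
        for f in "$dir"/*; do
            [ -f "$f" ] || continue    # skip abstractions/, tunables/ and so on
            profile_names "$f"
        done | sort -u | awk -F'\t' '
            { n[$1]++; files[$1] = files[$1] $0 "\n" }
            END { for (k in n) if (n[k] > 1) printf "%s", files[k] }
        '
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

Running `find_conflicts /etc/apparmor.d` on an affected system lists both files for `/usr/lib/snapd/snap-confine`; `dpkg -S` on each path then shows which one no installed package still owns.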

Steve Beattie (sbeattie)
summary: - snapd/snapd-confine leaves behind /etc/apparmor.d/usr.lib.snapd.snap-
+ snapd/snap-confine leaves behind /etc/apparmor.d/usr.lib.snapd.snap-
confine on upgrade
Andy Whitcroft (apw)
Changed in snapd (Ubuntu):
status: New → Confirmed
Andy Whitcroft (apw) wrote :

Managed to reproduce by purging the current snapd, installing a 2.22.x version, purging just snapd, and finally installing the latest snapd. See attached transcript.

Michael Vogt (mvo) wrote :
Changed in snapd (Ubuntu):
status: Confirmed → In Progress
Pieter (diepes) wrote :

apparmor failed to start.

apparmor[30240]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /etc/apparmor.d/usr.lib.snapd.snap-confine.real at line 11: Could not open '/var/lib/snapd/apparmor/snap-confine.d'

Zygmunt Krynicki (zyga) wrote :

I believe a part of this issue was fixed but the fix only works when a package is purged. Not when the package is removed but the conffiles stay behind.

This is a duplicate of another bug. I'll find it shortly.

Zygmunt Krynicki (zyga) wrote :

Please forgive me, I misread the bug description.

This bug is about the package leaving the non-suffixed (with the extension .real) conffile on upgrade.

Zygmunt Krynicki (zyga) wrote :

I believe this pull request is relevant https://github.com/snapcore/snapd/pulls/mvo5

Changed in snapd:
status: New → In Progress
assignee: nobody → Michael Vogt (mvo)
Changed in snapd (Ubuntu):
assignee: nobody → Michael Vogt (mvo)
Zygmunt Krynicki (zyga) wrote :

I realised my last comment used an incorrect link. The URL I meant to share was https://github.com/snapcore/snapd/pull/7661

Changed in snapd:
milestone: none → 2.43
Changed in snapd:
status: In Progress → Fix Committed
Zygmunt Krynicki (zyga) wrote :

Snapd 2.43 was released a while ago. Marking as released.

Changed in snapd:
status: Fix Committed → Fix Released
Changed in snapd (Ubuntu):
status: In Progress → Fix Released