Removing chrony from Apparmor fails for Debian on redeploy
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kolla-ansible | Triaged | Medium | Unassigned |
Bug Description
**Bug Report**
The chronyd Debian-based kolla container is in a constant crash loop if the server is rebooted / the docker container is restarted. More details below.
**Environment**:
- Base OS: Debian GNU/Linux 10 (buster) | docker images used (Ubuntu) from 26th Jan 2021 (likely cf305aaaf commit in kolla repo)
- Kernel: Linux 4.19.0-
- kolla-ansible branch: stable/victoria (commit-id: 05e6d4a4d (HEAD) Fix dpdk deploy failed)
- Used images pulled from docker-hub on 26th Jan 2021 (Debian / stable-victoria)
- chrondyd_enabled = True
- Ansible is configured to fail on errors
- Strategy used: ALWAYS_COPY
### Problem Description
Bug https:/
Nevertheless, it seems that this was done/tested on Ubuntu and RHEL, but not on a Debian-based OS.
How to reproduce the issue:
1. kolla deploy was run for the first time (all OK)
2. if we rerun the kolla-bootstrap
This fails on the second run, most likely because, if the first run removed the policy, we can't remove it again on subsequent runs as the policy is no longer there.
This is why one of the fix approaches below may be taken.
Error example (when deploying for the second time):
```
ok: [control02]
TASK [baremetal : Remove apparmor profile for chrony] *******
fatal: [compute02]: FAILED! => {"changed": true, "cmd": ["apparmor_parser", "-R", "/etc/apparmor.
```
## Potential resolution:
One option _may_ be to combine the -C and -R commands, but this is only going to work if we have buster, for example, which by default enables AppArmor on chronyd.
```
diff --git a/ansible/
index 5fdc471b0.
--- a/ansible/
+++ b/ansible/
@@ -168,7 +168,9 @@
- enable_chrony | bool
- name: Remove apparmor profile for chrony
- command: apparmor_parser -R /etc/apparmor.
+ shell: |
+ apparmor_parser -C /etc/apparmor.
+ apparmor_parser -R /etc/apparmor.
become: True
when:
- ansible_os_family == "Debian"
```
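Review bot: The two `apparmor_parser` lines added under `shell: |` run unconditionally, so the task still has no check that the chrony profile is present before `-R` and will report a change on every run; loading with `-C` only to remove again also depends on the profile file existing on the host. Consider keeping `command` for the `-R` call and gating it with a `when:` on a registered check of the loaded profiles (with `changed_when: false` on the check), so a redeploy skips the task once the profile is gone.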
Now, of course, this may not work if older versions are in use that do not have AppArmor enabled on chronyd to begin with.
Thus, to fix this in kolla for different versions, we need a slightly different approach:
1. Execute removal (-R) of the policy if and only if:
   - the AppArmor status command (apparmor_status --json) succeeds
   - AppArmor has the chronyd policy set (from (apparmor_
I will try to create this fix and we can take it from there.
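The guarded removal proposed in the report, sketched as an added Python example (not kolla-ansible's code and not the reporter's fix). It assumes `apparmor_status --json` prints an object with a `profiles` map of profile name to mode; the function names, the sample outputs and the `profile_file` argument are constructed for illustration.

```python
import json

# Constructed samples of `apparmor_status --json` output (assumed layout:
# a "profiles" object mapping profile name -> mode). Not taken from the report.
SAMPLE_LOADED = json.dumps({
    "version": "1",
    "profiles": {"/usr/sbin/chronyd": "enforce", "/usr/bin/man": "enforce"},
})
SAMPLE_REMOVED = json.dumps({
    "version": "1",
    "profiles": {"/usr/bin/man": "enforce"},
})


def loaded_profiles(status_rc, status_stdout):
    """Return the set of loaded profile names, or None if status is unusable."""
    if status_rc != 0:
        return None  # AppArmor missing, disabled, or status not readable
    try:
        profiles = json.loads(status_stdout).get("profiles", {})
    except (ValueError, TypeError, AttributeError):
        return None  # output was not the expected JSON object
    return set(profiles) if isinstance(profiles, dict) else None


def removal_command(status_rc, status_stdout, profile_file, needle="chronyd"):
    """Return the argv for the removal, or None when it must be skipped."""
    profiles = loaded_profiles(status_rc, status_stdout)
    if not profiles:
        return None  # status failed or nothing is loaded: nothing to remove
    if not any(needle in name for name in profiles):
        return None  # profile already removed by an earlier run: stay idempotent
    return ["apparmor_parser", "-R", profile_file]
```

A caller would pass the real exit code and stdout of `apparmor_status --json` and run the returned argv only when it is not `None`, so a second deploy skips the step instead of failing.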
Hi, we had a recent fix for a similar issue for the libvirtd profile. Would something like it work?
https://opendev.org/openstack/kolla-ansible/commit/891ec51dd417af894f7dde0dfa68b2333f497dcf