** Description changed:

  [SRU] 2.75.2
  
  [ Impact ]
  
  Race in changing AppArmor hat results in nvidia-container-
  toolkit.service failure.
  
  [ Test Plan ]
  
- This change completely removed the code paths that previously caused the
- error, so this may no longer happen. There is nothing to test.
+ 1. Reproduce with snapd deb < 2.75
+ 
+ Follow the reproducer steps in the original description and verify the
+ issues occurs.
+ 
+ 2. Prove fixed with snapd deb 2.75
+ 
+ Follow the reproducer steps in the original description and verify that
+ after some long amount of time, the issue never occurs.
+ 
+ [ Where problems could occur ]
+ 
+ The fix was removing the apparmor hat code and merged permissions into
+ the main profile. It is a simplification and should cause no issues.
  
  ---original---
  
  Hi team,
  
  When we're verifying a snapd solution
  (https://bugs.launchpad.net/snapd/+bug/2134364) under resolute desktop
  environment, we found snap service cannot change the apparmor hat in
  probability (can be reproduced in a half-day).
  
  ===issue log===
  systemd[1]: Starting snap.docker.nvidia-container-toolkit.service - Service 
for snap application docke>
  docker.nvidia-container-toolkit[1708]: cannot change apparmor hat: No child 
processes
  docker.nvidia-container-toolkit[1590]: cannot send command 1 to helper 
process: Broken pipe
  systemd[1]: snap.docker.nvidia-container-toolkit.service: Main process 
exited, code=exited, status=1/F>
  systemd[1]: snap.docker.nvidia-container-toolkit.service: Failed with result 
'exit-code'.
  ===============
  
  Based on some comparisons,
  a. The snapd (deb) v2.73 and v2.74 can reproduce the issue in resolute.
  b. The snapd (deb) v2.73 can NOT reproduce the issue in noble.
  c. The snapd (snap) v2.74 can NOT reproduce the issue in UC24.
  d. The Docker snap is the same version in resolute, noble, and UC24.
  
  AppArmor Versions:
  - Resolute uses 5.0.0~alpha1-0ubuntu9
  - Noble uses    4.0.1really4.0.1-0ubuntu0.24.04.5
  
  We think the issue is happening at AppArmor side in resolute, because
  the snapd (deb) is using the host AppArmor as the following log. Could
  you help check this issue?
  
  ===log===
  $ snap debug execution apparmor
  apparmor-parser: /usr/sbin/apparmor_parser
  apparmor-parser-command: /usr/sbin/apparmor_parser --policy-features 
/etc/apparmor.d/abi/3.0
  internal: false
  =========
  
  [Reproduce method]
  
  1. A x86_64 device working with resolute desktop environment
  2. $ sudo apt update
  3. $ sudo apt upgrade -y
  4. $ sudo snap refresh
  5. $ sudo snap install docker
  6. $ sudo snap install checkbox24
  7. $ sudo snap install checkbox-ce-oem --classic
  8. $ sudo vi /etc/systemd/system/auto-reboot.service
  [Unit]
  Description=Service to check systemd status and reboot every 60 seconds
  After=snap.docker.nvidia-container-toolkit.service
  
  [Service]
  Type=simple
  ExecStart=/home/<username>/run.sh
  TimeoutStopSec=60
  9. sudo systemctl enable /etc/systemd/system/auto-reboot.service
  10. vi run.sh
  #!/bin/bash
  
  systemctl status snap.docker.nvidia-container-toolkit.service | grep 
'inactive (dead) since'
  if [ $? -eq 1 ]; then
      echo "FAILED"
      exit 1
  else
      echo "Sleep 60"
      systemctl reboot
  fi
  11. chmod +x run.sh
  
  When the reboot stress test is stopped, check the log of 
snap.docker.nvidia-container-toolkit.service
  12. systemctl status snap.docker.nvidia-container-toolkit.service
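
Review bot: step 2 of the new test plan has no pass criterion, since "after some long amount of time, the issue never occurs" cannot be checked. The original description says the failure reproduces within about half a day of the reboot loop, so state a minimum run time or reboot count that exceeds that, and name the log line to look for ("cannot change apparmor hat") in the output of step 12. The versions also need aligning: the header says "[SRU] 2.75.2" while the steps say "snapd deb < 2.75" and "snapd deb 2.75". In "Where problems could occur", merging the hat's permissions into the main profile means the main profile now allows what was previously confined to the hat, so "should cause no issues" would be more useful if it named the regression a tester should watch for.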

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2139664

Title:
  snap service cannot change apparmor hat
