From 3e3ea4c77b733a70572cd26e8f3938a02324b85d Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 21 Jan 2025 12:01:14 -0500 Subject: [PATCH 1/2] Disable unix-chkpwd AppArmor profile This is necessary when running Molecule tests against Fedora 40 and 41; otherwise, the privileged container cannot successfully sudo and hence Ansible is unable to do anything. Note that this change is reverted after the Molecule tests are run. For now, disabling the unix-chkpwd AppArmor profile also requires an apt-get purge of the firefox and passt packages. It should be possible to remove this purge (and the ensuing systemctl reload apparmor.service) at a future date. See cisagov/skeleton-ansible-role#215 for more details. --- .github/workflows/build.yml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a30b335..f0a05ff 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -238,11 +238,43 @@ jobs:
 uses: docker/setup-qemu-action@v3
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
+ # Disabling the unix-chkpwd AppArmor profile is necessary when
+ # running Molecule tests against Fedora 40 and 41; otherwise,
+ # the privileged container cannot successfully run sudo and
+ # hence Ansible is unable to do anything. See
+ # fedora-cloud/docker-brew-fedora#117 for more details.
+ #
+ # Purging firefox is currently necessary because the
+ # installation available on the GitHub runner instance provides
+ # two conflicting AppArmor profiles:
+ # /etc/apparmor.d/usr.bin.firefox and /etc/apparmor.d/firefox.
+ # This conflict causes the aa-disable /usr/sbin/unix_chkpwd
+ # command to fail.
+ #
+ # Purging passt is currently necessary because the installation
+ # available on the GitHub runner instance contains a wonky
+ # AppArmor file (/etc/apparmor.d/abstractions/passt) that causes
+ # the aa-disable command to fail.
+ #
+ # TODO: Remove the apt-get purge and systemctl reload commands
+ # when possible. See cisagov/skeleton-ansible-role#215 for more
+ # details.
+ - name: Disable unix-chkpwd AppArmor profile
+ run: |
+ sudo apt-get purge firefox passt
+ sudo systemctl reload apparmor.service
+ sudo apt-get install apparmor-utils
+ sudo aa-disable /usr/sbin/unix_chkpwd
+ if: ${{ startsWith(matrix.platform, 'fedora') }}
 - name: Run molecule tests
 run: >-
 molecule test
 --platform-name ${{ matrix.platform }}-${{ matrix.architecture }}
 --scenario-name ${{ matrix.scenario }}
+ - name: Re-enable unix-chkpwd AppArmor profile
+ run: >-
+ sudo aa-enforce /usr/sbin/unix_chkpwd
+ if: ${{ startsWith(matrix.platform, 'fedora') }}
 - name: Setup tmate debug session
 uses: mxschmitt/action-tmate@v3
 if: env.RUN_TMATE
From a473457a41123ad3f55861de30d6845421dcc782 Mon Sep 17 00:00:00 2001
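Review bot: The new `Re-enable unix-chkpwd AppArmor profile` step is gated only by `if: ${{ startsWith(matrix.platform, 'fedora') }}`, so it inherits the implicit `success()` condition and is skipped whenever `Run molecule tests` fails or the job is cancelled, leaving `unix_chkpwd` unconfined (and firefox/passt purged) on the runner. That is harmless on an ephemeral GitHub-hosted runner but would persist into later jobs on a self-hosted one; change the condition to `if: ${{ always() && startsWith(matrix.platform, 'fedora') }}` so the profile is restored regardless of the test outcome. With `always()` the step would also run when the disable step itself failed or never ran; `aa-enforce` on a profile that is already enforcing should be a no-op, but confirm that on the runner image. The `apt-get purge` and `apt-get install apparmor-utils` lines also run without `-y`/`DEBIAN_FRONTEND=noninteractive`, which is fragile in a job with no tty as soon as apt needs to add or remove a package beyond those named. The job these steps belong to begins above the hunk.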
From: Jeremy Frasier Date: Thu, 23 Jan 2025 14:32:29 -0500 Subject: [PATCH 2/2] Reinstall firefox and passt These system packages had to be uninstalled to allow the disabling of the unix-chkpwd AppArmor profile, but can be reinstalled at this point. Co-authored-by: Nicholas McDonnell --- .github/workflows/build.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f0a05ff..6a002e8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -271,9 +271,12 @@ jobs:
 molecule test
 --platform-name ${{ matrix.platform }}-${{ matrix.architecture }}
 --scenario-name ${{ matrix.scenario }}
+ # TODO: Remove the apt-get install command when possible. See
+ # cisagov/skeleton-ansible-role#215 for more details.
 - name: Re-enable unix-chkpwd AppArmor profile
- run: >-
+ run: |
 sudo aa-enforce /usr/sbin/unix_chkpwd
+ sudo apt-get install firefox passt
 if: ${{ startsWith(matrix.platform, 'fedora') }}
 - name: Setup tmate debug session
 uses: mxschmitt/action-tmate@v3
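Review bot: The added `sudo apt-get install firefox passt` line runs without `-y`, so if apt has to pull any dependency beyond the two named packages it will ask for confirmation and, with no tty attached to the job, abort — failing a job whose tests have already passed; change it to `sudo DEBIAN_FRONTEND=noninteractive apt-get install -y firefox passt`. apt-get prompts only when it would change packages beyond those explicitly named, so this may currently succeed by chance and start failing when the runner image's package set changes. Because GitHub runs `run:` steps under `bash -e` by default, a failure of `aa-enforce` on the preceding line also skips the reinstall, which is a reasonable ordering but worth a short comment such as `# aa-enforce first: if restoring confinement fails, leave the runner as-is and fail loudly`. The job these steps belong to begins above the hunk.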