Remove apt-get purge of firefox and passt when possible #215

Open
jsf9k opened this issue Jan 21, 2025 · 0 comments
Labels:
  • github-actions (Pull requests that update GitHub Actions code)
  • improvement (This issue or pull request will add or improve functionality, maintainability, or ease of use)

jsf9k commented Jan 21, 2025

💡 Summary

Remove the following when possible:

  • apt-get purge of the firefox and passt packages
  • systemctl reload of apparmor.service

Motivation and context

Purging firefox is currently necessary because the installation available on the GitHub runner instance provides two conflicting AppArmor profiles:

  • /etc/apparmor.d/usr.bin.firefox
  • /etc/apparmor.d/firefox

This conflict causes the aa-disable /usr/sbin/unix_chkpwd command to fail.

Purging passt is currently necessary because the installation available on the GitHub runner instance contains a wonky AppArmor file (/etc/apparmor.d/abstractions/passt) that causes the aa-disable /usr/sbin/unix_chkpwd command to fail.

The systemctl reload of apparmor.service is required to force AppArmor to remove the corresponding profiles after the packages are purged. (AppArmor profiles count as configuration files in Debian-based distributions.)

Once newer versions of these packages without these limitations are available on the GitHub runners, these apt-get purge commands and the systemctl reload apparmor.service command that follows can be safely removed.
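An added example, not part of the issue or the project's workflow code: a probe-first step that tries the plain aa-disable and falls back to the purge and reload described above only when that fails, so the workaround stops running once the runner image is fixed. The function names and the APPARMOR_DIR and RUN variables are hypothetical.

```shell
#!/bin/sh
# Added example (not the project's workflow). APPARMOR_DIR, RUN and the
# function names are assumptions made for illustration.

APPARMOR_DIR="${APPARMOR_DIR:-/etc/apparmor.d}"
RUN="${RUN:-sudo}"   # command prefix; can be replaced by a stub for dry runs

# Return 0 if both firefox profiles named in the issue are present.
firefox_profiles_conflict() {
    [ -e "$APPARMOR_DIR/usr.bin.firefox" ] && [ -e "$APPARMOR_DIR/firefox" ]
}

# Disable the unix_chkpwd profile, using the purge workaround only if needed.
# Prints "clean" when no workaround was required, "workaround" when the
# purge and reload were needed; returns non-zero if the profile could not
# be disabled either way.
disable_unix_chkpwd() {
    # First attempt: succeeds on runner images whose packages are fixed.
    if $RUN aa-disable /usr/sbin/unix_chkpwd >/dev/null 2>&1; then
        echo clean
        return 0
    fi

    # Record a known cause in the job log (stderr) before falling back.
    if firefox_profiles_conflict; then
        echo "conflicting firefox AppArmor profiles still present" >&2
    fi

    # Fallback from the issue: purge both packages, reload AppArmor so the
    # purged profiles are dropped, then retry.
    $RUN apt-get purge --yes firefox passt >/dev/null &&
        $RUN systemctl reload apparmor.service &&
        $RUN aa-disable /usr/sbin/unix_chkpwd >/dev/null &&
        echo workaround
}

# Usage in a workflow step: result=$(disable_unix_chkpwd)
```

A job that logs the returned value shows when the runners start reporting "clean", which is the point at which the purge and reload can be deleted.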

jsf9k added the github-actions and improvement labels Jan 21, 2025
jsf9k added a commit that referenced this issue Jan 21, 2025
This is necessary when running Molecule tests against Fedora 40 and
41; otherwise, the privileged container cannot successfully sudo and
hence Ansible is unable to do anything.

Note that this change is reverted after the Molecule tests are run.

For now, disabling the unix-chkpwd AppArmor profile also requires an
apt-get purge of the firefox and passt packages.  It should be
possible to remove this purge (and the ensuing systemctl reload
apparmor.service) at a future date.  See
#215 for more details.
jsf9k added a commit that referenced this issue Jan 22, 2025