Disable unix-chkpwd AppArmor profile #216

Merged
merged 2 commits into from
Jan 24, 2025


@jsf9k (Member) commented Jan 21, 2025

🗣 Description

This pull request disables the unix-chkpwd AppArmor profile before running Molecule tests against Fedora Docker containers.

💭 Motivation and context

This is necessary when running Molecule tests against Fedora 40 and 41; otherwise, the privileged container cannot successfully execute sudo and hence Ansible is unable to do anything.

Note that this change is reverted after the Molecule tests are run.

For now, disabling the unix-chkpwd AppArmor profile also requires an apt-get purge of the firefox and passt packages. It should be possible to remove this purge (and the ensuing systemctl reload apparmor.service) at a future date. See #215 for more details.

🧪 Testing

All automated tests pass.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All future TODOs are captured in issues, which are referenced in code comments.
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All new and existing tests pass.

@jsf9k jsf9k added bug This issue or pull request addresses broken functionality github-actions Pull requests that update GitHub Actions code kraken 🐙 This pull request is ready to merge during the next Lineage Kraken release labels Jan 21, 2025
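
A post-test check that the revert described above actually took effect, as an added example (not code from this pull request or the cisagov project): it reads the kernel's loaded-profile list and the conventional AppArmor disable directory. The function names, the overridable `AA_PROFILES` and `AA_DISABLE_DIR` variables, and the default expected mode of `enforce` are assumptions introduced here.

```shell
#!/bin/sh
# Added example: verify an AppArmor profile is loaded again after a CI job
# temporarily disabled it. The paths are the usual AppArmor locations; both
# can be overridden (an assumption made so the check can be tested offline).
AA_PROFILES="${AA_PROFILES:-/sys/kernel/security/apparmor/profiles}"
AA_DISABLE_DIR="${AA_DISABLE_DIR:-/etc/apparmor.d/disable}"

# profile_mode NAME -> prints the mode (enforce, complain, ...) of a loaded
# profile; returns non-zero if the profile is not loaded at all.
# Each line of the kernel list looks like: "unix-chkpwd (enforce)".
profile_mode() {
    awk -v want="$1" '
        {
            mode = $NF                      # last field is "(mode)"
            gsub(/[()]/, "", mode)
            name = $0
            sub(/ \([^()]*\)$/, "", name)   # strip the trailing " (mode)"
            if (name == want) { print mode; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$AA_PROFILES"
}

# profile_restored NAME [MODE] -> 0 only if the profile is loaded in MODE
# (default: enforce, an assumption) and no leftover entry in the disable
# directory would drop it again at the next reload or reboot.
profile_restored() {
    want_mode="${2:-enforce}"
    mode=$(profile_mode "$1") || { echo "$1: not loaded" >&2; return 1; }
    if [ "$mode" != "$want_mode" ]; then
        echo "$1: loaded in $mode mode, expected $want_mode" >&2
        return 1
    fi
    if [ -e "$AA_DISABLE_DIR/$1" ] || [ -L "$AA_DISABLE_DIR/$1" ]; then
        echo "$1: still listed in $AA_DISABLE_DIR" >&2
        return 1
    fi
    return 0
}

# Typical use in a cleanup step that always runs after the tests:
#   profile_restored unix-chkpwd || exit 1
```
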
@jsf9k (Member, Author) commented Jan 22, 2025

The failing tests should be fixed when ansible-community/molecule-plugins#294 is merged and a new release created.

This is necessary when running Molecule tests against Fedora 40 and
41; otherwise, the privileged container cannot successfully sudo and
hence Ansible is unable to do anything.

Note that this change is reverted after the Molecule tests are run.

For now, disabling the unix-chkpwd AppArmor profile also requires an
apt-get purge of the firefox and passt packages.  It should be
possible to remove this purge (and the ensuing systemctl reload
apparmor.service) at a future date.  See
#215 for more details.
@jsf9k jsf9k force-pushed the bugfix/disable-unix-chkpwd-apparmor-profile branch from bcefbbb to 3e3ea4c Compare January 22, 2025 16:59
@jsf9k jsf9k marked this pull request as ready for review January 23, 2025 19:12
@jsf9k jsf9k requested review from felddy and mcdonnnj as code owners January 23, 2025 19:12
@jsf9k jsf9k requested a review from a team January 23, 2025 19:12
@jsf9k (Member, Author) commented Jan 23, 2025

> The failing tests should be fixed when ansible-community/molecule-plugins#294 is merged and a new release created.

This prediction is now true!

@mcdonnnj (Member) left a comment

LGTM ✔️ Thanks for taking care of what I mentioned in person.

@jsf9k (Member, Author) commented Jan 23, 2025

> LGTM ✔️ Thanks for taking care of what I mentioned in person.

No problem. See commit a473457.

@jsf9k jsf9k force-pushed the bugfix/disable-unix-chkpwd-apparmor-profile branch from d62d1d0 to 8cad420 Compare January 23, 2025 19:48
These system packages had to be uninstalled to allow the disabling of
the unix-chkpwd AppArmor profile, but can be reinstalled at this
point.

Co-authored-by: Nicholas McDonnell <[email protected]>
@jsf9k jsf9k force-pushed the bugfix/disable-unix-chkpwd-apparmor-profile branch from 8cad420 to a473457 Compare January 23, 2025 20:14
@jsf9k jsf9k added this pull request to the merge queue Jan 23, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jan 23, 2025
@jsf9k jsf9k added this pull request to the merge queue Jan 23, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jan 24, 2025
@jsf9k jsf9k added this pull request to the merge queue Jan 24, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jan 24, 2025
@jsf9k jsf9k added this pull request to the merge queue Jan 24, 2025
Merged via the queue into develop with commit de58d6e Jan 24, 2025
57 checks passed
@jsf9k jsf9k deleted the bugfix/disable-unix-chkpwd-apparmor-profile branch January 24, 2025 02:07