=== ephemer0l is now known as GeneralDiscourse
blahdeblahI just found a really annoying bug in the apparmor profile shipped with chrony.  This person found it earlier: https://askubuntu.com/questions/1411005/could-not-open-run-chrony-chronyd-pid-permission-denied01:27
blahdeblahI can't find any project to report this against in LP.  Any suggestions?01:27
blahdeblahIt just needs `@{run}/chrony/{,**} rw,` in the apparmor profile instead of `@{run}/chrony/{,*} rw,`01:28
arraybolt3`ubuntu-bug chrony` might do the trick.01:30
arraybolt3That should upload some debugging info and then give you the ability to fill out a bug report form.01:31
blahdeblahI should remember that by now... :-)  Thanks arraybolt301:40
jjohansenblahdeblah: if its apparmor related, and you aren't sure. Just file it against apparmor in lp https://bugs.launchpad.net/ubuntu/+source/apparmor01:40
jjohansenor against the upstream project in gitlab https://gitlab.com/apparmor/apparmor/-/issues01:41
sarnoldheya blahdeblah :)01:41
blahdeblahjjohansen: The file is shipped in the chrony package, so seems like it probably should be raised against that?01:41
blahdeblah\o sarnold01:41
jjohansenblahdeblah: sure, but if you aren't sure etc. better to report it, the apparmor people can always add affected packages in lp etc01:42
blahdeblahCool - thanks01:42
=== chris14_ is now known as chris14
=== chris14_ is now known as chris14
cpaelzerhi blahdeblah, gladly I highlight on chrony and can see the bug now - https://bugs.launchpad.net/ubuntu/+source/chrony/+bug/2004525 it is07:03
-ubottu:#ubuntu-security- Launchpad bug 2004525 in chrony (Ubuntu) "Fatal error : Could not open /run/chrony/chronyd.pid : Permission denied" [Undecided, Incomplete]07:03
cpaelzerhmm, so far I agree to amurray07:12
cpaelzera few more things to check ...07:12
blahdeblahamurray, cpaelzer: Thanks for looking.  Weird problem; what other data should I try to gather?07:33
blahdeblahI can back out my override and try again, I guess..07:34
cpaelzerblahdeblah: hi07:39
cpaelzerblahdeblah: I'm currently checking and upgrading a few older chrony systems of mine07:39
cpaelzerblahdeblah: so far, no issue here07:39
cpaelzerblahdeblah: but I've found a theory07:39
cpaelzerblahdeblah: the path changed from /run/chrony.pid to /run/chrony/chrony.pid07:39
cpaelzerblahdeblah: that was also adapted in the profile07:40
cpaelzerblahdeblah: but, if you'd have kept the old profile of focal - then it would show the issue you have07:40
cpaelzerblahdeblah: what does `grep 'run.*/chrony' /etc/apparmor.d/usr.sbin.chronyd` give you?07:40
blahdeblahYeah - I definitely checked that. It's correct.07:40
blahdeblahSo I commented out the line and it still works.  This upgrade did go a little pear-shaped on me and failed halfway through.07:41
blahdeblahI had to manually massage a few packages back into life.  Maybe one of them did something strange.07:41
blahdeblahThe upgrade seemed to have problems with duplicated utilities in /bin vs. /usr/bin.  I know on new systems they're just symlinked from / into /usr, but IIRC the old layout is kept on upgrades?07:41
cpaelzerblahdeblah: so you already have the new rule (having @{run}/chrony/{,*} rw,), and still without the one you suggested (@{run}/chrony/{,**} rw,) it doesn't work for you ?07:41
cpaelzerthe next upgrade I'm running is an rpi4 which is a bit slower, but so far I can't recreate the issue :-/07:42
cpaelzerblahdeblah: just for completeness, could you remove the rule you added and report the full apparmor denial message int he bug?07:43
blahdeblahcpaelzer: Output you asked for: https://pastebin.ubuntu.com/p/YY2Vj4pTzV/07:44
blahdeblahBut the thing is, now it works, without the override.07:45
cpaelzerumm, what07:45
blahdeblahyeah, weird07:45
blahdeblahI'll see if there was a deny in my logs07:45
blahdeblah(from apparmor)07:46
cpaelzeryep, thanks07:46
cpaelzerso what might we look at then, dh_apparmor not issuing a reload of the profile maybe?07:46
cpaelzerwell, let us start with the denial in your logs07:46
blahdeblahNo denial ;-( https://pastebin.ubuntu.com/p/Vpk3dSYYg3/07:48
cpaelzerso the "apparmor fix" was a red herring?07:49
blahdeblahSeems like it. :-(07:49
cpaelzerI updated the bug with all we discussed07:51
blahdeblahA number of systemd files ended up with old versions in /usr/bin and new versions in /bin, and I had to move the old ones aside to complete the upgrade, so it might be that one of those was interfering with apparmor profile loads?07:51
cpaelzerI hope to get the issue on my system that is upgrading in background07:51
cpaelzerwell, if it would not have loaded the new apparmor, then it would have had a denial07:51
blahdeblahYeah, you would think so... :-\07:51
cpaelzeroh wait07:52
cpaelzermaybe it is vice versa07:52
blahdeblahThe fact that one other person in the world had it suggests to me that there is some kind of obscure bug involved, but I honestly don't think it's worth chasing down.  I think I'll close the bug now that I can't reproduce.07:52
cpaelzerPIDFile=/run/chrony/chronyd.pid is an entry in the .service file07:52
cpaelzermaybe it was using the wrong path there due to your systemd service confusion07:52
cpaelzerscrolling to your old systemctl status in the bug ...07:52
cpaelzernone there and it isn't seen in the askubuntu post07:53
cpaelzertoo bad, I had hoped we might find evidence of it using the wrong path there07:54
cpaelzerI'm looking into file permissions08:02
cpaelzerand hoping to find something with my last system upgrading08:02
cpaelzerbut if not, then this will have to stay incomplete for now :-/08:03
=== cpaelzer_ is now known as cpaelzer
sdezielis there any use to have a source.list entry for security.ubuntu.com when one uses {uk,us}.archive.ubuntu.com which are AFAIK, 2 official primary mirrors run by Canonical directly? AFAIK, security.ubuntu.com is there to ensure a non-Canonical run mirror starts lagging and doesn't publish security fixes quickly enough18:45
tomreynsdeziel: https://wiki.ubuntu.com/SecurityTeam/FAQ#What_repositories_and_pockets_should_I_use_to_make_sure_my_systems_are_up_to_date.3F19:37
tomreynmy understanding is it's not just about who maintains the mirrors but also about how timely updates are pushed to them19:38
tomreyn(and to the different pockets)19:38
sdezieltomreyn: AFAIK, stuff going to -security goes to -updates soon after so that's one reason, are you aware of another? I'm asking cause we are talking about few minutes or maybe hours19:40
tomreynsdeziel: i'm not, but i'm not leosilva (who, according to the /topic, could potentially answer your question)19:41
mdeslaursdeziel: there's no guarantee that mirrors won't enter us and uk, but if it's just canonical ips, there's no reason for security.19:45
sdezielmdeslaur: oh interesting, thanks!19:46
mdeslauryes, security.u.c is to prevent a laggy mirror from not having the latest updates19:46
mdeslaurhrm, I wonder why the uk and us mirors aren't under us and uk https://launchpad.net/ubuntu/+archivemirrors19:47
sarnoldwild guessing, that list is generated by the mirror prober script, and that's not going to be checking our own mirrors19:59
mdeslauryeah, but aren't public mirrors part of our round-robin dns thingy?20:03
sarnoldwe'll use the public mirrors for many of the other country-specific mirrors, eg se.archive.ubuntu.com is donated; a lot of countries have an in-country or nearby-country mirror. I don't *think* those are round-robind, though, I think each country gets *one* such mirror, to prevent problems due to different sync frequencies20:13

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!