osmith submitted this change.
ansible: osmocom-obs-worker: add mount-securityfs.service
Fix errors in lxc-start related to not having securityfs available:
[ 14s] booting lxc...
[ 14s] lxc-start: obsbuild:root_6: lsm/apparmor.c: apparmor_prepare: 1132 If you really want to start this container, set
[ 14s] lxc-start: obsbuild:root_6: lsm/apparmor.c: apparmor_prepare: 1133 lxc.apparmor.allow_incomplete = 1
[ 14s] lxc-start: obsbuild:root_6: lsm/apparmor.c: apparmor_prepare: 1134 in your container configuration file
[ 14s] lxc-start: obsbuild:root_6: start.c: lxc_init: 879 Failed to initialize LSM
[ 14s] lxc-start: obsbuild:root_6: start.c: __lxc_start: 2008 Failed to initialize container "obsbuild:root_6"
[ 14s] lxc-start: obsbuild:root_6: tools/lxc_start.c: main: 306 The container failed to start
[ 14s] lxc-start: obsbuild:root_6: tools/lxc_start.c: main: 312 Additional information can be obtained by setting the --logfile and --logpriority options
[ 14s] '/var/cache/obs/worker/root_6/.build/_exitcode' not found or symlink
Usually systemd would mount the securityfs automatically as I understand
it, but it doesn't work anymore without this service in our use case
where osmocom-obs-worker runs inside an LXC itself. This is probably
related to upgrading the opensuse version for the osmocom-obs-worker
containers.
Change-Id: I0c708815440c67340531548361deb326c864aefe
---
A ansible/roles/osmocom-obs-worker/files/mount-securityfs.service
M ansible/roles/osmocom-obs-worker/tasks/obs.yml
2 files changed, 24 insertions(+), 0 deletions(-)
diff --git a/ansible/roles/osmocom-obs-worker/files/mount-securityfs.service b/ansible/roles/osmocom-obs-worker/files/mount-securityfs.service
new file mode 100644
index 0000000..4066aa9
--- /dev/null
+++ b/ansible/roles/osmocom-obs-worker/files/mount-securityfs.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Mount securityfs
+Before=obsworker.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/mount securityfs /sys/kernel/security -t securityfs
+ExecStop=/usr/bin/umount /sys/kernel/security
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
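Review bot: In the [Unit] section, Before=obsworker.service only orders the two units; it does not make obsworker.service depend on the mount having succeeded, so if ExecStart fails the worker still starts and lxc-start fails with the same "Failed to initialize LSM" error. If the worker should not run without securityfs, add RequiredBy=obsworker.service to [Install] (or Requires=mount-securityfs.service on the worker side). The ExecStart line also mounts unconditionally; ConditionPathIsMountPoint=!/sys/kernel/security in [Unit] would skip the unit on hosts where systemd has already mounted it. A short comment in the unit file saying why the manual mount is needed (worker running inside an LXC) would help whoever reads it without the commit message at hand.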
diff --git a/ansible/roles/osmocom-obs-worker/tasks/obs.yml b/ansible/roles/osmocom-obs-worker/tasks/obs.yml
index a0a6227..48024ec 100644
--- a/ansible/roles/osmocom-obs-worker/tasks/obs.yml
+++ b/ansible/roles/osmocom-obs-worker/tasks/obs.yml
@@ -46,6 +46,18 @@
name:
- qemu-arm
+- name: install mount-securityfs.service
+ ansible.builtin.copy:
+ src: mount-securityfs.service
+ dest: /etc/systemd/system/mount-securityfs.service
+
+- name: start and enable the mount-securityfs service
+ systemd:
+ daemon_reload: true
+ state: started
+ name: mount-securityfs.service
+ enabled: yes
+
- name: ensure the systemd service is installed
systemd:
name: obsworker.service
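Review bot: The ansible.builtin.copy task for /etc/systemd/system/mount-securityfs.service sets no owner, group or mode, so the permissions of a root-executed unit file depend on the umask of the connecting user; set them explicitly, e.g. owner: root, group: root, mode: "0644". Nothing restarts the service when the unit file later changes, since state: started is a no-op for an already active oneshot with RemainAfterExit=yes; a notify to a handler would cover that. Style: the new tasks mix the fully qualified ansible.builtin.copy with the short systemd module name, and daemon_reload: true with enabled: yes; pick one form for each.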
To view, visit change 42324.