osmith has submitted this change. ( https://gerrit.osmocom.org/c/osmo-ci/+/42324?usp=email )
Change subject: ansible: osmocom-obs-worker: add mount-securityfs.service
ansible: osmocom-obs-worker: add mount-securityfs.service
Fix errors in lxc-start related to not having securityfs available:
[ 14s] booting lxc...
[ 14s] lxc-start: obsbuild:root_6: lsm/apparmor.c: apparmor_prepare: 1132 If you really want to start this container, set
[ 14s] lxc-start: obsbuild:root_6: lsm/apparmor.c: apparmor_prepare: 1133 lxc.apparmor.allow_incomplete = 1
[ 14s] lxc-start: obsbuild:root_6: lsm/apparmor.c: apparmor_prepare: 1134 in your container configuration file
[ 14s] lxc-start: obsbuild:root_6: start.c: lxc_init: 879 Failed to initialize LSM
[ 14s] lxc-start: obsbuild:root_6: start.c: __lxc_start: 2008 Failed to initialize container "obsbuild:root_6"
[ 14s] lxc-start: obsbuild:root_6: tools/lxc_start.c: main: 306 The container failed to start
[ 14s] lxc-start: obsbuild:root_6: tools/lxc_start.c: main: 312 Additional information can be obtained by setting the --logfile and --logpriority options
[ 14s] '/var/cache/obs/worker/root_6/.build/_exitcode' not found or symlink
Usually systemd would mount the securityfs automatically as I understand it, but it doesn't work anymore without this service in our use case where osmocom-obs-worker runs inside an LXC itself. This is probably related to upgrading the opensuse version for the osmocom-obs-worker containers.
Change-Id: I0c708815440c67340531548361deb326c864aefe
---
A ansible/roles/osmocom-obs-worker/files/mount-securityfs.service
M ansible/roles/osmocom-obs-worker/tasks/obs.yml
2 files changed, 24 insertions(+), 0 deletions(-)
Approvals:
  fixeria: Looks good to me, approved
  Jenkins Builder: Verified
  pespin: Looks good to me, but someone else must approve
diff --git a/ansible/roles/osmocom-obs-worker/files/mount-securityfs.service b/ansible/roles/osmocom-obs-worker/files/mount-securityfs.service new file mode 100644 index 0000000..4066aa9 --- /dev/null +++ b/ansible/roles/osmocom-obs-worker/files/mount-securityfs.service @@ -0,0 +1,12 @@ +[Unit] +Description=Mount securityfs +Before=obsworker.service + +[Service] +Type=oneshot +ExecStart=/usr/bin/mount securityfs /sys/kernel/security -t securityfs +ExecStop=/usr/bin/umount /sys/kernel/security +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target diff --git a/ansible/roles/osmocom-obs-worker/tasks/obs.yml b/ansible/roles/osmocom-obs-worker/tasks/obs.yml index a0a6227..48024ec 100644 --- a/ansible/roles/osmocom-obs-worker/tasks/obs.yml +++ b/ansible/roles/osmocom-obs-worker/tasks/obs.yml @@ -46,6 +46,18 @@ name: - qemu-arm
+- name: install mount-securityfs.service + ansible.builtin.copy: + src: mount-securityfs.service + dest: /etc/systemd/system/mount-securityfs.service + +- name: start and enable the mount-securityfs service + systemd: + daemon_reload: true + state: started + name: mount-securityfs.service + enabled: yes + - name: ensure the systemd service is installed systemd: name: obsworker.service
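Review bot: In mount-securityfs.service, the ExecStart line mounts unconditionally, so on a worker where /sys/kernel/security is already mounted the mount call would fail and leave the oneshot unit in a failed state, which in turn fails the "state: started" task in obs.yml. Consider adding "ConditionPathIsMountPoint=!/sys/kernel/security" to [Unit] so the unit is skipped when the filesystem is already there. Two smaller points on the same file: "Before=obsworker.service" only orders the two units and does not stop obsworker.service from starting if the mount fails, so a Requires= or Wants= relationship on the obsworker side would make the dependency explicit; and the mount is done without "-o nosuid,nodev,noexec", the flags systemd itself applies when it mounts securityfs.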
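Review bot: In obs.yml, the "install mount-securityfs.service" copy task sets no owner, group or mode, so the permissions of /etc/systemd/system/mount-securityfs.service depend on the umask of the Ansible run; adding "owner: root", "group: root" and "mode: '0644'" would pin them. The task also does not notify anything when the file content changes, so an updated unit is reloaded by "daemon_reload: true" but the already started oneshot is not re-run. As a style point, the new tasks mix "ansible.builtin.copy" with the short "systemd" module name, and "daemon_reload: true" with "enabled: yes"; using one boolean spelling and one module naming form within the added block would read more consistently.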