[neon/neon/livecd-rootfs/Neon/release] live-build: feat: support kernel with different apparmor feats

John Chittum null at kde.org
Mon May 22 15:24:15 BST 2023


Git commit bd1690bd16c70f9631ee2798514b51ed2dc973d5 by John Chittum.
Committed on 07/04/2023 at 14:30.
Pushed by jriddell into branch 'Neon/release'.

feat: support kernel with different apparmor feats

Jammy HWE is rolling to 5.19. The 5.19 kernel introduced more apparmor
features, specifically ipc. Due to the roll, we now must support builds
with 2 different feature sets.

This specifically affects snap-preseeding, where if a snap_preseed is
run with a mismatched apparmor feature set, snap will require a restart
to match the running kernel's feature set. In the clouds, this can add
somewhere between 5-10s (as of checks on 20230404). This is a large boot
time performance hit.

Implementation is done at the `snap_validate_seed` function level. This
function is called in snap scenarios. It checks for an installed kernel
in the chroot, gets the major.min version, and checks for
apparmor/$KERN. If found, it will do a copy of the directory, providing
a naive override mechanism.

For CPC builds, we are adding a call to `snap_validate_seed` at the end
of affected hooks as well. This is a safe procedure to call, as it
reruns the snap_preseed for all snaps. By running at the end of build
processes, it ensures that any kernel changes done during the build are
taken into account.
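The mechanism the commit message describes (read the chroot's /boot/vmlinuz symlink, take the kernel's major.minor, pick a matching apparmor feature directory) is shown below as an added POSIX sh example. It is not livecd-rootfs code and not the commit's own implementation: the directory layout, the function names and the constructed sample tree under mktemp are assumptions for illustration. It differs from the patch in two deliberate ways: the version is taken from the basename of the symlink target with an anchored `vmlinuz-` match, so a version-like component in the chroot's own path cannot be picked up, and the selected feature set is staged into a per-build directory instead of being copied over the shared generic one, so the choice does not leak into the next build.

```shell
#!/bin/sh
# Added example (not livecd-rootfs code). Paths, names and the sample tree
# below are assumptions for illustration.

# Print MAJOR.MINOR of the kernel that $chroot_root/boot/vmlinuz points at;
# return 1 and print nothing if the chroot has no kernel. Only the basename
# of the resolved target is inspected, so a chroot path such as
# .../chroot-22.04/ can never be mistaken for the kernel version.
chroot_kernel_major_minor() {
    chroot_root=$1
    link="$chroot_root/boot/vmlinuz"
    [ -e "$link" ] || return 1
    target=$(readlink -f -- "$link") || return 1
    target=${target##*/}                      # e.g. vmlinuz-5.19.0-41-generic
    printf '%s\n' "$target" | sed -n 's/^vmlinuz-\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Pick the feature set for this build: $features_base/<major.minor> when that
# directory exists, otherwise $features_base/generic. The chosen directory is
# copied into a fresh $staging directory; the shared tree is never modified,
# so a later build for a different kernel starts from a clean slate.
select_apparmor_features() {
    chroot_root=$1
    features_base=$2
    staging=$3
    [ -n "$staging" ] || return 1
    ver=$(chroot_kernel_major_minor "$chroot_root") || ver=""
    chosen=generic
    if [ -n "$ver" ] && [ -d "$features_base/$ver" ]; then
        chosen=$ver
    fi
    rm -rf -- "$staging"
    mkdir -p -- "$staging"
    cp -R -- "$features_base/$chosen/." "$staging/"
    printf '%s\n' "$chosen"
}

# Constructed sample layout (assumption) so the example runs offline:
# a chroot whose vmlinuz symlink points at a 5.19 kernel, and a feature
# tree with "generic" and "5.19" directories. Prints the temp root.
demo_setup() {
    root=$(mktemp -d)
    mkdir -p "$root/chroot-22.04/boot" "$root/features/generic" "$root/features/5.19"
    echo policy-generic > "$root/features/generic/policy"
    echo policy-5.19 > "$root/features/5.19/policy"
    : > "$root/chroot-22.04/boot/vmlinuz-5.19.0-41-generic"
    ln -s vmlinuz-5.19.0-41-generic "$root/chroot-22.04/boot/vmlinuz"
    printf '%s\n' "$root"
}
```

Usage: `root=$(demo_setup); select_apparmor_features "$root/chroot-22.04" "$root/features" "$root/staged"` prints `5.19` and leaves `$root/features/generic` untouched; a chroot without a kernel falls back to `generic`.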

M  +11   -0    live-build/functions

https://invent.kde.org/neon/neon/livecd-rootfs/commit/bd1690bd16c70f9631ee2798514b51ed2dc973d5

diff --git a/live-build/functions b/live-build/functions
index d1ce2a61..17f2b075 100644
--- a/live-build/functions
+++ b/live-build/functions
@@ -760,6 +760,17 @@ snap_preseed() {
 snap_validate_seed() {
     local CHROOT_ROOT=$1
 
+    if [ -e ${CHROOT_ROOT}/boot/vmlinuz ]; then
+        local kern_major_min=$(readlink --canonicalize --no-newline ${CHROOT_ROOT}/boot/vmlinuz | grep  --extended-regexp --only-matching --max-count 1 '[0-9]+\.[0-9]+')
+        if [ -d /usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min} ]; then
+            # if an Ubuntu version has different kernel apparmor features between LTS and HWE kernels
+            # a snap pre-seeding issue can occur, where the incorrect apparmor features are reported
+            # basic copy of a directory structure overriding the "generic" feature set
+            # which is tied to the LTS kernel
+            cp -R --verbose /usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min}/* /usr/share/livecd-rootfs/live-build/apparmor/generic/
+        fi
+    fi
+
     if [ -e "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml" ]; then
         snap debug validate-seed "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml"
         /usr/lib/snapd/snap-preseed --reset $(realpath "${CHROOT_ROOT}")
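Review bot: the `cp -R --verbose .../apparmor/${kern_major_min}/* .../apparmor/generic/` override is irreversible and targets the shared /usr/share/livecd-rootfs tree on the build host, not the chroot, so after one 5.19 build has run every later build on that host, including an LTS-kernel build for which no apparmor/$KERN directory exists, is seeded with the 5.19 feature set; stage the selected feature set per build instead of mutating generic, or restore generic from a pristine copy before copying over it. Two smaller points in the same hunk: `readlink --canonicalize` returns the full path, so `grep --only-matching --max-count 1 '[0-9]+\.[0-9]+'` picks the first version-looking component anywhere in it (a chroot path containing something like 22.04 would win over the kernel version); match on the basename or anchor on `vmlinuz-`. And `${CHROOT_ROOT}` is unquoted in the `-e` test and the readlink call while the rest of the function quotes it.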



More information about the Neon-commits mailing list