From d47847b1a2b983a41099a63954df9b569d414959 Mon Sep 17 00:00:00 2001
From: Stanislav Levin
Date: Mar 30 2021 10:18:09 +0000
Subject: Azure: Warn about Host's AVC and SECCOMP

Azure's VM distro is Ubuntu, which has enabled AppArmor. This security module sometimes interferes with CI Docker containers, but to be completely disabled it requires reboot(this is impossible, at least for now). So, Azure will warn about AVC records in Host's journal as a possible clue. It will be equally important to be warned about SECCOMP records to see possible blocked syscalls(requires SCMP_ACT_LOG as defaultAction in seccomp profile).

Signed-off-by: Stanislav Levin
Reviewed-By: Alexander Bokovoy
---
diff --git a/ipatests/azure/Dockerfiles/seccomp.json b/ipatests/azure/Dockerfiles/seccomp.json
index d5a5631..350f1b4 100644
--- a/ipatests/azure/Dockerfiles/seccomp.json
+++ b/ipatests/azure/Dockerfiles/seccomp.json
@@ -1,5 +1,6 @@
 {
- "defaultAction": "SCMP_ACT_ERRNO",
+ "__defaultAction": "Change defaultAction to SCMP_ACT_LOG and then check Host's journal for SECCOMP",
+ "defaultAction": "SCMP_ACT_ERRNO",
 "archMap": [
 {
 "architecture": "SCMP_ARCH_X86_64",
diff --git a/ipatests/azure/templates/test-jobs.yml b/ipatests/azure/templates/test-jobs.yml
index 69637c2..0132625 100644
--- a/ipatests/azure/templates/test-jobs.yml
+++ b/ipatests/azure/templates/test-jobs.yml
@@ -64,6 +64,16 @@ steps:
 HOST_JOURNAL_PATH="${IPA_TESTS_ENV_WORKING_DIR}/${HOST_JOURNAL}.tar.gz"
 sudo journalctl -b | tee "$HOST_JOURNAL"
 
+ function emit_warning() {
+ printf "##vso[task.logissue type=warning]%s\n" "$1"
+ }
+
+ printf "AVC:\n"
+ grep 'AVC apparmor="DENIED"' "$HOST_JOURNAL" && \
+ emit_warning "There are Host's AVCs. Please, check the logs."
+ printf "SECCOMP:\n"
+ grep ' SECCOMP ' "$HOST_JOURNAL" && \
+ emit_warning "There are reported SECCOMP syscalls. Please, check the logs."
 tar --ignore-failed-read -czf "$HOST_JOURNAL_PATH" "$HOST_JOURNAL"
 condition: succeededOrFailed()
 displayName: Host's systemd journal
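Review bot: The added `"__defaultAction"` key is a comment smuggled into a format that has no comment syntax, so it only works as long as the seccomp profile loader silently ignores unknown fields; that presumably holds for the Docker loader this profile is written for, but it is not a property of the profile format, and a stricter consumer could reject the whole profile. The value itself should say so, so that nobody later treats the key as meaningful, e.g. `"__defaultAction": "NOTE: this key is a comment and is ignored by the loader. Change defaultAction to SCMP_ACT_LOG and then check Host's journal for SECCOMP",`. Note that the journal check the comment points to is the `grep ' SECCOMP '` added to test-jobs.yml in this same commit, so the two should be kept in sync if either pattern or wording changes.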
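Review bot: The two `grep … "$HOST_JOURNAL" && emit_warning …` lines treat a grep failure (exit status 2, e.g. `$HOST_JOURNAL` missing or unreadable after a failed `journalctl`) exactly like "no records found", so the step can silently report a clean host when it did not actually search anything; since this step runs under `condition: succeededOrFailed()`, that is precisely the situation in which the AVC/SECCOMP hint is most wanted. Capturing grep's status and warning on status greater than 1 fixes that, and a small helper avoids duplicating the logic for both patterns. Separately, the literal `' SECCOMP '` pattern assumes the host journal renders kernel audit records with a textual type name; it is worth confirming against a sample line from an Ubuntu host, since a numeric `type=` rendering would never match. The enclosing `script:` step starts before this hunk.
```shell
function emit_warning() {
    printf "##vso[task.logissue type=warning]%s\n" "$1"
}

# Print matching journal lines and warn if any were found.
# A grep error (status > 1) is reported as well instead of being
# mistaken for "no records".
function warn_on_journal() {
    local pattern="$1" message="$2" rc
    grep -e "$pattern" "$HOST_JOURNAL"; rc=$?
    if [ "$rc" -eq 0 ]; then
        emit_warning "$message"
    elif [ "$rc" -gt 1 ]; then
        emit_warning "Cannot search Host's journal for '${pattern}' (grep exit status ${rc})"
    fi
}

printf "AVC:\n"
warn_on_journal 'AVC apparmor="DENIED"' "There are Host's AVCs. Please, check the logs."
printf "SECCOMP:\n"
warn_on_journal ' SECCOMP ' "There are reported SECCOMP syscalls. Please, check the logs."
# … unchanged: tar of the journal …
```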