Ubuntu
linux package

linux-gcp 6.8.0-1005.5 (+ others) Noble kernel regression with new apparmor profiles/features

Bug #2061851 reported by Philip Roche
18
This bug affects 4 people
Affects Status Importance Assigned to Milestone
chrony (Ubuntu)
Invalid
Undecided
Unassigned
Noble
Invalid
Undecided
Unassigned
linux (Ubuntu)
Fix Released
Undecided
Unassigned
Noble
Fix Released
Undecided
Unassigned
linux-aws (Ubuntu)
Fix Released
Undecided
Unassigned
Noble
Fix Released
Undecided
Unassigned
linux-azure (Ubuntu)
Fix Released
Undecided
Unassigned
Noble
Fix Released
Undecided
Unassigned
linux-gcp (Ubuntu)
Fix Released
Undecided
Unassigned
Noble
Fix Released
Undecided
Unassigned
linux-ibm (Ubuntu)
Fix Released
Undecided
Unassigned
Noble
Fix Released
Undecided
Unassigned
linux-oracle (Ubuntu)
Fix Released
Undecided
Unassigned
Noble
Fix Released
Undecided
Unassigned
snapd (Ubuntu)
Invalid
Undecided
Unassigned
Noble
Invalid
Undecided
Unassigned

Bug Description

* Canonical Public Cloud discovered that `chronyc -c sources` now fails with `506 Cannot talk to daemon` with the latest kernels. We are seeing this in linux-azure and linux-gcp kernels (6.8.0-1005.5)
* Disabling AppArmor (`sudo systemctl stop apparmor`) completely results in no regression and `chronyc -c sources` returns as expected
* Disabling the apparmor profile for `chronyd` only results in no regression and `chronyc -c sources` returns as expected
* There are zero entries in dmesg when this occurs
* There are zero entries in dmesg when this occurs if the apparmor profile for `chronyd` is placed in complain mode instead of enforce mode
* We changed the time server from the internal GCP metadata.google.internal to the ubuntu time server ntp.ubuntu.com with no change in behaviour

We also noted issues with DNS resolution in snaps like `google-cloud-cli` in GCE images.

* Disabling apparmor completely for snaps too (`sudo systemctl stop snapd.apparmor`) results in no regression and calling the snaps returns as expected.

The same issues are present in azure kernel `linux-azure` `6.8.0-1005.5` and the -proposed `6.8.0-25.25` generic kernel.

This is a release blocker for Noble release

Brian Murray (brian-murray)
tags: added: block-proposed block-proposed-noble
Brian Murray (brian-murray)
tags: removed: block-proposed block-proposed-noble
Brian Murray (brian-murray)
Changed in chrony (Ubuntu Noble):
status: New → Invalid
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 6.8.0-28.28

---------------
linux (6.8.0-28.28) noble; urgency=medium

  * noble/linux: 6.8.0-28.28 -proposed tracker (LP: #2061867)

  * linux-gcp 6.8.0-1005.5 (+ others) Noble kernel regression iwth new apparmor
    profiles/features (LP: #2061851)
    - SAUCE: apparmor4.0.0 [92/90]: fix address mapping for recvfrom

 -- Paolo Pisati <email address hidden> Tue, 16 Apr 2024 18:29:17 +0200

Changed in linux (Ubuntu Noble):
status: New → Fix Released
Ricardo Dias Marques (ricmarques)
summary: - linux-gcp 6.8.0-1005.5 (+ others) Noble kernel regression iwth new
+ linux-gcp 6.8.0-1005.5 (+ others) Noble kernel regression with new
apparmor profiles/features
Philip Roche (philroche)
Changed in snapd (Ubuntu Noble):
status: New → Invalid
Changed in linux-aws (Ubuntu Noble):
status: New → Fix Released
Changed in linux-azure (Ubuntu Noble):
status: New → Fix Released
Changed in linux-gcp (Ubuntu Noble):
status: New → Fix Released
Changed in linux-ibm (Ubuntu Noble):
status: New → Fix Released
Changed in linux-oracle (Ubuntu Noble):
status: New → Fix Released
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-azure/6.8.0-1008.8 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-azure' to 'verification-done-noble-linux-azure'. If the problem still exists, change the tag 'verification-needed-noble-linux-azure' to 'verification-failed-noble-linux-azure'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-azure-v2 verification-needed-noble-linux-azure
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-aws/6.8.0-1009.9 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-aws' to 'verification-done-noble-linux-aws'. If the problem still exists, change the tag 'verification-needed-noble-linux-aws' to 'verification-failed-noble-linux-aws'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-aws-v2 verification-needed-noble-linux-aws
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-gcp/6.8.0-1008.9 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-gcp' to 'verification-done-noble-linux-gcp'. If the problem still exists, change the tag 'verification-needed-noble-linux-gcp' to 'verification-failed-noble-linux-gcp'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-gcp-v2 verification-needed-noble-linux-gcp
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-gke/6.8.0-1004.7 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-gke' to 'verification-done-noble-linux-gke'. If the problem still exists, change the tag 'verification-needed-noble-linux-gke' to 'verification-failed-noble-linux-gke'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-gke-v2 verification-needed-noble-linux-gke
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-raspi-realtime/6.8.0-2004.4 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-raspi-realtime' to 'verification-done-noble-linux-raspi-realtime'. If the problem still exists, change the tag 'verification-needed-noble-linux-raspi-realtime' to 'verification-failed-noble-linux-raspi-realtime'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-raspi-realtime-v2 verification-needed-noble-linux-raspi-realtime
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-ibm/6.8.0-1006.6 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-ibm' to 'verification-done-noble-linux-ibm'. If the problem still exists, change the tag 'verification-needed-noble-linux-ibm' to 'verification-failed-noble-linux-ibm'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-ibm-v2 verification-needed-noble-linux-ibm
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.