fix broken apparmor profile and add ci tests

Signed-off-by: jason yang <jasonyangshadow@gmail.com>
JasonYangShadow · Jul 17, 2024 · 64eef4c · 64eef4c
1 parent f79d371
commit 64eef4c
Show file tree

Hide file tree

Showing 6 changed files with 29 additions and 8 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -130,9 +130,24 @@ jobs:
           GO_ARCH: linux-amd64
         run: ./scripts/ci-docker-run
 
+  ubuntu-2310:
+    name: debbuild-ubuntu23
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v2
+      # fetch tags as checkout@v2 doesn't do that by default
+      - run: git fetch --prune --unshallow --tags --force
+
+      - name: Build and test deb under docker
+        env:
+          OS_TYPE: ubuntu
+          OS_VERSION: '23.10'
+          GO_ARCH: linux-amd64
+        run: ./scripts/ci-docker-run
+
   ubuntu-2404:
     name: debbuild-ubuntu24
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v2
       # fetch tags as checkout@v2 doesn't do that by default
@@ -144,7 +159,7 @@ jobs:
           OS_VERSION: 24.04
           GO_ARCH: linux-amd64
         run: ./scripts/ci-docker-run
-
+  
   rpmbuild-rocky8:
     runs-on: ubuntu-22.04
     name: rpmbuild-rocky8

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,7 @@ For older changes see the [archived Singularity change log](https://github.com/a
 
 - Fix sif-embedded overlay partitions for containers that are larger
   than 2 gigabytes.
+- Fix the broken apparmor profile and add ci tests.
 
 ## v1.3.3 - \[2024-07-03\]
 

diff --git a/dist/debian/apparmor-placeholder b/dist/debian/apparmor-placeholder
@@ -1,8 +1,8 @@
 # Permit unprivileged user namespace creation for apptainer starter, placeholder
-abi <abi/4.0>,
+abi <abi/3.0>,
 include <tunables/global>
 
-profile apptainer /usr/lib/@{multiarch}/apptainer/bin/starter{,-suid} flags=(unconfined) {
+profile apptainer /usr/libexec/apptainer/bin/starter{,-suid} flags=(unconfined) {
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/apptainer>
 }

diff --git a/dist/debian/apparmor-userns b/dist/debian/apparmor-userns
@@ -1,8 +1,8 @@
 # Permit unprivileged user namespace creation for apptainer starter
-abi <abi/4.0>,
+abi <abi/3.0>,
 include <tunables/global>
 
-profile apptainer /usr/lib/@{multiarch}/apptainer/bin/starter{,-suid} flags=(unconfined) {
+profile apptainer /usr/libexec/apptainer/bin/starter{,-suid} flags=(unconfined) {
   userns,
 
   # Site-specific additions and overrides. See local/README for details.

diff --git a/dist/debian/rules b/dist/debian/rules
@@ -5,6 +5,7 @@ pkgver = $(shell LC_ALL=C dpkg-parsechangelog --show-field Version )
 
 OS_MAJOR := $(shell grep ^VERSION_ID /etc/os-release | cut -d'=' -f2 | sed 's/\"//gI' | cut -d'.' -f1)
 OS_NAME := $(shell grep ^NAME /etc/os-release | cut -d '=' -f2 | sed 's/\"//gI')
+OS_VERSION := $(shell grep ^VERSION_ID /etc/os-release | cut -d'=' -f2 | sed 's/\"//gI')
 
 # Needed by debchange to set Name and EMAIL in changelog
 # DEBFULLNAME is filtered out by debuild
@@ -97,7 +98,7 @@ override_dh_auto_install:
 	@dh_auto_install -Smakefile -D$(DEB_SC_BUILDDIR)
 	@./scripts/install-dependencies $(pkgdir)/usr/libexec
 # Apparmor userns profile needed on Ubuntu 24.04, or unconfined placeholder for older versions.	
-	if [ $(OS_MAJOR) -gt 23 ] && [[ $(OS_NAME) = "Ubuntu" ]]; then \
+	if ([ $(OS_MAJOR) -gt 23 ] || [ "$(OS_VERSION)" = "23.10" ]) && [ "$(OS_NAME)" = "Ubuntu" ]; then \
 		echo "Ubuntu 24.04 or newer - installing apparmor userns profile"; \
 		install -D -m 644 dist/debian/apparmor-userns $(pkgdir)/etc/apparmor.d/apptainer; \
 	else \

diff --git a/scripts/ci-deb-build-test b/scripts/ci-deb-build-test
@@ -8,6 +8,7 @@
 
 OS_MAJOR=$(grep ^VERSION_ID /etc/os-release | cut -d'=' -f2 | sed 's/\"//gI' | cut -d'.' -f1)
 OS_NAME=$(grep ^NAME /etc/os-release | cut -d '=' -f2 | sed 's/\"//gI')
+OS_VERSION=$(grep ^VERSION_ID /etc/os-release | cut -d'=' -f2 | sed 's/\"//gI')
 
 # install dependencies
 apt-get update
@@ -45,7 +46,7 @@ mv .??* !(src) src
 # switch to an unprivileged user with sudo privileges
 apt-get install -y sudo
 
-if [[ $OS_NAME = "Ubuntu" ]] && [ $OS_MAJOR -gt 23 ]; then
+if [[ $OS_NAME = "Ubuntu" ]] && ([ $OS_MAJOR -gt 23 ] || [[ $OS_VERSION = "23.10" ]]); then
 # uid 1000 is occupied by user 'ubuntu' in ubuntu 24.04, here using a different uid = 1001
     useradd -u 1001 --create-home -s /bin/bash testuser
 else
@@ -82,5 +83,8 @@ su testuser -c '
   debuild --prepend-path $PATH --build=binary --no-sign --lintian-opts --display-info --show-overrides
   sudo dpkg -i ../apptainer*.deb
 
+  cat /etc/apparmor.d/apptainer
   apptainer exec oras://ghcr.io/apptainer/alpine:3.15.0 /bin/true
+  apptainer exec --userns oras://ghcr.io/apptainer/alpine:3.15.0 /bin/true
+  apptainer exec --fakeroot oras://ghcr.io/apptainer/alpine:3.15.0 /bin/true
 '