Installing to Ubuntu 24.04 server fails with "unexpected error occurred" in apparmor #14716

Open
jaraco opened this issue Apr 26, 2024 · 0 comments

jaraco commented Apr 26, 2024

Describe the bug

A clear and concise description of what the bug is.

To Reproduce

Steps to reproduce the behavior:

Following the "local install to Ubuntu server", I configured the virtualenv and then ran ./algo:

jaraco@kelvin:/opt/algo$ ./algo

PLAY [localhost] *********************************************************************************************************************************

TASK [Gathering Facts] ***************************************************************************************************************************
ok: [localhost]

TASK [Playbook dir stat] *************************************************************************************************************************
ok: [localhost]

TASK [Ensure Ansible is not being run in a world writable directory] *****************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}
[DEPRECATION WARNING]: Use 'ansible.utils.ipaddr' module instead. This feature will be removed from ansible.netcommon in a release after 
2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[WARNING]: The value '' is not a valid IP address or network, passing this value to ipaddr filter might result in breaking change in future.

TASK [Ensure the requirements installed] *********************************************************************************************************
ok: [localhost]

TASK [Set required ansible version as a fact] ****************************************************************************************************
ok: [localhost] => (item=ansible==9.1.0)

TASK [Just get the list from default pip] ********************************************************************************************************
ok: [localhost]

TASK [Verify Python meets Algo VPN requirements] *************************************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Verify Ansible meets Algo VPN requirements] ************************************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}
[WARNING]: Found variable using reserved name: no_log

PLAY [Ask user for the input] ********************************************************************************************************************

TASK [Gathering Facts] ***************************************************************************************************************************
ok: [localhost]
[Cloud prompt]
What provider would you like to use?
    1. DigitalOcean
    2. Amazon Lightsail
    3. Amazon EC2
    4. Microsoft Azure
    5. Google Compute Engine
    6. Hetzner Cloud
    7. Vultr
    8. Scaleway
    9. OpenStack (DreamCompute optimised)
    10. CloudStack (Exoscale optimised)
    11. Linode
    12. Install to existing Ubuntu latest LTS server (for more advanced users)
  
Enter the number of your desired provider
:

TASK [Cloud prompt] ******************************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] **************************************************************************************************************
ok: [localhost]
[Cellular On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
:

TASK [Cellular On Demand prompt] *****************************************************************************************************************
ok: [localhost]
[Wi-Fi On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi?
[y/N]
:

TASK [Wi-Fi On Demand prompt] ********************************************************************************************************************
ok: [localhost]
[Retain the PKI prompt]
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
[y/N]
:

TASK [Retain the PKI prompt] *********************************************************************************************************************
ok: [localhost]
[DNS adblocking prompt]
Do you want to enable DNS ad blocking on this VPN server?
[y/N]
:

TASK [DNS adblocking prompt] *********************************************************************************************************************
ok: [localhost]
[SSH tunneling prompt]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:

TASK [SSH tunneling prompt] **********************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] **************************************************************************************************************
ok: [localhost]

PLAY [Provision the server] **********************************************************************************************************************

TASK [Gathering Facts] ***************************************************************************************************************************
ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Ubuntu 24.04 LTS (Virtualized: amazon)
Created from git fork. Last commit: 6ce6f5c Use region code instead of name to deploy in non-default Vultr region. (#14713)
Python 3.12.3
Runtime variables:
    algo_provider "local"
    algo_ondemand_cellular "False"
    algo_ondemand_wifi "False"
    algo_ondemand_wifi_exclude "X251bGw="
    algo_dns_adblocking "False"
    algo_ssh_tunneling "False"
    wireguard_enabled "True"
    dns_encryption "True"

TASK [Display the invocation environment] ********************************************************************************************************
changed: [localhost]

TASK [Install the requirements] ******************************************************************************************************************
changed: [localhost]

TASK [Include a provisioning role] ***************************************************************************************************************
[local : pause]
https://trailofbits.github.io/algo/deploy-to-ubuntu.html

Local installation might break your server. Use at your own risk.

Proceed? Press ENTER to continue or CTRL+C and A to abort...:

TASK [local : pause] *****************************************************************************************************************************
ok: [localhost] => (item=https://trailofbits.github.io/algo/deploy-to-ubuntu.html

Local installation might break your server. Use at your own risk.

Proceed? Press ENTER to continue or CTRL+C and A to abort...)
[local : pause]
Enter the IP address of your server: (or use localhost for local installation):
[localhost]
:

TASK [local : pause] *****************************************************************************************************************************
ok: [localhost]

TASK [local : Set the facts] *********************************************************************************************************************
ok: [localhost]
[local : pause]
Enter the public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate)
[localhost]
:

TASK [local : pause] *****************************************************************************************************************************
ok: [localhost]

TASK [local : Set the facts] *********************************************************************************************************************
ok: [localhost]

TASK [Set subjectAltName as a fact] **************************************************************************************************************
ok: [localhost]

TASK [Add the server to an inventory group] ******************************************************************************************************
changed: [localhost]

TASK [Linux | set OS specific facts] *************************************************************************************************************
ok: [localhost]

TASK [Set config paths as facts] *****************************************************************************************************************
ok: [localhost]

TASK [Update config paths] ***********************************************************************************************************************
changed: [localhost]

TASK [debug] *************************************************************************************************************************************
ok: [localhost] => {
    "IP_subject_alt_name": "vpn.jaraco.com"
}
[WARNING]: Reset is not implemented for this connection

TASK [Wait 600 seconds for target connection to become reachable/usable] *************************************************************************
ok: [localhost] => (item=localhost)

PLAY [Configure the server and install required software] ****************************************************************************************

TASK [common : Check the system] *****************************************************************************************************************
ok: [localhost]

TASK [common : include_tasks] ********************************************************************************************************************
included: /opt/algo/roles/common/tasks/ubuntu.yml for localhost

TASK [common : Gather facts] *********************************************************************************************************************
ok: [localhost]

TASK [common : Install unattended-upgrades] ******************************************************************************************************
ok: [localhost]

TASK [common : Configure unattended-upgrades] ****************************************************************************************************
changed: [localhost]

TASK [common : Periodic upgrades configured] *****************************************************************************************************
changed: [localhost]

TASK [common : Disable MOTD on login and SSHD] ***************************************************************************************************
changed: [localhost] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/login'})
changed: [localhost] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/sshd'})
[WARNING]: Module remote_tmp /root/.ansible/tmp did not exist and was created with a mode of 0700, this may cause issues when running as another
user. To avoid this, create the remote_tmp dir with the correct permissions manually

TASK [common : Ensure fallback resolvers are set] ************************************************************************************************
changed: [localhost]
[DEPRECATION WARNING]: Use 'ansible.utils.ipmath' module instead. This feature will be removed from ansible.netcommon in a release after 
2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

TASK [common : Loopback for services configured] *************************************************************************************************
changed: [localhost]

TASK [common : systemd services enabled and started] *********************************************************************************************
ok: [localhost] => (item=systemd-networkd)
ok: [localhost] => (item=systemd-resolved)

RUNNING HANDLER [common : restart systemd-networkd] **********************************************************************************************
changed: [localhost]

RUNNING HANDLER [common : restart systemd-resolved] **********************************************************************************************
changed: [localhost]

TASK [common : Check apparmor support] ***********************************************************************************************************
ok: [localhost]

TASK [common : Set fact if apparmor enabled] *****************************************************************************************************
ok: [localhost]

TASK [common : Define facts] *********************************************************************************************************************
ok: [localhost]

TASK [common : Set facts] ************************************************************************************************************************
ok: [localhost]

TASK [common : Set IPv6 support as a fact] *******************************************************************************************************
ok: [localhost]

TASK [common : Check size of MTU] ****************************************************************************************************************
ok: [localhost]

TASK [common : Set OS specific facts] ************************************************************************************************************
ok: [localhost]

TASK [common : Install tools] ********************************************************************************************************************
changed: [localhost]

TASK [common : include_tasks] ********************************************************************************************************************
included: /opt/algo/roles/common/tasks/iptables.yml for localhost

TASK [common : Iptables configured] **************************************************************************************************************
changed: [localhost] => (item={'src': 'rules.v4.j2', 'dest': '/etc/iptables/rules.v4'})
[DEPRECATION WARNING]: Use 'ansible.utils.next_nth_usable' module instead. This feature will be removed from ansible.netcommon in a release after
 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

TASK [common : Iptables configured] **************************************************************************************************************
changed: [localhost] => (item={'src': 'rules.v6.j2', 'dest': '/etc/iptables/rules.v6'})

TASK [common : Sysctl tuning] ********************************************************************************************************************
changed: [localhost] => (item={'item': 'net.ipv4.ip_forward', 'value': 1})
changed: [localhost] => (item={'item': 'net.ipv4.conf.all.forwarding', 'value': 1})
changed: [localhost] => (item={'item': 'net.ipv6.conf.all.forwarding', 'value': 1})

RUNNING HANDLER [common : restart iptables] ******************************************************************************************************
changed: [localhost]

TASK [dns : Include tasks for Ubuntu] ************************************************************************************************************
included: /opt/algo/roles/dns/tasks/ubuntu.yml for localhost

TASK [dns : Install dnscrypt-proxy] **************************************************************************************************************
changed: [localhost]

TASK [dns : Ubuntu | Configure AppArmor policy for dnscrypt-proxy] *******************************************************************************
changed: [localhost]

TASK [dns : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] *********************************************************************************
ok: [localhost]

TASK [dns : Ubuntu | Ensure that the dnscrypt-proxy service directory exist] *********************************************************************
changed: [localhost]

TASK [dns : Ubuntu | Add custom requirements to successfully start the unit] *********************************************************************
changed: [localhost]

TASK [dns : dnscrypt-proxy ip-blacklist configured] **********************************************************************************************
changed: [localhost]

TASK [dns : dnscrypt-proxy configured] ***********************************************************************************************************
changed: [localhost]

RUNNING HANDLER [dns : restart dnscrypt-proxy] ***************************************************************************************************
changed: [localhost]

TASK [dns : dnscrypt-proxy enabled and started] **************************************************************************************************
ok: [localhost]

TASK [wireguard : Ensure the required directories exist] *****************************************************************************************
changed: [localhost] => (item=configs/vpn.jaraco.com/wireguard//.pki//preshared)
changed: [localhost] => (item=configs/vpn.jaraco.com/wireguard//.pki//private)
changed: [localhost] => (item=configs/vpn.jaraco.com/wireguard//.pki//public)
changed: [localhost] => (item=configs/vpn.jaraco.com/wireguard//apple/ios)
changed: [localhost] => (item=configs/vpn.jaraco.com/wireguard//apple/macos)

TASK [wireguard : Include tasks for Ubuntu] ******************************************************************************************************
included: /opt/algo/roles/wireguard/tasks/ubuntu.yml for localhost

TASK [wireguard : WireGuard installed] ***********************************************************************************************************
changed: [localhost]

TASK [wireguard : Set OS specific facts] *********************************************************************************************************
ok: [localhost]

TASK [wireguard : Generate private keys] *********************************************************************************************************
changed: [localhost] => (item=phone)
changed: [localhost] => (item=laptop)
changed: [localhost] => (item=desktop)
changed: [localhost] => (item=vpn.jaraco.com)

TASK [wireguard : Save private keys] *************************************************************************************************************
changed: [localhost] => (item=None)
changed: [localhost] => (item=None)
changed: [localhost] => (item=None)
changed: [localhost] => (item=None)
changed: [localhost]

TASK [wireguard : Touch the lock file] ***********************************************************************************************************
changed: [localhost] => (item=phone)
changed: [localhost] => (item=laptop)
changed: [localhost] => (item=desktop)
changed: [localhost] => (item=vpn.jaraco.com)

TASK [wireguard : Generate preshared keys] *******************************************************************************************************
changed: [localhost] => (item=phone)
changed: [localhost] => (item=laptop)
changed: [localhost] => (item=desktop)
changed: [localhost] => (item=vpn.jaraco.com)

TASK [wireguard : Save preshared keys] ***********************************************************************************************************
changed: [localhost] => (item=None)
changed: [localhost] => (item=None)
changed: [localhost] => (item=None)
changed: [localhost] => (item=None)
changed: [localhost]

TASK [wireguard : Touch the preshared lock file] *************************************************************************************************
changed: [localhost] => (item=phone)
changed: [localhost] => (item=laptop)
changed: [localhost] => (item=desktop)
changed: [localhost] => (item=vpn.jaraco.com)

TASK [wireguard : Generate public keys] **********************************************************************************************************
ok: [localhost] => (item=phone)
ok: [localhost] => (item=laptop)
ok: [localhost] => (item=desktop)
ok: [localhost] => (item=vpn.jaraco.com)

TASK [wireguard : Save public keys] **************************************************************************************************************
changed: [localhost] => (item=None)
changed: [localhost] => (item=None)
changed: [localhost] => (item=None)
changed: [localhost] => (item=None)
changed: [localhost]

TASK [wireguard : WireGuard user list updated] ***************************************************************************************************
changed: [localhost] => (item=phone)
changed: [localhost] => (item=laptop)
changed: [localhost] => (item=desktop)

TASK [wireguard : set_fact] **********************************************************************************************************************
ok: [localhost]

TASK [wireguard : WireGuard users config generated] **********************************************************************************************
changed: [localhost] => (item=[0, 'phone'])
changed: [localhost] => (item=[1, 'laptop'])
changed: [localhost] => (item=[2, 'desktop'])

TASK [wireguard : include_tasks] *****************************************************************************************************************
included: /opt/algo/roles/wireguard/tasks/mobileconfig.yml for localhost => (item=ios)
included: /opt/algo/roles/wireguard/tasks/mobileconfig.yml for localhost => (item=macos)

TASK [wireguard : WireGuard apple mobileconfig generated] ****************************************************************************************
changed: [localhost] => (item=[0, 'phone'])
changed: [localhost] => (item=[1, 'laptop'])
changed: [localhost] => (item=[2, 'desktop'])

TASK [wireguard : WireGuard apple mobileconfig generated] ****************************************************************************************
changed: [localhost] => (item=[0, 'phone'])
changed: [localhost] => (item=[1, 'laptop'])
changed: [localhost] => (item=[2, 'desktop'])

TASK [wireguard : Generate QR codes] *************************************************************************************************************
ok: [localhost] => (item=[0, 'phone'])
ok: [localhost] => (item=[1, 'laptop'])
ok: [localhost] => (item=[2, 'desktop'])
[DEPRECATION WARNING]: Use 'ansible.utils.ipv4' module instead. This feature will be removed from ansible.netcommon in a release after 
2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: Use 'ansible.utils.ipv6' module instead. This feature will be removed from ansible.netcommon in a release after 
2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

TASK [wireguard : WireGuard configured] **********************************************************************************************************
changed: [localhost]

TASK [wireguard : WireGuard enabled and started] *************************************************************************************************
changed: [localhost]

RUNNING HANDLER [wireguard : restart wireguard] **************************************************************************************************
changed: [localhost]

TASK [strongswan : include_tasks] ****************************************************************************************************************
included: /opt/algo/roles/strongswan/tasks/ubuntu.yml for localhost

TASK [strongswan : Set OS specific facts] ********************************************************************************************************
ok: [localhost]

TASK [strongswan : Ubuntu | Install strongSwan] **************************************************************************************************
changed: [localhost]

TASK [strongswan : Ubuntu | Charon profile for apparmor configured] ******************************************************************************
changed: [localhost]

TASK [strongswan : Ubuntu | Enforcing ipsec with apparmor] ***************************************************************************************
ok: [localhost] => (item=/usr/lib/ipsec/charon)
failed: [localhost] (item=/usr/lib/ipsec/lookip) => {"ansible_loop_var": "item", "changed": false, "cmd": ["aa-enforce", "/usr/lib/ipsec/lookip"], "delta": "0:00:00.338998", "end": "2024-04-26 22:59:20.178878", "item": "/usr/lib/ipsec/lookip", "msg": "non-zero return code", "rc": 1, "start": "2024-04-26 22:59:19.839880", "stderr": "Traceback (most recent call last):\n  File \"/usr/sbin/aa-enforce\", line 33, in <module>\n    tool.cmd_enforce()\n  File \"/usr/lib/python3/dist-packages/apparmor/tools.py\", line 134, in cmd_enforce\n    for (program, prof_filename, output_name) in self.get_next_for_modechange():\n  File \"/usr/lib/python3/dist-packages/apparmor/tools.py\", line 97, in get_next_for_modechange\n    aaui.UI_Info(_('Profile for %s not found, skipping') % output_name)\n                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nTypeError: 'NoneType' object is not callable\n\n\nAn unexpected error occurred!\n\nFor details, see /tmp/apparmor-bugreport-9561bd2j.txt\nPlease consider reporting a bug at https://gitlab.com/apparmor/apparmor/-/issues\nand attach this file.", "stderr_lines": ["Traceback (most recent call last):", "  File \"/usr/sbin/aa-enforce\", line 33, in <module>", "    tool.cmd_enforce()", "  File \"/usr/lib/python3/dist-packages/apparmor/tools.py\", line 134, in cmd_enforce", "    for (program, prof_filename, output_name) in self.get_next_for_modechange():", "  File \"/usr/lib/python3/dist-packages/apparmor/tools.py\", line 97, in get_next_for_modechange", "    aaui.UI_Info(_('Profile for %s not found, skipping') % output_name)", "                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^", "TypeError: 'NoneType' object is not callable", "", "", "An unexpected error occurred!", "", "For details, see /tmp/apparmor-bugreport-9561bd2j.txt", "Please consider reporting a bug at https://gitlab.com/apparmor/apparmor/-/issues", "and attach this file."], "stdout": "", "stdout_lines": []}
ok: [localhost] => (item=/usr/lib/ipsec/stroke)

TASK [include_tasks] *****************************************************************************************************************************
included: /opt/algo/playbooks/rescue.yml for localhost

TASK [debug] *************************************************************************************************************************************
ok: [localhost] => {
    "fail_hint": [
        "Sorry, but something went wrong!",
        "Please check the troubleshooting guide.",
        "https://trailofbits.github.io/algo/troubleshooting.html"
    ]
}

TASK [Fail the installation] *********************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed as requested from task"}

PLAY RECAP ***************************************************************************************************************************************
localhost                  : ok=96   changed=41   unreachable=0    failed=1    skipped=32   rescued=1    ignored=0   

The traceback emitted by apparmor is:

Traceback (most recent call last):
  File "/usr/sbin/aa-enforce", line 33, in <module>
    tool.cmd_enforce()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 134, in cmd_enforce
    for (program, prof_filename, output_name) in self.get_next_for_modechange():
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 97, in get_next_for_modechange
    aaui.UI_Info(_('Profile for %s not found, skipping') % output_name)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: 'NoneType' object is not callable


An unexpected error occurred!

For details, see /tmp/apparmor-bugreport-9561bd2j.txt
Please consider reporting a bug at https://gitlab.com/apparmor/apparmor/-/issues
and attach this file.

The referenced file is attached:

apparmor-bugreport-9561bd2j.txt

Expected behavior

Apparmor shouldn't error when trying to localize a string.

@jaraco jaraco changed the title Installing to Ubuntu 24.04 server fails with "unexpected error occurred" Installing to Ubuntu 24.04 server fails with "unexpected error occurred" in apparmor Apr 26, 2024