AppArmor is restarted after ntpd #177

Open
quulah opened this issue Dec 4, 2017 · 4 comments
quulah commented Dec 4, 2017

Cookbook version

3.5.4, had the same issue with 3.3.1

Chef-client version

12.18.31

Platform Details

Ubuntu 16.04

ntp::apparmor issues a notify to AppArmor after creating the usr.sbin.ntpd profile. I'm not sure if this happens during each run, but sometimes the restart for AppArmor happens after NTP.

This causes issues with (at least) the /etc/ntp.leapseconds file.

Dec 04 09:48:50 test-ubuntu-1604 ntpd[12018]: leapsecond file ('/etc/ntp.leapseconds'): open failed: Permission denied

After restarting NTP by hand on the converged node, it reads the file normally.
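
The ordering described in this report can be checked from a Chef run log and the journal. This is an added example, not code from the ntp cookbook or from anyone in this thread; the `service[ntp]` log line (its recipe name and line number) is constructed, and the function names are hypothetical.

```ruby
# Added example (not cookbook code): detect "ntp restarted before AppArmor".
RESTART_RE = /INFO: Processing service\[(?<svc>[^\]]+)\] action restart \(/
DENIED_RE  = /ntpd\[\d+\]: .*\('(?<path>[^']+)'\): open failed: Permission denied/

# Service names in the order Chef processed their restart actions.
def restart_order(chef_log)
  chef_log.map { |line| (m = RESTART_RE.match(line)) && m[:svc] }.compact
end

# True when the last restart of `service` precedes the last restart of
# AppArmor, i.e. the daemon was started before the final profile reload.
def restarted_before_profile_reload?(chef_log, service: 'ntp', lsm: 'apparmor')
  order = restart_order(chef_log)
  svc_at = order.rindex(service)
  lsm_at = order.rindex(lsm)
  return false if svc_at.nil? || lsm_at.nil?
  svc_at < lsm_at
end

# Paths ntpd reported as unreadable in journal lines.
def denied_paths(journal)
  journal.map { |line| (m = DENIED_RE.match(line)) && m[:path] }.compact.uniq
end

# Constructed sample: the ntp line (recipe name, line number) is made up;
# the apparmor line and the journal line follow the ones quoted in this thread.
SAMPLE_CHEF_LOG = [
  '[2019-01-03T22:43:36+00:00] INFO: Processing service[ntp] action restart (ntp::default line 1)',
  '[2019-01-03T22:43:37+00:00] INFO: Processing service[apparmor] action restart (ntp::apparmor line 20)'
].freeze
SAMPLE_JOURNAL = [
  "Dec 04 09:48:50 test-ubuntu-1604 ntpd[12018]: leapsecond file ('/etc/ntp.leapseconds'): open failed: Permission denied"
].freeze

if restarted_before_profile_reload?(SAMPLE_CHEF_LOG)
  puts "ntp restarted before the AppArmor reload; denied: #{denied_paths(SAMPLE_JOURNAL).join(', ')}"
end
```
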

@florian-asche

      - restart service service[ntp]
[2019-01-03T22:43:37+00:00] INFO: cookbook_file[/etc/apparmor.d/usr.sbin.ntpd] sending restart action to service[apparmor] (delayed)
  Recipe: ntp::apparmor
    * service[apparmor] action restart[2019-01-03T22:43:37+00:00] INFO: Processing service[apparmor] action restart (ntp::apparmor line 20)

      
      ================================================================================
      Error executing action `restart` on resource 'service[apparmor]'
      ================================================================================
      
      Mixlib::ShellOut::ShellCommandFailed
      ------------------------------------
      Expected process to exit with [0], but received '1'
      ---- Begin output of /bin/systemctl --system restart apparmor ----
      STDOUT: 
      STDERR: Job for apparmor.service failed because the control process exited with error code.
      See "systemctl status apparmor.service" and "journalctl -xe" for details.
      ---- End output of /bin/systemctl --system restart apparmor ----
      Ran /bin/systemctl --system restart apparmor returned 1
      
      Resource Declaration:
      ---------------------
      # In /root/chef-solo/local-mode-cache/cache/cookbooks/ntp/recipes/apparmor.rb
      
       20: service 'apparmor' do
       21:   action :nothing
       22: end
       23: 
      
      Compiled Resource:
      ------------------
      # Declared in /root/chef-solo/local-mode-cache/cache/cookbooks/ntp/recipes/apparmor.rb:20:in `from_file'
      
      service("apparmor") do
        action [:nothing]
        default_guard_interpreter :default
        service_name "apparmor"
        enabled nil
        running nil
        masked nil
        pattern "apparmor"
        declared_type :service
        cookbook_name "ntp"
        recipe_name "apparmor"
      end
      
      System Info:
      ------------
      chef_version=13.8.5
      platform=ubuntu
      platform_version=18.04
      ruby=ruby 2.4.3p205 (2017-12-14 revision 61247) [x86_64-linux]
      program_name=chef-solo worker: ppid=11169;start=22:41:11;
      executable=/opt/chef/bin/chef-solo

@florian-asche

root@cloud:~# systemctl status apparmor.service
● apparmor.service - AppArmor initialization
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2019-01-03 23:52:36 CET; 7min ago
     Docs: man:apparmor(7)
           http://wiki.apparmor.net/
  Process: 17149 ExecStart=/etc/init.d/apparmor start (code=exited, status=123)
 Main PID: 17149 (code=exited, status=123)

Jan 03 23:52:35 cloud apparmor[17149]: /sbin/apparmor_parser: Unable to replace "/sbin/dhclient".  Permission denied; attempted to loa
Jan 03 23:52:35 cloud apparmor[17149]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jan 03 23:52:35 cloud apparmor[17149]: /sbin/apparmor_parser: Unable to replace "/usr/bin/man".  Permission denied; attempted to load 
Jan 03 23:52:35 cloud apparmor[17149]: /sbin/apparmor_parser: Unable to replace "/usr/sbin/ntpd".  Permission denied; attempted to loa
Jan 03 23:52:35 cloud apparmor[17149]: /sbin/apparmor_parser: Unable to replace "/usr/sbin/tcpdump".  Permission denied; attempted to 
Jan 03 23:52:36 cloud apparmor[17149]: /sbin/apparmor_parser: Unable to replace "/sbin/dhclient".  Permission denied; attempted to loa
Jan 03 23:52:36 cloud apparmor[17149]:    ...fail!
Jan 03 23:52:36 cloud systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
Jan 03 23:52:36 cloud systemd[1]: apparmor.service: Failed with result 'exit-code'.
Jan 03 23:52:36 cloud systemd[1]: Failed to start AppArmor initialization.

joe4dev added a commit to sealuzh/cwb-chef-repo that referenced this issue Jun 28, 2020
An issue with the ntp recipe breaks the Ubuntu 16.04 build:

```
Ran /bin/systemctl --system restart apparmor returned 1
```

See https://travis-ci.org/github/sealuzh/cwb-chef-repo/builds/702873714

Maybe related to sous-chefs/ntp#177

github-actions bot commented Jan 8, 2021

Marking stale due to inactivity. Remove stale label or comment or this will be closed in 7 days. Alternatively drop by the #sous-chefs channel on the Chef Community Slack and we'll be happy to help! Thanks, Sous-Chefs.

github-actions bot added the Stale label Jan 8, 2021
@florian-asche

Is this problem fixed in newer Ubuntu versions?

github-actions bot removed the Stale label Jan 9, 2021