test_apparmor.py failure on CI for Focal rebase job.

[kushaldas]

Description

I could not reproduce it locally.

Steps to Reproduce

• CI job rebase-with-staging-focal fails for this test.

Expected Behavior

• this test should pass.

Actual Behavior

    ______________ test_aa_no_denies_in_syslog[ansible://app-staging] ______________
    [gw0] linux -- Python 3.7.3 /home/sdci/securedrop-source/.venv/bin/python3
    
    host = <testinfra.host.Host ansible://app-staging>
    
        def test_aa_no_denies_in_syslog(host):
            """ Ensure that there are no apparmor denials in syslog """
            with host.sudo():
                f = host.file("/var/log/syslog")
    >           assert 'apparmor="DENIED"' not in f.content_string
    E           assert 'apparmor="DENIED"' not in 'May 21 15:5...ution (-3)\n'
    E             'apparmor="DENIED"' is contained here:
    E               May 21 15:50:44 vagrant systemd[742]: dev-vgvagrant-swap_1.swap: Succeeded.
    E               May 21 15:50:44 vagrant systemd[1]: dev-disk-by\x2did-dm\x2dname\x2dvgvagrant\x2dswap_1.swap: Succeeded.
    E               May 21 15:50:44 vagrant systemd[742]: dev-mapper-vgvagrant\x2dswap_1.swap: Succeeded.
    E               May 21 15:50:44 vagrant systemd[742]: dev-disk-by\x2duuid-2ddc3e3f\x2de53e\x2d4c34\x2db2ed\x2dc209ede45b6c.swap: Succeeded.
    E               May 21 15:50:44 vagrant systemd[742]: dev-disk-by\x2did-dm\x2dname\x2dvgvagrant\x2dswap_1.swap: Succeeded.
    E               May 21 15:50:44 vagrant systemd[742]: dev-...
    E             
    E             ...Full output truncated (6010 lines hidden), use '-vv' to show
    
    ../testinfra/app/test_apparmor.py:134: AssertionError

[emkll]

The full error is:

Nov 26 14:17:53 app-staging kernel: [   98.280181] audit: type=1400 audit(1606400272.996:20): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/proc/sys/kernel/random/boot_id" pid=1891 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

The error occurs at the time the task common: Ensure the system clock is set accurately is run, ntpdate returns with an error that the NTP socket is in use, which happens before packages are updated.

The version of the box in CI is bento/ubuntu-20.04 (libvirt, 202005.21.0)

After downloading the same version on my local machine:

vagrant box add bento/ubuntu-20.04 --provider virtualbox --box-version 202005.21.0
vagrant box mutate bento/ubuntu-20.04 libvirt

I can observe the same test failure locally. It seems like this is due to a package version discrepancy between vagrant boxes.

@kushaldas I am assuming you have a different version here? Which version do you have when you run vagrant box list ?

We can update the CI image to use a more recent version to resolve these issues. It's unclear yet how this will affect the ISO installs on hardware, as 20.04.1 was release late July.

[kushaldas]

Ah, I have an newer version it seems on my box:

bento/ubuntu-20.04        (virtualbox, 202008.16.0)

[emkll]

Closed via #5658 (see https://app.circleci.com/pipelines/github/freedomofpress/securedrop/1450/workflows/8846205f-055d-4b9c-84e3-efcf4f2a76a9/jobs/47377, the single failure is expected in that branch)