Problem with Supervised install and apparmor

baz123 · April 23, 2020, 5:07pm

I’m getting regular issues with my Supervised HA, installed on Raspbian on an RPi4-4Gb SD boot with the rootfs on an SSD. It seems a soft reboot fails to load the rootfs properly - I say ‘seems’. I think this mornings crash was due to the supervisor update. syslog extract;

Apr 23 02:40:54 hassio systemd[1]: Stopped Hass.io AppArmor.
Apr 23 02:40:54 hassio systemd[1]: Stopping Hass.io AppArmor...
Apr 23 02:40:54 hassio systemd[1]: Starting Hass.io AppArmor...
Apr 23 02:40:54 hassio hassio-apparmor[26405]: Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Apr 23 02:40:54 hassio hassio-apparmor[26405]: Use --subdomainfs to override.
Apr 23 02:40:54 hassio hassio-apparmor[26405]: [Error]: Can't load profile /usr/share/hassio/apparmor/hassio-supervisor
Apr 23 02:40:54 hassio systemd[1]: Started Hass.io AppArmor.

What is hassio-apparmor looking for in /proc/mounts that it cannot find? A hard reboot is fine - and on that occasion there are no log messages about apparmor at all.

Digging around. The last part of this bug report may offer a clue. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921667

[edit]
apparmor is installed but

$ aa-enabled
No - not available on this system.

and

$ sudo apparmor_status
apparmor module is not loaded.

It would seem that on first boot, hassio checks successfully, but on a soft reboot forces the service which fails.

[edit]
Doing some more research, I find that apparmor is not compiled into the kernel of Raspbian - explains the messages above and why it fails . https://www.raspberrypi.org/forums/viewtopic.php?t=257495

I would think that supervisor should check, not for the presence of apparmor, but its availability for use.

HWiese1980 · October 31, 2021, 7:16am

Any chance we’ll get a response here?

francisp · October 31, 2021, 9:19am

If you run a supervised on raspbian, switch to debian.

baz123 · October 31, 2021, 10:36am

This is quite old and things have moved on (notably to Raspberry OS).

However, I did propose a change to core that would not just check to see if apparmour was installed, but actually usable, but I got the ‘not a supported system’ response even though it could happen on any system. I did also suggest a note for the docs which got a similar response.

github.com/home-assistant/home-assistant.io

Include note re Raspbian and apparmour

home-assistant:current ← borpin:patch-1

opened 09:39AM - 26 Apr 20 UTC

borpin

+1 -1

## Proposed change  Add note for Raspbian users not to install apparmour as it is not supported by the kernel. I raise an issue https://github.com/home-assistant/supervisor/issues/1679 that the script call by the service file does not check if apparmour is active, just if it is installed. This causes an error on loading. The suggestion to adjust the service file was rejected so it seems reasonable to tell Raspbian users not to install the package. ## Type of change  - [ ] Spelling, grammar or other readability improvements (`current` branch). - [X] Adjusted missing or incorrect information in the current documentation (`current` branch). - [ ] Added documentation for a new integration I'm adding to Home Assistant (`next` branch). - [ ] I've opened up a PR to add logo's and icons in [Brands repository](https://github.com/home-assistant/brands). - [ ] Added documentation for a new feature I'm adding to Home Assistant (`next` branch). - [ ] Removed stale or deprecated documentation. ## Additional information  - Link to parent pull request in the codebase: - Link to parent pull request in the Brands repository: - This PR fixes or closes issue: ## Checklist  - [X] This PR uses the correct branch, based on one of the following: - I made a change to the existing documentation and used the `current` branch. - I made a change that is related to an upcoming version of Home Assistant and used the `next` branch. - [ ] The documentation follows the Home Assistant documentation [standards][]. [standards]: https://developers.home-assistant.io/docs/documentation_standards.html

francisp · October 31, 2021, 10:55am

I don’t know when it changed, but these days Supervisor actually checks if apparmor is enabled on your system.

baz123 · October 31, 2021, 4:00pm

I think what I discovered is that the current test can show that apparmor exists, without it actually being available to use as it checks for the parser, not if it is complied into the kernel. As you can see from the associated issue I raised, there is an alternative check that can be used to confirm if apparmor is available for use.

Current test

github.com

home-assistant/supervised-installer/blob/f844eb1cf8d4ff86beff5ed400a24dca6d107e77/homeassistant-supervised/usr/sbin/hassio-apparmor#L13-L16

    
      
          # Exists AppArmor
          if ! command -v apparmor_parser > /dev/null 2>&1; then
              echo "[Warning]: No apparmor_parser on host system!"
              exit 0

My test;

# Available for use?
if ! aa-enabled --quiet 2>/dev/null; then
    echo "[Warning]: apparmor not available on host system!"
    exit 0
fi

But the suggestion was rejected.