PR opened upstream: https://github.com/containers/common/pull/2004
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2040483
Title:
AppArmor denies crun sending signals to containers (stop, kill)
To
Thanks Neil, I'll let you handle the upstream. I think what you have in
the MP is fine.
--
I've pushed the changes based on your comments to the MP above. I've
left the signal set for podman as (int, quit, term, kill).
Do you think that signal set should be tighter, or is that a good
compromise?
If that seems ok with you, I'll happily handle the PR upstream at
GitHub.
--
Sorry, I missed the conmon-podman denial. Would you mind making a PR to
the upstream with your changes with issue you posted linked? I think
Lucas will not have time until end of week.
--
The debdiff is in the MP above.
Podman does try to kill the container itself, as the error trace above
testifies.
May 14 11:14:41 srv-omzr6 kernel: audit: type=1400
audit(1715685281.392:118): apparmor="DENIED" operation="signal"
class="signal" profile="containers-default-0.57.4" pid=7458
Also, thanks for linking the podman issue. I'll try to merge patch
upstream similar to moby and containerd.
--
@neil-aldur, did you forget to attach the debdiff?
By restricting the signal set you also restrict what $SIG you can put to
"podman kill --signal $SIG".
I did not realize that there's a podman reference profile as well, but
since podman doesn't try to kill the container by itself, I wonder if it
Adding the podman signal line, and building a libpod that overrides the
default packages eliminates the errors I was getting.
All the tests in this ticket pass with the updated packages.
--
I've built a backported 4.9.4 libpod for noble based on an updated
golang-github-containers-common including the above patch.
It's available from ppa:brightbox/experimental
--
The debdiff I've put together for oracular updates the patch to be a bit
more general and cover all the signals I've seen so far in testing. (As
well as dropping the other patch that has been incorporated upstream).
# Allow certain signals from OCI runtimes (podman, runc and crun)
signal
@lucaskanashiro: This patch is for golang-github-containers-common
source package. This source package produces golang-github-containers-
common-dev binary package, which is just source code on filesystem. But
podman binary package, which is produced from libpod source package, has
The patch above doesn't work as it stands. We are still getting signal
filters in the audit log
May 14 11:13:06 srv-omzr6 kernel: audit: type=1400 audit(1715685186.296:112):
apparmor="DENIED" operation="signal" class="signal"
profile="containers-default-0.57.4" pid=8031 comm="3"
To move this on a bit more rapidly as it is a blocking issue for me.
It's the same version in Oracular at present. I've pushed the changes as
an MP against ubuntu/devel.
What needs to happen next?
--
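The audit lines quoted in this thread only show the denied operation and the confined profile; the fields that tell you which signal was blocked and from which peer (`signal=`, `peer=`, `requested_mask=`/`denied_mask=`) are what you need to write the matching `signal` rule. The following script is an added example, not code from the bug report or from the containers/common project. It parses kernel audit lines in the format seen above, keeps only AppArmor signal denials, and groups them by confined profile, peer profile and direction so that a single rule in AppArmor's `signal (receive) set=(...) peer=...,` syntax can be drafted per group. The sample lines are constructed for this example (the `comm=` values and the second-to-last ALLOWED line and file denial are made up to show filtering); the field names are the ones AppArmor emits for signal mediation.

```python
import re
from collections import defaultdict

# Constructed sample audit lines, modelled on the denials quoted in the bug.
# Only the signal= / peer= / requested_mask= fields matter for rule drafting.
SAMPLE_AUDIT_LINES = [
    'May 14 11:13:06 srv-omzr6 kernel: audit: type=1400 audit(1715685186.296:112): '
    'apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.4" '
    'pid=8031 comm="sleep" requested_mask="receive" denied_mask="receive" signal=term peer="crun"',
    'May 14 11:14:41 srv-omzr6 kernel: audit: type=1400 audit(1715685281.392:118): '
    'apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.4" '
    'pid=7458 comm="sleep" requested_mask="receive" denied_mask="receive" signal=kill peer="crun"',
    'May 14 11:14:42 srv-omzr6 kernel: audit: type=1400 audit(1715685282.001:119): '
    'apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.4" '
    'pid=7458 comm="sleep" requested_mask="receive" denied_mask="receive" signal=kill peer="podman"',
    # An ALLOWED (complain-mode) event: must not produce a rule suggestion.
    'May 14 11:15:00 srv-omzr6 kernel: audit: type=1400 audit(1715685300.100:120): '
    'apparmor="ALLOWED" operation="signal" class="signal" profile="containers-default-0.57.4" '
    'pid=7460 comm="sleep" requested_mask="receive" denied_mask="receive" signal=int peer="crun"',
    # A file denial: different class, must be ignored by the signal filter.
    'May 14 11:15:01 srv-omzr6 kernel: audit: type=1400 audit(1715685301.000:121): '
    'apparmor="DENIED" operation="open" class="file" profile="containers-default-0.57.4" '
    'pid=7461 comm="sh" name="/etc/shadow" requested_mask="r" denied_mask="r"',
]

# key=value pairs; values are either double-quoted or a bare token (pid=7458, signal=term)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one kernel audit line as a dict, quotes stripped."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def signal_denials(lines):
    """Keep only AppArmor signal DENIED events.

    Returns {(profile, peer, mask): [signal, ...]} with the signal list sorted,
    so each key corresponds to exactly one rule that would resolve the group.
    """
    groups = defaultdict(set)
    for line in lines:
        f = parse_audit_line(line)
        if f.get('apparmor') != 'DENIED' or f.get('operation') != 'signal':
            continue
        key = (f['profile'], f.get('peer', 'unknown'), f.get('denied_mask', 'receive'))
        groups[key].add(f.get('signal', 'unknown'))
    return {k: sorted(v) for k, v in groups.items()}


def suggest_rules(denials):
    """Render one AppArmor signal rule per (profile, peer, mask) group.

    Output syntax follows the OCI runtime profiles, e.g.
        signal (receive) set=(kill, term) peer=crun,
    Returns {profile: [rule, ...]} so the rules can be reviewed per profile
    before being added; a human still decides whether the set is too broad.
    """
    by_profile = defaultdict(list)
    for (profile, peer, mask), sigs in sorted(denials.items()):
        by_profile[profile].append(f'signal ({mask}) set=({", ".join(sigs)}) peer={peer},')
    return dict(by_profile)


if __name__ == '__main__':
    for profile, rules in suggest_rules(signal_denials(SAMPLE_AUDIT_LINES)).items():
        print(f'# rules to review for profile {profile}')
        for rule in rules:
            print('  ' + rule)
```

On a real host the input would be `journalctl -k` or `/var/log/audit/audit.log` output rather than the constructed list. The grouping by `peer=` is the important part: a rule that names the runtime's profile as the peer (as the thread's patch does for podman, runc and crun) is much narrower than a bare `signal (receive),`, and the per-group signal set lets a reviewer see whether the (int, quit, term, kill) compromise discussed above actually covers everything observed.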
** Merge proposal linked:
https://code.launchpad.net/~neil-aldur/ubuntu/+source/golang-github-containers-common/+git/golang-github-containers-common/+merge/465970
--
I also see that you are patching golang-github-containers-common. Does
that mean that no patch in libpod is needed? If the answer is yes, we
need to mark the libpod tasks as Invalid.
--
Hi Tomáš,
Thanks for investigating this issue and providing the patch (MP) to fix
it in Noble. However, before fixing it in Noble, we need to fix it in
Oracular (development release). Would you like to provide a patch or MP
targeting Oracular?
--
** Description changed:
[ Impact ]
* On mantic and noble, when run as root, podman cannot stop any
container running in background because crun is being run with a new
profile introduced in AppArmor v4.0.0 that doesn't have corresponding
signal receive rule container's profile.
** Description changed:
[ Impact ]
- * On mantic and noble, when run as root, podman cannot stop any
+ * On mantic and noble, when run as root, podman cannot stop any
container running in background because crun is being run with a new
profile introduced in AppArmor v4.0.0 that doesn't
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: golang-github-containers-common (Ubuntu)
Status: New => Confirmed
--
** Description changed:
- Mantic's system podman containers are completely broken due to bug
- 2040082. However, after fixing that (rebuilding with the patch, or a
- *shht don't try this at home* hack [1]), the AppArmor policy still
- causes bugs:
+ [ Impact ]
+
+ * On mantic and noble, when
** Merge proposal linked:
https://code.launchpad.net/~virtustom/ubuntu/+source/golang-github-containers-common/+git/golang-github-containers-common/+merge/465117
--
** Also affects: golang-github-containers-common (Ubuntu)
Importance: Undecided
Status: New
--
There's a similar issue with runc (and containerd and docker) reported
here https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2039294
I've opened PRs with a fix upstream:
- https://github.com/containerd/containerd/pull/10123
- https://github.com/moby/moby/pull/47749
I think I'll need to
** Tags added: cockpit-test
--