[Touch-packages] [Bug 1371310] Re: docker.io doesn't work with 3.0 RC1 kernel

** Tags added: kernel-da-key -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1371310 Title: docker.io doesn't work with 3.0 RC1 kernel Status in “apparmor” package in

[Touch-packages] [Bug 1371310] Re: docker.io doesn't work with 3.0 RC1 kernel

This is being caused by a bug fix in apparmor that places tighter requirements on the use of change_onexec from a multi-threaded application. How to best resolve this issue on the apparmor side is being investigated. It is very likely that docker is not using the change_profile api correctly, and

[Touch-packages] [Bug 1371310] Re: docker.io doesn't work with 3.0 RC1 kernel

After discussing on IRC, we will revert the patch enabling stricter requirements to restore previous behavior while we investigate the best approach to resolve the issue properly. ** Changed in: linux (Ubuntu) Status: Confirmed = Triaged ** Changed in: apparmor (Ubuntu) Status: New

[Touch-packages] [Bug 1371310] Re: docker.io doesn't work with 3.0 RC1 kernel

Oh can we also test against the distro kernel that the RC1 patches are based on to ensure that there aren't other changes in play -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.

[Touch-packages] [Bug 1371310] Re: docker.io doesn't work with 3.0 RC1 kernel

a failure in change_profile from unconfined is NOT expected to log a message. Can you please verify that the target profile is loaded. The only reason apparmor rejects change_profile for unconfined is that the profile could not be found. -- You received this bug notification because you are a

[Touch-packages] [Bug 1371310] Re: docker.io doesn't work with 3.0 RC1 kernel

Installing auditd does not help. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1371310 Title: docker.io doesn't work with 3.0 RC1 kernel Status in “apparmor” package

[Touch-packages] [Bug 1371310] Re: docker.io doesn't work with 3.0 RC1 kernel

The target profile is loaded: $ sudo aa-status|grep docker docker-default I tried this on the 3.16.0-9.14 and 3.16.0-16.22 distro kernels. The 'docker run' command succeeds. If I do this: $ sudo docker run -i -t ubuntu:trusty /bin/sh I can verify the container is launched under confinement

[Touch-packages] [Bug 1371310] Re: docker.io doesn't work with 3.0 RC1 kernel

Adding the following to /etc/apparmor.d/docker does not help: audit unix, audit signal, audit ptrace, change_profile - *, -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.

[Touch-packages] [Bug 1371310] Re: docker.io doesn't work with 3.0 RC1 kernel

** Changed in: apparmor (Ubuntu) Importance: Undecided = High ** Changed in: linux (Ubuntu) Importance: Undecided = High -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.