To make this generic so that it will work on older and newer hosts we
should probably change the peer expression to
signal (receive) peer={runc,unconfined},
or possibly, define an @{runc} variable in the preamble and use that.
This really only is advantageous, in that it shows semantic intent,
Forgot to attach the profile. Attached here.
** Attachment added: "docker-default"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2039294/+attachment/5769855/+files/docker-default
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to
As a temporary workaround, put the file I have attached to
/etc/apparmor.d/docker-default and load it with "apparmor_parser -Kr
/etc/apparmor.d/docker-default". This will make dockerd skip loading its
builtin profile and use this one instead. The only difference between
the builtin one and this
As a temporary patch on my system, I disabled the apparmor rules for
/usr/sbin/runc
Following the documentation to disable one single apparmor profile
(link: https://help.ubuntu.com/community/AppArmor#Disable_one_profile )
:
```
sudo ln -s /etc/apparmor.d/usr.sbin.runc /etc/apparmor.d/disable/
@gvarouchas, you need to be more specific. There are a couple interrelated
issues in this bug. What is the exact Denial message you are getting. The will
look something like the denial messages in comment 5. You can find them using
sudo dmesg | grep DENIED
or
journalctl -g apparmor
--
You
This issue is also affecting me, and I do not have experience with
apparmor profiles to update the correct file.
Can someone explain in more details a patch that fixes the issue ?
(more precisely: what line should I write ? in what file ?)
Obviously: it is also a pain to have this issue with