[Bug 2039294] Re: apparmor docker

2024-04-25 Thread John Johansen
To make this generic so that it will work on older and newer hosts we
should probably change the peer expression to

  signal (receive) peer={runc,unconfined},

or possibly, define an @{runc} variable in the preamble and use that.
This is really only advantageous, in that it shows semantic intent, if
using the value of unconfined, or if @{runc} is used multiple times
within the profile.

  # preamble variable, expands to peer={runc,unconfined}
  @{runc}={runc,unconfined}

  signal (receive) peer=@{runc},

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2039294

Title:
  apparmor docker

To manage notifications about this bug go to:
https://bugs.launchpad.net/docker/+bug/2039294/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2039294] Re: apparmor docker

2024-04-23 Thread Tomáš Virtus
Forgot to attach the profile. Attached here.

** Attachment added: "docker-default"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2039294/+attachment/5769855/+files/docker-default


[Bug 2039294] Re: apparmor docker

2024-04-23 Thread Tomáš Virtus
As a temporary workaround, put the file I have attached to
/etc/apparmor.d/docker-default and load it with "apparmor_parser -Kr
/etc/apparmor.d/docker-default". This will make dockerd skip loading its
builtin profile and use this one instead. The only difference between
the builtin one and this one is the following rule:

  # runc may send signals to container processes
  signal (receive) peer=runc,

I've opened PRs upstream:
- https://github.com/containerd/containerd/pull/10123
- https://github.com/moby/moby/pull/47749

I think I'll need to work a little bit more on them to add rules only
for profiles that exist. (It works even if they don't exist though.)

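To make concrete what the two spellings discussed above (John's `peer={runc,unconfined}` alternation versus an `@{runc}` preamble variable) and Tomáš's `signal (receive) peer=runc,` rule actually permit, here is an added Python example that is not part of the bug thread, the attached docker-default profile, or the AppArmor project's own tooling. It reads the preamble variables and `signal (receive) peer=...` rules of a profile, substitutes variables and expands brace alternation into the set of peer labels allowed to signal the confined processes, and checks that the two spellings grant the same set. The two profile fragments embedded in it are constructed for the example (they are not the attachment), and it understands only the rule shapes shown in this thread, not the full AppArmor grammar.

```python
import re

# Constructed docker-default fragments for this example (not the profile attached
# to the bug): the first spells the peer as a brace alternation, the second
# defines an @{runc} variable in the preamble and uses it in the rule.
PROFILE_ALTERNATION = """
#include <tunables/global>

profile docker-default flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  # runc may send signals to container processes
  signal (receive) peer={runc,unconfined},
}
"""

PROFILE_VARIABLE = """
#include <tunables/global>

@{runc}={runc,unconfined}

profile docker-default flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  signal (receive) peer=@{runc},
}
"""

# Preamble variable definition: @{name}=value [value ...]  (also accepts +=)
VAR_DEF_RE = re.compile(r'^@\{([A-Za-z0-9_]+)\}\s*\+?=\s*(.+?)\s*$')
# Signal rule in the form used in this thread: signal (access...) [set=(...)] peer=EXPR,
SIGNAL_RULE_RE = re.compile(
    r'^signal\s*\(([^)]*)\)\s*(?:set=\(([^)]*)\)\s*)?peer=(\S+?)\s*,$'
)


def expand_alternation(expr):
    """Expand AppArmor brace alternation: '/usr/{bin,sbin}/runc' -> both paths.

    Innermost groups are expanded first, so nested and multiple groups work.
    """
    m = re.search(r'\{([^{}]*)\}', expr)
    if not m:
        return [expr]
    head, tail = expr[:m.start()], expr[m.end():]
    results = []
    for alt in m.group(1).split(','):
        results.extend(expand_alternation(head + alt.strip() + tail))
    return results


def signal_receive_peers(profile_text):
    """Return the set of peer labels a profile lets send it signals.

    Collects @{var} definitions, substitutes them into every
    'signal (receive) peer=...' rule and expands brace alternation.  Only the
    rule shapes seen in this bug are understood, not the full AppArmor grammar.
    """
    variables = {}
    peers = set()
    for raw in profile_text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drops comments and #include lines
        if not line:
            continue
        m = VAR_DEF_RE.match(line)
        if m:
            variables.setdefault(m.group(1), []).extend(m.group(2).split())
            continue
        m = SIGNAL_RULE_RE.match(line)
        if not m:
            continue
        access = {a for a in re.split(r'[,\s]+', m.group(1)) if a}
        if 'receive' not in access:
            continue
        expanded = [m.group(3)]
        for name, values in variables.items():
            token = '@{' + name + '}'
            expanded = [e.replace(token, v) for e in expanded for v in values]
        for e in expanded:
            if '@{' in e:
                raise ValueError(f'undefined variable in peer expression: {e}')
            peers.update(expand_alternation(e))
    return peers


def same_permitted_peers(profile_a, profile_b):
    """True when both profiles grant signal receive from the same peer labels."""
    return signal_receive_peers(profile_a) == signal_receive_peers(profile_b)


if __name__ == '__main__':
    for name, text in (('alternation', PROFILE_ALTERNATION), ('variable', PROFILE_VARIABLE)):
        print(name, sorted(signal_receive_peers(text)))
    print('equivalent:', same_permitted_peers(PROFILE_ALTERNATION, PROFILE_VARIABLE))
```

Running it prints the same two labels for both fragments, which is the point John makes: the variable changes nothing about what is permitted, it only documents intent in one place. The `unconfined` label in the set is what makes the rule tolerant of hosts where no `runc` profile is loaded at all, which is also why Tomáš's rule keeps working even when the profile does not exist.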

[Bug 2039294] Re: apparmor docker

2024-03-11 Thread Georges Varouchas
As a temporary patch on my system, I disabled the apparmor rules for
/usr/sbin/runc.

Following the documentation to disable one single apparmor profile
(link: https://help.ubuntu.com/community/AppArmor#Disable_one_profile ):

```
sudo ln -s /etc/apparmor.d/usr.sbin.runc /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.runc
```

Docker can now send signals to its containers.

---

Re-activating is documented in the next paragraph of the page above:

```
sudo rm /etc/apparmor.d/disable/usr.sbin.runc
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.runc
```

docker stop will not be able to send a signal to its containers anymore.


[Bug 2039294] Re: apparmor docker

2024-03-11 Thread John Johansen
@gvarouchas, you need to be more specific. There are a couple of interrelated
issues in this bug. What is the exact denial message you are getting? They will
look something like the denial messages in comment 5. You can find them using
  sudo dmesg | grep DENIED
or
  journalctl -g apparmor

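To do the triage John asks for above in a repeatable way, here is an added Python example (not from the bug thread and not AppArmor's own tooling such as aa-logprof): it parses the key=value fields of AppArmor audit lines as they appear in `journalctl -g apparmor` or `dmesg` output, keeps only `apparmor="DENIED"` events with `operation="signal"`, summarises them per profile and peer, and renders the narrowest `signal` rule that would cover exactly the signals seen. The log lines embedded in it are constructed to resemble the kernel's format and are not taken from this report.

```python
import re

# Constructed lines in the style of `journalctl -g apparmor` / `dmesg` output.
# They are made up for this example, not copied from the bug report.
SAMPLE_LOG = """\
Mar 11 10:02:17 host kernel: audit: type=1400 audit(1710151337.412:991): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=4821 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="runc"
Mar 11 10:02:17 host kernel: audit: type=1400 audit(1710151337.413:992): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=4821 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="runc"
Mar 11 10:02:18 host kernel: audit: type=1400 audit(1710151338.120:993): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="docker-default" pid=1200 comm="apparmor_parser"
Mar 11 10:02:19 host kernel: audit: type=1400 audit(1710151339.001:994): apparmor="DENIED" operation="open" class="file" profile="docker-default" name="/etc/hostname" pid=4830 comm="sh" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

# key="quoted value" or key=bareword, as written by the AppArmor audit code
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_event(line):
    """Parse one audit line into a dict of its key=value fields.

    Returns None for lines that are not AppArmor events at all.
    """
    if 'apparmor=' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def denied_signal_events(log_text):
    """Yield (profile, peer, signal, requested_mask) for DENIED signal events only."""
    for line in log_text.splitlines():
        ev = parse_apparmor_event(line)
        if not ev or ev.get('apparmor') != 'DENIED' or ev.get('operation') != 'signal':
            continue
        yield (ev['profile'], ev.get('peer', '?'), ev.get('signal', '?'),
               ev.get('requested_mask', ''))


def summarize_denials(log_text):
    """Group DENIED signal events by (profile, peer, mask): count and signal names."""
    summary = {}
    for profile, peer, sig, mask in denied_signal_events(log_text):
        entry = summary.setdefault((profile, peer, mask), {'count': 0, 'signals': set()})
        entry['count'] += 1
        entry['signals'].add(sig)
    return summary


def suggest_rules(log_text):
    """Map each profile to the narrowest signal rules that would cover its denials.

    The set=(...) list is limited to the signals actually seen, which is
    tighter than the unrestricted 'signal (receive) peer=runc,' from the thread.
    """
    rules = {}
    for (profile, peer, mask), entry in summarize_denials(log_text).items():
        sigs = ' '.join(sorted(entry['signals']))
        rules.setdefault(profile, []).append(f'signal ({mask}) set=({sigs}) peer={peer},')
    return rules


if __name__ == '__main__':
    for (profile, peer, mask), entry in summarize_denials(SAMPLE_LOG).items():
        print(f"{profile}: {entry['count']} denied {mask} from peer {peer}, "
              f"signals {sorted(entry['signals'])}")
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(f'rules for {profile}:')
        for rule in rules:
            print('  ' + rule)
```

On a real host, feed it `journalctl -g apparmor --no-pager` output instead of the constructed sample. The file denial and the profile_replace status line are dropped by the filter, which is the distinction John is asking for: only the `operation="signal"` denials against `docker-default` are evidence for this bug, and the `peer=` field tells you whether the sender is labelled `runc` or `unconfined`, which decides which rule from the thread applies.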

[Bug 2039294] Re: apparmor docker

2024-03-11 Thread Georges Varouchas
This issue is also affecting me, and I do not have experience with
apparmor profiles to update the correct file.

Can someone explain in more detail a patch that fixes the issue?
(More precisely: what line should I write? In what file?)


Obviously: it is also a pain to have this issue with the stock system
configuration; I hope this issue gets fixed sooner rather than later.
