[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

Lucas Kanashiro Mon, 07 Oct 2024 12:51:38 -0700

Thanks everyone for testing the package in noble-proposed, appreciated!

For completeness, I followed the whole Test Plan section to make sure we
covered everything.


Running all the scenarios below with the podman package from noble-
proposed:

root@podman-verification:~# dpkg -l | grep podman
ii  podman                          4.9.3+ds1-1ubuntu0.2                    
amd64        tool to manage containers and pods

# Start container in background and then stop it:

root@podman-verification:~# podman run -d --name foo 
docker.io/library/nginx:latest
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob 5b8e768fb22d done   | 
Copying blob 302e3ee49805 done   | 
Copying blob d07412f52e9d done   | 
Copying blob 9ab66c386e9c done   | 
Copying blob 4b563e5e980a done   | 
Copying blob 55af3c8febf2 done   | 
Copying blob 85177e2c6f39 done   | 
Copying config 7f553e8bbc done   | 
Writing manifest to image destination
daba6bb236b4028b5a01a8c80e2dbd7be7bc0a4fba38824894223aab5c6afc9a
root@podman-verification:~# podman stop foo
foo
root@podman-verification:~# podman run --runtime /usr/sbin/runc -d --name 
foo-runc docker.io/library/nginx:latest
6943b725e32579eb1db0fc00a5f0b5a6492023e89f473263cc742ad11785dc22
root@podman-verification:~# podman stop foo-runc
foo-runc

# Verify that container running in foreground TTY can be stopped

## Terminal 1

root@podman-verification:~# podman run -it --name bar --rm 
docker.io/library/ubuntu:22.04
Trying to pull docker.io/library/ubuntu:22.04...
Getting image source signatures
Copying blob 6414378b6477 done   | 
Copying config 97271d29cb done   | 
Writing manifest to image destination
root@a0e2ed1682b8:/# root@podman-verification:~#

## Terminal 2

root@podman-verification:~# podman stop bar
bar
root@podman-verification:~# podman ps -a
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES
root@podman-verification:~# 

# Verify that container running with dumb init can be killed

root@podman-verification:~# podman run -d --name bar --rm --init ubuntu:22.04 
sleep infinity
810d36c6d8623c5a1cf07ff1b1797037adcc380885d768e63097d3f6d8efa818
root@podman-verification:~# podman stop bar
bar

# Verify container processes can signal each other

root@podman-verification:~# podman run ubuntu:22.04 sh -c 'sleep inf & sleep 1 
; kill $!'
root@podman-verification:~# echo $?
0
root@podman-verification:~# podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED     
    STATUS                     PORTS       NAMES
7578c38fd653  docker.io/library/ubuntu:22.04  sh -c sleep inf &...  16 seconds 
ago  Exited (0) 15 seconds ago              angry_bell

# Verify the AppArmor profile contains the -apparmor1 suffix

root@podman-verification:~# podman run -d --name foo 
docker.io/library/nginx:latest
ad9c49e187264b7285a1537c3593524d76a578b63748e0d29462ff9bf891e4d0
root@podman-verification:~# dmesg | grep apparmor1
[  246.075749] audit: type=1400 audit(1728329479.178:253): apparmor="STATUS" 
operation="profile_load" profile="podman" 
name="containers-default-0.57.4-apparmor1" pid=13424 comm="apparmor_parser"

# Verify that podman was included in the reboot required notification if
there are running containers

root@podman-verification:~# dpkg -l | grep podman
ii  podman                          4.9.3+ds1-1ubuntu0.1                    
amd64        tool to manage containers and pods
root@podman-verification:~# podman run -d -e "POSTGRES_HOST_AUTH_METHOD=trust" 
docker.io/library/postgres
Trying to pull docker.io/library/postgres:latest...
Getting image source signatures
Copying blob 302e3ee49805 skipped: already exists  
Copying blob a75b6bd68f08 done   | 
Copying blob db123f79d191 done   | 
Copying blob 0f8c00fde6b5 done   | 
Copying blob faa7319453cb done   | 
Copying blob db22d52fa3c2 done   | 
Copying blob 3bbfa3446e21 done   | 
Copying blob 0b62c3405bb7 done   | 
Copying blob 2b20a8c7ce41 done   | 
Copying blob e7c88e163985 done   | 
Copying blob e5a700d882eb done   | 
Copying blob 28b27d53d86b done   | 
Copying blob bfc263366b3f done   | 
Copying blob e5ff51eeda62 done   | 
Copying config f0dfc903a6 done   | 
Writing manifest to image destination
5b6006d68d9cd76cdf87330512ab6ed432c85ee55c8b9dc3025de79bdd54cece
root@podman-verification:~# podman ps
CONTAINER ID  IMAGE                              COMMAND     CREATED         
STATUS         PORTS       NAMES
5b6006d68d9c  docker.io/library/postgres:latest  postgres    40 seconds ago  Up 
40 seconds              youthful_merkle

[... Upgrade podman to the fixed version in noble-proposed ...]

root@podman-verification:~# dpkg -l | grep podman
ii  podman                          4.9.3+ds1-1ubuntu0.2                    
amd64        tool to manage containers and pods
root@podman-verification:~# cat /var/run/reboot-required.pkgs | grep podman
podman


All the test cases passed as expected. So indeed, we are good to land this to 
noble-updates.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2040483

Title:
  AppArmor denies crun sending signals to containers (stop, kill)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-github-containers-common/+bug/2040483/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

Reply via email to