
[release/1.7] Update AppArmor template to better support rootlesskit #10116

Merged: 1 commit, Apr 23, 2024

Conversation

AkihiroSuda (Member):

Fix containerd/nerdctl issue 2730
> [Rootless] `nerdctl rm` fails when AppArmor is loaded:
> `error="unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied\n: unknown"`

Caused by:
> kernel: audit: type=1400 audit(1713840662.766:122): apparmor="DENIED" operation="signal" class="signal" profile="nerdctl-default" pid=366783 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/local/bin/rootlesskit"

The issue is known to happen on Ubuntu 23.10 and 24.04 LTS.
Doesn't seem to happen on Ubuntu 22.04 LTS.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit eb5a0c0)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
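The audit record above is the whole diagnosis: the `nerdctl-default` profile confined `runc`, and the profile had no rule letting it receive a signal from the `/usr/local/bin/rootlesskit` peer. The following is an added example, not code from this PR or from containerd, showing how a defender can turn such `apparmor="DENIED"` signal records into the missing `signal (receive) peer=...,` rule and check a profile for it. The audit lines and the `nerdctl-default` profile fragment are constructed for the example (the fragment is not the containerd template), and all function names are the example's own.

```python
import re

# Constructed sample audit records. The first is the denial quoted in the PR
# description; the second is an invented file denial included only to show
# that non-signal events are ignored by the rule generator.
SAMPLE_AUDIT_LINES = [
    'kernel: audit: type=1400 audit(1713840662.766:122): apparmor="DENIED" '
    'operation="signal" class="signal" profile="nerdctl-default" pid=366783 '
    'comm="runc" requested_mask="receive" denied_mask="receive" signal=kill '
    'peer="/usr/local/bin/rootlesskit"',
    'kernel: audit: type=1400 audit(1713840700.000:123): apparmor="DENIED" '
    'operation="open" class="file" profile="nerdctl-default" name="/etc/shadow" '
    'pid=366790 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]

# Constructed profile fragment in the shape of a nerdctl-default profile.
# It is NOT the containerd template; it merely lacks the rootlesskit peer rule.
PROFILE_BEFORE = """profile nerdctl-default flags=(attach_disconnected,mediate_deleted) {
  network,
  capability,
  file,
  umount,
  signal (receive) peer=unconfined,
  signal (receive) peer=runc,
}
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_apparmor_audit(line):
    """Return the key=value fields of one AppArmor audit record, or None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]          # strip the surrounding quotes
        fields[key] = value
    return fields


def signal_rule_for_denial(fields):
    """Derive the AppArmor rule that would permit a DENIED signal event.

    Only class="signal" denials with a peer are handled; everything else
    (file, network, ...) yields None. The rule is written in the broad form
    the PR title uses: any signal from that peer, not just the one denied.
    """
    if fields is None or fields.get('apparmor') != 'DENIED':
        return None
    if fields.get('class') != 'signal' or 'peer' not in fields:
        return None
    mask = fields.get('denied_mask') or fields.get('requested_mask')
    return f"signal ({mask}) peer={fields['peer']},"


def rule_present(profile_text, rule):
    """True if the profile already contains the rule (whitespace-insensitive)."""
    wanted = ' '.join(rule.split())
    return any(' '.join(l.split()) == wanted for l in profile_text.splitlines())


def missing_signal_rules(profile_text, audit_lines):
    """Rules implied by the denials that the profile does not yet contain."""
    needed = []
    for line in audit_lines:
        rule = signal_rule_for_denial(parse_apparmor_audit(line))
        if rule and rule not in needed and not rule_present(profile_text, rule):
            needed.append(rule)
    return needed


def patched_profile(profile_text, rules):
    """Insert the rules just before the closing brace of the profile block."""
    body, brace, rest = profile_text.rpartition('}')
    if not brace:
        raise ValueError('profile text has no closing brace')
    return body + ''.join(f'  {r}\n' for r in rules) + brace + rest


if __name__ == '__main__':
    rules = missing_signal_rules(PROFILE_BEFORE, SAMPLE_AUDIT_LINES)
    print('rules to add:', rules)
    print(patched_profile(PROFILE_BEFORE, rules))
```

Run against the constructed input, the only rule produced is `signal (receive) peer=/usr/local/bin/rootlesskit,`, which is exactly what this PR adds to the template; the file denial is ignored. The generator deliberately emits the broad form (any signal from that peer); where a profile should stay tighter, AppArmor's `set=(kill)` qualifier on the same rule limits it to the signal actually seen in the audit record.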
@thaJeztah (Member):

Is this needed for 1.6 as well, or only 1.7?

@thaJeztah (Member) left a review comment:

SGTM

@AkihiroSuda (Member, Author):

> Is this needed for 1.6 as well, or only 1.7?

For nerdctl this is only needed for 1.7 regardless of the daemon version, as nerdctl imports containerd 1.7 as the library for generating the nerdctl-default AppArmor profile.

@thaJeztah (Member):

Ah, didn't consider that it was for library code! Yeah, maybe not needed

@dmcgowan dmcgowan merged commit e412ca7 into containerd:release/1.7 Apr 23, 2024
56 checks passed
@dmcgowan dmcgowan changed the title [release/1.7] apparmor: add signal (receive) peer=/usr/local/bin/rootlesskit, [release/1.7] Add signal (receive) peer=/usr/local/bin/rootlesskit, to AppArmor template Apr 24, 2024
@dmcgowan dmcgowan changed the title [release/1.7] Add signal (receive) peer=/usr/local/bin/rootlesskit, to AppArmor template [release/1.7] Update AppArmor template to better support rootlesskit Apr 25, 2024

4 participants