*** This bug is a duplicate of bug 2065423 ***
https://bugs.launchpad.net/bugs/2065423
** This bug has been marked a duplicate of bug 2065423
Update AppArmor template to allow confined runc to kill containers
--
You received this bug notification because you are a member of Ubuntu
Touch s
** Attachment added: "docker-default"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2039294/+attachment/5824926/+files/docker-default
Thanks, but the pastebin gives me "You do not currently have access to
the pastebin."
@lazka: you can use this profile:
https://pastebin.canonical.com/p/VbmH97Rhqp/
I grabbed it from upstream:
https://github.com/moby/moby/blob/master/profiles/apparmor/template.go
Note that for the rule "signal (receive) peer={{.DaemonProfile}}," in the
template I assumed the DaemonProfile is unco
Having updated to Ubuntu 24.04 and Docker failing to stop containers
now, what is the recommended workaround at the moment that I can
recommend to my co-workers?
The workaround in #11 doesn't work as that file doesn't exist on my
machine.
The workaround in #13 seems to work, but has diverged from
To make this generic so that it will work on older and newer hosts we
should probably change the peer expression to
signal (receive) peer={runc,unconfined},
or possibly, define an @{runc} variable in the preamble and use that.
This really only is advantageous, in that it shows semantic intent,
As a temporary workaround, put the file I have attached to
/etc/apparmor.d/docker-default and load it with "apparmor_parser -Kr
/etc/apparmor.d/docker-default". This will make dockerd skip loading its
builtin profile and use this one instead. The only difference between
the builtin one and this one
Forgot to attach the profile. Attached here.
** Attachment added: "docker-default"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2039294/+attachment/5769855/+files/docker-default
As a temporary patch on my system, I disabled the apparmor rules for
/usr/sbin/runc
Following the documentation to disable one single apparmor profile
(link: https://help.ubuntu.com/community/AppArmor#Disable_one_profile ):
```
sudo ln -s /etc/apparmor.d/usr.sbin.runc /etc/apparmor.d/disable/
su
```
@gvarouchas, you need to be more specific. There are a couple of interrelated
issues in this bug. What is the exact denial message you are getting? They will
look something like the denial messages in comment 5. You can find them using
sudo dmesg | grep DENIED
or
journalctl -g apparmor
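The two comments above describe finding the AppArmor signal denial in the logs and then generalising the docker-default peer rule to `peer={runc,unconfined},`. The script below is an added example, not code from this bug thread or from the Docker or AppArmor projects: it parses a constructed denial line in the kernel audit format (the field names `profile`, `denied_mask`, `signal` and `peer` are assumed from how the kernel logs AppArmor signal denials; the pid and timestamp are made up) into the rule that would permit it, and rewrites a constructed docker-default fragment so its receive rule matches both a confined and an unconfined runc.

```shell
#!/bin/sh
# Added example (not from the bug thread or from Docker/AppArmor upstream).
# Turns an AppArmor "signal" denial, as found with
#   sudo dmesg | grep DENIED   or   journalctl -g apparmor
# into the profile rule that would permit it, and shows how to generalise
# the docker-default peer rule so it matches both a confined runc
# (profile "runc") and an unconfined one.

# Constructed sample denial in the kernel audit format; the pid, timestamp
# and ids are made up for this example, not copied from a real system.
SAMPLE_DENIAL='audit: type=1400 audit(1700335230.173:423510): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=12345 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="runc"'

# Extract one key="value" or key=value field from an audit line.
#   $1 = audit line, $2 = key name
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Build the rule that would allow the denied signal inside the confined
# profile, e.g.:  signal (receive) set=(kill) peer=runc,
# Returns 1 if the line is not a signal denial with the fields we need.
rule_from_denial() {
    line=$1
    mask=$(audit_field "$line" denied_mask)
    sig=$(audit_field "$line" signal)
    peer=$(audit_field "$line" peer)
    [ -n "$mask" ] && [ -n "$sig" ] && [ -n "$peer" ] || return 1
    printf 'signal (%s) set=(%s) peer=%s,\n' "$mask" "$sig" "$peer"
}

# Rewrite the narrow upstream rule so it matches hosts where runc is
# confined under the "runc" profile as well as older hosts where it runs
# unconfined. Reads a profile on stdin, writes the rewritten one on stdout.
generalise_peer_rule() {
    sed 's/^\([[:space:]]*signal (receive) \)peer=unconfined,/\1peer={runc,unconfined},/'
}

# Constructed docker-default fragment showing the rule that stops matching
# once runc is confined (not the full upstream profile).
SAMPLE_PROFILE='profile docker-default flags=(attach_disconnected,mediate_deleted) {
  signal (receive) peer=unconfined,
  signal (send,receive) peer=docker-default,
}'

fixed_profile() {
    printf '%s\n' "$SAMPLE_PROFILE" | generalise_peer_rule
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    echo "Denied: $(audit_field "$SAMPLE_DENIAL" profile) receiving from $(audit_field "$SAMPLE_DENIAL" peer)"
    echo "Rule:   $(rule_from_denial "$SAMPLE_DENIAL")"
    echo "Rewritten profile:"
    fixed_profile
fi
```

The rule emitted from the denial is the narrowest one that clears that single log line; the rewritten profile is the generic fix from the comment above, which is what you would load with `apparmor_parser -r` until the packaged profile is updated.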
This issue is also affecting me, and I do not have enough experience with
apparmor profiles to update the correct file.
Can someone explain in more detail a patch that fixes the issue?
(More precisely: what line should I write? In what file?)
Obviously: it is also a pain to have this issue with the
Ideally yes. It will become
profile runc /usr/sbin/runc flags=(default_allow) { }
Ubuntu will have to distro patch for a while.
Slightly related:
> /usr/sbin/runc flags=(unconfined) {
Shouldn't that nowadays be(come)
profile runc /usr/sbin/runc flags=(unconfined) {
Ideally please fix this now, so that the upstream docker profile can use
peer=runc
I have added docker to this report, and we will need to report this to
upstream docker; it is likely, for the time being, that we will look at distro patching docker.
Locally you should be able to add the rule you need and use
apparmor_parser -r to replace the profile until the bug is fixed. To
allow all signals you can
Great job. Just to be clear, I copied the same dmesg line from earlier, as
it was a bit time-consuming to move it from the virtual machine.
runc needs to be able to send any signal.
[35885.316617] audit: type=1400 audit(1700335230.173:423510): apparmor="DENIED"
operation="signal" class="signal" profile="d
The docker-default profile is shipped with, and is part of, docker. It is generated and
loaded by docker; you can see the docker apparmor code here:
https://github.com/moby/moby/tree/master/profiles/apparmor
and the docker-default profile in particular is in
https://github.com/moby/moby/blob/master/profil
Hi,
Just did a fresh minimal install of ubuntu-23.10.1-desktop-amd64.iso
apt install -y docker.io
docker run -d --name=nginx nginx
docker kill -s sigint nginx
Error response from daemon: Cannot kill container: nginx: Cannot kill container
3590b8a55fa29e5df34b1ad7444100652ba9912d42e877c475b181
Are you perhaps mixing Docker packages from one source with Docker
AppArmor profiles from another source?
AppArmor policy around signals is a bit more involved than around files:
- The sending process must have permission to send the signal to the recipient
- The receiving process must have permi
Applies to all signals.
# docker kill -s sigusr1 dynamodb-local
Error response from daemon: Cannot kill container: dynamodb-local: Cannot kill
container fe323ad3ca9648f2e8b59debd22a2439f4709c5fafe3dbf46a0a06f67ba65204:
unknown error after kill: runc did not terminate successfully: exit status 1: