[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-10-16 Thread Matthew Ames
Installed, and can confirm the problem is now fixed. Thank you. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2040483 Title: AppArmor denies crun sending signals to containers (stop, kill) To manag

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-10-15 Thread Launchpad Bug Tracker
This bug was fixed in the package golang-github-containers-common - 0.57.4+ds1-2ubuntu0.1 --- golang-github-containers-common (0.57.4+ds1-2ubuntu0.1) noble; urgency=medium * d/p/0002-Update-apparmor-profile-to-support-v4.0.0.patch: allow sending signals to containers (LP: #20404

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-10-15 Thread Launchpad Bug Tracker
This bug was fixed in the package libpod - 4.9.3+ds1-1ubuntu0.2 --- libpod (4.9.3+ds1-1ubuntu0.2) noble; urgency=medium * Fix apparmor profile that was blocking containers from being stopped cleanly (LP: #2040483). - Rebuild with fixed golang-github-containers-common to pick

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-10-10 Thread Anders Carling
I can confirm the update in noble-proposed fixed my issues as well (quadlets and manually created systemd services running podman failed to stop due to AppArmor blocking signals). Basically just installed podman/noble-proposed, rebooted (to get all containers restarted) and everything just seemed

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-10-07 Thread Lucas Kanashiro
Thanks everyone for testing the package in noble-proposed, appreciated! For completeness, I followed the whole Test Plan section to make sure we covered everything. Running all the scenarios below with the podman package from noble-proposed: root@podman-verification:~# dpkg -l | grep podman ii

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-10-07 Thread Neil Wilson
The tests are successful with both the crun and runc runtimes.

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-10-07 Thread Neil Wilson
As above, the tests specified for the SRU complete successfully with the new packages installed. ** Tags removed: verification-needed verification-needed-noble ** Tags added: verification-done verification-done-noble ** Tags removed: mantic server-todo

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-10-05 Thread Simeon Ehrig
Hey, tested the patch with the following setup. - run live Ubuntu 24.04.1 from USB stick - installed podman and golang-github-containers-common=0.57.4+ds1-2ubuntu0.1 - created a podman pod with a single container running nginx as root - create systemd file from the pod (`sudo podman generat

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-10-04 Thread Matthew Ames
Hey folks, I've managed to test the new packages (installing podman/noble-proposed and golang-github-containers-common/noble-proposed) and can confirm everything is now working. I used this command to test: ``` $ sudo podman run --rm -d --name nginx nginx ``` Originally when trying to stop this

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-10-04 Thread Timo Aaltonen
Hello Martin, or anyone else affected, Accepted libpod into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libpod/4.9.3+ds1-1ubuntu0.2 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https:

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-10-03 Thread Lucas Kanashiro
@ahasenack I just added the two test cases you mentioned in comment #54 to the Test Plan. ** Description changed: [ Impact ]  * On mantic and noble, when run as root, podman cannot stop any container running in background because crun is being run with a new profile introduced in AppAr

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-10-03 Thread Andreas Hasenack
This SRU cannot yet be verified, because the updated golang-github-containers-common upload is a build-dependency for src:libpod, which is what contains podman and shows the bug.

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-10-03 Thread Andreas Hasenack
@lucaskanashiro, please add another test to the test plan where we check for the changes we did to these packages since the bug was first filed. Namely, I can think of: - that the new apparmor profile has the ApparmorSuffix in it (the new name can be seen in dmesg when it's first loaded) - for p

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-10-03 Thread Andreas Hasenack
** Description changed: [ Impact ]  * On mantic and noble, when run as root, podman cannot stop any container running in background because crun is being run with a new profile introduced in AppArmor v4.0.0 that doesn't have a corresponding signal receive rule in the container's profile.

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-10-02 Thread Lucas Kanashiro
Note for the SRU team: let's make sure to first accept golang-github-containers-common and, once it is built, we can accept libpod. Otherwise, the fix will not be applied to podman.

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-10-01 Thread Andreas Hasenack
> There's a possible additional issue with runc apparmor in > https://bugs.launchpad.net/ubuntu/+source/runc/+bug/2072452 Thank you, I flagged it

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-09-30 Thread Neil Wilson
There's a possible additional issue with runc apparmor in https://bugs.launchpad.net/ubuntu/+source/runc/+bug/2072452 that is affecting k8s in Noble. May be worth testing the fixed package to see if it corrects that as well.

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-09-24 Thread Andreas Hasenack
This is being actively worked on now, please see the linked PR[1] for details. 1. https://code.launchpad.net/~lucaskanashiro/ubuntu/+source/golang-github-containers-common/+git/golang-github-containers-common/+merge/473683

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-09-23 Thread Launchpad Bug Tracker
** Merge proposal linked: https://code.launchpad.net/~lucaskanashiro/ubuntu/+source/golang-github-containers-common/+git/golang-github-containers-common/+merge/473683

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-09-04 Thread Andreas Hasenack
** Tags added: server-todo

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-09-03 Thread Neil Wilson
You are all very welcome to use the version in the Brightbox Experimental PPA (https://launchpad.net/~brightbox/+archive/ubuntu/experimental), which has a Noble update with the fix in it. Bear in mind the title of the PPA: "Here be dragons"

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-09-03 Thread michée
Currently, the only way to make it work is to uninstall apparmor on Noble. Which is a no-go for prod.

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-09-03 Thread Chris Gaffney
Is there any way to fix this locally for podman while we wait for a fix? I've tried changing profiles in /etc/apparmor.d but to no avail.

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-08-26 Thread kompas
Sorry for pinging, but is there any news on the fix for 24.04? I do believe this is a blocker for quite a lot of companies. Taking into account that this is the current LTS version and one of a major tool, I would really hope the fix will arrive soon.

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-08-15 Thread Launchpad Bug Tracker
** Merge proposal linked: https://code.launchpad.net/~zhsj/ubuntu/+source/golang-github-containers-common/+git/golang-github-containers-common/+merge/471325

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-07-16 Thread Brian Murray
Ubuntu 23.10 (Mantic Minotaur) has reached end of life, so this bug will not be fixed for that specific release. ** Changed in: libpod (Ubuntu Mantic) Status: Confirmed => Won't Fix

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-07-07 Thread Guo Le
Sorry, I forgot to paste the URL. Hope this info can be of some help. https://github.com/moby/moby/pull/47749/files#diff-4a7aa58be335398fb04f9f1634143e158146b57c6256a2d605f9eb3c3c53d840

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-07-07 Thread Guo Le
My k8s cluster faces the same problem on Ubuntu 24.04 with containerd 1.7.12. I searched the web and found some info: 1, containerd codes its apparmor profile in go source code. 2, containerd has fixed this issue in recent releases, 1.7.19 or even earlier version. The profile template file now

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-07-03 Thread Simeon Ehrig
Thanks for covering the topic. Unfortunately I have no idea about developing with AppArmor. I'm only a user but I'm fine with waiting a few weeks. At the moment, it only breaks automatic container updates for me. Therefore I need to do it by hand.

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-07-01 Thread Lucas Kanashiro
I can work on this after I finish a couple of other work items I have on my plate right now. I think an estimation would be next month. If anyone else is willing to fix this before I have the time, I'd happily hand it over to you :)

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-06-30 Thread Simeon Ehrig
Please backport the fix to Ubuntu 24.04. It is an essential feature of podman to stop containers.

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-06-28 Thread kompas
Is there any chance the fix will be released for 24.04 as well?

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-06-17 Thread Launchpad Bug Tracker
This bug was fixed in the package libpod - 4.9.4+ds1-1build1 --- libpod (4.9.4+ds1-1build1) oracular; urgency=medium * No change rebuild with new golang-github-containers-common, to pick up apparmor fix (LP: #2040483) -- Andreas Hasenack Mon, 17 Jun 2024 15:43:41 -0300 ** C

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-06-17 Thread Andreas Hasenack
Ok, now it's uploaded to oracular: Uploading libpod_4.9.4+ds1-1build1.dsc Uploading libpod_4.9.4+ds1-1build1.debian.tar.xz Uploading libpod_4.9.4+ds1-1build1_source.buildinfo Uploading libpod_4.9.4+ds1-1build1_source.changes

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-06-17 Thread Andreas Hasenack
For future SRUs, and uploads, also consider: https://github.com/containers/common/issues/2023 And I filed https://github.com/containers/common/issues/2054 upstream for consideration about the upgrade scenario where the apparmor profile was changed, but the upstream version wasn't. ** Bug watch

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-06-17 Thread Andreas Hasenack
Hm, where is my libpod upload? It needs a rebuild after golang-github-containers-common

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-06-14 Thread Launchpad Bug Tracker
This bug was fixed in the package golang-github-containers-common - 0.57.4+ds1-2ubuntu1 --- golang-github-containers-common (0.57.4+ds1-2ubuntu1) oracular; urgency=medium * d/p/apparmor-Allow-confined-runc-crun-to-kill-containers.patch: patch to fix apparmor signal filtering (LP

Re: [Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-06-14 Thread Neil Wilson
It may be more useful to generate a synthetic replacement definition from the go file, and then `apparmor_parser -r` the definition if the definition exists. On Fri, 14 Jun 2024 at 21:30, Andreas Hasenack <2040...@bugs.launchpad.net> wrote: > ** Also affects: libpod (Ubuntu Oracular) >Import

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-06-14 Thread Andreas Hasenack
For some reason I can't assign mantic and noble tasks to golang-github-containers-common, but it also needs fixing there.

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-06-14 Thread Andreas Hasenack
** Also affects: libpod (Ubuntu Oracular) Importance: Undecided Status: Confirmed ** Also affects: golang-github-containers-common (Ubuntu Oracular) Importance: Undecided Status: Confirmed

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-06-14 Thread Andreas Hasenack
I started a pod with the old podman, which loaded the profile containers-default-0.57.4 as expected: [Fri Jun 14 20:12:06 2024] audit: type=1400 audit(1718395926.298:139): apparmor="STATUS" operation="profile_load" profile="podman" name="containers-default-0.57.4" pid=1241 comm="apparmor_parser"

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-06-14 Thread Andreas Hasenack
Preempting an SRU analysis of this bug, for noble, I would ask for more clarification: - make it clearer that while bin:podman has the apparmor profile bits that need fixing, they come from src:golang-github-containers-common. In other words, both packages need to be SRUed, and src:golang-github

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-06-14 Thread Andreas Hasenack
This worked to remove the profile: # echo -n containers-default-0.57.4 > /sys/kernel/security/apparmor/.remove Then of course all running podman containers become unconfined. You can at least stop them, and any new ones you start from now on, the first one will trigger the load of the updated a

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-06-14 Thread Andreas Hasenack
I tested the fix, it's actually ready to sponsor, but I don't know how real deployments out there could use this fix once it's available. The profile is not a file on disk, it's inside the podman binary. There is nothing reloading the fixed profile when the package is upgraded or installed, it's o

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-06-14 Thread Andreas Hasenack
I'm going over this bug in my patch pilot shift, trying to understand all the back and forth that happened.

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-05-22 Thread Neil Wilson
PR accepted upstream. I've backported the patch to the oracular MP above. What needs to be done now to get this into an SRU for noble?

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-05-17 Thread Neil Wilson
PR opened upstream: https://github.com/containers/common/pull/2004

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-05-17 Thread Tomáš Virtus
Thanks Neil, I'll let you handle the upstream. I think what you have in the MP is fine.

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-05-16 Thread Neil Wilson
I've pushed the changes based on your comments to the MP above. I've left the signal set for podman as (int, quit, term, kill). Do you think that signal set should be tighter, or is that a good compromise? If that seems ok with you, I'll happily handle the PR upstream at GitHub.

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-05-16 Thread Tomáš Virtus
Sorry, I missed the conmon-podman denial. Would you mind making a PR to the upstream with your changes, with the issue you posted linked? I think Lucas will not have time until end of week.

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-05-16 Thread Neil Wilson
The debdiff is in the MP above. Podman does try to kill the container itself, as the error trace above testifies. May 14 11:14:41 srv-omzr6 kernel: audit: type=1400 audit(1715685281.392:118): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.4" pid=7458 comm="co

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-05-16 Thread Tomáš Virtus
Also, thanks for linking the podman issue. I'll try to merge the patch upstream, similar to moby and containerd.

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-05-16 Thread Tomáš Virtus
@neil-aldur, did you forget to attach the debdiff? By restricting the signal set you also restrict what $SIG you can put to "podman kill --signal $SIG". I did not realize that there's a podman reference profile as well, but since podman doesn't try to kill the container by itself, I wonder if it

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-05-15 Thread Neil Wilson
Adding the podman signal line, and building a libpod that overrides the default packages eliminates the errors I was getting. All the tests in this ticket pass with the updated packages.

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-05-15 Thread Neil Wilson
I've built a backported 4.9.4 libpod for noble based on an updated golang-github-containers-common including the above patch. It's available from ppa:brightbox/experimental

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-05-15 Thread Neil Wilson
The debdiff I've put together for oracular updates the patch to be a bit more general and cover all the signals I've seen so far in testing. (As well as dropping the other patch that has been incorporated upstream). # Allow certain signals from OCI runtimes (podman, runc and crun) signal (r

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-05-15 Thread Tomáš Virtus
@lucaskanashiro: This patch is for golang-github-containers-common source package. This source package produces golang-github-containers-common-dev binary package, which is just source code on filesystem. But podman binary package, which is produced from libpod source package, has golang-github-co

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-05-14 Thread Neil Wilson
The patch above doesn't work as it stands. We are still getting signal filters in the audit log May 14 11:13:06 srv-omzr6 kernel: audit: type=1400 audit(1715685186.296:112): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.4" pid=8031 comm="3" requested_mask="
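The kernel audit lines quoted in this message and the next one (and the profile_load STATUS line Andreas quotes further down the thread) can be triaged mechanically instead of by eye. The following Python script is an added example for this page, not code from the thread or from the podman or containers-common projects. The sample log is constructed to mirror the quoted events: the STATUS line is the one from the thread, while the DENIED lines are completed with assumed comm, signal and peer values (conmon, term/kill, crun/podman), and one unrelated file denial is included to show the filtering. Attributing a receive-side denial to the confined profile named in profile= (the container profile in this bug) is the rule-placement assumption the script encodes.

```python
"""Triage AppArmor audit events of the kind quoted in this thread: which
containers-default profile the kernel loaded, which signal deliveries it
denied, and the AppArmor signal rule that would permit each denied pair.
Added example; not code from the thread or from podman/containers-common."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample log, shaped like the type=1400 kernel audit messages
# quoted in the thread. The STATUS line mirrors the quoted profile_load event;
# the DENIED lines are completed with assumed comm/signal/peer values, and the
# last line is an unrelated file denial that must not be turned into a rule.
SAMPLE_LOG = """\
[Fri Jun 14 20:12:06 2024] audit: type=1400 audit(1718395926.298:139): apparmor="STATUS" operation="profile_load" profile="podman" name="containers-default-0.57.4" pid=1241 comm="apparmor_parser"
May 14 11:13:06 host kernel: audit: type=1400 audit(1715685186.296:112): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.4" pid=8031 comm="3" requested_mask="receive" denied_mask="receive" signal=term peer="crun"
May 14 11:14:41 host kernel: audit: type=1400 audit(1715685281.392:118): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.4" pid=7458 comm="conmon" requested_mask="receive" denied_mask="receive" signal=kill peer="podman"
May 14 11:14:41 host kernel: audit: type=1400 audit(1715685281.392:119): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.4" pid=7458 comm="conmon" requested_mask="receive" denied_mask="receive" signal=term peer="podman"
May 14 11:15:02 host kernel: audit: type=1400 audit(1715685302.100:120): apparmor="DENIED" operation="open" class="file" profile="containers-default-0.57.4" name="/proc/sysrq-trigger" pid=7460 comm="sh" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

# key=value pairs; the value is either double-quoted or a bare token
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_fields(line: str) -> Dict[str, str]:
    """Return the key=value pairs of one audit line as a dict."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def loaded_profile_names(log: str) -> List[str]:
    """Profile names the kernel reported loading (apparmor="STATUS",
    operation="profile_load"). For podman this is the name that the
    /sys/kernel/security/apparmor/.remove trick in the thread expects."""
    names: List[str] = []
    for line in log.splitlines():
        f = parse_audit_fields(line)
        if f.get("apparmor") == "STATUS" and f.get("operation") == "profile_load":
            names.append(f["name"])
    return names


def signal_denials(log: str) -> List[Dict[str, str]]:
    """Only DENIED events of class=signal; other denials are left alone."""
    events = (parse_audit_fields(line) for line in log.splitlines())
    return [f for f in events
            if f.get("apparmor") == "DENIED" and f.get("class") == "signal"]


def suggest_rules(denials: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each confined profile to the signal rules that would have allowed
    the denied deliveries: one rule per sending peer, carrying the union of
    the signals denied from that peer. A receive-side denial is logged
    against the receiving (confined) profile, so the rule belongs in that
    profile, not in the peer's (assumption stated in the lead-in)."""
    sigs_by_peer: Dict[tuple, set] = defaultdict(set)
    for d in denials:
        if d.get("denied_mask") != "receive":
            continue  # send-side denials would belong in the sender's profile
        sigs_by_peer[(d["profile"], d["peer"])].add(d["signal"])
    rules: Dict[str, List[str]] = defaultdict(list)
    for (profile, peer), sigs in sorted(sigs_by_peer.items()):
        rules[profile].append(
            f"signal (receive) set=({' '.join(sorted(sigs))}) peer={peer},")
    return dict(rules)


if __name__ == "__main__":
    print("loaded profiles:", loaded_profile_names(SAMPLE_LOG))
    for profile, lines in suggest_rules(signal_denials(SAMPLE_LOG)).items():
        print(f"profile {profile} is missing:")
        for rule in lines:
            print("   ", rule)
```

On a real host the input would be `journalctl -k` or `dmesg` output rather than the constructed string. The peer names that show up depend on which profiles confine the sender (the thread's point is that AppArmor 4.0 started confining crun and runc under their own names), so the emitted rules should be read as a diagnosis of which sender/signal pairs the loaded container profile lacks, to be compared against the signal line the patch adds, not pasted in blindly.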

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-05-13 Thread Neil Wilson
To move this on a bit more rapidly as it is a blocking issue for me. It's the same version in Oracular at present. I've pushed the changes as an MP against ubuntu/devel. What needs to happen next?

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-05-13 Thread Neil Wilson
** Merge proposal linked: https://code.launchpad.net/~neil-aldur/ubuntu/+source/golang-github-containers-common/+git/golang-github-containers-common/+merge/465970

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-05-06 Thread Lucas Kanashiro
I also see that you are patching golang-github-containers-common. Does that mean that no patch in libpod is needed? If the answer is yes, we need to mark the libpod tasks as Invalid.

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-05-06 Thread Lucas Kanashiro
Hi Tomáš, Thanks for investigating this issue and providing the patch (MP) to fix it in Noble. However, before fixing it in Noble, we need to fix it in Oracular (development release). Would you like to provide a patch or MP targeting Oracular?

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-04-29 Thread Tomáš Virtus
** Description changed: [ Impact ]  * On mantic and noble, when run as root, podman cannot stop any container running in background because crun is being run with a new profile introduced in AppArmor v4.0.0 that doesn't have a corresponding signal receive rule in the container's profile.

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-04-29 Thread Tomáš Virtus
** Description changed: [ Impact ] - * On mantic and noble, when run as root, podman cannot stop any +  * On mantic and noble, when run as root, podman cannot stop any container running in background because crun is being run with a new profile introduced in AppArmor v4.0.0 that doesn't

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-04-28 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: golang-github-containers-common (Ubuntu) Status: New => Confirmed

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-04-28 Thread Tomáš Virtus
** Description changed: - Mantic's system podman containers are completely broken due to bug - 2040082. However, after fixing that (rebuilding with the patch, or a - *shht don't try this at home* hack [1]), the AppArmor policy still - causes bugs: + [ Impact ] + + * On mantic and noble, when run

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-04-28 Thread Tomáš Virtus
** Merge proposal linked: https://code.launchpad.net/~virtustom/ubuntu/+source/golang-github-containers-common/+git/golang-github-containers-common/+merge/465117

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-04-28 Thread Tomáš Virtus
** Also affects: golang-github-containers-common (Ubuntu) Importance: Undecided Status: New

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-04-23 Thread Tomáš Virtus
There's a similar issue with runc (and containerd and docker) reported here https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2039294 I've opened PRs with a fix upstream: - https://github.com/containerd/containerd/pull/10123 - https://github.com/moby/moby/pull/47749 I think I'll need to wor

[Bug 2040483] Re: AppArmor denies crun sending signals to containers (stop, kill)

2024-03-11 Thread Martin Pitt
** Tags added: cockpit-test