This bug was fixed in the package containerd-app -
1.7.19+really1.7.12-0ubuntu4.2
---
containerd-app (1.7.19+really1.7.12-0ubuntu4.2) noble; urgency=medium
* Allow confined runc to kill containers. (LP: #2065423)
- d/p/Apparmor-allow-kill.patch: Update AppArmor template to allow
containerd noble verification:
Installed containerd 1.7.12-0ubuntu4.1
I could not stop the container, as described in the test plan.
Now, with the version from proposed (1.7.19+really1.7.12-0ubuntu4.2):
Before a system reboot, I could still not stop containers, although,
changing the apparmor p
Hello Sebastian, or anyone else affected,
Accepted containerd-app into noble-proposed. The package will build now
and be available at https://launchpad.net/ubuntu/+source/containerd-
app/1.7.19+really1.7.12-0ubuntu4.2 in a few hours, and then in the
-proposed repository.
Please help us by testing
** Description changed:
[ Impact ]
apparmor denies signals from runc, making stopping containers (a
basic/core feature of most container runtimes) infeasible.
[ Test Plan ]
A basic case would include
running a container and trying to stop it as described in the podman SRU
tes
** Merge proposal linked:
https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/containerd-app/+git/containerd-app/+merge/477430
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2065423
Title:
Update AppArmor template to allow confined runc to kill containers
** Changed in: containerd-app (Ubuntu Noble)
Status: Fix Released => Triaged
** Changed in: containerd-app (Ubuntu Noble)
Importance: Undecided => High
Opened https://bugs.launchpad.net/ubuntu/+source/containerd-
app/+bug/2089704 to handle this regression.
We stopped phasing of this earlier today after it was spotted (was at
30%).
Now after evaluating this a bit more it is indeed wrong and this needs
to be re-done - no need to keep this update in -proposed.
The current intention, until we know better, is to move O/P to 2.0
proper (no rc3 anymore) a
** Tags added: regression-update
Looks like the containerd-app doesn't contain the version it should:
$ dget -x -u https://code.launchpad.net/ubuntu/+archive/primary/+sourcefiles/containerd-app/1.7.19-0ubuntu1~24.04.1/containerd-app_1.7.19-0ubuntu1~24.04.1.dsc
$ sha256sum containerd-app_1.7.19.orig.tar.gz
This bug was fixed in the package docker.io-app -
26.1.3-0ubuntu1~24.04.1
---
docker.io-app (26.1.3-0ubuntu1~24.04.1) noble; urgency=medium
* Backport from oracular to noble. (LP: #2040461)
- d/t/docker-in-lxd: workaround Apparmor/kernel bug. (LP #2067900)
- Update AppArmor
This bug was fixed in the package containerd-app -
1.7.19-0ubuntu1~24.04.1
---
containerd-app (1.7.19-0ubuntu1~24.04.1) noble; urgency=medium
* Backport from oracular to noble. (LP: #2040461)
- d/containerd.postinst: notify that a reboot is required to reload the
AppArmor
I followed the test plan for noble and got the following results:
With docker.io 24.0.7-0ubuntu4.1 and containerd 1.7.12-0ubuntu4.1, I
could not stop the container, as described in the test plan.
Installing the packages from noble-proposed, docker.io
26.1.3-0ubuntu1~24.04 and containerd 1.7.19-0u
Given the verification is complete with the verification-done-noble tag
set, what is the expected timeline for the fixed packages to transition
from noble-proposed to noble-updates so they are available to all Ubuntu
24.04 users?
Hello Sebastian, or anyone else affected,
Accepted containerd-app into focal-proposed. The package will build now
and be available at https://launchpad.net/ubuntu/+source/containerd-
app/1.7.19-0ubuntu1~20.04.1 in a few hours, and then in the -proposed
repository.
Please help us by testing this n
Hello Sebastian, or anyone else affected,
Accepted containerd-app into jammy-proposed. The package will build now
and be available at https://launchpad.net/ubuntu/+source/containerd-
app/1.7.19-0ubuntu1~22.04.1 in a few hours, and then in the -proposed
repository.
Please help us by testing this n
In jammy's containerd-app upload, I'm seeing a lot of churn in the
debian patches. For example, patches 0004 and 0005 are being removed
again, but they were not being applied anyway via d/p/series. This is a
mistake in previous uploads. These two patches were added in
1.7.2-0ubuntu1[1], then first
The noble-proposed version of containerd fixed this bug for me as well
in kubernetes.
I created an nginx deployment, did 'kubectl delete pod '.
With the noble version, this hangs, and journal on the node running the
pod shows failure of runc to receive the signals. With noble-proposed
version, ku
The Canonical public cloud team starts to produce Noble based EKS images
and we ran into this problem, too.
I did install containerd from proposed on the EKS (version 1.31) cluster
under test and that fixed the problem.
Hello. I've tested the noble-proposed packages on 24.04 amd64 and
aarch64, signals are fixed after a reboot as expected, containers are
being stopped normally.
Upgrading docker.io to 26.1.3-0ubuntu1 does the job, while containerd
version doesn't seem to be a factor.
** Tags removed: verification-
Hello Sebastian, or anyone else affected,
Accepted docker.io-app into noble-proposed. The package will build now
and be available at https://launchpad.net/ubuntu/+source/docker.io-
app/26.1.3-0ubuntu1~24.04.1 in a few hours, and then in the -proposed
repository.
Please help us by testing this new
Ok, jammy and earlier not affected
In src:docker.io-app, why does the jammy and focal uploads not have the
same postinst snippet from noble to recommend a reboot if upgrading from
a version affected by the missing apparmor rule? Did I miss something
and we don't need it there?
Please amend the test plan with a check for the reboot notification on
upgrading from an affected version of docker.io-app.
I was able to go through all the uploads that were in unapproved and
clean the duplicated ones out.
Before:
containerd-app | 1.7.19-0ubuntu1~20.04.1 | focal/unapproved/6c08773 | source
containerd-app | 1.7.19-0ubuntu1~20.04.1 | focal/unapproved/771036d | source
containerd-app | 1.7.19-0ubuntu1~20.
Packages are uploaded to unapproved, I'll try to review them off-shift,
today.
Any news on this issue? I had to manually build the docker.io package
with the patch applied.
Thanks, Andreas, Tianon.
I updated the test plan with a more straightforward approach for both
docker and containerd. I also added a snippet in both packages' postinst
files to suggest a system reboot. Uploaded both to the noble queue.
Some comments about the test plan
a) this doesn't really fail:
> $ docker stop $(docker run --rm -d nginx)
ubuntu@n-docker:~$ docker stop $(docker run --rm -d nginx)
ad785200873f04a96e424fc92c467414c40df005d54ee7d16c589c3d42da4322
ubuntu@n-docker:~$ echo $?
0
But dmesg shows:
[Thu Oct 24 17:42:
You could also do something like `timeout 10s docker stop -t -1
container-name`, or even `docker kill -sTERM container-name` and then
checking whether the container actually stopped (with an appropriate
delay in case NGINX actually *does* start shutting down and just takes a
little bit).
** Description changed:
[ Impact ]
apparmor denies signals from runc, making stopping containers (a
basic/core feature of most container runtimes) infeasible.
[ Test Plan ]
A basic case would include
- running a container and stopping it as described in the podman SRU testplan
** Changed in: containerd-app (Ubuntu Noble)
Assignee: (unassigned) => Athos Ribeiro (athos-ribeiro)
** Changed in: docker.io-app (Ubuntu Noble)
Assignee: (unassigned) => Athos Ribeiro (athos-ribeiro)
'docker wait' might be handy, it prints the container's exit code.
$ CT=$(docker run -d nginx); docker stop $CT > /dev/null && docker wait
$CT; docker rm $CT > /dev/null
Would print 0 (graceful exit) when the signals are coming through, and
137 (killed with SIGKILL) on a buggy distro
root@noble
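The two comments above suggest three checks: stop the container with a bounded timeout (or send SIGTERM with `docker kill -sTERM`), read the exit code that `docker wait` reports, and look in dmesg for the AppArmor denial. The script below is an added example, not code from the bug thread or from the Ubuntu packages, that puts those checks together. It assumes docker, timeout and the nginx image are available on the host; the dmesg line embedded in it is constructed, modelled on the AppArmor audit format, and real lines will differ in pids, timestamps and profile names.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the Ubuntu packages.
# Verifies whether a container stops gracefully, combining the checks
# suggested in the thread: stop with a timeout, read the exit code that
# `docker wait` reports, and count AppArmor signal denials in dmesg.

# Map the exit code reported by `docker wait` to a verdict.
#   0   -> the process received SIGTERM and exited on its own
#   137 -> 128 + 9: the runtime fell back to SIGKILL, so SIGTERM never arrived
classify_exit_code() {
  case "$1" in
    0)   echo "graceful" ;;
    137) echo "sigkill" ;;
    *)   echo "other" ;;
  esac
}

# Count AppArmor denials of signal delivery in the text read from stdin
# (typically `dmesg` or `journalctl -k` output). Always prints a number.
count_signal_denials() {
  grep -c 'apparmor="DENIED" operation="signal"' || true
}

# Constructed sample, modelled on the AppArmor audit line format; a real line
# on an affected host carries different pids, timestamps and profile names.
SAMPLE_DMESG='[ 1234.567890] audit: type=1400 audit(1729791734.123:456): apparmor="DENIED" operation="signal" class="signal" profile="cri-containerd.apparmor.d" pid=4321 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="runc"
[ 1234.567891] docker0: port 1(vethabc123) entered disabled state'

# End-to-end check against a live Docker daemon (assumed: docker, timeout and
# the image are available). Prints the verdict and returns non-zero when the
# container had to be SIGKILLed or a denial was logged.
check_container_stop() {
  image="${1:-nginx}"
  ct=$(docker run -d "$image") || return 2
  # -t 30 gives the container 30 s before docker stop escalates to SIGKILL;
  # timeout bounds the whole call in case the daemon itself hangs.
  timeout 60s docker stop -t 30 "$ct" > /dev/null
  code=$(docker wait "$ct")
  docker rm "$ct" > /dev/null
  verdict=$(classify_exit_code "$code")
  denials=$(dmesg 2>/dev/null | count_signal_denials)
  echo "exit code $code ($verdict), apparmor signal denials in dmesg: $denials"
  [ "$verdict" = graceful ] && [ "$denials" -eq 0 ]
}

# Run the live check only when asked, so the helpers can be sourced or tested
# without a Docker daemon:  sh check-stop.sh run [image]
if [ "${1:-}" = "run" ]; then
  check_container_stop "${2:-nginx}"
fi
```

Run it as `sh check-stop.sh run` on the host under test: exit code 0 with no denials is the fixed behaviour, 137 together with a logged denial is the bug described in this report. Note that `docker stop` itself returns 0 in both cases, which is why the exit code comes from `docker wait` rather than from the stop command.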
** Description changed:
[ Impact ]
apparmor denies signals from runc, making stopping containers (a
basic/core feature of most container runtimes) infeasible.
[ Test Plan ]
A basic case would include
running a container and stopping it:
$ docker stop $(docker run --rm -d ngi
** Changed in: runc-app (Ubuntu Noble)
Status: Confirmed => Invalid
** Description changed:
- Is there any chance that this PR can be implemented to current Ubuntu
- release?
+ [ Impact ]
- Because as for now apparmor denies signals from runc and this results in
- many pods kept in Term
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: docker.io-app (Ubuntu Noble)
Status: New => Confirmed
** Also affects: runc-app (Ubuntu)
Importance: Undecided
Status: New
** Changed in: runc-app (Ubuntu)
Status: New => Fix Released
** No longer affects: runc-app (Ubuntu Focal)
** No longer affects: runc-app (Ubuntu Jammy)
** No longer affects: containerd-app (Ubuntu Focal)
**
Important to note that this bug is a sure way to corrupt user data in
production environments.
E.g. databases running in Docker containers have no clue that they're
being asked to shut down gracefully, because of blocked signals. When
under load, a database would be forcefully killed with SIGKILL
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: runc-app (Ubuntu Noble)
Status: New => Confirmed
Any updates for this on Ubuntu 24.04? It's been quite a while, this is
really daunting.
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: containerd-app (Ubuntu Noble)
Status: New => Confirmed
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: containerd-app (Ubuntu Jammy)
Status: New => Confirmed
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: containerd-app (Ubuntu Focal)
Status: New => Confirmed
Thank you for the clarification and thank you for your work! Cheers!
It is fixed in the development release (when there is not specific
series the default is development, in this case oracular). I am adding
tasks for the supported series as well.
The backport is a follow-up work. The server team will be doing that
once we find the time.
** Also affects: containerd
I can see the updated package in oracular, but noble is still at
1.7.12-0ubuntu4.
Will the package be updated in noble as well? Without, I wouldn't
consider that fixed.
Thanks for your efforts, cheers!
This bug was fixed in the package containerd-app - 1.7.19-0ubuntu1
---
containerd-app (1.7.19-0ubuntu1) oracular; urgency=medium
* New upstream release.
* d/t/basic-smoke: set proxy environment variables.
-- Lucas Kanashiro Wed, 03 Jul 2024 18:52:03 -0300
** Changed in: conta
FYI: Uploaded by Lucas but atm stuck in proposed for networking issues
in the test
** Changed in: containerd-app (Ubuntu)
Assignee: (unassigned) => Lucas Kanashiro (lucaskanashiro)
** Changed in: containerd-app (Ubuntu)
Status: Confirmed => Triaged
** Tags added: server-todo
** Changed in: containerd-app (Ubuntu)
Importance: Undecided => High
Apparently, that's the fate of early adopters...
I've managed to "hand-craft" following apparmor profile and place it in:
/etc/apparmor.d/cri-containerd.apparmor.d as a temporary solution for
this problem.
** Attachment added: "Temporary working profile for apparmor"
https://bugs.launchpad.n
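The temporary profile attached to the comment above is not reproduced on this page. As an added illustration, not the Ubuntu patch, the upstream PR or the attached file, the fragment below shows the shape of the rule the fix is about: a container's profile must accept signals from whatever AppArmor label runc runs under. On jammy and earlier (reported unaffected above) runc runs unconfined, so a peer=unconfined rule is enough; on noble runc is confined under its own profile, so signals arrive with a different peer label and are denied unless a matching rule exists. The profile name, the peer label "runc" and the surrounding rules are assumptions chosen to keep the fragment readable; verify them against the template shipped in the fixed containerd package.

```apparmor
# Added illustration, not the packaged template or the attached workaround.
#include <tunables/global>

# Profile name is an assumption (containerd generates a profile per container).
profile cri-containerd.apparmor.d flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network,
  capability,
  file,
  umount,

  # Unconfined host processes may signal the container's processes. This is
  # sufficient only while runc itself runs unconfined.
  signal (receive) peer=unconfined,

  # The fix: when runc is confined under a profile of its own (assumed here to
  # be labelled "runc"), its SIGTERM/SIGKILL arrives with that peer label and
  # is denied without a rule like this one.
  signal (receive) peer=runc,

  # Container processes may signal each other.
  signal (send,receive) peer=cri-containerd.apparmor.d,
}
```

A profile placed under /etc/apparmor.d is loaded with `sudo apparmor_parser -r <file>`; the postinst notes in this thread recommend a reboot after the package update so that containerd reloads its generated profiles with the new rule.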
I am to some extent amazed considering so few users participate in this
discussion.
I'd expect every user of Kubernetes, using containerd and app_armor on
an Ubuntu 24.04 to be affected. To get my clusters in a sustainable
state, I deactivated app_armor for containerd as a stop-gap measure,
expect
Forgot to paste link to PR related to issue above :/
https://github.com/containerd/containerd/pull/10129
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: containerd-app (Ubuntu)
Status: New => Confirmed
Seeing this in Noble containerd 1.7.12-0ubuntu4
Seems to be https://github.com/containerd/containerd/pull/10123