AppArmor denies crun sending signals to containers (stop, kill)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| golang-github-containers-common (Ubuntu) | Confirmed | Undecided | Unassigned | |
| libpod (Ubuntu) | Confirmed | Undecided | Unassigned | |
| Mantic | Confirmed | Undecided | Unassigned | |
| Noble | Confirmed | Undecided | Unassigned | |
Bug Description
[ Impact ]
* On mantic and noble, when run as root, podman cannot stop any container running in the background, because crun is run under a new profile introduced in AppArmor v4.0.0 and the container's profile has no corresponding signal receive rule for that peer.
* Without the fix, users would have to resort to figuring out the container's PID 1 and killing it as root or from some other privileged and unconfined process. This is a regression from basic podman functionality.
* The fix adds signal receive rules for the OCI runtimes currently confined in AppArmor v4.0.0 (runc and crun) to the profile used by podman.
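As an added illustration, not the containers-common package's own profile or the Debian patch, here is a minimal AppArmor container profile carrying the kind of signal receive rules the fix describes; the profile name and the runc/crun peer patterns are assumptions.

```apparmor
# Added example, not the containers-common package's own profile.
# Profile name and the runc/crun peer patterns are assumptions.
#include <tunables/global>

profile podman-example-default flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network,
  capability,
  file,
  umount,

  # Processes inside the container may signal each other
  # (covers the 'sleep inf & sleep 1 ; kill $!' test in the plan).
  signal (send,receive) peer=@{profile_name},

  # Signals from unconfined senders (podman itself, root on the host).
  signal (receive) peer=unconfined,

  # The fix: AppArmor 4.0.0 confines runc and crun under their own
  # profiles, so the SIGTERM/SIGKILL they send on "podman stop" is
  # mediated. Without a receive rule naming those peers the kernel
  # logs an apparmor="DENIED" signal event and the container can be
  # neither stopped nor cleaned up. The pattern matches a profile
  # named "runc"/"crun" as well as one named by its binary path.
  signal (receive) peer={/usr/bin/,/usr/sbin/,}runc,
  signal (receive) peer={/usr/bin/,/usr/sbin/,}crun*,

  deny @{PROC}/* w,
  deny /sys/firmware/** rwklx,
}
```

After loading a profile with such rules (apparmor_parser -r), the DENIED signal entries in the journal stop appearing and the stop/kill tests below pass.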
[ Test Plan ]
All commands must be invoked as root.
Run the tests below with both the crun and runc OCI runtimes. For crun, nothing has to be changed (it is installed and used by default). For runc, first install the runc package, and then insert the "--runtime /usr/sbin/runc" arguments after "podman run".
Start container in background and then stop it:
# Run container in background (-d)
podman run -d --name foo docker.
# Stop the container
podman stop foo
On success, the last command should print the container name and the container running in background should be stopped (verify with "podman ps").
Additional tests:
Verify that a container running on a foreground TTY can be stopped:
# Terminal 1:
# Run container on this TTY
podman run -it --name bar --rm docker.
# Terminal 2:
# Stop the container
podman stop bar
On success, the last command should print the container name, the process running in terminal 1 should stop, and the container should be removed (verify with "podman ps -a").
Verify that a container running with dumb init can be killed:
# Run container in background (-d) with dumb init
podman run -d --name bar --rm --init ubuntu:22.04 sleep infinity
# Stop the container
podman stop bar
On success, the last command should print the container name and the container running in background should be stopped and removed (verify with "podman ps -a").
Verify that container processes can signal each other:
# Run container in foreground with processes sending signals between themselves
podman run ubuntu:22.04 sh -c 'sleep inf & sleep 1 ; kill $!'
On success, the last command should exit after about 1 second with exit status 0.
[ Where problems could occur ]
* The fix requires a rebuild of podman that will pull in any other changes in the archive since the last build, which could potentially break some functionality.
[ Original report ]
Mantic's system podman containers are completely broken due to bug 2040082. However, after fixing that (rebuilding with the patch, or a *shht don't try this at home* hack [1]), the AppArmor policy still causes bugs:
podman run -it --rm docker.io/busybox
Then
podman stop -l
fails with
2023-
and journal shows
audit: type=1400 audit(169823199
This leaves the container in a broken state:
# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
61749260f9c4 docker.
# podman rm --all
2023-
Error: cleaning up container 61749260f9c4c96
audit: type=1400 audit(169823204
[1] sed -i 's/~alpha2/
Ubuntu 23.10
ii apparmor 4.0.0~alpha2-
ii golang-
ii podman 4.3.1+ds1-8 amd64 engine to run OCI-based containers in Pods
Related branches
- Ubuntu Sponsors: Pending requested
  Diff: 138 lines (+72/-32), 5 files modified:
  debian/changelog (+7/-0)
  debian/control (+2/-1)
  debian/patches/apparmor-Allow-confined-runc-crun-to-kill-containers.patch (+62/-0)
  debian/patches/series (+1/-1)
  dev/null (+0/-30)
- Ubuntu Sponsors: Pending requested
  git-ubuntu import: Pending requested
  Diff: 106 lines (+76/-1), 4 files modified:
  debian/changelog (+7/-0)
  debian/control (+2/-1)
  debian/patches/apparmor-Allow-confined-runc-crun-to-kill-containers.patch (+66/-0)
  debian/patches/series (+1/-0)
tags: added cockpit-test
FTR, after calling `aa-teardown` the stopping and removing works.