removing docker snap leaves apparmor misconfigured
Bug #1841001 reported by
Robert Collins
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| snapd |
Triaged
|
Medium
|
Unassigned | ||
Bug Description
I removed the docker snap after the showstopper bug with its private /tmp; after that I installed docker via apt but runc was getting apparmor denying signal delivery; this was due to stale snap docker profiles; cleaning those up solved it but they should have been cleaned up by removing the snap in the first place.
sudo aa-remove-unknown
Removing 'docker-default'
Removing 'snap-update-
Removing 'snap.docker.
Removing 'snap.docker.
Removing 'snap.docker.
Removing 'snap.docker.help'
Removing 'snap.docker.
Removing 'snap.docker.
Removing 'snap.docker.
Revision history for this message
| Zygmunt Krynicki (zyga) wrote | #1 |
| Changed in snappy: | |
| status: | New → Triaged |
| importance: | Undecided → Medium |
| affects: | snappy → snapd |
To post a comment you must log in.
There are two separate issues here:
- removing snap.* apparmor profiles
- removing docker apparmor profile
For the second issue, it is a bug in the snap, it should be handling that in its pre-remove hook. I will report this internally
For the first issue, it's a hard problem. We remove the profiles from disk but we cannot remove them from the kernel easily without removing confinement from running processes. There is ongoing work to track processes better and perform cleanup on cgroup becoming empty but it is not close to release yet.