Update AppArmor template to allow confined runc to kill containers

Bug #2065423 reported by Sebastian Podjasek
This bug affects 3 people
Affects: containerd-app (Ubuntu)
Status: Triaged
Importance: High
Assigned to: Unassigned

Bug Description

Is there any chance that this PR can be implemented in the current Ubuntu release?

Because as of now AppArmor denies signals from runc, and this results in many pods kept in the Terminating state:

audit: type=1400 audit(1715342953.323:200): apparmor="DENIED" operation="signal" class="signal" profile="cri-containerd.apparmor.d" pid=741102 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="runc"

Tags: server-todo
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in containerd-app (Ubuntu):
status: New → Confirmed
Dmitrii Kuptsov (bcskda) wrote :

Seeing this in Noble containerd 1.7.12-0ubuntu4
Seems to be https://github.com/containerd/containerd/pull/10123

Sebastian Podjasek (sebastian-podjasek) wrote :

Forgot to paste the link to the PR related to the issue above :/

https://github.com/containerd/containerd/pull/10129

Christopher J. Ruwe (cruwe) wrote :

I am to some extent amazed, considering how few users participate in this discussion.

I'd expect every user of Kubernetes using containerd and AppArmor on Ubuntu 24.04 to be affected. To get my clusters into a sustainable state, I deactivated AppArmor for containerd as a stop-gap measure, expecting the need for bumping containerd to be high and an updated package to appear soon.

Am I in some respect wrong in my assumption? Is running K8S on 24.04 with AppArmor-ed containerd an edge case?

Thanks for your consideration.

Sebastian Podjasek (sebastian-podjasek) wrote :

Apparently, that's the fate of early adopters...

I've managed to "hand-craft" the following AppArmor profile and place it in /etc/apparmor.d/cri-containerd.apparmor.d as a temporary solution for this problem.

Changed in containerd-app (Ubuntu):
status: Confirmed → Triaged
tags: added: server-todo
Changed in containerd-app (Ubuntu):
importance: Undecided → High
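As an added example (not code from the bug report, from containerd, or from the hand-crafted profile mentioned above), the POSIX shell script below turns the denial quoted in the description into the AppArmor rule it asks for and inserts that rule into a profile file such as the one placed in /etc/apparmor.d/cri-containerd.apparmor.d. The audit line is a constructed copy of the one in the report; the function names (audit_field, signal_rule, add_rule) and the minimal profile used in the demo are the example's own and are not containerd's template. It assumes, as the peer="runc" label in the denial suggests, that runc itself runs under an AppArmor profile named runc, so the rule the confined container side needs is written as `signal (receive) set=(kill) peer=runc,`. That rule covers exactly the signal that was logged; dropping `set=(...)` would allow any signal from that peer, which is what letting runc kill containers generally needs, since runc kill sends whatever signal it is asked to (TERM first, then KILL, during a pod's termination).

```shell
#!/bin/sh
# Added example for bug #2065423: derive the AppArmor rule for a logged
# signal denial and add it to a profile file. Not code from the bug
# report, from containerd, or from the profile posted in the thread.

# Constructed copy of the audit line from the bug description (not a live log).
AUDIT_LINE='audit: type=1400 audit(1715342953.323:200): apparmor="DENIED" operation="signal" class="signal" profile="cri-containerd.apparmor.d" pid=741102 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="runc"'

# audit_field KEY LINE: print the value of KEY in an audit line. Handles both
# key="quoted value" and key=bare forms; prints nothing if KEY is absent.
audit_field() {
  printf '%s\n' "$2" | sed -n \
    -e "s/.* $1=\"\([^\"]*\)\".*/\1/p" -e t \
    -e "s/.* $1=\([^ ]*\).*/\1/p"
}

# signal_rule LINE: print the profile rule that would permit the logged signal
# denial, e.g. 'signal (receive) set=(kill) peer=runc,'. Returns 1 for lines
# that are not AppArmor signal denials. The peer is the sender's profile label.
signal_rule() {
  line=$1
  [ "$(audit_field apparmor "$line")" = DENIED ] || return 1
  [ "$(audit_field class "$line")" = signal ] || return 1
  mask=$(audit_field denied_mask "$line")
  sig=$(audit_field signal "$line")
  peer=$(audit_field peer "$line")
  [ -n "$mask" ] && [ -n "$sig" ] && [ -n "$peer" ] || return 1
  printf 'signal (%s) set=(%s) peer=%s,\n' "$mask" "$sig" "$peer"
}

# add_rule FILE RULE: insert RULE (indented) before the profile's closing brace
# unless FILE already contains it. Assumes one top-level profile block.
add_rule() {
  file=$1
  rule=$2
  grep -qF -- "$rule" "$file" && return 0
  tmp=$(mktemp)
  awk -v rule="  $rule" '
    { lines[NR] = $0 }
    END {
      last = 0
      for (i = NR; i > 0; i--) if (lines[i] ~ /^}/) { last = i; break }
      for (i = 1; i <= NR; i++) { if (i == last) print rule; print lines[i] }
    }' "$file" > "$tmp" && mv "$tmp" "$file"
  grep -qF -- "$rule" "$file" || {
    echo "add_rule: no closing '}' found in $file" >&2
    return 1
  }
}

# Demo on a constructed, deliberately minimal profile (hypothetical, not the
# containerd template). On a real host the target would be
# /etc/apparmor.d/cri-containerd.apparmor.d, followed by:
#   sudo apparmor_parser -r /etc/apparmor.d/cri-containerd.apparmor.d
#   sudo aa-status | grep cri-containerd
PROFILE=$(mktemp)
cat > "$PROFILE" <<'EOF'
#include <tunables/global>
profile cri-containerd.apparmor.d flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  network,
  capability,
  file,
  umount,
}
EOF
RULE=$(signal_rule "$AUDIT_LINE")
add_rule "$PROFILE" "$RULE"
cat "$PROFILE"
rm -f "$PROFILE"
```

After reloading the profile, a further `apparmor="DENIED" ... class="signal"` line in `dmesg` for the same profile means another signal or peer still needs a rule; feed that line to the same function. Pre-loading a file from /etc/apparmor.d works as a workaround because containerd only writes and loads its template profile when no profile of that name is already loaded, so the hand-crafted one wins as long as it is loaded before containerd starts.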