| 2023-10-25 11:11:48 |
Martin Pitt |
bug |
|
|
added bug |
| 2023-10-25 11:12:04 |
Martin Pitt |
tags |
|
mantic regression-release |
|
| 2023-10-25 11:12:27 |
Martin Pitt |
description |
Mantic's system podman containers are completely broken due to bug 2040082. However, after fixing that (rebuilding with the patch, or a *shht don't try this at home* hack [1]), the AppArmor policy still causes bugs:
podman run -it --rm docker.io/busybox
Then
podman stop -l
fails with
2023-10-25T11:06:33.873998Z: send signal to pidfd: Permission denied
and journal shows
audit: type=1400 audit(1698231993.870:92): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.50.1" pid=4713 comm="3" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/bin/crun"
This leaves the container in a broken state:
# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
61749260f9c4 docker.io/library/busybox:latest sh 40 seconds ago Exited (-1) 29 seconds ago confident_bouman
# podman rm --all
2023-10-25T11:07:21.428701Z: send signal to pidfd: Permission denied
Error: cleaning up container 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae: removing container 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae from runtime: `/usr/bin/crun delete --force 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae` failed: exit status 1
audit: type=1400 audit(1698232041.422:93): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.50.1" pid=4839 comm="3" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/bin/crun"
[1] sed -i 's/~alpha2/0000000/' /usr/sbin/apparmor_parser
Ubuntu 23.10
i apparmor 4.0.0~alpha2-0ubuntu5 amd64 user-space parser utility for AppArmor
ii golang-github-containers-common 0.50.1+ds1-4 all Common files for github.com/containers repositories
ii podman 4.3.1+ds1-8 amd64 engine to run OCI-based containers in Pods |
Mantic's system podman containers are completely broken due to bug 2040082. However, after fixing that (rebuilding with the patch, or a *shht don't try this at home* hack [1]), the AppArmor policy still causes bugs:
podman run -it --rm docker.io/busybox
Then
podman stop -l
fails with
2023-10-25T11:06:33.873998Z: send signal to pidfd: Permission denied
and journal shows
audit: type=1400 audit(1698231993.870:92): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.50.1" pid=4713 comm="3" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/bin/crun"
This leaves the container in a broken state:
# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
61749260f9c4 docker.io/library/busybox:latest sh 40 seconds ago Exited (-1) 29 seconds ago confident_bouman
# podman rm --all
2023-10-25T11:07:21.428701Z: send signal to pidfd: Permission denied
Error: cleaning up container 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae: removing container 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae from runtime: `/usr/bin/crun delete --force 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae` failed: exit status 1
audit: type=1400 audit(1698232041.422:93): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.50.1" pid=4839 comm="3" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/bin/crun"
[1] sed -i 's/~alpha2/0000000/' /usr/sbin/apparmor_parser
Ubuntu 23.10
ii apparmor 4.0.0~alpha2-0ubuntu5 amd64 user-space parser utility for AppArmor
ii golang-github-containers-common 0.50.1+ds1-4 all Common files for github.com/containers repositories
ii podman 4.3.1+ds1-8 amd64 engine to run OCI-based containers in Pods |
|
| 2023-11-09 07:39:25 |
Launchpad Janitor |
libpod (Ubuntu): status |
New |
Confirmed |
|
| 2023-11-23 09:19:01 |
Uwe Hey |
bug |
|
|
added subscriber Uwe Hey |
| 2023-12-04 10:04:09 |
Martin Pitt |
nominated for series |
|
Ubuntu Noble |
|
| 2023-12-04 10:04:09 |
Martin Pitt |
bug task added |
|
libpod (Ubuntu Noble) |
|
| 2023-12-04 10:04:09 |
Martin Pitt |
nominated for series |
|
Ubuntu Mantic |
|
| 2023-12-04 10:04:09 |
Martin Pitt |
bug task added |
|
libpod (Ubuntu Mantic) |
|
| 2023-12-11 05:46:09 |
Martin Pitt |
bug task added |
|
apparmor (Ubuntu) |
|
| 2023-12-11 06:05:42 |
Martin Pitt |
bug task deleted |
apparmor (Ubuntu) |
|
|
| 2023-12-11 06:05:52 |
Martin Pitt |
bug task deleted |
apparmor (Ubuntu Mantic) |
|
|
| 2023-12-11 06:05:56 |
Martin Pitt |
bug task deleted |
apparmor (Ubuntu Noble) |
|
|
| 2023-12-11 12:51:19 |
Georgia Garcia |
bug |
|
|
added subscriber Georgia Garcia |
| 2023-12-21 15:16:09 |
André Oliveira |
libpod (Ubuntu Mantic): status |
New |
Confirmed |
|
| 2024-03-11 15:09:41 |
Martin Pitt |
tags |
mantic regression-release |
cockpit-test mantic regression-release |
|
| 2024-04-23 10:10:02 |
Andrew Cloke |
bug |
|
|
added subscriber Andrew Cloke |
| 2024-04-28 20:48:09 |
Tomáš Virtus |
bug task added |
|
golang-github-containers-common (Ubuntu) |
|
| 2024-04-28 21:41:16 |
Tomáš Virtus |
merge proposal linked |
|
https://code.launchpad.net/~virtustom/ubuntu/+source/golang-github-containers-common/+git/golang-github-containers-common/+merge/465117 |
|
| 2024-04-28 23:13:36 |
Tomáš Virtus |
description |
Mantic's system podman containers are completely broken due to bug 2040082. However, after fixing that (rebuilding with the patch, or a *shht don't try this at home* hack [1]), the AppArmor policy still causes bugs:
podman run -it --rm docker.io/busybox
Then
podman stop -l
fails with
2023-10-25T11:06:33.873998Z: send signal to pidfd: Permission denied
and journal shows
audit: type=1400 audit(1698231993.870:92): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.50.1" pid=4713 comm="3" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/bin/crun"
This leaves the container in a broken state:
# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
61749260f9c4 docker.io/library/busybox:latest sh 40 seconds ago Exited (-1) 29 seconds ago confident_bouman
# podman rm --all
2023-10-25T11:07:21.428701Z: send signal to pidfd: Permission denied
Error: cleaning up container 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae: removing container 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae from runtime: `/usr/bin/crun delete --force 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae` failed: exit status 1
audit: type=1400 audit(1698232041.422:93): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.50.1" pid=4839 comm="3" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/bin/crun"
[1] sed -i 's/~alpha2/0000000/' /usr/sbin/apparmor_parser
Ubuntu 23.10
ii apparmor 4.0.0~alpha2-0ubuntu5 amd64 user-space parser utility for AppArmor
ii golang-github-containers-common 0.50.1+ds1-4 all Common files for github.com/containers repositories
ii podman 4.3.1+ds1-8 amd64 engine to run OCI-based containers in Pods |
[ Impact ]
* On mantic and noble, when run as root, podman cannot stop any container running in background because crun is being run with a new profile introduced in AppArmor v4.0.0 that doesn't have corresponding signal receive rule container's profile.
* Without the fix, users would have to resort to figuring out container's PID 1 and killing it as root or by other privileged and unconfined process. This is a regression from basic podman functionality.
* The fix adds signal receive rules for currently confined OCI runtimes in AppArmor v4.0.0 (runc and crun) to the profile used by podman.
[ Test Plan ]
All commands must be invoked as root.
Start container in background and then stop it:
# Run container in background (-d)
podman run -d --name foo docker.io/library/nginx:latest
# Stop the container
podman stop foo
On success, the last command should print the container name and the container running in background should be stopped (verify with "podman ps").
Additional tests:
Verify that container running in foreground TTY can be stopped.
# Terminal 1:
# Run container on this TTY
podman run -it --name bar --rm docker.io/library/ubuntu:22.04
# Terminal 2:
# Stop the container
podman stop foo
On success, the last command should print the container name, the process running in terminal 1 should stop, and the container should be removed (verify with "podman ps -a").
Verify that container running with dumb init can be killed.
# Run container in background (-d) with dumb init
podman run -d --name bar --rm --init ubuntu:22.04 sleep infinity
# Stop the container
podman stop foo
On success, the last command should print the container name and the container running in background should be stopped and removed (verify with "podman ps -a").
Verify container processes can signal each other
# Run container in foreground with processes sending signals between themselves
podman run ubuntu:22.04 sh -c 'sleep inf & sleep 1 ; kill $!'
On success, the last command should exit after cca 1 second with exit status 0.
[ Where problems could occur ]
* The fix requires a rebuild of podman that will pull in any other changes in the archive since the last build, which could potentially break some functionality.
[ Original report ]
Mantic's system podman containers are completely broken due to bug 2040082. However, after fixing that (rebuilding with the patch, or a *shht don't try this at home* hack [1]), the AppArmor policy still causes bugs:
podman run -it --rm docker.io/busybox
Then
podman stop -l
fails with
2023-10-25T11:06:33.873998Z: send signal to pidfd: Permission denied
and journal shows
audit: type=1400 audit(1698231993.870:92): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.50.1" pid=4713 comm="3" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/bin/crun"
This leaves the container in a broken state:
# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
61749260f9c4 docker.io/library/busybox:latest sh 40 seconds ago Exited (-1) 29 seconds ago confident_bouman
# podman rm --all
2023-10-25T11:07:21.428701Z: send signal to pidfd: Permission denied
Error: cleaning up container 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae: removing container 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae from runtime: `/usr/bin/crun delete --force 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae` failed: exit status 1
audit: type=1400 audit(1698232041.422:93): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.50.1" pid=4839 comm="3" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/bin/crun"
[1] sed -i 's/~alpha2/0000000/' /usr/sbin/apparmor_parser
Ubuntu 23.10
ii apparmor 4.0.0~alpha2-0ubuntu5 amd64 user-space parser utility for AppArmor
ii golang-github-containers-common 0.50.1+ds1-4 all Common files for github.com/containers repositories
ii podman 4.3.1+ds1-8 amd64 engine to run OCI-based containers in Pods |
|
| 2024-04-29 04:51:52 |
Launchpad Janitor |
golang-github-containers-common (Ubuntu): status |
New |
Confirmed |
|
| 2024-04-29 08:34:46 |
Tomáš Virtus |
description |
[ Impact ]
* On mantic and noble, when run as root, podman cannot stop any container running in background because crun is being run with a new profile introduced in AppArmor v4.0.0 that doesn't have corresponding signal receive rule container's profile.
* Without the fix, users would have to resort to figuring out container's PID 1 and killing it as root or by other privileged and unconfined process. This is a regression from basic podman functionality.
* The fix adds signal receive rules for currently confined OCI runtimes in AppArmor v4.0.0 (runc and crun) to the profile used by podman.
[ Test Plan ]
All commands must be invoked as root.
Start container in background and then stop it:
# Run container in background (-d)
podman run -d --name foo docker.io/library/nginx:latest
# Stop the container
podman stop foo
On success, the last command should print the container name and the container running in background should be stopped (verify with "podman ps").
Additional tests:
Verify that container running in foreground TTY can be stopped.
# Terminal 1:
# Run container on this TTY
podman run -it --name bar --rm docker.io/library/ubuntu:22.04
# Terminal 2:
# Stop the container
podman stop foo
On success, the last command should print the container name, the process running in terminal 1 should stop, and the container should be removed (verify with "podman ps -a").
Verify that container running with dumb init can be killed.
# Run container in background (-d) with dumb init
podman run -d --name bar --rm --init ubuntu:22.04 sleep infinity
# Stop the container
podman stop foo
On success, the last command should print the container name and the container running in background should be stopped and removed (verify with "podman ps -a").
Verify container processes can signal each other
# Run container in foreground with processes sending signals between themselves
podman run ubuntu:22.04 sh -c 'sleep inf & sleep 1 ; kill $!'
On success, the last command should exit after cca 1 second with exit status 0.
[ Where problems could occur ]
* The fix requires a rebuild of podman that will pull in any other changes in the archive since the last build, which could potentially break some functionality.
[ Original report ]
Mantic's system podman containers are completely broken due to bug 2040082. However, after fixing that (rebuilding with the patch, or a *shht don't try this at home* hack [1]), the AppArmor policy still causes bugs:
podman run -it --rm docker.io/busybox
Then
podman stop -l
fails with
2023-10-25T11:06:33.873998Z: send signal to pidfd: Permission denied
and journal shows
audit: type=1400 audit(1698231993.870:92): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.50.1" pid=4713 comm="3" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/bin/crun"
This leaves the container in a broken state:
# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
61749260f9c4 docker.io/library/busybox:latest sh 40 seconds ago Exited (-1) 29 seconds ago confident_bouman
# podman rm --all
2023-10-25T11:07:21.428701Z: send signal to pidfd: Permission denied
Error: cleaning up container 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae: removing container 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae from runtime: `/usr/bin/crun delete --force 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae` failed: exit status 1
audit: type=1400 audit(1698232041.422:93): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.50.1" pid=4839 comm="3" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/bin/crun"
[1] sed -i 's/~alpha2/0000000/' /usr/sbin/apparmor_parser
Ubuntu 23.10
ii apparmor 4.0.0~alpha2-0ubuntu5 amd64 user-space parser utility for AppArmor
ii golang-github-containers-common 0.50.1+ds1-4 all Common files for github.com/containers repositories
ii podman 4.3.1+ds1-8 amd64 engine to run OCI-based containers in Pods |
[ Impact ]
* On mantic and noble, when run as root, podman cannot stop any container running in background because crun is being run with a new profile introduced in AppArmor v4.0.0 that doesn't have corresponding signal receive rule container's profile.
* Without the fix, users would have to resort to figuring out container's PID 1 and killing it as root or by other privileged and unconfined process. This is a regression from basic podman functionality.
* The fix adds signal receive rules for currently confined OCI runtimes in AppArmor v4.0.0 (runc and crun) to the profile used by podman.
[ Test Plan ]
All commands must be invoked as root.
Start container in background and then stop it:
# Run container in background (-d)
podman run -d --name foo docker.io/library/nginx:latest
# Stop the container
podman stop foo
On success, the last command should print the container name and the container running in background should be stopped (verify with "podman ps").
Additional tests:
Verify that container running in foreground TTY can be stopped.
# Terminal 1:
# Run container on this TTY
podman run -it --name bar --rm docker.io/library/ubuntu:22.04
# Terminal 2:
# Stop the container
podman stop bar
On success, the last command should print the container name, the process running in terminal 1 should stop, and the container should be removed (verify with "podman ps -a").
Verify that container running with dumb init can be killed.
# Run container in background (-d) with dumb init
podman run -d --name bar --rm --init ubuntu:22.04 sleep infinity
# Stop the container
podman stop bar
On success, the last command should print the container name and the container running in background should be stopped and removed (verify with "podman ps -a").
Verify container processes can signal each other
# Run container in foreground with processes sending signals between themselves
podman run ubuntu:22.04 sh -c 'sleep inf & sleep 1 ; kill $!'
On success, the last command should exit after cca 1 second with exit status 0.
[ Where problems could occur ]
* The fix requires a rebuild of podman that will pull in any other changes in the archive since the last build, which could potentially break some functionality.
[ Original report ]
Mantic's system podman containers are completely broken due to bug 2040082. However, after fixing that (rebuilding with the patch, or a *shht don't try this at home* hack [1]), the AppArmor policy still causes bugs:
podman run -it --rm docker.io/busybox
Then
podman stop -l
fails with
2023-10-25T11:06:33.873998Z: send signal to pidfd: Permission denied
and journal shows
audit: type=1400 audit(1698231993.870:92): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.50.1" pid=4713 comm="3" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/bin/crun"
This leaves the container in a broken state:
# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
61749260f9c4 docker.io/library/busybox:latest sh 40 seconds ago Exited (-1) 29 seconds ago confident_bouman
# podman rm --all
2023-10-25T11:07:21.428701Z: send signal to pidfd: Permission denied
Error: cleaning up container 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae: removing container 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae from runtime: `/usr/bin/crun delete --force 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae` failed: exit status 1
audit: type=1400 audit(1698232041.422:93): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.50.1" pid=4839 comm="3" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/bin/crun"
[1] sed -i 's/~alpha2/0000000/' /usr/sbin/apparmor_parser
Ubuntu 23.10
ii apparmor 4.0.0~alpha2-0ubuntu5 amd64 user-space parser utility for AppArmor
ii golang-github-containers-common 0.50.1+ds1-4 all Common files for github.com/containers repositories
ii podman 4.3.1+ds1-8 amd64 engine to run OCI-based containers in Pods |
|
| 2024-04-29 10:33:36 |
Tomáš Virtus |
description |
[ Impact ]
* On mantic and noble, when run as root, podman cannot stop any container running in background because crun is being run with a new profile introduced in AppArmor v4.0.0 that doesn't have corresponding signal receive rule container's profile.
* Without the fix, users would have to resort to figuring out container's PID 1 and killing it as root or by other privileged and unconfined process. This is a regression from basic podman functionality.
* The fix adds signal receive rules for currently confined OCI runtimes in AppArmor v4.0.0 (runc and crun) to the profile used by podman.
[ Test Plan ]
All commands must be invoked as root.
Start container in background and then stop it:
# Run container in background (-d)
podman run -d --name foo docker.io/library/nginx:latest
# Stop the container
podman stop foo
On success, the last command should print the container name and the container running in background should be stopped (verify with "podman ps").
Additional tests:
Verify that container running in foreground TTY can be stopped.
# Terminal 1:
# Run container on this TTY
podman run -it --name bar --rm docker.io/library/ubuntu:22.04
# Terminal 2:
# Stop the container
podman stop bar
On success, the last command should print the container name, the process running in terminal 1 should stop, and the container should be removed (verify with "podman ps -a").
Verify that container running with dumb init can be killed.
# Run container in background (-d) with dumb init
podman run -d --name bar --rm --init ubuntu:22.04 sleep infinity
# Stop the container
podman stop bar
On success, the last command should print the container name and the container running in background should be stopped and removed (verify with "podman ps -a").
Verify container processes can signal each other
# Run container in foreground with processes sending signals between themselves
podman run ubuntu:22.04 sh -c 'sleep inf & sleep 1 ; kill $!'
On success, the last command should exit after cca 1 second with exit status 0.
[ Where problems could occur ]
* The fix requires a rebuild of podman that will pull in any other changes in the archive since the last build, which could potentially break some functionality.
[ Original report ]
Mantic's system podman containers are completely broken due to bug 2040082. However, after fixing that (rebuilding with the patch, or a *shht don't try this at home* hack [1]), the AppArmor policy still causes bugs:
podman run -it --rm docker.io/busybox
Then
podman stop -l
fails with
2023-10-25T11:06:33.873998Z: send signal to pidfd: Permission denied
and journal shows
audit: type=1400 audit(1698231993.870:92): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.50.1" pid=4713 comm="3" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/bin/crun"
This leaves the container in a broken state:
# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
61749260f9c4 docker.io/library/busybox:latest sh 40 seconds ago Exited (-1) 29 seconds ago confident_bouman
# podman rm --all
2023-10-25T11:07:21.428701Z: send signal to pidfd: Permission denied
Error: cleaning up container 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae: removing container 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae from runtime: `/usr/bin/crun delete --force 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae` failed: exit status 1
audit: type=1400 audit(1698232041.422:93): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.50.1" pid=4839 comm="3" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/bin/crun"
[1] sed -i 's/~alpha2/0000000/' /usr/sbin/apparmor_parser
Ubuntu 23.10
ii apparmor 4.0.0~alpha2-0ubuntu5 amd64 user-space parser utility for AppArmor
ii golang-github-containers-common 0.50.1+ds1-4 all Common files for github.com/containers repositories
ii podman 4.3.1+ds1-8 amd64 engine to run OCI-based containers in Pods |
[ Impact ]
* On mantic and noble, when run as root, podman cannot stop any container running in background because crun is being run with a new profile introduced in AppArmor v4.0.0 that doesn't have corresponding signal receive rule container's profile.
* Without the fix, users would have to resort to figuring out container's PID 1 and killing it as root or by other privileged and unconfined process. This is a regression from basic podman functionality.
* The fix adds signal receive rules for currently confined OCI runtimes in AppArmor v4.0.0 (runc and crun) to the profile used by podman.
[ Test Plan ]
All commands must be invoked as root.
Run tests below with both crun and runc OCI runtimes. For crun, nothing has to be changed (it's installed and used by default). For runc, first install the runc pakcage, and then insert "--runtime /usr/sbin/runc" arguments after "podman run".
Start container in background and then stop it:
# Run container in background (-d)
podman run -d --name foo docker.io/library/nginx:latest
# Stop the container
podman stop foo
On success, the last command should print the container name and the container running in background should be stopped (verify with "podman ps").
Additional tests:
Verify that container running in foreground TTY can be stopped.
# Terminal 1:
# Run container on this TTY
podman run -it --name bar --rm docker.io/library/ubuntu:22.04
# Terminal 2:
# Stop the container
podman stop bar
On success, the last command should print the container name, the process running in terminal 1 should stop, and the container should be removed (verify with "podman ps -a").
Verify that container running with dumb init can be killed.
# Run container in background (-d) with dumb init
podman run -d --name bar --rm --init ubuntu:22.04 sleep infinity
# Stop the container
podman stop bar
On success, the last command should print the container name and the container running in background should be stopped and removed (verify with "podman ps -a").
Verify container processes can signal each other
# Run container in foreground with processes sending signals between themselves
podman run ubuntu:22.04 sh -c 'sleep inf & sleep 1 ; kill $!'
On success, the last command should exit after cca 1 second with exit status 0.
[ Where problems could occur ]
* The fix requires a rebuild of podman that will pull in any other changes in the archive since the last build, which could potentially break some functionality.
[ Original report ]
Mantic's system podman containers are completely broken due to bug 2040082. However, after fixing that (rebuilding with the patch, or a *shht don't try this at home* hack [1]), the AppArmor policy still causes bugs:
podman run -it --rm docker.io/busybox
Then
podman stop -l
fails with
2023-10-25T11:06:33.873998Z: send signal to pidfd: Permission denied
and journal shows
audit: type=1400 audit(1698231993.870:92): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.50.1" pid=4713 comm="3" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/bin/crun"
This leaves the container in a broken state:
# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
61749260f9c4 docker.io/library/busybox:latest sh 40 seconds ago Exited (-1) 29 seconds ago confident_bouman
# podman rm --all
2023-10-25T11:07:21.428701Z: send signal to pidfd: Permission denied
Error: cleaning up container 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae: removing container 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae from runtime: `/usr/bin/crun delete --force 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae` failed: exit status 1
audit: type=1400 audit(1698232041.422:93): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.50.1" pid=4839 comm="3" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/bin/crun"
[1] sed -i 's/~alpha2/0000000/' /usr/sbin/apparmor_parser
Ubuntu 23.10
ii apparmor 4.0.0~alpha2-0ubuntu5 amd64 user-space parser utility for AppArmor
ii golang-github-containers-common 0.50.1+ds1-4 all Common files for github.com/containers repositories
ii podman 4.3.1+ds1-8 amd64 engine to run OCI-based containers in Pods |
|
| 2024-05-03 10:02:48 |
John Leach |
bug |
|
|
added subscriber John Leach |
| 2024-05-07 10:40:16 |
Neil Wilson |
bug |
|
|
added subscriber Neil Wilson |
| 2024-05-10 13:48:02 |
cobraxium |
bug |
|
|
added subscriber cobraxium |
| 2024-05-13 12:31:16 |
Neil Wilson |
merge proposal linked |
|
https://code.launchpad.net/~neil-aldur/ubuntu/+source/golang-github-containers-common/+git/golang-github-containers-common/+merge/465970 |
|
| 2024-05-15 14:58:06 |
Neil Wilson |
bug watch added |
|
https://github.com/containers/common/issues/1898 |
|
| 2024-05-17 04:34:02 |
Uwe Hey |
removed subscriber Uwe Hey |
|
|
|
| 2024-05-21 08:58:36 |
kompas |
bug |
|
|
added subscriber kompas |
