I tried a more targeted workaround, with
aa-complain /etc/apparmor.d/usr.bin.crun
or alternatively (without apparmor-utils, which isn't on the default cloud image):
sed -i '/flags=/ s/unconfined/complain/' /etc/apparmor.d/usr.bin.crun
but for some reason that breaks podman entirely:
# podman run -it --rm docker.io/busybox
ERRO[0000] Removing container 7c3c938f8e356a9834de6a114ad8b8353ffac7508c8aac131d588e1358ba2f30 from runtime after creation failed
Failed to re-execute libcrun via memory file descriptor
Error: OCI runtime error: crun: Failed to re-execute libcrun via memory file descriptor
I just noticed that neither podman nor crun ship their own AppArmor profiles, /etc/apparmor.d/usr.bin.crun is shipped by apparmor. So adding a package task, but leaving libpod as "affected", so that it is easier to find.
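The comment above edits the flags= line of /etc/apparmor.d/usr.bin.crun with sed and then observes podman failing. A check that is easy to forget when doing this by hand is whether the flags written to the file are actually what the kernel has loaded. The following shell functions are an added example, not part of the bug report or of the apparmor/podman packages: they read the flags from a profile file, switch one flag for another the same way the sed one-liner above does, and look up the mode the kernel currently reports for a profile name in /sys/kernel/security/apparmor/profiles. The function names are hypothetical; the profile path and the flag names (unconfined, complain) come from the comment.

```shell
#!/bin/sh
# Added example: inspect and toggle the flags= line of an AppArmor profile file
# and compare it with the mode the kernel has loaded. Not the project's own code.
set -eu

# Print the flag list from the first "flags=(...)" on a profile file, or "none"
# when the profile carries no flags (which means it is enforced once loaded).
aa_profile_flags() {
    sed -n 's/.*flags=(\([^)]*\)).*/\1/p' "$1" | head -n1 | grep . || echo none
}

# Replace one flag with another on the flags= line, in place, e.g.
#   aa_set_flag /etc/apparmor.d/usr.bin.crun unconfined complain
# This only edits the file; the kernel keeps the old mode until the profile
# is reloaded with apparmor_parser -r <file>.
aa_set_flag() {
    sed -i "/flags=/ s/$2/$3/" "$1"
}

# Print the mode the kernel currently applies to a loaded profile name
# (lines in /sys/kernel/security/apparmor/profiles look like "crun (unconfined)"),
# or "not loaded" if the name is absent or AppArmor is not available.
aa_loaded_mode() {
    line=$(grep "^$1 " /sys/kernel/security/apparmor/profiles 2>/dev/null) \
        || { echo "not loaded"; return 0; }
    printf '%s\n' "$line" | sed 's/.*(\(.*\))/\1/'
}

# Report on-disk flags versus loaded mode for one profile file and name.
aa_compare() {
    printf 'file %s: flags=%s, kernel: %s\n' \
        "$1" "$(aa_profile_flags "$1")" "$(aa_loaded_mode "$2")"
}
```

Typical use on an affected host would be `aa_compare /etc/apparmor.d/usr.bin.crun crun` before and after the sed edit; a file showing complain while the kernel still shows unconfined means the profile was edited but never reloaded, and a file showing complain with the kernel also showing complain reproduces the state in which the comment reports the memfd re-exec failure.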