Update AppArmor template to allow confined runc to kill containers

Bug #2065423 reported by Sebastian Podjasek
This bug affects 5 people
Affects                    Status        Importance  Assigned to       Milestone
containerd-app (Ubuntu)    Fix Released  High        Lucas Kanashiro
  Focal                    New           Undecided   Unassigned
  Jammy                    New           Undecided   Unassigned
  Noble                    New           Undecided   Unassigned

Bug Description

Is there any chance that this PR can be implemented in the current Ubuntu release?

Because as of now apparmor denies signals from runc, and this results in many pods kept in the Terminating state:

audit: type=1400 audit(1715342953.323:200): apparmor="DENIED" operation="signal" class="signal" profile="cri-containerd.apparmor.d" pid=741102 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="runc"

Tags: server-todo
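A small triage helper, added here and not part of the bug report or of containerd, that parses AppArmor audit records of the shape quoted above and flags the runc-to-runc signal denials the report describes. The three log lines are constructed from the single record quoted in the report (one matching denial, one ALLOWED record, one unrelated file denial), so the filter has something to reject.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the record quoted in the bug report plus two made-up
# neighbours that must NOT be flagged (an ALLOWED signal and a file denial).
SAMPLE_LOG = """\
audit: type=1400 audit(1715342953.323:200): apparmor="DENIED" operation="signal" class="signal" profile="cri-containerd.apparmor.d" pid=741102 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="runc"
audit: type=1400 audit(1715342953.400:201): apparmor="ALLOWED" operation="signal" class="signal" profile="cri-containerd.apparmor.d" pid=741102 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="runc"
audit: type=1400 audit(1715342960.001:202): apparmor="DENIED" operation="open" class="file" profile="cri-containerd.apparmor.d" name="/tmp/example" pid=741150 comm="runc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# AppArmor audit fields are key=value; values are either "quoted" (comm, peer)
# or bare tokens (pid=741102, signal=kill).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> Dict[str, str]:
    """Turn one AppArmor audit line into a dict of its key=value fields."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_runc_signal_denial(rec: Dict[str, str]) -> bool:
    """The pattern from the report: a confined runc is denied a signal from a runc peer."""
    return (rec.get("apparmor") == "DENIED"
            and rec.get("operation") == "signal"
            and rec.get("comm") == "runc"
            and rec.get("peer") == "runc")


def find_runc_signal_denials(log_text: str) -> List[Dict[str, str]]:
    """Return every record in the log text that matches the report's denial."""
    hits = []
    for line in log_text.splitlines():
        if "apparmor=" not in line:
            continue  # not an AppArmor audit record
        rec = parse_record(line)
        if is_runc_signal_denial(rec):
            hits.append(rec)
    return hits


def summarize(recs: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count denials per (profile, signal) so the operator sees which profile lacks the rule."""
    counts: Dict[Tuple[str, str], int] = {}
    for r in recs:
        key = (r.get("profile", "?"), r.get("signal", "?"))
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Feed it the output of `journalctl -k` or `/var/log/kern.log` to confirm a node is hitting this denial before deciding whether to wait for the backport or override the profile.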
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in containerd-app (Ubuntu):
status: New → Confirmed
Dmitrii Kuptsov (bcskda) wrote :

Seeing this in Noble containerd 1.7.12-0ubuntu4
Seems to be https://github.com/containerd/containerd/pull/10123

Sebastian Podjasek (sebastian-podjasek) wrote :

Forgot to paste link to PR related to issue above :/

https://github.com/containerd/containerd/pull/10129

Christopher J. Ruwe (cruwe) wrote :

I am to some extent amazed, considering how few users participate in this discussion.

I'd expect every user of Kubernetes, using containerd and app_armor on an Ubuntu 24.04 to be affected. To get my clusters in a sustainable state, I deactivated app_armor for containerd as a stop-gap measure, expecting the need for bumping containerd to be high and an updated package to appear soon.

Am I in some respect wrong in my assumption? Is running K8S on 24.04 with app_armor-ed containerd an edge case?

Thanks for your consideration.

Sebastian Podjasek (sebastian-podjasek) wrote :

Apparently, that's the fate of early adopters...

I've managed to "hand-craft" the following apparmor profile and placed it in /etc/apparmor.d/cri-containerd.apparmor.d as a temporary solution for this problem.

Changed in containerd-app (Ubuntu):
status: Confirmed → Triaged
tags: added: server-todo
Changed in containerd-app (Ubuntu):
importance: Undecided → High
Bryce Harrington (bryce)
Changed in containerd-app (Ubuntu):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Christian Ehrhardt  (paelzer) wrote :

FYI: Uploaded by Lucas but atm stuck in proposed for networking issues in the test

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package containerd-app - 1.7.19-0ubuntu1

---------------
containerd-app (1.7.19-0ubuntu1) oracular; urgency=medium

  * New upstream release.
  * d/t/basic-smoke: set proxy environment variables.

 -- Lucas Kanashiro <email address hidden> Wed, 03 Jul 2024 18:52:03 -0300

Changed in containerd-app (Ubuntu):
status: Triaged → Fix Released
Christopher J. Ruwe (cruwe) wrote :

I can see the updated package in oracular, but noble is still at 1.7.12-0ubuntu4.

Will the package be updated in noble as well? Without that, I wouldn't consider this fixed.

Thanks for your efforts, cheers!

Lucas Kanashiro (lucaskanashiro) wrote :

It is fixed in the development release (when there is no specific series, the default is the development release, in this case oracular). I am adding tasks for the supported series as well.

The backport is a follow-up work. The server team will be doing that once we find the time.

Christopher J. Ruwe (cruwe) wrote :

Thank you for the clarification and thank you for your work! Cheers!
