*** This bug is a duplicate of bug 2065423 ***
https://bugs.launchpad.net/bugs/2065423
** This bug has been marked a duplicate of bug 2065423
Update AppArmor template to allow confined runc to kill containers
--
You received this bug notification because you are a member of Ubuntu
Bugs, w
** Attachment added: "docker-default"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2039294/+attachment/5824926/+files/docker-default
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2039294
Thanks, but the pastebin gives me "You do not currently have access to
the pastebin."
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2039294
Title:
apparmor docker
To manage notifications about this
@lazka: you can use this profile:
https://pastebin.canonical.com/p/VbmH97Rhqp/
I grabbed it from upstream:
https://github.com/moby/moby/blob/master/profiles/apparmor/template.go
Note that for the rule "signal (receive) peer={{.DaemonProfile}}," in the
template I assumed the DaemonProfile is unco
Having updated to Ubuntu 24.04 and Docker failing to stop containers
now, what is the recommended workaround at the moment that I can
recommend to my co-workers?
The workaround in #11 doesn't work as that file doesn't exist on my
machine.
The workaround in #13 seems to work, but has diverged from
I think the addition of @jjohansen is a good idea. On my system (updated
from multiple older versions ;-)), the peer is not runc but
/usr/sbin/runc and apparmor denied the signal before I changed the line
to the full path. I am not sure if that is intended, but that's how it
is now working on my sy
To make this generic so that it will work on older and newer hosts we
should probably change the peer expression to
signal (receive) peer={runc,unconfined},
or possibly, define an @{runc} variable in the preamble and use that.
This really only is advantageous, in that it shows semantic intent,
Forgot to attach the profile. Attached here.
** Attachment added: "docker-default"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2039294/+attachment/5769855/+files/docker-default
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to U
As a temporary workaround, put the file I have attached to
/etc/apparmor.d/docker-default and load it with "apparmor_parser -Kr
/etc/apparmor.d/docker-default". This will make dockerd skip loading its
builtin profile and use this one instead. The only difference between
the builtin one and this one
As a temporary patch on my system, I disabled the apparmor rules for
/usr/sbin/runc
Following the documentation to disable one single apparmor profile
(link: https://help.ubuntu.com/community/AppArmor#Disable_one_profile )
:
```
sudo ln -s /etc/apparmor.d/usr.sbin.runc /etc/apparmor.d/disable/
su
@gvarouchas, you need to be more specific. There are a couple interrelated
issues in this bug. What is the exact Denial message you are getting. The will
look something like the denial messages in comment 5. You can find them using
sudo dmesg | grep DENIED
or
journalctl -g apparmor
--
You r
This issue is also affecting me, and I do not have experience with
apparmor profiles to update the correct file.
Can someone explain in more details a patch that fixes the issue ?
(more precisely: what line should I write ? in what file ?)
Obviously: it is also a pain to have this issue with the
12 matches
Mail list logo
