** Changed in: runc-app (Ubuntu Noble)
       Status: Confirmed => Invalid
** Description changed:

- Is there any chance that this PR can be implemented to current Ubuntu
- release?
+ [ Impact ]
  
- Because as for now apparmor denies signals from runc and this results in
- many pods kept in Terminating state:
+ apparmor denies signals from runc, making stopping containers (a
+ basic/core feature of most container runtimes) infeasible.
  
- audit: type=1400 audit(1715342953.323:200): apparmor="DENIED"
- operation="signal" class="signal" profile="cri-containerd.apparmor.d"
- pid=741102 comm="runc" requested_mask="receive" denied_mask="receive"
- signal=kill peer="runc"
+ [ Test Plan ]
+ 
+ A basic case would include
+ running a container and stopping it:
+ $ docker stop $(docker run --rm -d nginx)
+ 
+ In a fixed scenario, this should finish quickly with a success.
+ In a broken one, this should fail and take longer to complete.
+ 
+ A thorough test would include installing an affected package, starting
+ a container, upgrading the package, and only then trying to stop the
+ container. If it behaves as an affected system would, this should be
+ documented: users should know a refresh is needed.
+ 
+ 
+ [ Where problems could occur ]
+ 
+ The fixes here are bundled in new upstream releases as per the
+ exceptions in place. There are risks of regression which should be dealt
+ with in a case-by-case fashion.
+ 
+ [ Other Info ]
+ 
+ This is part of the regular container stack MREs as described in
+ https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2028418

-- 
https://bugs.launchpad.net/bugs/2065423

Title:
  Update AppArmor template to allow confined runc to kill containers
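As an added example (not part of the bug report or of the containerd/runc packages), the POSIX shell snippet below scans audit/kernel log text for the exact denial pattern quoted in the description (a DENIED `signal` operation with `peer="runc"`), so an operator triaging pods stuck in Terminating can confirm whether this AppArmor denial is the cause. The log lines in `SAMPLE_LOG` are constructed to mirror the one in the report.

```shell
#!/bin/sh
# Added example, not from the bug report. Detects the AppArmor signal
# denials described in LP: #2065423 in a blob of audit/dmesg output.

# Constructed sample: line 1 is the denial from the report, line 2 is the
# same event after a fix (ALLOWED), line 3 is an unrelated file denial.
SAMPLE_LOG='audit: type=1400 audit(1715342953.323:200): apparmor="DENIED" operation="signal" class="signal" profile="cri-containerd.apparmor.d" pid=741102 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="runc"
audit: type=1400 audit(1715342953.400:201): apparmor="ALLOWED" operation="signal" class="signal" profile="cri-containerd.apparmor.d" pid=741103 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="runc"
audit: type=1400 audit(1715342954.100:202): apparmor="DENIED" operation="open" class="file" profile="cri-containerd.apparmor.d" pid=741104 comm="nginx" requested_mask="r" denied_mask="r" name="/etc/shadow"'

# denied_runc_signals LOGTEXT
# Prints one "profile pid signal" line per AppArmor DENIED signal event
# whose peer is runc; anything else (allowed events, file denials) is
# ignored. Exit status is 0 when at least one such event was found.
denied_runc_signals() {
    printf '%s\n' "$1" \
      | grep 'apparmor="DENIED" operation="signal" .*peer="runc"' \
      | sed -E 's/.*profile="([^"]*)".* pid=([0-9]+) .* signal=([a-z0-9]+) .*/\1 \2 \3/'
}

# count_runc_signal_denials LOGTEXT
# Prints the number of matching denials (0 when there are none).
count_runc_signal_denials() {
    denied_runc_signals "$1" | grep -c .
}

# Stand-alone run: summarise the constructed sample.
if [ "$(count_runc_signal_denials "$SAMPLE_LOG")" -gt 0 ]; then
    echo "runc signal denials found (profile pid signal):"
    denied_runc_signals "$SAMPLE_LOG"
else
    echo "no runc signal denials in log"
fi
```

On a live host the same functions can be fed `dmesg` or `journalctl -k` output; a non-zero count while containers hang on stop points at the AppArmor template rather than at the runtime itself.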