** Description changed: [ Impact ] apparmor denies signals from runc, making stopping containers (a basic/core feature of most container runtimes) infeasible. [ Test Plan ] A basic case would include running a container and stopping it: $ docker stop $(docker run --rm -d nginx) In a fixed scenario, this should finish quickly with a success. In a broken one, this should fail and take longer to complete. A thorough test would include installing and affected package, starting a container, upgrading the package, and only then trying to stop the container. If it behaves as an affected system would, this should be documented: users should know a refresh is needed. - [ Where problems could occur ] The fixes here are bundled in new upstream releases as per the exceptions in place. There are risks of regression which should be dealt with in a case-by-case fashion. [ Other Info ] This is part of the regular container stack MREs as described in https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2028418 + + This is the docker/containerd counterpart of the fix released for podman + in LP: #2040483
** Description changed: [ Impact ] apparmor denies signals from runc, making stopping containers (a basic/core feature of most container runtimes) infeasible. [ Test Plan ] A basic case would include - running a container and stopping it: + running a container and stopping it as described in the podman SRU testplan in LP: #2040483. For docker, an example would would be: + $ docker stop $(docker run --rm -d nginx) In a fixed scenario, this should finish quickly with a success. In a broken one, this should fail and take longer to complete. A thorough test would include installing and affected package, starting a container, upgrading the package, and only then trying to stop the container. If it behaves as an affected system would, this should be documented: users should know a refresh is needed. [ Where problems could occur ] The fixes here are bundled in new upstream releases as per the exceptions in place. There are risks of regression which should be dealt with in a case-by-case fashion. [ Other Info ] This is part of the regular container stack MREs as described in https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2028418 This is the docker/containerd counterpart of the fix released for podman in LP: #2040483
--
https://bugs.launchpad.net/bugs/2065423
Title: Update AppArmor template to allow confined runc to kill containers
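Review bot: the added Test Plan line in the second description change reads "For docker, an example would would be:" with a duplicated "would", and the unchanged context still says "installing and affected package" where "an affected package" is meant; both are worth fixing while the text is being edited. The pass criteria "should finish quickly with a success" and "should fail and take longer to complete" give no exit status or time bound, so consider stating the expected result of the docker stop command and how long counts as a failure, and naming the package versions the upgrade case starts from.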