Some comments about the test plan

a) this doesn't really fail:

> $ docker stop $(docker run --rm -d nginx)

  ubuntu@n-docker:~$ docker stop $(docker run --rm -d nginx)
  ad785200873f04a96e424fc92c467414c40df005d54ee7d16c589c3d42da4322
  ubuntu@n-docker:~$ echo $?
  0

But dmesg shows:

  [Thu Oct 24 17:42:32 2024] audit: type=1400 audit(1729791752.362:150): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=13764 comm="runc" requested_mask="receive" denied_mask="receive" signal=quit peer="runc"
  [Thu Oct 24 17:42:34 2024] audit: type=1400 audit(1729791754.398:151): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=13770 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="runc"

The delay aspect is a bit subjective also, you may want to clarify it. In my testing it took 12s to stop a container when the bug is present.

But the key thing is that "docker stop" didn't exit non-zero, with the bug present, so something else (like dmesg) needs to be in the test plan.

b) This bug has docker.io-app and containerd-app affected, but the test plan doesn't make it clear if that docker command alone will test both cases. I think something is missing.

c) Just like with libpod/golang-github-containers-common[1], just applying the docker.io-app update won't fix the system, because the apparmor profile is named just "docker-default", and when starting a new container it checks if a profile with that name is already loaded or not, regardless if it changed or not. We will be shipping a fixed profile, but since it's still named docker-default, it won't be loaded.

Here, however, we checked the code and the name "docker-default" is hardcoded in a few places, so adding a version suffix would require more changes and some extra testing.
Given how this bug is high priority, I suggest:

- recommend a reboot in postinst
- file an issue upstream, describing the problem and suggesting the same approach as podman/golang-github-containers-common has taken, by versioning the apparmor profile name.

--
https://bugs.launchpad.net/bugs/2065423
Title: Update AppArmor template to allow confined runc to kill containers
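The comment's point (a) is that "docker stop" exits 0 even when the bug is present, so a test plan has to look at the kernel audit log instead. The following is an added example, not part of the bug report or the Ubuntu packages: a small shell check that scans dmesg-style output for AppArmor signal denials against a given profile, fed here with constructed sample lines modelled on the two quoted in the comment (the function names and the sample are assumptions).

```shell
#!/bin/sh
# Added example: detect the AppArmor signal denials that a "docker stop"
# exit status alone does not reveal. Not code from the bug report.

# Constructed sample, modelled on the dmesg lines quoted in the comment;
# the third line is an ALLOWED entry that must not be counted.
SAMPLE_DMESG='[Thu Oct 24 17:42:32 2024] audit: type=1400 audit(1729791752.362:150): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=13764 comm="runc" requested_mask="receive" denied_mask="receive" signal=quit peer="runc"
[Thu Oct 24 17:42:34 2024] audit: type=1400 audit(1729791754.398:151): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=13770 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="runc"
[Thu Oct 24 17:42:35 2024] audit: type=1400 audit(1729791755.001:152): apparmor="ALLOWED" operation="signal" class="signal" profile="docker-default" pid=13771 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="runc"'

# list_signal_denials PROFILE  (reads dmesg text on stdin)
# Prints one "signal=... peer=..." line per DENIED signal operation
# recorded against PROFILE; prints nothing when the log is clean.
list_signal_denials() {
    grep 'apparmor="DENIED"' | grep 'operation="signal"' | grep "profile=\"$1\"" \
      | sed -n 's/.*\(signal=[a-z0-9]*\) \(peer="[^"]*"\).*/\1 \2/p'
}

# check_stop_denials PROFILE  (reads dmesg text on stdin)
# Returns 1 and lists the denials if any were found, 0 otherwise. This is
# the extra check the comment asks for beside "docker stop; echo $?".
check_stop_denials() {
    denials=$(list_signal_denials "$1")
    if [ -n "$denials" ]; then
        echo "FAIL: signal delivery denied under AppArmor profile $1:" >&2
        echo "$denials" >&2
        return 1
    fi
    echo "PASS: no signal denials for profile $1"
    return 0
}

# Intended use on a test machine, after running the test-plan command:
#   docker stop $(docker run --rm -d nginx)
#   sudo dmesg | check_stop_denials docker-default
```

On a system with the bug, the check lists the quit and kill denials and fails even though "docker stop" returned 0; on a fixed system it passes.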