AppArmor rules don't allow podman kill -s HUP container to succeed
#2321
Comments
|
Looks like this was already reported on the Ubuntu side in https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2089664 and a proposed fix in #2228 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
AppArmor 4.0 added new profiles for crun, runc, and podman which required extra AppArmor rules be created. This was originally reported in #1898 and fixed by @NeilW in #2004. This fix was sufficient for common tasks like shutting down containers, but commands like
podman kill -s HUP containercontinue to fail with errors like:Inspecting AppArmor logs we see DENIED messages like:
In the discussion for #2004 it seems like it was acknowledged that
podman killcould send any signal; however, my read on that PR was that the rules were set to allow this to succeed. I'm filing this bug since experimentally this seems to not be the case.Some other notes: I am using Ubuntu Noble's podman package (version 4.9.3+ds1-1ubuntu0.2). The prior issue was raised in https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2040483 and fixed upstream as part of the distro fixups to correct the original problem which is why I'm reporting the issue here first. Using
kill(1)against the pid reported bypodman inspect --format '{{ .State.Pid }}' containerseems to work. And finally, we've got podman set up as the backend fordocker composeusingDOCKER_HOSTset to the podman socket path. When we issue adocker compose downI also see kernel audit logs recording a DENIEDsignal=usr1message (the rest of the message appears equivalent to the HUP message above). Thedocker compose downdoes eventually successfully stop and remove the container, but there may be other affected signals.The text was updated successfully, but these errors were encountered: