
Provide mechanism to opt-out of app armor #22

Merged
merged 1 commit into from
Feb 17, 2017

Conversation

sykesm
Contributor

@sykesm sykesm commented Jan 10, 2017

I'm attempting to use garden-runc in an environment that does not have app armor enabled. This change allows deployments to explicitly set garden.apparmor_profile to an empty string so garden-runc does not attempt to activate the app armor policy paths. By default, the app armor policy is still used.

Note: Regardless of these changes, the job spec allows users to change the policy name but the start script hard-coded garden-default. It's also strange that the policy is a release template but there's no way to customize it. A nice feature would be to provide a mechanism for deployments to include a custom policy definition.

Explicitly setting garden.apparmor_profile to '' will disable app armor.
@cfdreddbot

Hey sykesm!

Thanks for submitting this pull request! I'm here to inform the recipients of the pull request that you and the commit authors have already signed the CLA.

@garden-gnome

Hi there!

We use Pivotal Tracker to provide visibility into what our team is working on. A story for this issue has been automatically created.

The current status is as follows:

  • #137384493 Provide mechanism to opt-out of app armor

This comment, as well as the labels on the issue, will be automatically updated as the status in Tracker changes.

@craigfurman
Contributor

Thanks @sykesm


barthy1 pushed a commit to barthy1/garden-runc-release that referenced this pull request Mar 9, 2017
[finishes #135205219]

Submodule src/github.com/tchap/go-patricia 42daf53..666120d:
  > Improve remove() in the sparse mode
  > Fix remove() in the sparse children mode
  > Merge pull request cloudfoundry#25 from aristanetworks/master
  > Fix Delete memory leak and other bugs found
  > Merge pull request cloudfoundry#23 from dmitris/issue20
  > Merge pull request cloudfoundry#22 from dmitris/showmemory
  > Fix a panic when deleting

Signed-off-by: Georgi Sabev <georgethebeatle@gmail.com>
@loewenstein

From what I have seen the original problem remains, i.e. minikube does not have app armor enabled. There is no /sys/kernel/security, so

mount -t securityfs securityfs /sys/kernel/security

in https://github.com/cloudfoundry/garden-runc-release/blob/v1.5.0/jobs/garden/templates/garden_ctl.erb#L70 fails with

mount: mount point /sys/kernel/security does not exist

The same is true for

apparmor_parser -a $CONFIG_DIR/$default_policy

in https://github.com/cloudfoundry/garden-runc-release/blob/v1.5.0/jobs/garden/templates/garden_ctl.erb#L74.
It fails with

apparmor module is not loaded.
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
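The failure mode described in the comment above (the start script runs `mount -t securityfs` and `apparmor_parser` unconditionally, and both fail on a kernel without AppArmor) can be handled by checking the kernel's AppArmor state before touching it, while keeping the explicit opt-out semantics of this pull request: an empty profile name disables AppArmor, a non-empty name on a kernel without AppArmor fails with an actionable message instead of the cryptic mount error, and only a non-empty name on a capable kernel actually loads the profile. The following shell example is added here for illustration; it is not code from garden-runc-release or its maintainers. The `/sys/module/apparmor` and `/sys/kernel/security` paths are the real kernel interfaces, but the function names, the `sysfs_root` parameter (which exists so the decision logic can be exercised without root against a constructed directory tree), and the use of `garden.apparmor_profile` in messages are assumptions of this example.

```shell
#!/bin/bash
# Added example, not the project's garden_ctl.erb: guard the AppArmor setup so
# the start script behaves sensibly on hosts without AppArmor (e.g. minikube).

# Returns 0 if the running kernel exposes AppArmor, 1 otherwise.
# Checks the two preconditions the thread shows failing: the apparmor kernel
# module and the securityfs mount point. sysfs_root is overridable for testing
# (assumed parameter; defaults to the real /sys).
apparmor_available() {
  local sysfs_root="${1:-/sys}"
  [ -d "$sysfs_root/module/apparmor" ] || return 1
  [ -d "$sysfs_root/kernel/security" ] || return 1
  return 0
}

# Decide what the start script should do for a given profile setting.
# Prints exactly one of:
#   disabled    - profile explicitly set to '' (the opt-out from this PR)
#   load        - profile requested and AppArmor is present
#   unavailable - profile requested but this kernel has no AppArmor
apparmor_action() {
  local profile="$1" sysfs_root="${2:-/sys}"
  if [ -z "$profile" ]; then
    echo "disabled"
  elif apparmor_available "$sysfs_root"; then
    echo "load"
  else
    echo "unavailable"
  fi
}

# Performs the setup. Fails closed: a requested profile that cannot be loaded
# is an error with a clear message rather than a silent loss of confinement.
setup_apparmor() {
  local profile="$1" config_dir="$2"
  case "$(apparmor_action "$profile")" in
    disabled)
      echo "AppArmor disabled by configuration (garden.apparmor_profile='')"
      ;;
    unavailable)
      echo "AppArmor profile '$profile' requested but the kernel has no AppArmor;" >&2
      echo "set garden.apparmor_profile to '' to run without it" >&2
      return 1
      ;;
    load)
      # Mount securityfs only if it is not already mounted, so reruns are idempotent.
      if ! grep -q ' /sys/kernel/security securityfs ' /proc/mounts; then
        mount -t securityfs securityfs /sys/kernel/security
      fi
      apparmor_parser -a "$config_dir/$profile"
      ;;
  esac
}
```

In a job template the call would be `setup_apparmor "<%= p('garden.apparmor_profile') %>" "$CONFIG_DIR"`; `apparmor_action` is separated out so the decision can be tested without root by pointing `sysfs_root` at a constructed directory.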
