apparmor: add `signal (receive) peer=/usr/local/bin/rootlesskit,` #10111

AkihiroSuda · 2024-04-23T03:23:51Z

Fix:

[Rootless] nerdctl rm fails when AppArmor is loaded: error="unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied\n: unknown" nerdctl#2730

Caused by:

kernel: audit: type=1400 audit(1713840662.766:122): apparmor="DENIED" operation="signal" class="signal"
profile="nerdctl-default" pid=366783 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill
peer="/usr/local/bin/rootlesskit"

The issue is known to happen on Ubuntu 23.10 and 24.04 LTS. Doesn't seem to happen on Ubuntu 22.04 LTS.

Fix containerd/nerdctl issue 2730 > [Rootless] `nerdctl rm` fails when AppArmor is loaded: > `error="unknown error after kill: runc did not terminate successfully: exit status 1: > unable to signal init: permission denied\n: unknown"` Caused by: > kernel: audit: type=1400 audit(1713840662.766:122): apparmor="DENIED" operation="signal" class="signal" > profile="nerdctl-default" pid=366783 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill > peer="/usr/local/bin/rootlesskit" The issue is known to happen on Ubuntu 23.10 and 24.04 LTS. Doesn't seem to happen on Ubuntu 22.04 LTS. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

AkihiroSuda added the cherry-pick/1.7.x Change to be cherry picked to release/1.7 branch label Apr 23, 2024

k8s-ci-robot added the size/S label Apr 23, 2024

AkihiroSuda mentioned this pull request Apr 23, 2024

[Rootless] nerdctl rm fails when AppArmor is loaded: error="unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied\n: unknown" containerd/nerdctl#2730

Closed

dmcgowan approved these changes Apr 23, 2024

View reviewed changes

fuweid approved these changes Apr 23, 2024

View reviewed changes

fuweid added this pull request to the merge queue Apr 23, 2024

Merged via the queue into containerd:main with commit 2dd6fa3 Apr 23, 2024
47 checks passed

AkihiroSuda mentioned this pull request Apr 23, 2024

[release/1.7] Update AppArmor template to better support rootlesskit #10116

Merged

AkihiroSuda added cherry-picked/1.7.x PR commits are cherry-picked into release/1.7 branch and removed cherry-pick/1.7.x Change to be cherry picked to release/1.7 branch labels Apr 23, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

apparmor: add `signal (receive) peer=/usr/local/bin/rootlesskit,` #10111

apparmor: add `signal (receive) peer=/usr/local/bin/rootlesskit,` #10111

AkihiroSuda commented Apr 23, 2024 •

edited

apparmor: add signal (receive) peer=/usr/local/bin/rootlesskit, #10111

apparmor: add signal (receive) peer=/usr/local/bin/rootlesskit, #10111

Conversation

AkihiroSuda commented Apr 23, 2024 • edited

apparmor: add `signal (receive) peer=/usr/local/bin/rootlesskit,` #10111

apparmor: add `signal (receive) peer=/usr/local/bin/rootlesskit,` #10111

AkihiroSuda commented Apr 23, 2024 •

edited