Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rootless: allow loading an existing AppArmor profile #508

Merged
merged 1 commit into from
Nov 18, 2021
Merged

rootless: allow loading an existing AppArmor profile #508

merged 1 commit into from
Nov 18, 2021

Conversation

AkihiroSuda
Copy link
Member

nerdctl run

Rootless nerdctl now applies the nerdctl-default profile to containers by default, if it is already loaded with sudo nerdctl apparmor load.

Still defaults to "unconfined" when the profile is not loaded.

nerdctl info

Now nerdctl info shows "apparmor" when the AppArmor kernel module is enabled, regardless to whether the nerdctl-default profile is loaded or not.
When the profile is not available, nerdctl info shows a warning message.

Fix #507

@AkihiroSuda AkihiroSuda added this to the v0.14.0 milestone Nov 10, 2021
@AkihiroSuda AkihiroSuda mentioned this pull request Nov 10, 2021
Closed
@AkihiroSuda
Copy link
Member Author

This PR is ready to review, but merging this PR will cause conflict with the Windows PR #197.

I'm planning to merge the Windows PR #197 before this one if possible.

@AkihiroSuda AkihiroSuda mentioned this pull request Nov 16, 2021
Open
@AkihiroSuda AkihiroSuda marked this pull request as ready for review November 17, 2021 07:11
@AkihiroSuda
rootless: allow loading an existing AppArmor profile
e8ac71b 
nerdctl run
---
Rootless nerdctl now applies the `nerdctl-default` profile to containers by default,
if it is already loaded with `sudo nerdctl apparmor load`.

Still defaults to "unconfined" when the profile is not loaded.

nerdctl info
---
Now `nerdctl info` shows "apparmor" when the AppArmor kernel module is enabled,
regardless to whether the `nerdctl-default` profile is loaded or not.
When the profile is not available, `nerdctl info` shows a warning message.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda AkihiroSuda merged commit 2d7645f into containerd:master Nov 18, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ktock ktock ktock approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v0.14.0
Development

Successfully merging this pull request may close these issues.

Support rootless AppArmor with sudo nerdctl apparmor load
2 participants
@AkihiroSuda @ktock