apparmor: clobber docker-default profile on start #41954
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Seems as though it has the same failures as before, so I'll need to look into those... |
cyphar
force-pushed
the
apparmor-clobber-profile-on-start
branch
from
ab01b9a
to
e08d45e
Compare
|
@cyphar needs a rebase |
cyphar
force-pushed
the
apparmor-clobber-profile-on-start
branch
from
e08d45e
to
24e2cde
Compare
tianon
approved these changes
Jun 9, 2021
| // DefaultApparmorProfile returns the name of the default apparmor profile | ||
| func DefaultApparmorProfile() string { | ||
| // DefaultAppArmorProfile returns the name of the default apparmor profile | ||
| func DefaultAppArmorProfile() string { | ||
| if apparmor.HostSupports() { |
There was a problem hiding this comment.
For the benefit of other reviewers, I was slightly concerned about this getting invoked in so many places (especially nested, as below), but the underlying implementation uses a sync.Once + cached bool so it's really efficient. 👍
|
(Although noting the CI failures are the same consistent failures from the last two PRs, so very likely related 😩) |
|
Yeah I haven't had a chance to debug the PR failure. Will figure that out sometime next week (we've been running with this patch in production for more than a year or two, so it's a bit strange that CI is failing in weird places). |
thaJeztah
added
the
status/failing-ci
cyphar
force-pushed
the
apparmor-clobber-profile-on-start
branch
from
24e2cde
to
40112f4
Compare
cyphar
force-pushed
the
apparmor-clobber-profile-on-start
branch
from
40112f4
to
3d3af96
Compare
In the process of making docker-default reloading far less expensive, 567ef8e ("daemon: switch to 'ensure' workflow for AppArmor profiles") mistakenly made the initial profile load at dockerd start-up lazy. As a result, if you have a running Docker daemon and upgrade it to a new one with an updated AppArmor profile the new profile will not take effect (because the old one is still loaded). The fix for this is quite trivial, and just requires us to clobber the profile on start-up. Fixes: 567ef8e ("daemon: switch to 'ensure' workflow for AppArmor profiles") Signed-off-by: Aleksa Sarai <asarai@suse.de>
cyphar
force-pushed
the
apparmor-clobber-profile-on-start
branch
from
3d3af96
to
a11305b
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In the process of making docker-default reloading far less expensive,
567ef8e ("daemon: switch to 'ensure' workflow for AppArmor
profiles") mistakenly made the initial profile load at dockerd start-up
lazy. As a result, if you have a running Docker daemon and upgrade it to
a new one with an updated AppArmor profile the new profile will not take
effect (because the old one is still loaded). The fix for this is quite
trivial, and just requires us to clobber the profile on start-up.
Carries #40615 and #37353
Fixes: 567ef8e ("daemon: switch to 'ensure' workflow for AppArmor profiles")
Signed-off-by: Aleksa Sarai asarai@suse.de