apparmor: clobber docker-default profile on start #41954
base: master
Conversation
Seems as though it has the same failures as before, so I'll need to look into those...
ab01b9a to e08d45e
@cyphar needs a rebase
e08d45e to 24e2cde
LGTM
// DefaultApparmorProfile returns the name of the default apparmor profile | ||
func DefaultApparmorProfile() string { | ||
// DefaultAppArmorProfile returns the name of the default apparmor profile | ||
func DefaultAppArmorProfile() string { | ||
if apparmor.HostSupports() { |
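Review bot: the rename of the exported function from DefaultApparmorProfile to DefaultAppArmorProfile is a breaking change for any out-of-tree code importing this package, and nothing in the hunk keeps the old name resolvable; consider leaving a deprecated wrapper such as `func DefaultApparmorProfile() string { return DefaultAppArmorProfile() }` for one release, or at least calling the rename out in the PR description so it lands in the release notes.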
For the benefit of other reviewers, I was slightly concerned about this getting invoked in so many places (especially nested, as below), but the underlying implementation uses a sync.Once
+ cached bool
so it's really efficient. 👍
(Although noting the CI failures are the same consistent failures from the last two PRs, so very likely related 😩)
Yeah I haven't had a chance to debug the PR failure. Will figure that out sometime next week (we've been running with this patch in production for more than a year or two, so it's a bit strange that CI is failing in weird places).
24e2cde to 40112f4
40112f4 to 3d3af96
In the process of making docker-default reloading far less expensive, 567ef8e ("daemon: switch to 'ensure' workflow for AppArmor profiles") mistakenly made the initial profile load at dockerd start-up lazy. As a result, if you have a running Docker daemon and upgrade it to a new one with an updated AppArmor profile the new profile will not take effect (because the old one is still loaded). The fix for this is quite trivial, and just requires us to clobber the profile on start-up.
Fixes: 567ef8e ("daemon: switch to 'ensure' workflow for AppArmor profiles")
Signed-off-by: Aleksa Sarai <asarai@suse.de>
3d3af96 to a11305b
In the process of making docker-default reloading far less expensive,
567ef8e ("daemon: switch to 'ensure' workflow for AppArmor
profiles") mistakenly made the initial profile load at dockerd start-up
lazy. As a result, if you have a running Docker daemon and upgrade it to
a new one with an updated AppArmor profile the new profile will not take
effect (because the old one is still loaded). The fix for this is quite
trivial, and just requires us to clobber the profile on start-up.
Carries #40615 and #37353
Fixes: 567ef8e ("daemon: switch to 'ensure' workflow for AppArmor profiles")
Signed-off-by: Aleksa Sarai <asarai@suse.de>
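The failure mode the commit message describes, as an added simulation that is not moby's own code: a constructed in-memory `kernel` stands in for the set of loaded AppArmor profiles, `ensure` models the lazy sync.Once-guarded load from 567ef8e, and `clobber` models the unconditional start-up load this PR adds; the `upgrade` helper and the "profile v1"/"profile v2" texts are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"sync"
)

// kernel stands in for the AppArmor profiles the kernel has loaded
// (constructed stand-in: name -> profile text; the real daemon asks the kernel).
type kernel struct{ profiles map[string]string }

func (k *kernel) isLoaded(name string) bool { _, ok := k.profiles[name]; return ok }
func (k *kernel) load(name, text string)    { k.profiles[name] = text }

// loader models one dockerd process and the docker-default text it ships with.
type loader struct {
	k    *kernel
	text string
	once sync.Once
}

// ensure is the lazy "ensure" workflow: check once per process and load only
// if nothing named docker-default is already present in the kernel.
func (l *loader) ensure() {
	l.once.Do(func() {
		if !l.k.isLoaded("docker-default") {
			l.k.load("docker-default", l.text)
		}
	})
}

// clobber is the fix: unconditionally (re)load the shipped profile at start-up.
func (l *loader) clobber() { l.k.load("docker-default", l.text) }

// upgrade simulates an in-place daemon upgrade (old daemon already loaded its
// profile, new daemon shipping newText starts) and returns what the kernel enforces.
func upgrade(newText string, clobberOnStart bool) string {
	k := &kernel{profiles: map[string]string{}}
	old := &loader{k: k, text: "profile v1"}
	old.ensure() // old daemon ran containers, so v1 is in the kernel
	nw := &loader{k: k, text: newText}
	if clobberOnStart {
		nw.clobber()
	}
	nw.ensure() // first container start after the upgrade
	return k.profiles["docker-default"]
}

func main() {
	fmt.Println(upgrade("profile v2", false)) // profile v1: stale profile, the bug
	fmt.Println(upgrade("profile v2", true))  // profile v2: fixed
}
```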