Update apparmor to allow confined runc to kill containers #10123
Conversation
Hi @woky. Thanks for your PR. I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with `/ok-to-test`. Once the patch is verified, the new status will be reflected by the `ok-to-test` label. I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test
```
# runc may send signals to container processes.
signal (receive) peer=runc,
# crun may send signals to container processes.
signal (receive) peer=crun,
```
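For context, the two added rules sit inside the generated default container profile. A minimal sketch of how such a fragment reads as policy (the profile name and flags here are illustrative assumptions, not containerd's actual generated output):

```
# Illustrative AppArmor profile sketch; the name and flags are
# assumptions, not the exact profile containerd generates.
profile containerd-default flags=(attach_disconnected,mediate_deleted) {
  # ... file, network, and capability rules elided ...

  # Allow signals from OCI runtimes confined by their own profiles.
  signal (receive) peer=runc,
  signal (receive) peer=crun,
}
```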
Should this be set only when the corresponding profile exists?
Also, what about youki, gvisor, kata, etc.?
> Should this be set only when the corresponding profile exists?

I will update the template to check for known profiles.

> Also, what about youki, gvisor, kata, etc.?

These currently don't have any default profiles, see https://gitlab.com/apparmor/apparmor/-/tree/master/profiles/apparmor.d. I don't know much about the gVisor and kata runtimes, but I think those run containers in virtual machines, so their kill shouldn't involve sending signals (to container processes).
@AkihiroSuda What is the deadline for this change to be approved and merged to make it into v1.7.16?
I'm not sure what method you would recommend to conditionally add the signal receive rules. I can think of 4 ways:

1. Abuse `macroExists(profile)` to check if `/etc/apparmor.d/$profile` exists, for each profile in a hardcoded list of OCI runtime profiles known to exist in latest AppArmor.
2. Use `isLoaded(profile)` to check if the profile is loaded, for each profile as above.
3. Bring back `parseVersion`, which was removed in "contrib/apparmor: remove code related to apparmor_parser version" #8069, and conditionally add profiles based on the known OCI runtime profiles in the parsed AppArmor version.
4. Keep it as it is and rely on the fact that the peer is a regular expression, so it won't match profiles that are not loaded. This is almost like option 2.
Which option would you go with or do you know of a better way?
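Option 1 above could be sketched roughly as follows in Go; `profileExists` is a hypothetical helper for illustration, not containerd's actual template function, and the runtime list is the hardcoded one discussed above:

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// profileExists reports whether a profile file with the given name
// ships under dir (e.g. /etc/apparmor.d). Hypothetical helper; not
// containerd's actual template code.
func profileExists(dir, name string) bool {
	info, err := os.Stat(filepath.Join(dir, name))
	return err == nil && !info.IsDir()
}

func main() {
	// Hardcoded list of OCI runtime profiles known to exist in
	// recent AppArmor releases, per the discussion above.
	for _, rt := range []string{"runc", "crun"} {
		fmt.Printf("%s profile shipped: %v\n",
			rt, profileExists("/etc/apparmor.d", rt))
	}
}
```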
If you can confirm that `signal (receive) peer=crun,` does not cause an error when the `crun` profile is missing, I think we can just leave it as is and call it for a day. If it causes an error, checking `/etc/apparmor.d/$profile` seems good.
> If you can confirm that `signal (receive) peer=crun,` does not cause an error when the `crun` profile is missing, I think we can just leave it as is and call it for a day.

You can call it a day ;-) - the rule will just sit there and do nothing if the `crun` profile doesn't exist.
/usr/sbin/runc is confined with the "runc" profile[1] introduced in AppArmor v4.0.0. This change breaks stopping of containers, because the profile assigned to containers doesn't accept signals from the "runc" peer. AppArmor >= v4.0.0 is currently part of Ubuntu Mantic (23.10) and later.

The issue is reproducible with both the nerdctl and ctr clients. In the case of ctr, the --apparmor-default-profile flag has to be specified; otherwise the container processes would inherit the runc profile, which behaves as unconfined, and so the subsequent runc process invoked to stop the container would be able to signal it.

Test commands:

```
root@cloudimg:~# nerdctl run -d --name foo nginx:latest
3d1e74bfe6e7b2912d9223050ae8a81a8f4b73de0846e6d9c956c1e411cdd95a
root@cloudimg:~# nerdctl stop foo
FATA[0000] 1 errors: unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied : unknown
```

or

```
root@cloudimg:~# ctr pull docker.io/library/nginx:latest
...
root@cloudimg:~# ctr run -d --apparmor-default-profile ctr-default docker.io/library/nginx:latest foo
root@cloudimg:~# ctr task kill foo
ctr: unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied : unknown
```

Relevant syslog messages (with long lines wrapped):

```
Apr 23 22:03:12 cloudimg kernel: audit: type=1400 audit(1713909792.064:262):
  apparmor="DENIED" operation="signal" class="signal" profile="nerdctl-default"
  pid=13483 comm="runc" requested_mask="receive" denied_mask="receive"
  signal=quit peer="runc"
```

or

```
Apr 23 22:05:32 cloudimg kernel: audit: type=1400 audit(1713909932.106:263):
  apparmor="DENIED" operation="signal" class="signal" profile="ctr-default"
  pid=13574 comm="runc" requested_mask="receive" denied_mask="receive"
  signal=quit peer="runc"
```

This change extends the default profile with rules that allow receiving signals from processes that run confined with either the runc or crun profile (crun[2] is an alternative OCI runtime that's also confined in AppArmor >= v4.0.0, see [1]). It is backward compatible because the peer value is a regular expression (AARE), so the referenced profile doesn't have to exist for this profile to successfully compile and load.

[1] https://gitlab.com/apparmor/apparmor/-/commit/2594d936
[2] https://github.com/containers/crun

Signed-off-by: Tomáš Virtus <nechtom@gmail.com>
I can't reproduce this failure with ctr on a Mantic system. Is there something I need to do to enable the new AppArmor profile?
Did you run
Coming back from moby/moby#47749 (comment): It seems like this is either a bug in AppArmor or in the packaging that Ubuntu is doing for runc, rather than a containerd-specific bug. I don't object to taking this here, but it should also be fixed in either the upstream AppArmor repo or in Ubuntu's runc package.
/cherrypick release/1.7

@samuelkarp: once the present PR merges, I will cherry-pick it on top of release/1.7 in a new PR and assign it to you. In response to this:

> /cherrypick release/1.7

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/cherrypick release/1.6

@samuelkarp: once the present PR merges, I will cherry-pick it on top of release/1.6 in a new PR and assign it to you. In response to this:

> /cherrypick release/1.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Yes, I have no strong objections, if this is urgently needed, but ultimately this would only affect containerd packages as packaged by Ubuntu / Debian, so could be a patch on their side. I've written a longer comment on the Moby ticket; moby/moby#47749 (comment) (quote below)
I guess (if possible);
@samuelkarp: new pull request created: #10129 In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@samuelkarp: new pull request created: #10130 In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@AkihiroSuda @woky is this needed for containerd/1.7? If so, @woky could you cherry-pick and send a PR out?
Yes, the bot has already opened cherry-picks:
Sounds good, thanks! I think it's good with two sign-offs - could we merge them?
Having packaging ship and maintain profiles is nice, but it doesn't actually fix the issue here. Rules allowing communication with those applications would still be needed in the profile they ship. Note that having these run unconfined is no longer a viable option with the user namespace restrictions.
Yes, a more generic way is possible. They could each define the oci-runtime profile, but this would cause issues if they were both installed at the same time. There could also be a variable defined which could be updated locally; it can even support having multiple values, e.g. crun and runc. However, the best way for packaging to update it would be to set up the definition of oci_runtime to be extended by files in a subdir, and have the packaging drop a file with the extension into the policy. The generated profile would need to include the variable definition, and then the proposed rule could use that instead. Ubuntu, the upstream apparmor, or other packaging would need to carry the base variable definition.
Yes, removing unconfined would be good, or at least hiding it behind a variable when it is used, so that the semantics of who you want to allow are preserved. On systems with the user namespace restrictions, unconfined isn't even a viable peer any more. Support for unconfined in some form has to stay for now, for systems that are still using it as the peer. Short term, I am fine with the idea of Ubuntu distro-patching their fix in. I am more concerned right now with getting this right so that containerd et al. only have to be patched once and it works going forward.
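The variable-plus-drop-in scheme described above could look roughly like this as policy; all names here are illustrative assumptions sketching the proposal, not shipped AppArmor policy:

```
# Base definition carried by the distro/upstream policy (illustrative):
@{oci_runtimes} = runc

# A crun package could extend the variable via a drop-in file:
@{oci_runtimes} += crun

# The generated container profile would include the variable
# definition and then use a single rule covering all runtimes:
signal (receive) peer=@{oci_runtimes},
```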
…op, kill)")

This makes projects using AppArmor bits from golang-github-containers-common (notably podman) work with AppArmor v4.0.0. There is a similar issue with containerd clients and docker. The fix to containerd was merged upstream[1]. The fix to moby (docker) was submitted but seems to have stalled[2].

Upstream notes we should fix regressions we introduced in Ubuntu, or perhaps at least introduce a generic way to refer to OCI runtimes under a single peer name. I suspect we would get similar objections in containers/common. That's why I haven't yet submitted a patch to upstream. In the meantime, patch this library so that podman can work with the OCI runtimes we currently confine.

[1] containerd/containerd#10123
[2] moby/moby#47749

Bug: https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2040483