[Bug 1225608] New: [Build 20240528] podman fails stopping containers
https://bugzilla.suse.com/show_bug.cgi?id=1225608

            Bug ID: 1225608
           Summary: [Build 20240528] podman fails stopping containers
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
               URL: https://openqa.opensuse.org/tests/4231922/modules/image_podman/steps/135
                OS: Other
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: AppArmor
          Assignee: suse-beta@cboltz.de
          Reporter: dimstar@opensuse.org
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: openQA
           Blocker: Yes

## Observation

WARN[0010] StopSignal SIGTERM failed to stop container refreshed in 10 seconds, resorting to SIGKILL
Error: cannot remove container 0ad926609982c5d30942986803f1c16b5f9efdbd362c13d9a68d4bb62b5d3783 as it could not be stopped: given PID did not die within timeout

openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-containers_image@64bit fails in
[image_podman](https://openqa.opensuse.org/tests/4231922/modules/image_podman/steps/135)

## Test suite description

Maintainer: dheidler. Extra tests about CLI software in container module

2023-08-10/dimstar: added QEMURAM=2048 (boo#1212824)

## Reproducible

Fails since (at least) Build [20240527](https://openqa.opensuse.org/tests/4226902)

## Expected result

Last good: [20240524](https://openqa.opensuse.org/tests/4221615) (or more recent)

## Further details

Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensuse&flavor=DVD&machine=64bit&test=containers_image&version=Tumbleweed)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1225608#c1

--- Comment #1 from Dominique Leuenberger <dimstar@opensuse.org> ---
Known references:
https://github.com/moby/moby/issues/47749
https://github.com/containers/common/issues/1898
https://bugzilla.suse.com/show_bug.cgi?id=1225608

Felix Niederwanger <felix.niederwanger@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |felix.niederwanger@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1225608#c2

--- Comment #2 from Felix Niederwanger <felix.niederwanger@suse.com> ---
It looks to me like we're missing the AppArmor profile for crun
(https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor.d/crun).
On the test system I couldn't find any AppArmor rules for crun. Perhaps we're
just missing those rules in the crun package? At least on Ubuntu 24.04 there is
a crun profile present:

root@ubuntu24-04:/etc/apparmor.d# grep -ir 'crun' .
./crun:profile crun /usr/bin/crun flags=(unconfined) {
./crun:  include if exists <local/crun>

The same profile is not present on Tumbleweed.
https://bugzilla.suse.com/show_bug.cgi?id=1225608

Guillaume GARDET <guillaume.gardet@arm.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |guillaume.gardet@arm.com
https://bugzilla.suse.com/show_bug.cgi?id=1225608#c3

--- Comment #3 from Guillaume GARDET <guillaume.gardet@arm.com> ---
Created attachment 875216
  --> https://bugzilla.suse.com/attachment.cgi?id=875216&action=edit
audit.log

From audit.log:

type=AVC msg=audit(1717061145.115:909): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.58.3" pid=5576 comm="3" requested_mask="receive" denied_mask="receive" signal=term peer="podman"
type=AVC msg=audit(1717061155.172:910): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.58.3" pid=5579 comm="3" requested_mask="receive" denied_mask="receive" signal=kill peer="podman"
https://bugzilla.suse.com/show_bug.cgi?id=1225608#c4

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |IN_PROGRESS

--- Comment #4 from Christian Boltz <suse-beta@cboltz.de> ---
(In reply to Felix Niederwanger from comment #2)
> It looks to me like we're missing the AppArmor profile for crun

Right, that's intentional - for now. The additional profiles require changes
in containers-related profiles which didn't reach Tumbleweed yet.

Basically the difference is that in the past we needed peer=unconfined
(because crun didn't have a profile), and when crun has a profile, we need
peer=crun.

Since the "unconfined" profiles are not too useful on openSUSE (yet?) besides
adding a profile name, the decision was to exclude profiles that cause trouble
with peer profiles (crun, runc, and with SR 1177757 also podman) from the
package for now.
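The two AVC records in comment #3 and the peer=unconfined versus peer=crun explanation in comment #4 are the whole story of this bug, so here is an added example (not code from the openSUSE apparmor package, containers/common or podman) that turns such audit.log denials into the AppArmor `signal` rule the logging profile lacks. The two DENIED lines are the ones posted in comment #3; the third log line is constructed to show that unrelated records are skipped. The rule text follows the AppArmor syntax `signal (receive) set=(...) peer=<label>,`; the peer label is echoed exactly as audit reported it, so a child-profile label such as `foo//bar` would be copied through unchanged. In practice `aa-logprof` from apparmor-utils does this job; the script only shows the mapping.

```python
"""Derive the AppArmor `signal` rule a confined profile is missing from the
AVC denials in audit.log.

Added example for this bug thread; it is not part of the openSUSE apparmor
package, containers/common or podman.
"""
import re
from collections import defaultdict

# key=value pairs of an audit record; values are either "quoted" or bare
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<epoch seconds>:<serial>)
_AUDIT_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")

# Lines 1-2 are verbatim from the audit.log attachment in comment #3.
# Line 3 is constructed here (an ALLOWED file open) to exercise the filter.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1717061145.115:909): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.58.3" pid=5576 comm="3" requested_mask="receive" denied_mask="receive" signal=term peer="podman"
type=AVC msg=audit(1717061155.172:910): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.58.3" pid=5579 comm="3" requested_mask="receive" denied_mask="receive" signal=kill peer="podman"
type=AVC msg=audit(1717061160.000:911): apparmor="ALLOWED" operation="open" class="file" profile="containers-default-0.58.3" name="/etc/hosts" pid=5580 comm="3" requested_mask="r" denied_mask="r"
"""


def parse_avc(line):
    """Return the fields of a type=AVC record as a dict, or None otherwise."""
    if not line.startswith("type=AVC"):
        return None
    rec = {key: value.strip('"') for key, value in _FIELD_RE.findall(line)}
    m = _AUDIT_RE.search(line)
    if m:
        rec["timestamp"] = float(m.group(1))
        rec["serial"] = int(m.group(2))
    return rec


def signal_denials(log_text):
    """Keep only AppArmor denials of signal delivery (operation="signal")."""
    denials = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if rec.get("apparmor") != "DENIED" or rec.get("operation") != "signal":
            continue
        denials.append(rec)
    return denials


def suggest_signal_rules(denials):
    """Render one `signal` rule per (profile, direction, peer).

    The rule belongs in the profile named in the record: a denied_mask of
    "receive" means that profile (the container profile here) refused a
    signal coming from `peer`. If the peer is itself confined, its own
    profile additionally needs a matching `signal (send)` rule, which a
    receive-side denial does not reveal.
    """
    groups = defaultdict(set)
    for rec in denials:
        groups[(rec["profile"], rec["denied_mask"], rec["peer"])].add(rec["signal"])
    rules = {}
    for (profile, direction, peer), signals in sorted(groups.items()):
        # sorted() keeps the set=() list deterministic across runs
        rule = f"signal ({direction}) set=({', '.join(sorted(signals))}) peer={peer},"
        rules.setdefault(profile, []).append(rule)
    return rules


if __name__ == "__main__":
    for profile, rules in suggest_signal_rules(signal_denials(SAMPLE_AUDIT_LOG)).items():
        print(f"# rules missing from profile {profile}:")
        for rule in rules:
            print("  " + rule)
```

For the two records above the script yields `signal (receive) set=(kill, term) peer=podman,` for profile `containers-default-0.58.3`, which is the receive-side counterpart of the peer=unconfined to peer=crun/peer=podman change comment #4 describes: once the sender runs under its own profile, a rule that only admits `peer=unconfined` no longer matches it, and the container's PID survives both SIGTERM and SIGKILL.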
https://bugzilla.suse.com/show_bug.cgi?id=1225608#c5

--- Comment #5 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1225608) was mentioned in
https://build.opensuse.org/request/show/1177757 Factory / apparmor
https://bugzilla.suse.com/show_bug.cgi?id=1225608#c6

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |suse-beta@cboltz.de
           Assignee|suse-beta@cboltz.de         |dcermak@suse.com

--- Comment #6 from Christian Boltz <suse-beta@cboltz.de> ---
The workaround SR was accepted.

Dan, do you have an idea when the updated profile from
https://github.com/containers/common/pull/2004 will reach Tumbleweed so that I
can re-enable the podman, runc and crun profiles?

(That's not urgent, I just want to know when I can re-enable these profiles.)