[Touch-packages] [Bug 2039294] Re: apparmor docker
As a temporary workaround, put the file I have attached to /etc/apparmor.d/docker-default and load it with "apparmor_parser -Kr /etc/apparmor.d/docker-default". This will make dockerd skip loading its builtin profile and use this one instead.

The only difference between the builtin one and this one is the following rule:

  # runc may send signals to container processes
  signal (receive) peer=runc,

I've opened PRs upstream:

- https://github.com/containerd/containerd/pull/10123
- https://github.com/moby/moby/pull/47749

I think I'll need to work a little bit more on them to add rules only for profiles that exist. (It works even if they don't exist though.)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2039294

Title:
  apparmor docker

Status in docker:
  New
Status in apparmor package in Ubuntu:
  Incomplete

Bug description:
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description:    Ubuntu 23.10
  Release:        23.10
  Codename:       mantic

  Docker version 24.0.5, build 24.0.5-0ubuntu1

  Graceful shutdown doesn't work anymore because SIGTERM and SIGKILL (maybe all signals?) don't reach the target process. Works when apparmor is uninstalled.

  [17990.085295] audit: type=1400 audit(1697213244.019:981): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172626 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/runc"
  [17992.112517] audit: type=1400 audit(1697213246.043:982): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172633 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/sbin/runc"

To manage notifications about this bug go to:
https://bugs.launchpad.net/docker/+bug/2039294/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2039294] Re: apparmor docker
Forgot to attach the profile. Attached here.

** Attachment added: "docker-default"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2039294/+attachment/5769855/+files/docker-default
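The two audit lines quoted in the bug report carry everything needed to derive the missing rule: the confined profile (docker-default), the direction (denied_mask=receive), the signals (term, kill) and the peer label the kernel saw. The following is an added example, not the attached profile or code from docker, containerd or AppArmor: it parses AppArmor type=1400 audit lines as dmesg prints them and collapses the signal denials into the narrowest rule that would have allowed them. The sample lines are the two from the report plus one constructed file denial, included to show that non-signal events are left alone. Note that the generated rule uses the peer label exactly as logged (/usr/sbin/runc), whereas the workaround profile in this thread uses peer=runc and no signal set, which allows every signal from that label; which label actually matches depends on how runc is confined on the host, so compare against the profile names in aa-status before loading anything with apparmor_parser -r.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the two kernel audit lines quoted in the bug report, plus one
# made-up file denial to show that only signal-class events become signal rules.
SAMPLE_AUDIT_LINES = [
    '[17990.085295] audit: type=1400 audit(1697213244.019:981): apparmor="DENIED" '
    'operation="signal" class="signal" profile="docker-default" pid=172626 comm="runc" '
    'requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/runc"',
    '[17992.112517] audit: type=1400 audit(1697213246.043:982): apparmor="DENIED" '
    'operation="signal" class="signal" profile="docker-default" pid=172633 comm="runc" '
    'requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/sbin/runc"',
    '[18000.000000] audit: type=1400 audit(1697213250.000:983): apparmor="DENIED" '
    'operation="open" class="file" profile="docker-default" name="/proc/sys/kernel/core_pattern" '
    'pid=172640 comm="sh" requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one AppArmor type=1400 audit line into its key=value fields, unquoting values."""
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def signal_denials(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only DENIED events of class=signal; the constructed file denial is dropped here."""
    out: List[Dict[str, str]] = []
    for line in lines:
        fields = parse_audit_line(line)
        if fields.get("apparmor") == "DENIED" and fields.get("class") == "signal":
            out.append(fields)
    return out


def suggest_signal_rules(lines: List[str]) -> Dict[str, List[str]]:
    """Collapse the denials into one AppArmor signal rule per (profile, direction, peer).

    Direction comes from denied_mask (receive/send) and the peer label is taken
    verbatim from the log, so the rule stays as narrow as the observed denials:
    only the signals actually seen, only from the label that sent them.
    """
    wanted: Dict[Tuple[str, str, str], Set[str]] = {}
    for fields in signal_denials(lines):
        key = (fields["profile"], fields["denied_mask"], fields["peer"])
        wanted.setdefault(key, set()).add(fields["signal"])
    rules: Dict[str, List[str]] = {}
    for (profile, direction, peer), sigs in sorted(wanted.items()):
        rules.setdefault(profile, []).append(
            f"signal ({direction}) set=({' '.join(sorted(sigs))}) peer={peer},"
        )
    return rules


if __name__ == "__main__":
    for profile, rules in suggest_signal_rules(SAMPLE_AUDIT_LINES).items():
        print(f"# rules to add to profile {profile}")
        for rule in rules:
            print(f"  {rule}")
```

Feeding the script real output from "dmesg" or "journalctl -k" is the usual loop: add the suggested rule to the profile, reload it with apparmor_parser -r, stop a container, and confirm that no new class="signal" denials appear for docker-default.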
[Touch-packages] [Bug 1977710] Re: /etc/adduser.conf.dpkg-save created by postinst since 3.121ubuntu1
You are right, this happens even when debootstrapping Debian. Reported against adduser in Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012492

** Bug watch added: Debian Bug tracker #1012492
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012492

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to adduser in Ubuntu.
https://bugs.launchpad.net/bugs/1977710

Title:
  /etc/adduser.conf.dpkg-save created by postinst since 3.121ubuntu1

Status in adduser package in Ubuntu:
  Incomplete

Bug description:
  Since version 3.121ubuntu1 adduser's postinst script creates the /etc/adduser.conf.dpkg-save file on debootstrap's root filesystem, that is, even when /etc/adduser.conf doesn't exist prior to package installation.

  Because of the change below the postinst script changes the packaged /etc/adduser.conf and creates /etc/adduser.conf.dpkg-save as a backup:

    - Enable private home directories by default (LP: #48734)
      + Set DIR_MODE=0750 in the default adduser.conf
      + Change the description and default value to select private home directories by default in the debconf template
      + Change the DIR_MODE when private home directories are configured via debconf from 0751 to 0750 to ensure files are truly private

  The .dpkg-save file shouldn't be present on a debootstrapped system.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/1977710/+subscriptions
[Touch-packages] [Bug 1977710] [NEW] /etc/adduser.conf.dpkg-save created by postinst since 3.121ubuntu1
Public bug reported:

Since version 3.121ubuntu1 adduser's postinst script creates the /etc/adduser.conf.dpkg-save file on debootstrap's root filesystem, that is, even when /etc/adduser.conf doesn't exist prior to package installation.

Because of the change below the postinst script changes the packaged /etc/adduser.conf and creates /etc/adduser.conf.dpkg-save as a backup:

  - Enable private home directories by default (LP: #48734)
    + Set DIR_MODE=0750 in the default adduser.conf
    + Change the description and default value to select private home directories by default in the debconf template
    + Change the DIR_MODE when private home directories are configured via debconf from 0751 to 0750 to ensure files are truly private

The .dpkg-save file shouldn't be present on a debootstrapped system.

** Affects: adduser (Ubuntu)
     Importance: Undecided
         Status: New
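The report turns on two things a practitioner would want to check on a freshly debootstrapped root: what the postinst actually changed between the .dpkg-save backup and the active /etc/adduser.conf, and why the DIR_MODE change matters (0751 still grants "other" the execute bit, so any local user can open a world-readable file inside a home by exact path; 0750 removes that). The block below is an added example and not adduser's own code. The two configuration texts are constructed; the backup's DIR_MODE=0755 is an assumption standing in for the pre-3.121ubuntu1 default, since the report itself only states the new value 0750 and the debconf change from 0751.

```python
import stat
from typing import Dict, Optional, Tuple

# Constructed sample: the two adduser.conf variants such a postinst leaves behind.
# The backup's DIR_MODE=0755 is an assumption (the older default); the bug text
# itself only states the new value 0750 and the debconf change 0751 -> 0750.
SAVED_CONF = """# /etc/adduser.conf.dpkg-save (constructed)
DSHELL=/bin/bash
DHOME=/home
DIR_MODE=0755
"""

ACTIVE_CONF = """# /etc/adduser.conf (constructed)
DSHELL=/bin/bash
DHOME=/home
DIR_MODE=0750
"""


def parse_conf(text: str) -> Dict[str, str]:
    """KEY -> value for the uncommented KEY=value lines of an adduser.conf-style file."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip('"')
    return settings


def conf_diff(saved: str, active: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Settings whose value differs between the .dpkg-save backup and the active file."""
    old, new = parse_conf(saved), parse_conf(active)
    return {
        key: (old.get(key), new.get(key))
        for key in sorted(set(old) | set(new))
        if old.get(key) != new.get(key)
    }


def other_access(dir_mode: str) -> Dict[str, bool]:
    """What the 'other' class gets from a DIR_MODE such as 0751: traverse (x) alone is
    enough to open a world-readable file inside the home by exact path, without read (r)."""
    mode = int(dir_mode, 8)
    return {
        "read": bool(mode & stat.S_IROTH),
        "write": bool(mode & stat.S_IWOTH),
        "traverse": bool(mode & stat.S_IXOTH),
    }


def home_is_private(dir_mode: str) -> bool:
    """True only when 'other' has no bits at all, which is what 0750 gives and 0751 does not."""
    return not any(other_access(dir_mode).values())


if __name__ == "__main__":
    for key, (old, new) in conf_diff(SAVED_CONF, ACTIVE_CONF).items():
        print(f"{key}: {old} -> {new}")
    for mode in ("0755", "0751", "0750"):
        verdict = "private" if home_is_private(mode) else f"other gets {other_access(mode)}"
        print(mode, verdict)
```

On a real system the same functions can be pointed at /etc/adduser.conf and /etc/adduser.conf.dpkg-save read from disk; if the only difference is DIR_MODE, the backup carries no local customisation and can be removed, which is what the report expects a fresh debootstrap to look like in the first place.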