containerd / nerdctl

contaiNERD CTL - Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ...
Apache License 2.0

[Rootless] `nerdctl rm` fails when AppArmor is loaded: `error="unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied\n: unknown"` #2730

Closed AkihiroSuda closed 4 months ago

AkihiroSuda commented 8 months ago
$ sudo nerdctl apparmor load

$ nerdctl run -d --name foo alpine sleep infinity
1ad8da3c9cccbb93f4d9cab82a77bc3092ea039a3fe7b48fb7b0ce077179be61

$ nerdctl rm -f foo
WARN[0000] failed to send SIGKILL                        error="unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied\n: unknown
(hangs up)

nerdctl v1.7.2, containerd v1.7.11, runc v1.1.10, on Ubuntu 23.10 (kernel 6.5.0-14-generic). The binaries are installed onto /usr/local (via Lima).

The issue doesn't seem to happen on Ubuntu 22.04 LTS. Some apparmor stuff seems to have changed in 23.XX.

Workaround

sudo nerdctl apparmor unload

OR

nerdctl run --security-opt apparmor=unconfined ...
AkihiroSuda commented 4 months ago

The audit log:

Apr 23 11:51:02 suda-ws01 kernel: audit: type=1400 audit(1713840662.766:122): apparmor="DENIED" operation="signal" class="signal" profile="nerdctl-default" pid=366783 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/local/bin/rootlesskit"
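As an added example that is not part of this thread and not nerdctl's own code: the audit line above is the kind of record a practitioner wants to pick out of the kernel log while diagnosing this failure. The script below defines two POSIX sh helpers, `apparmor_signal_denials` (reads audit lines on stdin and emits one tab-separated record per `apparmor="DENIED"` signal operation: profile, peer label, signal, denied mask) and `suggest_rule` (turns one such record into the AppArmor `signal` rule that would permit exactly that peer/signal pair). The sample log is constructed here: its first line matches the denial quoted in the issue, its second is an unrelated allowed file access that must be ignored. The rule `suggest_rule` prints is an illustration of AppArmor rule syntax, not the fix that shipped in nerdctl, whose contents are not shown on this page.

```shell
#!/bin/sh
# Added example (not nerdctl's code): extract AppArmor signal denials from
# kernel audit lines and derive the rule that would allow the denied signal.

# Constructed sample: line 1 mirrors the denial quoted in the issue,
# line 2 is an allowed file access that the filter must skip.
SAMPLE_LOG='Apr 23 11:51:02 suda-ws01 kernel: audit: type=1400 audit(1713840662.766:122): apparmor="DENIED" operation="signal" class="signal" profile="nerdctl-default" pid=366783 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/local/bin/rootlesskit"
Apr 23 11:51:03 suda-ws01 kernel: audit: type=1400 audit(1713840663.001:123): apparmor="ALLOWED" operation="open" class="file" profile="nerdctl-default" name="/etc/hosts" pid=366790 comm="sleep" requested_mask="r" denied_mask="r"'

# field LINE KEY: print the value of KEY=... from one audit line.
# Values may be double-quoted (profile="x") or bare (signal=kill);
# the key must be preceded by a space so e.g. "denied_mask" does not
# match a query for "mask".
field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# apparmor_signal_denials: read audit lines on stdin, emit
# "profile<TAB>peer<TAB>signal<TAB>denied_mask" for each DENIED signal op.
apparmor_signal_denials() {
    while IFS= read -r line; do
        case "$line" in
            *'apparmor="DENIED"'*'operation="signal"'*) ;;
            *) continue ;;
        esac
        printf '%s\t%s\t%s\t%s\n' \
            "$(field "$line" profile)" \
            "$(field "$line" peer)" \
            "$(field "$line" signal)" \
            "$(field "$line" denied_mask)"
    done
}

# suggest_rule PEER SIGNAL MASK: the AppArmor signal rule that would permit
# exactly this denial, for pasting into the confined profile (here the
# profile named in the record, e.g. nerdctl-default). Illustrative only.
suggest_rule() {
    printf 'signal (%s) set=(%s) peer=%s,\n' "$3" "$2" "$1"
}

main() {
    tab="$(printf '\t')"
    printf '%s\n' "$SAMPLE_LOG" | apparmor_signal_denials |
    while IFS="$tab" read -r profile peer sig mask; do
        echo "profile $profile denied $mask of signal $sig from peer $peer"
        echo "candidate rule for $profile: $(suggest_rule "$peer" "$sig" "$mask")"
    done
}

main "$@"
```

On a live host, feed it `journalctl -k` or `/var/log/kern.log` instead of `$SAMPLE_LOG`, confirm with `sudo aa-status` that the named profile is actually loaded in enforce mode, and treat the printed rule as a starting point to review against the profile's existing `signal` lines rather than something to apply blindly.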
AkihiroSuda commented 4 months ago

Fix:

AkihiroSuda commented 4 months ago

The fix is applied to nerdctl v1.7.6, via: