containerd / nerdctl

contaiNERD CTL - Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ...
Apache License 2.0

rootlesskit / apparmor output inconsistent w/wo root? #3403

Closed apostasie closed 3 months ago

apostasie commented 3 months ago

Description

sudo nerdctl run --rm --privileged alpine cat /proc/self/attr/apparmor/current
unconfined

nerdctl run --rm --privileged alpine cat /proc/self/attr/apparmor/current
/usr/local/bin/rootlesskit (unconfined)

Is this expected?

This is making tests fail locally on my rig - as TestRunApparmor does AssertOutExactly("unconfined\n") (and that test technically is not restricted to rootful)

Steps to reproduce the issue

No response

Describe the results you received and expected

na

What version of nerdctl are you using?

main

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

None

Host information

No response

AkihiroSuda commented 3 months ago

I guess this is expected, as Ubuntu 24.04 began to apply AppArmor to rootlesskit?

apostasie commented 3 months ago

I guess this is expected, as Ubuntu 24.04 began to apply AppArmor to rootlesskit?

Ok, I see.

3402 should fix the test to pass then.
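A small parser for the AppArmor label format seen in the two outputs above, as an added Go example that is not code from the nerdctl repository: it treats both the rootful "unconfined" and the rootless "<profile> (unconfined)" form as unconfined, which an exact string comparison like the one in the test misses. The "(enforce)" profile name used in the test is constructed.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// AppArmorLabel is the parsed content of /proc/self/attr/apparmor/current.
// The kernel writes either a bare "unconfined" or "<profile> (<mode>)",
// where mode is e.g. enforce, complain or unconfined.
type AppArmorLabel struct {
	Profile string
	Mode    string
}

// ParseAppArmorLabel splits a raw label such as
// "/usr/local/bin/rootlesskit (unconfined)" into profile and mode.
func ParseAppArmorLabel(raw string) AppArmorLabel {
	raw = strings.TrimSpace(raw)
	if i := strings.LastIndex(raw, " ("); i >= 0 && strings.HasSuffix(raw, ")") {
		return AppArmorLabel{Profile: raw[:i], Mode: strings.TrimSuffix(raw[i+2:], ")")}
	}
	if raw == "unconfined" {
		// Rootful output: no profile attached at all.
		return AppArmorLabel{Profile: raw, Mode: "unconfined"}
	}
	// Profile name without a mode suffix; mode unknown.
	return AppArmorLabel{Profile: raw, Mode: ""}
}

// IsUnconfined reports whether the label means "no AppArmor restrictions",
// which holds for both "unconfined" and "<profile> (unconfined)".
func IsUnconfined(raw string) bool {
	return ParseAppArmorLabel(raw).Mode == "unconfined"
}

func main() {
	b, err := os.ReadFile("/proc/self/attr/apparmor/current")
	if err != nil {
		fmt.Println("AppArmor attribute not readable:", err)
		return
	}
	l := ParseAppArmorLabel(string(b))
	fmt.Printf("profile=%q mode=%q unconfined=%v\n", l.Profile, l.Mode, IsUnconfined(string(b)))
}
```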

AkihiroSuda commented 3 months ago

But why don't we hit this issue on GHA?

apostasie commented 3 months ago

But why don't we hit this issue on GHA?

Because on github the test is skipped, as apparmorutil.CanApplySpecificExistingProfile returns false. On local (latest) lima, it returns true though.

apostasie commented 3 months ago

As to "why" does aa-exec...