[Rootless] nerdctl rm fails when AppArmor is loaded: error="unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied\n: unknown" #2730

Closed
AkihiroSuda opened this issue Jan 3, 2024 · 3 comments
Labels
area/rootless Rootless mode bug Something isn't working kind/external priority/high
Milestone

Comments

@AkihiroSuda
Member

AkihiroSuda commented Jan 3, 2024

$ sudo nerdctl apparmor load

$ nerdctl run -d --name foo alpine sleep infinity
1ad8da3c9cccbb93f4d9cab82a77bc3092ea039a3fe7b48fb7b0ce077179be61

$ nerdctl rm -f foo
WARN[0000] failed to send SIGKILL                        error="unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied\n: unknown
(hangs up)

nerdctl v1.7.2, containerd v1.7.11, runc v1.1.10, on Ubuntu 23.10 (kernel 6.5.0-14-generic).
The binaries are installed onto /usr/local (via Lima).

The issue doesn't seem to happen on Ubuntu 22.04 LTS.
Some apparmor stuff seems to have changed in 23.XX.

Workaround

sudo nerdctl apparmor unload

OR

nerdctl run --security-opt apparmor=unconfined ...
@AkihiroSuda AkihiroSuda added bug Something isn't working kind/external priority/high area/rootless Rootless mode labels Jan 3, 2024
@AkihiroSuda AkihiroSuda changed the title nerdctl rm fails when AppArmor is loaded: error="unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied\n: unknown" [Rootless] nerdctl rm fails when AppArmor is loaded: error="unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied\n: unknown" Jan 4, 2024
@AkihiroSuda
Member Author

The audit log:

Apr 23 11:51:02 suda-ws01 kernel: audit: type=1400 audit(1713840662.766:122): apparmor="DENIED" operation="signal" class="signal" profile="nerdctl-default" pid=366783 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/local/bin/rootlesskit"

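A small triage helper for the audit entry above, added here as an example (it is not nerdctl's code): it parses AppArmor type=1400 records into fields and surfaces DENIED signal operations, the pattern behind the failing `nerdctl rm -f`. The sample lines are constructed, modelled on the quoted entry.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample log: the DENIED signal line quoted in the issue, plus an
# unrelated AppArmor file record and a non-AppArmor line for contrast.
SAMPLE_LOG = """\
Apr 23 11:51:02 suda-ws01 kernel: audit: type=1400 audit(1713840662.766:122): apparmor="DENIED" operation="signal" class="signal" profile="nerdctl-default" pid=366783 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/local/bin/rootlesskit"
Apr 23 11:51:03 suda-ws01 kernel: audit: type=1400 audit(1713840663.001:123): apparmor="ALLOWED" operation="open" class="file" profile="nerdctl-default" name="/etc/hosts" pid=366790 comm="sleep" requested_mask="r" denied_mask="r"
Apr 23 11:51:04 suda-ws01 systemd[1]: Started session-5.scope.
"""

# key=value and key="quoted value" pairs as they appear in an AppArmor audit record.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

@dataclass
class SignalDenial:
    profile: str   # confined profile that refused the signal (here nerdctl-default)
    comm: str      # process that was supposed to receive it (here runc)
    signal: str    # signal name, e.g. kill
    peer: str      # sender the profile does not allow (here rootlesskit)
    pid: int

def parse_apparmor_record(line: str) -> dict | None:
    """Return the key/value fields of an AppArmor (type=1400) audit line, else None."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    return {k: (q or u) for k, q, u in _KV.findall(line)}

def find_signal_denials(log_text: str) -> list[SignalDenial]:
    """Collect DENIED signal operations, i.e. profile rules missing a signal (receive) peer."""
    hits: list[SignalDenial] = []
    for line in log_text.splitlines():
        rec = parse_apparmor_record(line)
        if not rec or rec.get("apparmor") != "DENIED" or rec.get("operation") != "signal":
            continue
        hits.append(SignalDenial(profile=rec["profile"], comm=rec["comm"],
                                 signal=rec.get("signal", "?"), peer=rec.get("peer", "?"),
                                 pid=int(rec["pid"])))
    return hits

if __name__ == "__main__":
    for d in find_signal_denials(SAMPLE_LOG):
        print(f"profile={d.profile} blocked {d.signal} from {d.peer} to {d.comm} (pid {d.pid})")
```

Feed it `journalctl -k` or `/var/log/audit/audit.log` output to confirm whether a hang like the one reported is an AppArmor signal denial rather than a runc or containerd fault.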
@AkihiroSuda
Member Author

The fix is applied to nerdctl v1.7.6, via:

@AkihiroSuda AkihiroSuda added this to the v1.7.6 milestone Apr 30, 2024