Bug 1225608

Summary: [Build 20240528] podman fails stopping containers
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Dominique Leuenberger <dimstar>
Component: AppArmor
Assignee: Dan Čermák <dcermak>
Status: IN_PROGRESS
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P5 - None
CC: felix.niederwanger, guillaume.gardet, suse-beta
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://openqa.opensuse.org/tests/4231922/modules/image_podman/steps/135
Whiteboard:
Found By: openQA
Services Priority:
Business Priority:
Blocker: Yes
Marketing QA Status: ---
IT Deployment: ---
Attachments: audit.log

Description Dominique Leuenberger 2024-05-29 12:58:22 UTC
## Observation

WARN[0010] StopSignal SIGTERM failed to stop container refreshed in 10 seconds, resorting to SIGKILL
Error: cannot remove container 0ad926609982c5d30942986803f1c16b5f9efdbd362c13d9a68d4bb62b5d3783 as it could not be stopped: given PID did not die within timeout

openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-containers_image@64bit fails in
[image_podman](https://openqa.opensuse.org/tests/4231922/modules/image_podman/steps/135)

## Test suite description
Maintainer: dheidler. Extra tests about CLI software in container module
2023-08-10/dimstar: added QEMURAM=2048 (boo#1212824)


## Reproducible

Fails since (at least) Build [20240527](https://openqa.opensuse.org/tests/4226902)


## Expected result

Last good: [20240524](https://openqa.opensuse.org/tests/4221615) (or more recent)


## Further details

Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensuse&flavor=DVD&machine=64bit&test=containers_image&version=Tumbleweed)
Comment 1 Dominique Leuenberger 2024-05-29 12:58:58 UTC
Known references:

https://github.com/moby/moby/issues/47749
https://github.com/containers/common/issues/1898
Comment 2 Felix Niederwanger 2024-05-30 07:57:20 UTC
It looks to me like we're missing the AppArmor profile for crun (https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor.d/crun). On the test system I couldn't find any AppArmor rules for crun.

Perhaps we're just missing those rules in the crun package?

At least on Ubuntu 24.04 there is a crun profile present:

> root@ubuntu24-04:/etc/apparmor.d# grep -ir 'crun' .
> ./crun:profile crun /usr/bin/crun flags=(unconfined) {
> ./crun:  include if exists <local/crun>

The same profile is not present on Tumbleweed.
Comment 3 Guillaume GARDET 2024-05-30 10:15:25 UTC
Created attachment 875216 [details]
audit.log

From audit.log.

type=AVC msg=audit(1717061145.115:909): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.58.3" pid=5576 comm="3" requested_mask="receive" denied_mask="receive" signal=term peer="podman"
type=AVC msg=audit(1717061155.172:910): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.58.3" pid=5579 comm="3" requested_mask="receive" denied_mask="receive" signal=kill peer="podman"
Comment 4 Christian Boltz 2024-05-30 13:08:37 UTC
(In reply to Felix Niederwanger from comment #2)
> It looks to me like we're missing the Apparmor profile for crun

Right, that's intentional - for now.

The additional profiles require changes in container-related profiles which haven't reached Tumbleweed yet. Basically the difference is that in the past we needed peer=unconfined (because crun didn't have a profile), and when crun has a profile, we need peer=crun.

Since the "unconfined" profiles are not too useful on openSUSE (yet?) besides adding a profile name, the decision was to exclude profiles that cause trouble with peer profiles (crun, runc, and with SR 1177757 also podman) from the package for now.
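As an added example, not code from this bug, from openQA, or from the AppArmor/containers projects: a small Python helper that parses AVC records like the two quoted in comment 3, keeps only denied signal operations, and prints the AppArmor `signal` rule that would cover them, using whatever peer label the log actually reports. The sample log text is constructed from the two lines in comment 3 plus one unrelated ALLOWED record so the filter has something to skip; the function names are my own. It also illustrates the point in comment 4: the peer label in the rule has to match the confinement of the sending process, so a rule written as peer=unconfined stops matching the moment that process gets its own profile.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC lines from this bug's audit.log plus
# one unrelated, non-signal event, so the filter has something to skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1717061145.115:909): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.58.3" pid=5576 comm="3" requested_mask="receive" denied_mask="receive" signal=term peer="podman"
type=AVC msg=audit(1717061155.172:910): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.58.3" pid=5579 comm="3" requested_mask="receive" denied_mask="receive" signal=kill peer="podman"
type=AVC msg=audit(1717061160.001:911): apparmor="ALLOWED" operation="open" class="file" profile="containers-default-0.58.3" name="/etc/hosts" pid=5580 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; a value is either double-quoted or a bare token.
AVC_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Turn one audit line into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in AVC_KV.findall(line)}


def signal_denials(log_text):
    """Return (profile, peer, mask, signal) for each denied signal operation.

    Only AVC records with apparmor="DENIED" and class="signal" qualify;
    file, network and other denial classes are ignored here.
    """
    found = []
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue
        f = parse_avc(line)
        if f.get("apparmor") != "DENIED" or f.get("class") != "signal":
            continue
        found.append((f["profile"], f["peer"], f["denied_mask"], f["signal"]))
    return found


def suggest_signal_rules(denials):
    """Collapse denials into one AppArmor signal rule per (profile, peer, mask).

    The peer label is taken straight from the log: here it is "podman" because
    the sending process runs under a profile of that name. Where the sender is
    unconfined the same denial logs peer="unconfined", and a rule written
    against that label stops matching once the sender gets a profile.
    """
    sigs = defaultdict(set)
    for profile, peer, mask, signal in denials:
        sigs[(profile, peer, mask)].add(signal)
    rules = defaultdict(list)
    for (profile, peer, mask), names in sorted(sigs.items()):
        rules[profile].append(
            f"signal ({mask}) set=({', '.join(sorted(names))}) peer={peer},"
        )
    return dict(rules)


if __name__ == "__main__":
    suggested = suggest_signal_rules(signal_denials(SAMPLE_AUDIT_LOG))
    for profile, rule_lines in suggested.items():
        print(f"# signal rules missing from profile {profile}")
        for rule in rule_lines:
            print("  " + rule)
```

Run against a real audit.log (`sudo cat /var/log/audit/audit.log | python3 this_script.py` with `SAMPLE_AUDIT_LOG` swapped for `sys.stdin.read()`), it gives a quick read on which profile is blocking which peer before anyone edits a profile by hand; the suggested rule is a starting point for review, not something to paste in unread, since a `signal` rule grants exactly the access that was being denied.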
Comment 5 OBSbugzilla Bot 2024-05-30 13:35:03 UTC
This is an autogenerated message for OBS integration:
This bug (1225608) was mentioned in
https://build.opensuse.org/request/show/1177757 Factory / apparmor
Comment 6 Christian Boltz 2024-05-31 12:02:01 UTC
The workaround SR was accepted.

Dan, do you have an idea when the updated profile from https://github.com/containers/common/pull/2004 will reach Tumbleweed so that I can re-enable the podman, runc and crun profiles?

(That's not urgent, I just want to know when I can re-enable these profiles.)
Comment 7 Dan Čermák 2024-05-31 12:42:46 UTC
(In reply to Christian Boltz from comment #6)
> The workaround SR was accepted.
> 
> Dan, do you have an idea when the updated profile from
> https://github.com/containers/common/pull/2004 will reach Tumbleweed so that
> I can re-enable the podman, runc and crun profiles?

The PR is part of podman 5.1.0: https://build.opensuse.org/request/show/1177691

buildah is another consumer, where it has been fixed in version 1.36 (already in Factory).

I think a few other projects bundle c/common as well (e.g. skopeo), but they _shouldn't_ be actually running containers. So I hope it is fine to re-enable the profiles.