Bugzilla – Bug 1190271
cni-plugin-dnsname needs modifications to the dnsmasq AppArmor profile
Last modified: 2021-09-16 21:23:44 UTC
As specified here <https://github.com/containers/dnsname/blob/820a3ca575c6ee4f0168985d30b8904e4a23f79c/README_PODMAN.md>, the dnsname plugin for Podman requires granting dnsmasq some permissions to be able to assign and resolve network names to containers. Without this, a container added to a network which runs the dnsname plugin doesn't start and displays:

> Error loading cached network config: network "podman" not found in CNI cache

It then tries to read /run/containers/cni/dnsname/server/dnsmasq.conf and gets permission denied.
I love it if people document a workaround upstream instead of just asking for a profile update ;-)

Before I submit the patch from Podman upstream to AppArmor upstream, I have a few questions:

You mentioned /run/containers/cni/dnsname/server/, but the Podman documentation says /run/containers/cni/dnsname/*/. Did you only see these denials for "server", or also for other directory names (so that "*" makes sense)?

Did you also see denials for the "addnhosts" and "pidfile" files?
> You mentioned /run/containers/cni/dnsname/server/, but the Podman
> documentation says /run/containers/cni/dnsname/*/. Did you only see these
> denials for "server", or also for other directory names (so that "*" makes
> sense)?

Excuse me, "server" is the name of the network I created (likewise, the error thrown is actually "network 'server' not found in CNI cache"). No other errors reported for addnhosts and pidfile, although I did not try adding one line at a time to the profile and see if something changes each time.
Thanks for the additional reply - it confirms that the "*" as proposed in the upstream documentation makes sense.

I've submitted the additional rules to upstream AppArmor as https://gitlab.com/apparmor/apparmor/-/merge_requests/800

I also noticed that the podman documentation needs a security fix, see https://github.com/containers/dnsname/issues/82
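The maintainer's questions above (which directory names and which files were denied) are answered by reading the AppArmor DENIED entries from the audit log. The following shell script is an added example, not part of the bug report, the upstream Podman documentation or the AppArmor merge request: it filters the denials belonging to the dnsmasq profile, extracts the path and the denied access mask, and turns paths under the dnsname runtime directory into candidate profile rules with the per-network directory (the "server" network in this report) replaced by "*". The audit lines are constructed samples, and the mapping of a "wc" denial onto an "rw" rule is an assumption made here, not something the bug states.

```shell
#!/bin/sh
# Constructed sample of AppArmor denials in audit.log format (illustrative
# values; not copied from the bug report). The last line belongs to another
# profile and must be ignored.
SAMPLE_LOG='type=AVC msg=audit(1612345678.123:456): apparmor="DENIED" operation="open" profile="dnsmasq" name="/run/containers/cni/dnsname/server/dnsmasq.conf" pid=1234 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1612345678.124:457): apparmor="DENIED" operation="open" profile="dnsmasq" name="/run/containers/cni/dnsname/server/addnhosts" pid=1234 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1612345678.125:458): apparmor="DENIED" operation="open" profile="dnsmasq" name="/run/containers/cni/dnsname/server/pidfile" pid=1234 comm="dnsmasq" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1612345678.126:459): apparmor="DENIED" operation="open" profile="nginx" name="/etc/shadow" pid=999 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# dnsmasq_denials: read audit lines on stdin, print "<path> <denied_mask>" for
# every DENIED entry of the dnsmasq profile, one per line.
dnsmasq_denials() {
  grep 'apparmor="DENIED"' | grep 'profile="dnsmasq"' |
    sed -n 's/.*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2/p'
}

# suggested_rules: keep only denials directly under a per-network directory of
# /run/containers/cni/dnsname/, replace that directory with "*" (AppArmor's "*"
# matches a single path component, i.e. exactly one network name), and emit a
# file rule. A denied write/create mask becomes "rw" (assumption made here);
# anything else becomes "r". Duplicates across networks collapse via sort -u.
suggested_rules() {
  dnsmasq_denials |
    awk '$1 ~ "^/run/containers/cni/dnsname/[^/]+/[^/]+$" {
           sub("/run/containers/cni/dnsname/[^/]+/", "/run/containers/cni/dnsname/*/", $1)
           mask = $2
           if (mask ~ /[wc]/) mask = "rw"; else mask = "r"
           print "  " $1 " " mask ","
         }' | sort -u
}

# Run against the constructed sample; on a real host feed it the audit log
# (e.g. journalctl or /var/log/audit/audit.log) instead.
printf '%s\n' "$SAMPLE_LOG" | suggested_rules
```

The output for the sample is one rule each for dnsmasq.conf, addnhosts and pidfile under /run/containers/cni/dnsname/*/, which is the set the maintainer asked about. Review the generated lines before adding them to the local override for the dnsmasq profile and reloading it with apparmor_parser -r: the script only translates what was denied, so a denial caused by something other than the plugin would produce a rule that should not be granted.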