Bugzilla – Bug 1225608
[Build 20240528] podman fails stopping containers
Last modified: 2024-05-31 12:42:46 UTC
## Observation

```
WARN[0010] StopSignal SIGTERM failed to stop container refreshed in 10 seconds, resorting to SIGKILL
Error: cannot remove container 0ad926609982c5d30942986803f1c16b5f9efdbd362c13d9a68d4bb62b5d3783 as it could not be stopped: given PID did not die within timeout
```

openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-containers_image@64bit fails in [image_podman](https://openqa.opensuse.org/tests/4231922/modules/image_podman/steps/135)

## Test suite description

Maintainer: dheidler. Extra tests about CLI software in container module
2023-08-10/dimstar: added QEMURAM=2048 (boo#1212824)

## Reproducible

Fails since (at least) Build [20240527](https://openqa.opensuse.org/tests/4226902)

## Expected result

Last good: [20240524](https://openqa.opensuse.org/tests/4221615) (or more recent)

## Further details

Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensuse&flavor=DVD&machine=64bit&test=containers_image&version=Tumbleweed)
Known references: https://github.com/moby/moby/issues/47749 https://github.com/containers/common/issues/1898
It looks to me like we're missing the AppArmor profile for crun (https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor.d/crun). On the test system I couldn't find any AppArmor rules for crun. Perhaps we're just missing those rules in the crun package? At least on Ubuntu 24.04 there is a crun profile present:

> root@ubuntu24-04:/etc/apparmor.d# grep -ir 'crun' .
> ./crun:profile crun /usr/bin/crun flags=(unconfined) {
> ./crun:  include if exists <local/crun>

The same profile is not present on Tumbleweed.
Created attachment 875216: audit.log

From audit.log:

```
type=AVC msg=audit(1717061145.115:909): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.58.3" pid=5576 comm="3" requested_mask="receive" denied_mask="receive" signal=term peer="podman"
type=AVC msg=audit(1717061155.172:910): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.58.3" pid=5579 comm="3" requested_mask="receive" denied_mask="receive" signal=kill peer="podman"
```
(In reply to Felix Niederwanger from comment #2)
> It looks to me like we're missing the Apparmor profile for crun

Right, that's intentional - for now. The additional profiles require changes in containers-related profiles which didn't reach Tumbleweed yet. Basically the difference is that in the past we needed peer=unconfined (because crun didn't have a profile), and when crun has a profile, we need peer=crun. Since the "unconfined" profiles are not too useful on openSUSE (yet?) besides adding a profile name, the decision was to exclude profiles that cause trouble with peer profiles (crun, runc, and with SR 1177757 also podman) from the package for now.
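The following is an added example, not part of this bug report or of the apparmor/containers packages. It reads audit records in the format attached above (the two DENIED lines are reproduced as constructed sample input, plus one unrelated ALLOWED record), lists every denied signal delivery with the profile and the confined peer that sent it, and derives the `signal (receive) peer=...` rule shape that comment #3 describes as the needed change.

```sh
#!/bin/sh
# Added example: summarise AppArmor signal denials from an audit.log so the
# missing peer= entry in the container profile is easy to see.
# AUDIT_SAMPLE is constructed input; the first two records are the ones
# attached to this bug, the third is an unrelated non-signal record.
AUDIT_SAMPLE='type=AVC msg=audit(1717061145.115:909): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.58.3" pid=5576 comm="3" requested_mask="receive" denied_mask="receive" signal=term peer="podman"
type=AVC msg=audit(1717061155.172:910): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.58.3" pid=5579 comm="3" requested_mask="receive" denied_mask="receive" signal=kill peer="podman"
type=AVC msg=audit(1717061160.000:911): apparmor="ALLOWED" operation="open" class="file" profile="containers-default-0.58.3" name="/etc/hosts" pid=5580 comm="cat"'

# Print one "profile peer signal" line per denied signal delivery.
# Reads audit records on stdin; records that are not DENIED signal
# operations are skipped.
signal_denials() {
    awk '
        /apparmor="DENIED"/ && /operation="signal"/ {
            profile = ""; peer = ""; sig = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                val = kv[2]; gsub(/"/, "", val)
                if (kv[1] == "profile") profile = val
                else if (kv[1] == "peer") peer = val
                else if (kv[1] == "signal") sig = val
            }
            print profile, peer, sig
        }'
}

# Derive, per denied peer, the rule shape that would permit the delivery:
# a confined sender needs peer=<its profile name>, not peer=unconfined.
suggest_rules() {
    signal_denials | awk '{ peers[$2] = 1 }
        END { for (p in peers) printf "signal (receive) peer=%s,\n", p }'
}

printf '%s\n' "$AUDIT_SAMPLE" | signal_denials
printf '%s\n' "$AUDIT_SAMPLE" | suggest_rules
```

On a real system feed it the audit log instead of the sample, e.g. `signal_denials < /var/log/audit/audit.log`.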
This is an autogenerated message for OBS integration: This bug (1225608) was mentioned in https://build.opensuse.org/request/show/1177757 Factory / apparmor
The workaround SR was accepted. Dan, do you have an idea when the updated profile from https://github.com/containers/common/pull/2004 will reach Tumbleweed so that I can re-enable the podman, runc and crun profiles? (That's not urgent, I just want to know when I can re-enable these profiles.)
(In reply to Christian Boltz from comment #6)
> The workaround SR was accepted.
>
> Dan, do you have an idea when the updated profile from
> https://github.com/containers/common/pull/2004 will reach Tumbleweed so that
> I can re-enable the podman, runc and crun profiles?

The PR is part of podman 5.1.0: https://build.opensuse.org/request/show/1177691

buildah is another consumer, where it has been fixed in version 1.36 (already in Factory). I think a few other projects bundle c/common as well (e.g. skopeo), but they _shouldn't_ be actually running containers. So I hope it is fine to re-enable the profiles.