apparmor policy disallows unix domain sockets on kernel 6.17 #12726

@achernya

Description


I'm running k3s (v1.32.5+k3s1) on Debian 13, with containerd 1.7.24~ds1-6+deb13u1. With the 6.17 kernel installed (6.17.4-1-pve, from Proxmox) I noticed that argocd-repo-server was unable to create unix domain sockets due to an apparmor policy denial:

apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="cri-containerd.apparmor.d" pid=138752 comm=2E4E455420545020576F726B6572 family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none

Turning off appArmorPolicy in Kubernetes made this error message go away, pointing to a defect in the containerd apparmor policy itself. I looked at https://github.com/containerd/containerd/blob/main/contrib/apparmor/template.go which hasn't changed in policy terms, and noticed that it allows network, which in theory should allow unix domain sockets. I hacked up the apparmor test suite, and found that in fact network, implied network unix, on vanilla Debian kernels (6.12.57+deb13-amd64).

Doing some additional research, I found https://gitlab.com/apparmor/apparmor/-/issues/561 upstream which clarified that the apparmor ABI has changed, and network no longer includes network unix, and the recommendation is to either pin to abi <abi/4.0>, in the policy or to update it to use the newer syntax.

In the meantime, I've corrected this at the system level by adding the following line to /etc/apparmor/parser.conf:

# Force pre-kernel 6.17 ABI
override-policy-abi=/etc/apparmor.d/abi/4.0

Steps to reproduce the issue

  1. Install Proxmox 9.1.2 (kernel: 6.17.4-1-pve)
  2. Install k3s per their instructions https://docs.k3s.io/quick-start
  3. Install argocd per their instructions https://argo-cd.readthedocs.io/en/stable/getting_started/

Describe the results you received and expected

Expected result: all argocd components are running and healthy
Actual result: argocd-repo-server is unable to start and errors out on a unix domain socket. apparmor denials present in dmesg.

What version of containerd are you using?

containerd github.com/containerd/containerd 1.7.24~ds1 1.7.24~ds1-6+deb13u1

Any other relevant information

# uname -a
Linux large-format 6.17.4-1-pve #1 SMP PREEMPT_DYNAMIC PMX 6.17.4-1 (2025-12-03T15:42Z) x86_64 GNU/Linux
# lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 13 (trixie)
Release:	13
Codename:	trixie
# pveversion 
pve-manager/9.1.2/9d436f37a0ac4172 (running kernel: 6.17.4-1-pve)
# dpkg -l apparmor
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-======================================
ii  apparmor       4.1.1-pmx1   amd64        user-space parser utility for AppArmor

Show configuration if it is related to CRI plugin.

No response
