The default AppArmor profile doesn't allow for processes within pods to be traced by other processes within the container. This means that diagnostic facilities in processes can't easily collect crash/hang dumps. A usual workflow used by solutions like crashpad and similar projects is that the process that's unresponsive will spawn a process to collect diagnostic data using ptrace. The current profile allows processes to call ptrace and to read files under /proc//*, but it doesn't allow processes within the container to be traced. It would be enough to add the `tracedby` and `readby` perms to the default profile generation here (containerd/contrib/apparmor/template.go, line 87 in b9db567):

```
ptrace (trace,read) peer={{.Name}},
```

I'd be happy to create the PR to do this, but it seemed better to discuss this on an issue before. Would this be something reasonable?
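A small probe for checking the behaviour described above from inside a container, added here as an example and not code from the issue or from containerd: it forks a child and attempts PTRACE_ATTACH on it, which is the attach a crash/hang collector needs; a denial with EPERM under the stock profile is the symptom, and the same probe can confirm the fix once the rule carries `tracedby`/`readby`. The function name `probe_ptrace_attach` is this example's own.

```c
/* Added example (not from containerd): can a sibling process in this
 * environment ptrace-attach to another process? */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if PTRACE_ATTACH to a forked child succeeded, 0 if the kernel
 * refused it (EPERM/EACCES, the usual LSM/seccomp/Yama denial), -1 on an
 * unrelated failure. *errno_out receives the errno seen on any failure. */
int probe_ptrace_attach(int *errno_out)
{
    int saved = 0, rc;
    pid_t child = fork();
    if (child < 0) {
        if (errno_out) *errno_out = errno;
        return -1;
    }
    if (child == 0) {
        for (;;) pause();           /* child: idle until killed */
    }
    if (ptrace(PTRACE_ATTACH, child, NULL, NULL) == 0) {
        int status;
        waitpid(child, &status, 0); /* consume the attach stop */
        ptrace(PTRACE_DETACH, child, NULL, NULL);
        rc = 1;
    } else {
        saved = errno;
        rc = (saved == EPERM || saved == EACCES) ? 0 : -1;
    }
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    if (errno_out) *errno_out = saved;
    return rc;
}

int main(void)
{
    int err = 0, r = probe_ptrace_attach(&err);
    if (r == 1)
        puts("ptrace attach to a sibling process: allowed");
    else if (r == 0)
        printf("ptrace attach denied: %s (check the profile's ptrace rule)\n",
               strerror(err));
    else
        printf("probe failed: %s\n", strerror(err));
    return r < 0;
}
```

Run it as the workload user inside the pod; a "denied" result under the default profile and "allowed" after adding `tracedby`/`readby` is the expected before/after.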