Revert apparmor_parser regression
#8086
Merged
+12
−10
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This reverts commit 1acca8b. As stated in the Godoc, this function is intended to check for presence of `apparmor_parser`. Changing this regressed the public API of containerd, and directly contradicts the way that this function is consumed inside of containerd itself: * https://github.com/containerd/containerd/blob/fdfdc9bfc0f865a43c88171110615d1510fad3bc/pkg/apparmor/apparmor.go#L20 * https://github.com/containerd/containerd/blob/fdfdc9bfc0f865a43c88171110615d1510fad3bc/pkg/cri/sbserver/helpers_linux.go#L85 * https://github.com/containerd/containerd/blob/fdfdc9bfc0f865a43c88171110615d1510fad3bc/pkg/cri/server/helpers_linux.go#L144 This has lead to a number of painful regressions and attempted fixes in Moby: * moby/moby#44900 * moby/moby#44902 * moby/moby#44970 While reverting this late into the life of 1.6 and at the start of the life of 1.7 is likely painful, I think this is ultimately the best path to take, as containerd is subject to the same failure to start containers with an AppArmor kernel when `apparmor_parser` is missing as Moby. Signed-off-by: Bjorn Neergaard <[email protected]>
|
Hi @neersighted. Thanks for your PR. I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
neersighted
force-pushed
the
apparmor_parser_regression
branch
from
876cd2f to
c58b2ae
Compare
Signed-off-by: Bjorn Neergaard <[email protected]>
neersighted
force-pushed
the
apparmor_parser_regression
branch
from
c58b2ae to
d33a43c
Compare
cpuguy83
approved these changes
Feb 10, 2023
dmcgowan
approved these changes
Feb 10, 2023
samuelkarp
approved these changes
Feb 10, 2023
Member
|
/ok-to-test |
AkihiroSuda
approved these changes
Feb 10, 2023
fuweid
approved these changes
Feb 11, 2023
fuweid
added
cherry-picked/1.6.x
This was referenced Feb 11, 2023
16 tasks
lmbarros
added a commit
to balena-os/balena-engine
that referenced
this pull request
Aug 30, 2023
This commit updates balena-containerd to a new version in which we cherry-picked the change from here: containerd/containerd#8086 This change avoids enabling AppArmor if the `/sbin/apparmor_parser` binary is not found in the system. Signed-off-by: Leandro Motta Barros <[email protected]> Change-type: patch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
10 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This reverts commit 1acca8b.
As stated in the Godoc, this function is intended to check for presence of
apparmor_parser. Changing this regressed the public API of containerd, and directly contradicts the way that this function is consumed inside of containerd itself:containerd/pkg/apparmor/apparmor.go
Line 20 in fdfdc9b
containerd/pkg/cri/sbserver/helpers_linux.go
Line 85 in fdfdc9b
containerd/pkg/cri/server/helpers_linux.go
Line 144 in fdfdc9b
This has lead to a number of painful regressions and attempted fixes in Moby:
While reverting this late into the life of 1.6 and at the start of the life of 1.7 is likely painful, I think this is ultimately the best path to take, as containerd is subject to the same failure to start containers with an AppArmor kernel when
apparmor_parseris missing as Moby.