fix apparmor default profile for version 2.8.* #20270
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit moby@6480feb added a ptrace rule to the default apparmor profile However, ptrace is not supported until version 2.9 See release notes: http://wiki.apparmor.net/index.php/ReleaseNotes_2_9_0 and the specific commit: http://bazaar.launchpad.net/~apparmor-dev/apparmor/2.9/revision/2480 The confusion came because Ubuntu has version 2.8.95 of apparmor in Ubuntu 14.04 LTS (The Trusty Tahr) version 2.8.95 is a beta version for 2.9, that is why it has support for the ptrace rule, but this is not the general case for 2.8.*. I've checked the version of apparmor in Ubuntu: https://launchpad.net/ubuntu/+source/apparmor and there is no other 2.8.* version other than 2.8.95 Thanks to Christian Boltz for his help Signed-off-by: Jordi Massaguer Pla <[email protected]> Fixes moby#20269
Contributor
|
The windows testing servers appear to be broken, and attempting to rebuild doesn't help. @jhowardmsft, do you know what's going on? |
Member
|
Will look in a bit when in the office |
thaJeztah
added
area/security/apparmor
status/2-code-review
and removed
status/0-triage
labels
| {{if ge .MajorVersion 2}}{{if ge .MinorVersion 8}} | ||
| {{if ge .MajorVersion 2}}{{if ge .MinorVersion 8}}{{if ge .PatchLevel 95}} | ||
| # apparmor-2.8.95 is Ubuntu 14.04 LTS (Trusty Tahr) | ||
| # apparmor-2.8.95 is apparmor-2.9 beta, which supports ptrace rule |
Contributor
There was a problem hiding this comment.
indentation looks super weird
Contributor
|
thanks for digging into this, wish the package managers would just ship the same version numbers |
Contributor
|
you need to rebase on master, your pkg is out of date and adding code to the wrong place, then you can even update the unit test as well |
Member
|
@mikedougherty - I think I know why this is failing. Will ping you offline. |
|
Job: Docker-PRs-WoW-TP4 FAILED: ---
12T21:41:35Z" level=error msg="hcsshim::DestroyLayer - Win32 API call returned error r1=0x80070020 err=The process cannot access the file because it is being used by another process.id=CI flavour=0"
ERROR: hcsshim::DestroyLayer - Win32 API call returned error r1=0x80070020 err=The process cannot access the file because it is being used by another process.id=CI flavour=0
INFO: End of cleanup
INFO: Ended at Fri Feb 12 21:41:35 CUT 2016 (0m 1s)
Build step 'Execute shell' marked build as failure
[PostBuildScript] - Execution post build scripts.
[docker] $ sh -xe C:\Users\jenkins\AppData\Local\Temp\hudson2513021672682763461.sh
+ set +e
+ set +x
INFO: Nuking /d/CI
time="2016-02-12T21:41:41Z" level=error msg="hcsshim::DestroyLayer - Win32 API call returned error r1=0x80070020 err=The process cannot access the file because it is being used by another process.id=CI flavour=0"
ERROR: hcsshim::DestroyLayer - Win32 API call returned error r1=0x80070020 err=The process cannot access the file because it is being used by another process.id=CI
---
|
Member
|
Scrub above comment. The reason this is failing is you're trying to merge into 1.10.1, not master. WindowsTP4 context needs 1.11 to run successfully as dockerfile.Windows (and other PRs) are not present in 1.10 |
Contributor
|
you need to open this PR against master, closing |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit
6480feb
added a ptrace rule to the default apparmor profile
However, ptrace is not supported until version 2.9
See release notes:
http://wiki.apparmor.net/index.php/ReleaseNotes_2_9_0
and the specific commit:
http://bazaar.launchpad.net/~apparmor-dev/apparmor/2.9/revision/2480
The confusion came because Ubuntu has version 2.8.95 of apparmor in
Ubuntu 14.04 LTS (The Trusty Tahr)
version 2.8.95 is a beta version for 2.9, that is why it has support for
the ptrace rule, but this is not the general case for 2.8.*.
I've checked the version of apparmor in Ubuntu:
https://launchpad.net/ubuntu/+source/apparmor
and there is no other 2.8.* version other than 2.8.95
Thanks to Christian Boltz for his help
Signed-off-by: Jordi Massaguer Pla [email protected]
Fixes #20269