Use containerd's apparmor package to detect if apparmor can be used #42276
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…f9c13994bf68 This patch picks the first commit in containerd that exports the AppArmor package functions to keep the vendor diff small (there are some updates to that package after this, but those will be included in other patches). full diff: containerd/containerd@fbf1a72...55eda46 Signed-off-by: Sebastiaan van Stijn <[email protected]>
The runc/libcontainer apparmor package on master no longer checks if apparmor_parser is enabled, or if we are running docker-in-docker. While those checks are not relevant to runc (as it doesn't load the profile), these checks _are_ relevant to us (and containerd). So switching to use the containerd apparmor package, which does include the needed checks. Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
force-pushed
the
apparmor_detect_fix
branch
from
261868f to
2834f84
Compare
Contributor
|
|
tiborvass
approved these changes
Apr 9, 2021
thaJeztah
added a commit
to thaJeztah/docker
that referenced
this pull request
Nov 9, 2021
Possibly more dependencies need to be updated, and instead of this we should cherry-pick. This is just a quick check "what would it look like if we bumped the version in this branch"; Updating to containerd 1.5 Last containerd update in 20.10 is moby@1f88736 (moby#41688) - moby@ab1dd80 moby#42274 - moby@5761fca moby#42274 - moby@42ef2c5 moby#42276 - moby@6202322 moby#42254 - moby@7c1c123 moby#42249 - moby@84df737 moby#42636 - moby@4fc2d4d moby#42656 - moby@3d58d13 moby#42697 - moby@582ef29 moby#42994 Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added a commit
to thaJeztah/docker
that referenced
this pull request
Nov 9, 2021
Possibly more dependencies need to be updated, and instead of this we should cherry-pick. This is just a quick check "what would it look like if we bumped the version in this branch"; Updating to containerd 1.5 Last containerd update in 20.10 is moby@1f88736 (moby#41688) - moby@ab1dd80 moby#42274 - moby@5761fca moby#42274 - moby@42ef2c5 moby#42276 - moby@6202322 moby#42254 - moby@7c1c123 moby#42249 - moby@84df737 moby#42636 - moby@4fc2d4d moby#42656 - moby@3d58d13 moby#42697 - moby@582ef29 moby#42994 Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added a commit
to thaJeztah/docker
that referenced
this pull request
Mar 18, 2022
Possibly more dependencies need to be updated, and instead of this we should cherry-pick. This is just a quick check "what would it look like if we bumped the version in this branch"; Updating to containerd 1.5 Last containerd update in 20.10 is moby@1f88736 (moby#41688) - moby@ab1dd80 moby#42274 - moby@5761fca moby#42274 - moby@42ef2c5 moby#42276 - moby@6202322 moby#42254 - moby@7c1c123 moby#42249 - moby@84df737 moby#42636 - moby@4fc2d4d moby#42656 - moby@3d58d13 moby#42697 - moby@582ef29 moby#42994 - moby@458b4aa moby#43025 Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added a commit
to thaJeztah/docker
that referenced
this pull request
Mar 18, 2022
Possibly more dependencies need to be updated, and instead of this we should cherry-pick. This is just a quick check "what would it look like if we bumped the version in this branch"; Updating to containerd 1.5 Last containerd update in 20.10 is moby@1f88736 (moby#41688) - moby@ab1dd80 moby#42274 - moby@5761fca moby#42274 - moby@42ef2c5 moby#42276 - moby@6202322 moby#42254 - moby@7c1c123 moby#42249 - moby@84df737 moby#42636 - moby@4fc2d4d moby#42656 - moby@3d58d13 moby#42697 - moby@582ef29 moby#42994 - moby@458b4aa moby#43025 Signed-off-by: Sebastiaan van Stijn <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
relates to #42181, which fixes a test that was revealed by libcontainer no longer performing the same check
Use containerd's apparmor package to detect if apparmor can be used
The runc/libcontainer apparmor package on master no longer checks if apparmor_parser
is enabled, or if we are running docker-in-docker.
While those checks are not relevant to runc (as it doesn't load the profile), these
checks are relevant to us (and containerd). So switching to use the containerd
apparmor package, which does include the needed checks.
vendor: github.com/containerd/containerd b9092fae15f1814a5402bea1ceb0fa21ce1c785c
This patch picks the first commit in containerd that exports the AppArmor package
functions to keep the vendor diff small (there are some updates to that package
after this, but those will be included in other patches).
full diff: containerd/containerd@fbf1a72...55eda46