Podman: Error: invalid config provided: AppArmorProfile and privileged are mutually exclusive options

Created on 10 Jul 2020 · 21Comments · Source: containers/podman

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

sudo podman run --privileged hello-world leads to

Error: invalid config provided: AppArmorProfile and privileged are mutually exclusive options

when using Ubuntu 20.04.

I was informed by a colleague of mine about this problem, when he tried to use an image of us, and could not get it to work.

Using Arch Linux, I could not reproduce the problem.

Steps to reproduce the issue:

To reproduce it, I installed Ubuntu 20.04 in a VirtualBox VM where the error appears, too.

Download the latest Ubuntu 20.04 image from https://releases.ubuntu.com/20.04/ and install Ubuntu 20.04 in a VirtualBox VM
Update the system and install curl: sudo apt-get update && sudo apt-get dist-upgrade && sudo apt-get install curl
Install Podman

source /etc/os-release
sudo sh -c "echo 'deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list"
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/Release.key | sudo apt-key add -
sudo apt-get update
sudo apt-get install podman

Run the command sudo podman run --privileged hello-world and get the error.

I want to explicitly state at this point, that I did nothing else, besides updating the system, installing curl and installing Podman.

Describe the results you received:

I could not run the hello-world image when using sudo and --privileged.

Describe the results you expected:

I want to be able to run the hello-world image, even when using sudo and --privileged.

Output of podman version:

Version:      2.0.2
API Version:  1
Go Version:   go1.14.2
Built:        Thu Jan  1 01:00:00 1970
OS/Arch:      linux/amd64

Output of sudo podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.15.0
  cgroupVersion: v1
  conmon:
    package: 'conmon: /usr/libexec/podman/conmon'
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.0.18, commit: '
  cpus: 1
  distribution:
    distribution: ubuntu
    version: "20.04"
  eventLogger: file
  hostname: jonny-ubuntu-vm
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.4.0-40-generic
  linkmode: dynamic
  memFree: 2601410560
  memTotal: 4127621120
  ociRuntime:
    name: runc
    package: 'runc: /usr/sbin/runc'
    path: /usr/sbin/runc
    version: 'runc version spec: 1.0.1-dev'
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  rootless: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 1426522112
  swapTotal: 1469710336
  uptime: 1h 25m 6.08s (Approximately 0.04 days)
registries:
  search:
  - docker.io
  - quay.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 1
  runRoot: /var/run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 1
  Built: 0
  BuiltTime: Thu Jan  1 01:00:00 1970
  GitCommit: ""
  GoVersion: go1.14.2
  OsArch: linux/amd64
  Version: 2.0.2

Package info (e.g. output of rpm -q podman or apt list podman):

Listing... Done
podman/unknown,now 2.0.2~1 amd64 [installed]
podman/unknown 2.0.2~1 arm64
podman/unknown 2.0.2~1 armhf
podman/unknown 2.0.2~1 s390x

Additional environment details (AWS, VirtualBox, physical, etc.):

Has already been described.

kinbug

Source

polygamma

👍1

Most helpful comment

I used OBS to build podman v1.9.3 packages. Feel free to use it until a proper solution arrives.

euh2 on 19 Jul 2020

👍3

All 21 comments

This is reproduced on ubuntu by ceph users.

#

Hi,

Using the repo suggested for Ubuntu 18 (
https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_18.04/
) podman 2.0.2~1 is installed. However, when attempting to use cephadm to
bootstrap a cluster, we see an error when attempting to start the mon
container:

"Error: invalid config provided: AppArmorProfile and privileged are
mutually exclusive options"

From the bit of reading we've done, this looks to be an issue with Podman
v2 compatibility, and it appears to break with Ceph 15.2.4.

Has anybody else run into this/been able to workaround it? We'll have to
downgrade podman, but unfortunately, that repo does not keep previous
versions.

alitvak69 on 11 Jul 2020

Correct, that was my post, and it does occur on Ubuntu 18.

ormandj on 11 Jul 2020

Is the expectation that the apparmor profile will be applied and used, or discarded? With SELinux + --privileged we will honor the --security-opt request for a specific label, so I lean towards doing that, but Podman 1.9 compatibility is more important.

mheon on 11 Jul 2020

@mheon I am not sure if any policy specific to podman is configured in many cases.
Containers.conf has default entry commented out:

# Used to change the name of the default AppArmor profile of container engine.
#
# apparmor_profile = "container-default"

And 1.9.3 and below just run --privileged without any --security-opt. Podman 2.0.2 exibits the same error with --security-opt

# podman run --privileged --security-opt=apparmor=unconfined hello-world
Error: invalid config provided: AppArmorProfile and privileged are mutually exclusive options

alitvak69 on 11 Jul 2020

--privileged should not enable apparmor. containers.conf is showing you the defaults. It is built into the code. If you want to change the default you can uncomment and change that line, otherwise it will apply apparmor policy on systems that support apparmor.

If a user says --privileged --security-opt apparmor=/etc/myapparmor
Then the my apparmor policy should be applied and everything else be privileged. We just fixed this issue with SELinux as @mheon pointed out.

rhatdan on 11 Jul 2020

Based on

A privileged container turns off the security features that isolate the container from the host. Dropped Capabilities, limited devices, read-only mount points, Apparmor/SELinux separation, and Seccomp filters are all disabled.

Source: http://docs.podman.io/en/latest/markdown/podman-run.1.html

would I assume, that AppArmor profiles would be discarded. Sounds like you want to change that now, so that you can use AppArmor and privileged together?

Should one really do that, change the meaning of privileged so drastically? Sounds more like one wanted to introduce a new option for that e. g. privileged-drop that allows dropping of security features to be deactivated.

And for my understanding: As it seems to be implemented now, the default AppArmor profile is container-default when not having touched any config like containers.conf and thus conflicts with privileged and does not allow starting of a container.

What exactly should I do now, to get privileged as it is being described in the Podman documentation, meaning that ALL security features get deactivated, including AppArmor, so that I can start a container like a few weeks ago with just sudo podman run --privileged hello-world?

polygamma on 11 Jul 2020

What we're talking about here is a case where both flags are specified.

If I call podman run -t -i --privileged --security-opt apparmor=$PATH ... we've been given two flags that are in conflict in what they request (remove all security for the container, but also use the specified apparmor profile). With SELinux (and I believe seccomp) we will honor the privileged flag by removing all security from the container, but then re-add the specific security feature that the user requested.

mheon on 11 Jul 2020

@mheon But the problem is, the error appears even without --security-opt specified. It affects deployment of ceph containers that uses privileged option for example. So something changed in podman 2 vs 1.93

alitvak69 on 11 Jul 2020

I experience the same behavior on Ubuntu 20.04:

podman run --rm -it --privileged --security-opt apparmor=unconfined  debian /bin/bash
Error: invalid config provided: AppArmorProfile and privileged are mutually exclusive options

The podman man page tells me:

apparmor=unconfined : Turn off apparmor confinement for the container

Which was the behavior before on Ubuntu 18.04.

TomHutter on 11 Jul 2020

I could successfully run this

podman run --privileged --security-opt label=disable hello-world

alitvak69 on 12 Jul 2020

👍1

Yes, this works for me also. Thanks @alitvak69 . Seems I got the documentation wrong. Nevertheless podman behaves different in Ubuntu 20.04, or at least 18.04 accepted --security-opt apparmor=unconfined.

TomHutter on 12 Jul 2020

It is actually confusing, disabling label in config file (label = false) systemwide has no effect. Still I would like to preserve compatibility if possible, and clarify documentation.

alitvak69 on 12 Jul 2020

I agree with preserving compatibility, this is a 'breaking' change in behavior. The default behavior shouldn't change drastically enough to break existing software without release notes/documentation updates and time to remediate if necessary.

ormandj on 14 Jul 2020

👍1

Yes no one is arguing this is not a bug. It is definitely a big bug.

rhatdan on 15 Jul 2020

I also believe the fix has been merged several days ago.

alitvak69 on 15 Jul 2020

If people with knowledge of AppArmor could take the PR for a spin, It would be appreciated. I think this is correct, but I am too lazy to setup a AppArmor machine to test it out. :^(

rhatdan on 16 Jul 2020

relates to https://tracker.ceph.com/issues/46429

sebastian-philipp on 17 Jul 2020

This comment is slightly unrelated to a topic but perhaps it makes sense to have a separate repo on OBS, call it old for example. This repo would contain latest 1.x podman packages. This way people will continue reporting issues with 2.x but can revert their production to 1.x. This is not ideal but may be a work around for now.

alitvak69 on 17 Jul 2020

I used OBS to build podman v1.9.3 packages. Feel free to use it until a proper solution arrives.

euh2 on 19 Jul 2020

👍3

Should be fixed in master now, will be in 2.0.3

mheon on 22 Jul 2020

👍1

For anyone who is constrained in getting the updated version, instead of --privileged, I was able to work around this with the hack: