Podman: Interaction with AppArmor

Created on 3 Dec 2020 · 5 Comments · Source: containers/podman

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

I am unsure about where to file this. For context, I run a fully up-to-date Arch Linux. I installed and configured AppArmor as described in the Arch Wiki. I have not modified any AppArmor profile. This did not happen with Docker, which I last used a couple of months ago, nor when I tried podman right after. I can try with an older version if need be.

Steps to reproduce the issue:

  1. My Dockerfile:
FROM docker.io/alpine:3.12
RUN : \
    && apk --no-cache upgrade --available --latest \
    && apk --no-cache add supervisor php7-fpm
COPY ./supervisord.conf /etc/supervisord.conf

STOPSIGNAL SIGTERM
CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
  2. supervisord.conf:
[supervisord]
logfile=/dev/stdout
logfile_maxbytes=0
nodaemon=true
user=root

[program:php-fpm7]
command=/usr/sbin/php-fpm7 --nodaemonize --force-stderr
stopasgroup=true
redirect_stderr=true
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0

  3.

$ podman build --tag help .
[...]
STEP 6: COMMIT help
--> 82128e62a3e
82128e62a3ef5f49619ee6da1bf794aeef87743228a396b4bc6e7ff619b42d3a
$ podman run help
2020-12-03 12:53:40,997 INFO Set uid to user 0 succeeded
2020-12-03 12:53:40,997 INFO Set uid to user 0 succeeded
2020-12-03 12:53:41,001 INFO supervisord started with pid 1
2020-12-03 12:53:41,001 INFO supervisord started with pid 1
2020-12-03 12:53:42,002 INFO spawned: 'php-fpm7' with pid 3
2020-12-03 12:53:42,002 INFO spawned: 'php-fpm7' with pid 3
[03-Dec-2020 12:53:42] ERROR: failed to open error_log (/var/log/php7/error.log): Permission denied (13)
[03-Dec-2020 12:53:42] ERROR: failed to post process the configuration
[03-Dec-2020 12:53:42] ERROR: FPM initialization failed
2020-12-03 12:53:42,039 INFO exited: php-fpm7 (exit status 78; not expected)
2020-12-03 12:53:42,039 INFO exited: php-fpm7 (exit status 78; not expected)
$ podman run --privileged=true help
[same output as before]
$ podman run --security-opt=apparmor-unconfined help
[same output as before]
$ podman run --security-opt=label=disable help
[same output as before]

Describe the results you received:

In my audit.log:

type=AVC msg=audit(1607000022.032:427): apparmor="DENIED" operation="mknod" profile="php-fpm" name="/var/log/php7/error.log" pid=103775 comm="php-fpm7" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1607000023.068:428): apparmor="DENIED" operation="mknod" profile="php-fpm" name="/var/log/php7/error.log" pid=103795 comm="php-fpm7" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1607000224.138:429): apparmor="DENIED" operation="mknod" profile="php-fpm" name="/var/log/php7/error.log" pid=107000 comm="php-fpm7" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1607000225.168:430): apparmor="DENIED" operation="mknod" profile="php-fpm" name="/var/log/php7/error.log" pid=107012 comm="php-fpm7" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1607000256.602:431): apparmor="DENIED" operation="mknod" profile="php-fpm" name="/var/log/php7/error.log" pid=107363 comm="php-fpm7" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1607000257.635:432): apparmor="DENIED" operation="mknod" profile="php-fpm" name="/var/log/php7/error.log" pid=107376 comm="php-fpm7" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

Describe the results you expected:

PHP should be able to create its log file.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Version:      3.0.0-dev
API Version:  3.0.0
Go Version:   go1.15.5
Git Commit:   85b412ddcdacb635e13ec67ecd2df5990dbdca02
Built:        Thu Dec  3 12:28:55 2020
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.19.0-dev
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: Unknown
    path: /usr/bin/conmon
    version: 'conmon version 2.0.21, commit: 35a2fa83022e56e18af7e6a865ba5d7165fa2a4a'
  cpus: 12
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  hostname: niflheim
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 10000
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 10000
  kernel: 5.9.11-arch2-1
  linkmode: dynamic
  memFree: 24892596224
  memTotal: 33567653888
  ociRuntime:
    name: crun
    package: Unknown
    path: /usr/bin/crun
    version: |-
      crun version 0.16
      commit: eb0145e5ad4d8207e84a327248af76663d4e50dd
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: Unknown
    version: |-
      slirp4netns version 1.1.7
      commit: e62caa08b78f3e662422bd7bfbcd2df3d12dcab1
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.1
  swapFree: 0
  swapTotal: 0
  uptime: 2h 12m 47.71s (Approximately 0.08 days)
registries: {}
store:
  configFile: /home/rzl/.config/containers/storage.conf
  containerStore:
    number: 7
    paused: 0
    running: 0
    stopped: 7
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: Unknown
      Version: |-
        fusermount3 version: 3.10.0
        fuse-overlayfs: version 1.3
        FUSE library version 3.10.0
        using FUSE kernel interface version 7.31
  graphRoot: /home/rzl/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 18
  runRoot: /run/user/1000/containers
  volumePath: /home/rzl/.local/share/containers/storage/volumes
version:
  APIVersion: 3.0.0
  Built: 1606998535
  BuiltTime: Thu Dec  3 12:28:55 2020
  GitCommit: 85b412ddcdacb635e13ec67ecd2df5990dbdca02
  GoVersion: go1.15.5
  OsArch: linux/amd64
  Version: 3.0.0-dev

Package info (e.g. output of rpm -q podman or apt list podman):

podman 2.2.0+rc2+112+g85b412ddc-1

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

Yes

Labels: Buildah, kind/bug
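As an added triage example (not code from the issue or from the Podman project), the following Python parses AppArmor AVC audit records like the ones quoted in the report above and reports which profile enforced each denial, which is the first thing to check when a `--security-opt apparmor=...` change has no visible effect. The sample records are constructed from the quoted lines, and the heuristic that any profile not named `containers-default-*` (Podman's own generated profile) or `unconfined` was attached by the host rather than by Podman is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample input modelled on the AVC lines quoted in the issue, with a
# non-AVC record and an ALLOWED record mixed in so the filtering is exercised.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1607000022.032:427): apparmor="DENIED" operation="mknod" profile="php-fpm" name="/var/log/php7/error.log" pid=103775 comm="php-fpm7" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1607000022.032:427): arch=c000003e syscall=257 success=no exit=-13 comm="php-fpm7"
type=AVC msg=audit(1607000023.068:428): apparmor="DENIED" operation="mknod" profile="php-fpm" name="/var/log/php7/error.log" pid=103795 comm="php-fpm7" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1607000300.500:440): apparmor="ALLOWED" operation="open" profile="containers-default-0.29.0" name="/etc/hosts" pid=107400 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# key=value pairs; values are either "quoted" or a bare token.
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
_MSG = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")

# Assumption: the only profile Podman applies itself is its generated default one.
PODMAN_PROFILE_PREFIX = "containers-default-"


def parse_avc(line):
    """Parse one AppArmor AVC audit record into a dict; None for other record types."""
    if not line.startswith("type=AVC "):
        return None
    rec = {}
    for key, raw, quoted in _FIELD.findall(line):
        rec[key] = quoted if raw.startswith('"') else raw
    m = _MSG.search(line)
    if m:
        rec["timestamp"] = float(f"{m.group(1)}.{m.group(2)}")
        rec["serial"] = int(m.group(3))
    return rec


def summarize_denials(log_text):
    """Count DENIED records by (profile, comm, operation, path, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("apparmor") == "DENIED":
            counts[(rec["profile"], rec["comm"], rec["operation"], rec["name"], rec["denied_mask"])] += 1
    return counts


def host_profile_denials(log_text):
    """Denials enforced by a profile Podman did not set up (heuristic: not its
    containers-default-* profile), i.e. a host profile attached to the process."""
    return {k: n for k, n in summarize_denials(log_text).items()
            if not k[0].startswith(PODMAN_PROFILE_PREFIX) and k[0] != "unconfined"}


if __name__ == "__main__":
    for (profile, comm, op, path, mask), n in host_profile_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{n}x profile={profile!r} denied {op} ({mask}) on {path} for comm={comm!r}")
```

On the report's own log this prints a single line naming the host's `php-fpm` profile, which matches the observation that `apparmor=unconfined` changed nothing: the denying profile was never the one Podman manages.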

All 5 comments

So --privileged did not help? Can you try --security-opt apparmor=unconfined (note the = and not - between them).

@vrothberg @saschagrunert PTAL

Indeed, --privileged does not help. With the proper argument:

$ podman run --security-opt apparmor=unconfined help
2020-12-03 14:34:37,743 INFO Set uid to user 0 succeeded
2020-12-03 14:34:37,743 INFO Set uid to user 0 succeeded
2020-12-03 14:34:37,746 INFO supervisord started with pid 1
2020-12-03 14:34:37,746 INFO supervisord started with pid 1
2020-12-03 14:34:38,748 INFO spawned: 'nginx' with pid 3
2020-12-03 14:34:38,748 INFO spawned: 'nginx' with pid 3
2020-12-03 14:34:38,750 INFO spawned: 'php-fpm7' with pid 4
2020-12-03 14:34:38,750 INFO spawned: 'php-fpm7' with pid 4
[03-Dec-2020 14:34:38] ERROR: failed to open error_log (/var/log/php7/error.log): Permission denied (13)
[03-Dec-2020 14:34:38] ERROR: failed to post process the configuration
[03-Dec-2020 14:34:38] ERROR: FPM initialization failed
2020-12-03 14:34:38,787 INFO exited: php-fpm7 (exit status 78; not expected)
2020-12-03 14:34:38,787 INFO exited: php-fpm7 (exit status 78; not expected)

In another Arch installation, this time with cgroupsv1 because of Docker and the official podman package:

podman version:

Version:      2.2.0
API Version:  2.1.0
Go Version:   go1.15.5
Git Commit:   db1d2ff111ee9b012779ff3a5279a982520ccda4
Built:        Tue Dec  1 22:59:35 2020
OS/Arch:      linux/amd64

podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.18.0
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: Unknown
    path: /usr/bin/conmon
    version: 'conmon version 2.0.21, commit: 35a2fa83022e56e18af7e6a865ba5d7165fa2a4a'
  cpus: 8
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  hostname: batata
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 165536
      size: 4096
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 165536
      size: 4096
  kernel: 5.9.11-arch2-1
  linkmode: dynamic
  memFree: 10373345280
  memTotal: 16465002496
  ociRuntime:
    name: runc
    package: Unknown
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc92
      commit: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
      spec: 1.0.2-dev
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: Unknown
    version: |-
      slirp4netns version 1.1.7
      commit: e62caa08b78f3e662422bd7bfbcd2df3d12dcab1
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.1
  swapFree: 17179865088
  swapTotal: 17179865088
  uptime: 12m 22.89s
registries: {}
store:
  configFile: /home/rzl/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: Unknown
      Version: |-
        fusermount3 version: 3.10.0
        fuse-overlayfs: version 1.3
        FUSE library version 3.10.0
        using FUSE kernel interface version 7.31
  graphRoot: /home/rzl/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 5
  runRoot: /run/user/1000/containers
  volumePath: /home/rzl/.local/share/containers/storage/volumes
version:
  APIVersion: 2.1.0
  Built: 1606863575
  BuiltTime: Tue Dec  1 22:59:35 2020
  GitCommit: db1d2ff111ee9b012779ff3a5279a982520ccda4
  GoVersion: go1.15.5
  OsArch: linux/amd64
  Version: 2.2.0

This is what I am getting with docker-1:19.03.14-1 containerd-1.4.3-1:

$ docker build .
[...]
 ---> 5fad615350a3
Successfully built 5fad615350a3
$ docker run 5fad615350a3
2020-12-03 14:41:48,126 INFO Set uid to user 0 succeeded
2020-12-03 14:41:48,126 INFO Set uid to user 0 succeeded
2020-12-03 14:41:48,131 INFO supervisord started with pid 1
2020-12-03 14:41:48,131 INFO supervisord started with pid 1
2020-12-03 14:41:49,136 INFO spawned: 'php-fpm7' with pid 7
2020-12-03 14:41:49,136 INFO spawned: 'php-fpm7' with pid 7
2020-12-03 14:41:50,191 INFO success: php-fpm7 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2020-12-03 14:41:50,191 INFO success: php-fpm7 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

So disabling AppArmor (via unconfined) does not solve the issue? Makes me wonder if the AppArmor profile is really the root cause of the issue.

It works if I disable AppArmor globally via aa-teardown.
