Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

disable cri-containerd.apparmor.d on ubuntu 24.04 #5354

Merged
merged 4 commits into from
Aug 23, 2024
Merged

disable cri-containerd.apparmor.d on ubuntu 24.04 #5354

merged 4 commits into from
Aug 23, 2024

Conversation

laverya
Copy link
Member

@laverya laverya commented Aug 22, 2024
edited
Loading

What this PR does / why we need it:

Before this, pod deletions failed with errors like:

  Warning  FailedKillPod  27s                kubelet            error killing pod: [failed to "KillContainer" for "nginx" with KillContainerError: "rpc error: code = Unknown desc = failed to stop container \"157877bc5dee679db8a98ccd4218fb578ae0e2ba4fc0375f32fd09d63731195c\": unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied\n: unknown", failed to "KillPodSandbox" for "db2b7b76-df63-433f-a2b4-ee9214edac21" with KillPodSandboxError: "rpc error: code = Unknown desc = failed to stop container \"157877bc5dee679db8a98ccd4218fb578ae0e2ba4fc0375f32fd09d63731195c\": failed to kill container \"157877bc5dee679db8a98ccd4218fb578ae0e2ba4fc0375f32fd09d63731195c\": unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied\n: unknown"]

This was accompanied by dmesg logs like

[ 1007.442002] audit: type=1400 audit(1724363147.546:131): apparmor="DENIED" operation="signal" class="signal" profile="cri-containerd.apparmor.d" pid=12114 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="runc"

Turning off cri-containerd.apparmor.d entirely is a very blunt solution to this problem.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Steps to reproduce

Does this PR introduce a user-facing change?

Does this PR require documentation?

@github-actions GitHub Actions
Copy link
Contributor

Testgrid Run(s) Executing @ https://testgrid.kurl.sh/run/pr-5354-7c51e6b-containerd-1.6.33-k8s-ctrd-2024-08-22T22:16:47Z

laverya
laverya commented Aug 23, 2024
View reviewed changes
addons/containerd/1.6.33/install.sh
Comment on lines +198 to +201
if is_ubuntu_2404 ; then
# we need to disable apparmor on ubuntu 24.04 to allow pods to be deleted
sed -i 's/disable_apparmor = false/disable_apparmor = true/' /etc/containerd/config.toml
fi
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do not LIKE this solution
I think there is probably a better solution
I will keep looking for a better solution
This allows installations to complete in my testing

@laverya laverya marked this pull request as ready for review August 23, 2024 01:10
@laverya laverya requested a review from a team as a code owner August 23, 2024 01:10
@laverya laverya enabled auto-merge (squash) August 23, 2024 01:10
@laverya laverya changed the title disable apparmor on ubuntu 24.04 disable cri-containerd.apparmor.d on ubuntu 24.04 Aug 23, 2024
@github-actions GitHub Actions
Copy link
Contributor

Testgrid Run(s) Executing @ https://testgrid.kurl.sh/run/pr-5354-6e9e8d5-containerd-1.6.33-k8s-ctrd-2024-08-23T01:15:16Z

@github-actions GitHub Actions
Copy link
Contributor

Testgrid Run(s) Executing @ https://testgrid.kurl.sh/run/pr-5354-e2cb549-containerd-1.6.33-k8s-ctrd-2024-08-23T01:31:43Z

@laverya laverya merged commit b775878 into main Aug 23, 2024
9 checks passed
@laverya laverya deleted the laverya/sc-105470/fix-ubuntu-2404-containerd-apparmor branch August 23, 2024 13:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sgalsaleh sgalsaleh sgalsaleh approved these changes

Assignees
No one assigned
Labels
type::chore
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@laverya @sgalsaleh