daemon: switch to 'ensure' workflow for AppArmor profiles#29130
Merged
vieux merged 2 commits into moby:master on Dec 12, 2016
Conversation
Signed-off-by: Aleksa Sarai <[email protected]>
a1985a2 to 6eaf934
Author: Note that my test case for this was: Which I think is sufficient to check that the reloading works as expected.
tonistiigi reviewed Dec 6, 2016
daemon/oci_linux.go (outdated)
Do this later with if appArmorProfile == defaultApparmorProfile condition to load it also if c.AppArmorProfile equals docker-default.
6eaf934 to 9f22d1d
9f22d1d to 567ef8e
LGTM
Author: /ping @justincormack
justincormack approved these changes Dec 12, 2016
I guess there is a very short race still, but that seems to be the fault of other code removing our profile, and this is much better.
In certain cases (unattended upgrades), system services can disable
loaded AppArmor profiles. However, since /etc being read-only is a
supported setup we cannot just write a copy of the profile to
/etc/apparmor.d.
Instead, dynamically load the docker-default AppArmor profile if a
container is started with that profile set. This code will short-cut if
the profile is already loaded.
Fixes: #29097
Fixes: 2f7596a ("apparmor: do not save profile to /etc/apparmor.d")
Signed-off-by: Aleksa Sarai [email protected]
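To illustrate the "ensure" workflow the commit message describes, here is an added Go example that is not the PR's own code: it reads the kernel's listing of loaded AppArmor profiles and only invokes a loader when docker-default is absent, so a profile removed by another service gets reloaded at the next container start. The listing string and the loader stand-in are constructed for the example; a daemon would read /sys/kernel/security/apparmor/profiles and run apparmor_parser instead.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// The kernel lists loaded profiles here, one per line as "<name> (<mode>)".
const apparmorProfilesPath = "/sys/kernel/security/apparmor/profiles"

const defaultApparmorProfile = "docker-default"

// Constructed sample of that listing so the example runs offline.
const sampleListing = "/usr/sbin/cupsd (enforce)\ndocker-default (enforce)\n"

// profileLoaded reports whether `name` appears in a profile listing.
func profileLoaded(listing, name string) bool {
	sc := bufio.NewScanner(strings.NewReader(listing))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		// e.g. "docker-default (enforce)": fields[0] is the profile name.
		if len(fields) > 0 && fields[0] == name {
			return true
		}
	}
	return false
}

// ensureProfile is the "ensure" step: short-cut if the profile is already
// loaded, otherwise call load. It returns true only when load was invoked.
func ensureProfile(name string, readListing func() (string, error), load func() error) (bool, error) {
	listing, err := readListing()
	if err != nil {
		return false, fmt.Errorf("reading AppArmor profile listing: %w", err)
	}
	if profileLoaded(listing, name) {
		return false, nil // already loaded, nothing to do
	}
	if err := load(); err != nil {
		return false, fmt.Errorf("loading profile %q: %w", name, err)
	}
	return true, nil
}

func main() {
	readSample := func() (string, error) { return sampleListing, nil }
	// Hypothetical loader stand-in; a real daemon would run apparmor_parser here.
	load := func() error { fmt.Println("loading", defaultApparmorProfile); return nil }
	loaded, err := ensureProfile(defaultApparmorProfile, readSample, load)
	fmt.Println("load invoked:", loaded, "err:", err, "source:", apparmorProfilesPath)
}
```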