mirror of https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 23:50:03 -06:00
72adb3279a
The security option 'apparmor:unconfined' tells Docker not to apply AppArmor profiles to containers at all. This will not replace or remove any existing profile. For example, this happens on Ubuntu 20.04, which switched to chrony and brings its AppArmor profile. The container's chronyd gets blocked by AppArmor:

```
fv-az26-252 audit[11304]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=11304 comm="chronyd" capability=2 capname="dac_read_search"
fv-az26-252 audit[11304]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=11304 comm="chronyd" capability=1 capname="dac_override"
```

So, any of the AppArmor profiles can block a container's processes by matching the executable name. There are two ways:

1) prepare a custom AppArmor unconfined profile, load it on the host and reference it in the container's configuration. This requires knowledge of the profile syntax at least; not too difficult, but potentially hard to maintain.
2) disable the conflicting profile on the host; Azure will warn about AVC in either case.

The second one was chosen as the simpler.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Directory listing:

- ..
- azure
- man
- prci_definitions
- pytest_ipa
- test_cmdline
- test_install
- test_integration
- test_ipaclient
- test_ipalib
- test_ipaplatform
- test_ipapython
- test_ipaserver
- test_ipatests_plugins
- test_webui
- test_xmlrpc
- __init__.py
- conftest.py
- create_external_ca.py
- data.py
- i18n.py
- ipa-run-tests
- ipa-test-config
- ipa-test-task
- Makefile.am
- setup.cfg
- setup.py
- test_util.py
- util.py