I’ve found an incompatibility with running my Docker container with Snapcraft on top of a Snapd-enabled host (e.g. Ubuntu) if AppArmor is enabled. The rules for `/usr/lib/snapd/snap-confine.real` prevent the Docker-contained `snap-confine.real` from executing snaps, like `snapcraft`. A workaround that isn’t very nice because it breaks snap execution on the host until reverted is to disable the `/etc/apparmor.d/usr.lib.snapd.snap-confine.real` profile on the host temporarily.
@jdstrand, @tianon, Is there anything that can be changed in Snapd to support this, or anything that can be fixed Docker-side?
I guess I can’t say I’m surprised that this is happening, it is the sort of issue that we have with snaps and docker containers.
I have not used this at all myself, but AppArmor supports namespaces for its policies, so perhaps you can have your docker container transition to a different, new namespace so that any apparmor confinement happens using that new namespace instead of the host’s. I believe LXD does this, and there is some rough outline of how to do this explained here: https://gitlab.com/apparmor/apparmor/-/wikis/how-to-setup-a-policy-namespace-for-containers#no-host-policy-on-container-1
1 Like
Thanks, that’s really helpful information. I’ll have a dig to see what I can come up with. hugs @ijohnson!
So AppArmor can work with containers but it will depend on how the container is setup. AppArmor supports both policy namespaces and policy stacking to make working with containers possible, but each has its limitations.
The above reference https://gitlab.com/apparmor/apparmor/-/wikis/how-to-setup-a-policy-namespace-for-containers#no-host-policy-on-container-1 unfortunately is not very good; it’s more a skeleton for documentation to be written than actual documentation. Part of this is because the LSM stacking kernel patches are still a wip and changes are still happening. With that said, I don’t believe your question needs LSM stacking but can probably be addressed with policy namespaces https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorNamespaces and maybe policy stacking https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking
1 Like
Yeehaa! This is the magic incantation:

```shell
sudo mkdir /sys/kernel/security/apparmor/policy/namespaces/docker-snapcraft
docker run --rm --tty --privileged --security-opt "apparmor=:docker-snapcraft:unconfined" -v $PWD:/data -w /data diddledan/snapcraft:core18
sudo rmdir /sys/kernel/security/apparmor/policy/namespaces/docker-snapcraft
```
3 Likes
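The three commands above only work as a unit: if the `docker run` fails, the namespace directory is left behind under `/sys/kernel/security/apparmor/policy/namespaces/`, and if the host has AppArmor disabled the `mkdir` fails before anything else happens. The wrapper below is an added example written for this thread, not code from the post or from the snapcraft-container project. It wraps the same three steps in one function with cleanup on exit, rejects namespace names that would be mis-parsed by the `:ns:profile` syntax, and checks `/sys/module/apparmor/parameters/enabled` first. The `--privileged` flag, the image name and the `/data` mount are taken from the post; the function and variable names (`run_in_apparmor_ns`, `APPARMOR_NS_ROOT`, and so on) are my own.

```shell
#!/bin/sh
# Added example (not from the thread): run a container inside a fresh AppArmor
# policy namespace so the host's snap-confine.real profile does not apply to it,
# while the host's own policy stays loaded and enforcing.
set -eu

# Where AppArmor exposes policy namespaces (path as used in the post)
APPARMOR_NS_ROOT=/sys/kernel/security/apparmor/policy/namespaces

# AppArmor separates namespace and profile with ':' and the namespace name
# becomes a directory under securityfs, so reject names those would break.
valid_ns_name() {
    [ -n "$1" ] || return 1
    case "$1" in
        *[:/]*|.|..) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the --security-opt value from the post: the leading ':' selects a
# policy namespace, 'unconfined' is the profile to use inside it.
apparmor_security_opt() {
    printf 'apparmor=:%s:unconfined' "$1"
}

# True when the host kernel has AppArmor enabled (the failure mode the thread
# is about only exists in that case).
apparmor_enabled() {
    [ -r /sys/module/apparmor/parameters/enabled ] &&
    [ "$(cat /sys/module/apparmor/parameters/enabled)" = Y ]
}

# Usage: run_in_apparmor_ns <namespace> [docker run args...] <image> [cmd...]
run_in_apparmor_ns() {
    ns="$1"; shift
    valid_ns_name "$ns" || { echo "invalid namespace name: $ns" >&2; return 2; }
    apparmor_enabled || { echo "AppArmor is not enabled on this host" >&2; return 3; }
    sudo mkdir "$APPARMOR_NS_ROOT/$ns"
    # Remove the namespace whether the container succeeds or not.
    trap 'sudo rmdir "$APPARMOR_NS_ROOT/$ns"' EXIT INT TERM
    docker run --rm --tty --privileged \
        --security-opt "$(apparmor_security_opt "$ns")" \
        "$@"
}

# Stand-alone use (needs docker and sudo), mirroring the post's command line:
#   ./run-in-ns.sh docker-snapcraft -v "$PWD:/data" -w /data diddledan/snapcraft:core18
[ $# -eq 0 ] || run_in_apparmor_ns "$@"
```

The namespace is created per run and removed on exit via `trap`, so a failed build does not leave a stale namespace directory behind; the name check matters because a stray `:` in the namespace name would change which namespace and profile Docker asks for.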
I’ve updated snapcraft-multiarch-action and snapcraft-container to match this new discovery.