[pkg-apparmor] Bug#1100135: Conflict between Podman Profile and Pasta profile breaks rootless network shutdown
Reinhard Tartler
siretart at tauware.de
Fri Mar 21 13:49:48 GMT 2025
Control: Tag -1 upstream
The full context of this conversation is archived at https://bugs.debian.org/1100135
Sam Hartman <hartmans at debian.org> writes:
> package: apparmor
> version: 4.1.0~beta5-3
> severity: important
> x-debbugs-cc: podman at packages.debian.org, pasta at packages.debian.org, golang-github-containers-common at packages.debian.org, tim.miller at hadronindustries.com
>
> Recently I started running into the following error shutting down
> containers with podman stop:
>
> * rootless netns: kill network process: permission denied
> This error is produced by
> golang-github-containers-common/libnetwork/internal/rootlessnetns/netns_linux.go
> in the cleanup function:
> if err := n.cleanupRootlessNetns(); err != nil {
>     multiErr = multierror.Append(multiErr, wrapError("kill network process", err))
> }
>
> And that function effectively just finds and kills the pasta or
> slirp4netns process:
> if err == nil {
>     // kill the slirp/pasta process so we do not leak it
>     err = unix.Kill(pid, unix.SIGTERM)
>     if err == unix.ESRCH {
>         err = nil
>     }
> }
>
Sam, I think your analysis makes sense. I see that you have now re-assigned this to
the golang-github-containers-common package, which does contain the code above.
May I ask you to file this bug at
https://github.com/containers/common/issues/new?template=BLANK_ISSUE and
tag me and dwalsh to it? I'd make sure that we make the right decision
here. As a heads-up, I've CC'ed Dan and Paul to this email.
Thanks!
-rt
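To make the failure mode discussed above concrete, here is a small stand-alone Go program, added as an illustration for this archive and not code from containers/common, podman or pasta. It reproduces the shape of the cleanup logic quoted in Sam's report using only the standard library: SIGTERM is sent to the helper's pid, ESRCH (the process is already gone) is swallowed, and every other errno is wrapped with the "kill network process" stage name. The EPERM branch is the one behind the "permission denied" message: kill(2) returns EPERM both for an ordinary credential mismatch and when an LSM such as AppArmor denies the signal. The helper names (killNetnsProcess, deniedBySignalPolicy, spawnSleeper) and the use of a `sleep` child as a stand-in for pasta/slirp4netns are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"syscall"
)

// wrapError prefixes an errno with the cleanup stage, giving the same
// message shape as the one quoted in the bug report. (Example helper.)
func wrapError(stage string, err error) error {
	return fmt.Errorf("rootless netns: %s: %w", stage, err)
}

// killNetnsProcess sends SIGTERM to the network helper's pid. ESRCH means
// the helper already exited and is treated as success; any other errno
// (EPERM when the signal is denied by credentials or an LSM policy) is
// surfaced to the caller. (Example helper, not the project's function.)
func killNetnsProcess(pid int) error {
	err := syscall.Kill(pid, syscall.SIGTERM)
	if err == nil || errors.Is(err, syscall.ESRCH) {
		return nil
	}
	return wrapError("kill network process", err)
}

// deniedBySignalPolicy reports whether a cleanup error is the EPERM case,
// i.e. the kernel refused to deliver the signal, as opposed to some other
// failure. errors.Is unwraps the stage prefix added by wrapError.
func deniedBySignalPolicy(err error) bool {
	return errors.Is(err, syscall.EPERM)
}

// spawnSleeper starts a long-running child that stands in for the
// pasta/slirp4netns process in this example.
func spawnSleeper() (*exec.Cmd, error) {
	cmd := exec.Command("sleep", "60")
	if err := cmd.Start(); err != nil {
		return nil, err
	}
	return cmd, nil
}

func main() {
	cmd, err := spawnSleeper()
	if err != nil {
		fmt.Println("cannot start stand-in helper:", err)
		return
	}
	pid := cmd.Process.Pid

	// First attempt: the helper is alive and owned by us, so SIGTERM succeeds.
	fmt.Printf("kill %d (live): %v\n", pid, killNetnsProcess(pid))
	_ = cmd.Wait() // reap the child so the pid is no longer in use

	// Second attempt: the pid is gone, kill(2) returns ESRCH, treated as success.
	fmt.Printf("kill %d (reaped): %v\n", pid, killNetnsProcess(pid))

	// What the bug report shows: a denied signal surfaces as EPERM.
	denied := wrapError("kill network process", syscall.EPERM)
	fmt.Printf("denied case: %v (policy denial: %t)\n", denied, deniedBySignalPolicy(denied))
}
```

Run as an unprivileged user on Linux; the first two kills print `<nil>`, the third line shows the "kill network process: operation not permitted" form that podman stop reports when the signal is blocked. If you want to confirm whether AppArmor is the party denying it, the corresponding kernel audit record will carry the denied `signal` operation and the profile names, which is the evidence the maintainers would want attached to the upstream issue.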