[Rootless] `nerdctl rm` fails when AppArmor is loaded: `error="unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied\n: unknown"`

[AkihiroSuda]

$ sudo nerdctl apparmor load

$ nerdctl run -d --name foo alpine sleep infinity
1ad8da3c9cccbb93f4d9cab82a77bc3092ea039a3fe7b48fb7b0ce077179be61

$ nerdctl rm -f foo
WARN[0000] failed to send SIGKILL                        error="unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied\n: unknown
(hangs up)

nerdctl v1.7.2, containerd v1.7.11, runc v1.1.10, on Ubuntu 23.10 (kernel 6.5.0-14-generic).
The binaries are installed onto /usr/local (via Lima).

The issue doesn't seem to happen on Ubuntu 22.04 LTS.
Some apparmor stuff seems to have changed in 23.XX.

Workaround

sudo nerdctl apparmor unload

OR

nerdctl run --security-opt apparmor=unconfined ...

[AkihiroSuda]

The audit log:

Apr 23 11:51:02 suda-ws01 kernel: audit: type=1400 audit(1713840662.766:122): apparmor="DENIED" operation="signal" class="signal" profile="nerdctl-default" pid=366783 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/local/bin/rootlesskit"

[AkihiroSuda]

Fix:

• apparmor: add signal (receive) peer=/usr/local/bin/rootlesskit, containerd#10111

[AkihiroSuda]

The fix is applied to nerdctl v1.7.6, via:

• [release/1.7] Prepare v1.7.6 #2958

[cyxinda]

There are the same problem in the version v2.0.2 of nerdctl.

  ~/download ❯ nerdctl run \                                                                                                                                                      took  10s at  11:27:02
 -p 12345:3306 \
 --name mysql \
 -v /data/mysql/conf:/etc/mysql/conf.d \
 -v /data/mysql/logs:/logs \
 -v /data/mysql/data:/var/lib/mysql \
 -e MYSQL_ROOT_PASSWORD=123456 \
--rm mysql:8.0.40
2025-01-10 03:27:20+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.40-1.el9 started.
2025-01-10 03:27:24+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
2025-01-10 03:27:24+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.40-1.el9 started.
2025-01-10T03:27:25.266322Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.40) starting as process 1
2025-01-10T03:27:25.266393Z 0 [ERROR] [MY-010338] [Server] Can't find error-message file '/usr/share/mysql-8.0/errmsg.sys'. Check error-message file location and 'lc-messages-dir' configuration directive.
2025-01-10T03:27:25.449975Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2025-01-10T03:27:29.382184Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2025-01-10T03:27:32.064946Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2025-01-10T03:27:32.065041Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
2025-01-10T03:27:32.921962Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /var/run/mysqld/mysqlx.sock
2025-01-10T03:27:32.922065Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.40'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  MySQL Community Server - GPL.
^CERRO[0058] forward signal interrupt                      error="unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied\n"
ERRO[0058] forward signal child exited                   error="unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied\n"

The OS version:

  ~/download ❯ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 24.04.1 LTS
Release:        24.04
Codename:       noble
  ~/download ❯ uname -a
Linux oldsix 6.8.0-51-generic #52-Ubuntu SMP PREEMPT_DYNAMIC Thu Dec  5 13:09:44 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
  ~/download ❯ apparmor_parser --version
AppArmor parser version 4.0.1
Copyright (C) 1999-2008 Novell Inc.
Copyright 2009-2018 Canonical Ltd.
  ~/download ❯ nerdctl --version                                                                                                                                                             at  13:19:43
nerdctl version 2.0.2
  ~/download ❯ containerd --version                                                                                                                                                          at  13:22:25
containerd github.com/containerd/containerd/v2 v2.0.0 207ad711eabd375a01713109a8a197d197ff6542