Revert "Don't check for apparmor_parser to be present"

This reverts commit 1acca8bba3. As stated in the Godoc, this function is intended to check for presence of `apparmor_parser`. Changing this regressed the public API of containerd, and directly contradicts the way that this function is consumed inside of containerd itself: * fdfdc9bfc0/pkg/apparmor/apparmor.go (L20) * fdfdc9bfc0/pkg/cri/sbserver/helpers_linux.go (L85) * fdfdc9bfc0/pkg/cri/server/helpers_linux.go (L144) This has lead to a number of painful regressions and attempted fixes in Moby: * https://github.com/moby/moby/issues/44900 * https://github.com/moby/moby/pull/44902 * https://github.com/moby/moby/issues/44970 While reverting this late into the life of 1.6 and at the start of the life of 1.7 is likely painful, I think this is ultimately the best path to take, as containerd is subject to the same failure to start containers with an AppArmor kernel when `apparmor_parser` is missing as Moby. Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2023-02-10 10:05:56 -07:00 · 2023-02-10 10:05:56 -07:00 · a3265102d9
commit a3265102d9
parent fdfdc9bfc0
1 changed files with 4 additions and 2 deletions
--- a/pkg/apparmor/apparmor_linux.go
+++ b/pkg/apparmor/apparmor_linux.go
@ -35,8 +35,10 @@ func hostSupports() bool {
 	checkAppArmor.Do(func() {
 		// see https://github.com/opencontainers/runc/blob/0d49470392206f40eaab3b2190a57fe7bb3df458/libcontainer/apparmor/apparmor_linux.go
 		if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" {
-			buf, err := os.ReadFile("/sys/module/apparmor/parameters/enabled")
-			appArmorSupported = err == nil && len(buf) > 1 && buf[0] == 'Y'
+			if _, err = os.Stat("/sbin/apparmor_parser"); err == nil {
+				buf, err := os.ReadFile("/sys/module/apparmor/parameters/enabled")
+				appArmorSupported = err == nil && len(buf) > 1 && buf[0] == 'Y'
+			}
 		}
 	})
 	return appArmorSupported