Fix apparmor profile to work with COS Linux used by GKE #2541

Merged
merged 8 commits into from
Nov 11, 2024

Commits on Nov 5, 2024

  1. Update runc to v1.2.1 and crun to v1.18.2

    Signed-off-by: Sascha Grunert <[email protected]>
    saschagrunert committed Nov 5, 2024
    9605eca

Commits on Nov 8, 2024

  1. Filter out invalid file path which shouldn't land into the apparmor profile
    
    Change-Id: I14fbf59d58d7617386578a3bb410dfe3fd0d492f
    Signed-off-by: Cosmin Cojocar <[email protected]>
    ccojocar committed Nov 8, 2024
    05a2def
  2. Update go-apparmor to main version

    Update the go-apparmor to main version to include the fix
    pjbgf/go-apparmor#30
    
    Change-Id: I45997ac722b830b9589751db034f9e89ba8526e4
    Signed-off-by: Cosmin Cojocar <[email protected]>
    ccojocar committed Nov 8, 2024
    e92593e
  3. Update the apparmor builder options to include the logger and to assume the host pid namespace
    
    This assumes that the container runs into the host pid namespace, which
    is typically the case in Kubernetes. Otherwise the go-apparmor will
    auto-detect this and that check will require that the Linux kernel was
    compiled with CONFIG_SCHED_DEBUG. Disabling this check will ensure that
    the apparmor works with Linux distributions which don't have this kernel
    option active such as COS used by GKE.
    
    Change-Id: I1435b63d2f9c5b8d8f527ef1d77dcc2b9cb74bc9
    Signed-off-by: Cosmin Cojocar <[email protected]>
    ccojocar committed Nov 8, 2024
    4810720
  4. Fix typo

    Change-Id: Ie4f329ea92c2548266311d500d553ccb22537d8e
    Signed-off-by: Cosmin Cojocar <[email protected]>
    ccojocar committed Nov 8, 2024
    3e29815

Commits on Nov 11, 2024

  1. Use the exist? method in Vagrantfile to avoid undefined method exists?

    Change-Id: I0181d6fd17ecae835c2ec2dbf1971b6eda87bdaf
    Signed-off-by: Cosmin Cojocar <[email protected]>
    ccojocar committed Nov 11, 2024
    4a5c147
  2. Update runc and crun versions in the examples

    Change-Id: I14955f4a2568babe8f24c5a3664f0a26c34fc02c
    Signed-off-by: Cosmin Cojocar <[email protected]>
    ccojocar committed Nov 11, 2024
    870372f
  3. Merge branch 'runc-crun' into apparmor-cos

    Change-Id: I1bf38a8e11e3603ab24370fac819889e7fb4290d
    ccojocar committed Nov 11, 2024
    a6f8521