
podman run fails on Ubuntu 23.10 (Error: install profile containers-default-0.50.1: generate default profile into pipe: get AppArmor version: convert AppArmor patch version: strconv.Atoi: parsing "0~alpha2": invalid syntax) #20278

Closed
maflcko opened this issue Oct 5, 2023 · 17 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@maflcko

maflcko commented Oct 5, 2023

Issue Description

# podman run fedora:rawhide ls
Error: install profile containers-default-0.50.1: generate default profile into pipe: get AppArmor version: convert AppArmor patch version: strconv.Atoi: parsing "0~alpha2": invalid syntax

Steps to reproduce the issue

Describe the results you received

error

Describe the results you expected

no error

podman info output

podman info 
host:
  arch: amd64
  buildahVersion: 1.28.2
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon_2.1.6+ds1-1_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.6, commit: unknown'
  cpuUtilization:
    idlePercent: 88.8
    systemPercent: 1.13
    userPercent: 10.08
  cpus: 8
  distribution:
    codename: mantic
    distribution: ubuntu
    version: "23.10"
  eventLogger: journald
  hostname: ubuntu-16gb-hil-1
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.5.0-5-generic
  linkmode: dynamic
  logDriver: journald
  memFree: 10791440384
  memTotal: 16363732992
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun_1.8.5-1_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.8.5
      commit: b6f80f766c9a89eb7b1440c0a70ab287434b17ed
      rundir: /run/user/0/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +WASM:wasmedge +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: true
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_1.2.0-1_amd64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 0
  swapTotal: 0
  uptime: 0h 21m 23.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries: {}
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 3
    paused: 0
    running: 0
    stopped: 3
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 241635364864
  graphRootUsed: 7267053568
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 7
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.3.1
  Built: 0
  BuiltTime: Thu Jan  1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.20.7
  Os: linux
  OsArch: linux/amd64
  Version: 4.3.1

Podman in a container

No

Privileged Or Rootless

None

Upstream Latest Release

Yes


@maflcko maflcko added the kind/bug Categorizes issue or PR as related to a bug. label Oct 5, 2023
@maflcko maflcko changed the title podman run fails on Ubuntu 23.10 podman run fails on Ubuntu 23.10 (Error: install profile containers-default-0.50.1: generate default profile into pipe: get AppArmor version: convert AppArmor patch version: strconv.Atoi: parsing "0~alpha2": invalid syntax) Oct 5, 2023
@flouthoc
Collaborator

flouthoc commented Oct 6, 2023

Hi @MarcoFalke, I think it happens because of the alpha patch version; maybe try a diff something like this and see if it works. If this works, then we can push this patch to containers/common.

diff --git a/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go b/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go
index 7ba63ba74..549c1a2ac 100644
--- a/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go
+++ b/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go
@@ -212,6 +212,11 @@ func parseAAParserVersion(output string) (int, error) {
        words := strings.Split(lines[0], " ")
        version := words[len(words)-1]
 
+       if strings.Contains(version, "~") {
+               alpha := strings.Split(version, "~")
+               version = alpha[0]
+       }
+
        // split by major minor version
        v := strings.Split(version, ".")
        if len(v) == 0 || len(v) > 3 {
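Review bot: the `if strings.Contains(version, "~")` block only covers the Debian-style pre-release marker; an upstream-style `3.0.0-beta1` suffix would still reach `strconv.Atoi` and fail with the same `invalid syntax` error, so trimming at `-` as well is worth adding while you are here. The `Contains` plus `Split` pair can also be collapsed into `version = strings.SplitN(version, "~", 2)[0]`, which is a no-op when no marker is present.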

@maflcko
Author

maflcko commented Oct 6, 2023

Hmm, I think I won't be able to compile from scratch, unless you provide me with a full one-line bash command to copy-paste, to do it. :)

The machine is a fresh vanilla Ubuntu. The apparmor package seems to be https://packages.ubuntu.com/mantic/apparmor and the podman package is https://packages.ubuntu.com/mantic/podman-docker

@vrothberg
Member

We first need to get something into the main branch to fix. Ubuntu can then cherry-pick the fix and apply it downstream.

Heads up: @siretart

@vrothberg
Member

I'd hope it'll work on the final release of Ubuntu 23.10, but I'll set up a VM and try to prepare a PR.

@vrothberg
Member

Cannot reproduce on the latest Ubuntu 23.10 beta, so I think we can close.

@flouthoc
Collaborator

flouthoc commented Oct 6, 2023

@vrothberg I think it will fail with the alpha version of apparmor, i.e. https://launchpad.net/ubuntu/+source/apparmor/4.0.0~alpha2-0ubuntu5. Could you confirm the version of apparmor which you had on your Ubuntu distro?
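To make the failure mode concrete, here is an added, self-contained Go example (not code from containers/common or from anyone on this thread) of a version parser for the first line of `apparmor_parser --version` that tolerates both the Debian/Ubuntu `~alpha2` marker and the upstream `-beta1` style before handing the numeric parts to `strconv.Atoi`. The integer encoding (major*100000 + minor*1000 + patch) and the sample version lines in `main` are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// stripPreRelease drops a pre-release marker from a version token so that
// "4.0.0~alpha2" and "3.0.0-beta1" both become "4.0.0" / "3.0.0".
// Both splits are no-ops when the marker is absent.
func stripPreRelease(version string) string {
	version = strings.SplitN(version, "-", 2)[0]
	version = strings.SplitN(version, "~", 2)[0]
	return version
}

// parseAAParserVersion parses the first line of `apparmor_parser --version`
// output, e.g. "AppArmor parser version 4.0.0~alpha2", into one comparable
// integer. The encoding major*1e5 + minor*1e3 + patch is an assumption for
// this example; a pre-release is deliberately mapped to its final-release
// number, which is the trade-off the fix in this issue makes.
func parseAAParserVersion(output string) (int, error) {
	firstLine := strings.SplitN(output, "\n", 2)[0]
	words := strings.Fields(firstLine)
	if len(words) == 0 {
		return 0, errors.New("empty apparmor_parser version output")
	}
	version := stripPreRelease(words[len(words)-1])

	parts := strings.Split(version, ".")
	if len(parts) == 0 || len(parts) > 3 {
		return 0, fmt.Errorf("parsing version failed for %q", version)
	}

	// Missing minor/patch components default to 0 ("3.1" -> 3.1.0).
	nums := [3]int{}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return 0, fmt.Errorf("convert AppArmor version component %q: %w", p, err)
		}
		nums[i] = n
	}
	return nums[0]*100000 + nums[1]*1000 + nums[2], nil
}

func main() {
	// Constructed sample first lines; the Ubuntu mantic one is the shape
	// reported in this issue.
	samples := []string{
		"AppArmor parser version 4.0.0~alpha2",
		"AppArmor parser version 3.0.0-beta1",
		"AppArmor parser version 2.13.6",
		"AppArmor parser version 3.1",
	}
	for _, s := range samples {
		v, err := parseAAParserVersion(s)
		fmt.Printf("%-40s -> %d (err=%v)\n", s, v, err)
	}
}
```

Running the block prints one line per sample; the first would fail with `strconv.Atoi: parsing "0~alpha2": invalid syntax` if `stripPreRelease` were removed, which is exactly the error in this issue's title.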

@vrothberg
Member

Ah ... I should have paid better attention. For sure, the profile will only be loaded when running rootful, but I ran rootless.

@vrothberg vrothberg reopened this Oct 6, 2023
@Luap99
Member

Luap99 commented Oct 6, 2023

see #19962, we need someone to send these patches to c/common

@vrothberg
Member

I'm on it. Having all rootful podmans broken on Ubuntu would be bad - unless the package changes the file name.

@vrothberg
Member

Following what Docker did, the following patch to containers/common does the trick:

diff --git a/pkg/apparmor/apparmor_linux.go b/pkg/apparmor/apparmor_linux.go
index 7ba63ba7..435422c2 100644
--- a/pkg/apparmor/apparmor_linux.go
+++ b/pkg/apparmor/apparmor_linux.go
@@ -212,6 +212,11 @@ func parseAAParserVersion(output string) (int, error) {
        words := strings.Split(lines[0], " ")
        version := words[len(words)-1]
 
+       // trim "-beta1" suffix from version="3.0.0-beta1" if exists
+       version = strings.SplitN(version, "-", 2)[0]
+       // also trim "~..." suffix used historically (https://gitlab.com/apparmor/apparmor/-/commit/bca67d3d27d219d11ce8c9cc70612bd637f88c10)
+       version = strings.SplitN(version, "~", 2)[0]
+
        // split by major minor version
        v := strings.Split(version, ".")
        if len(v) == 0 || len(v) > 3 {
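Review bot: the two `SplitN` lines silently map `4.0.0~alpha2` and `3.0.0-beta1` to their final-release numbers, so any feature gated on the resulting version is assumed present on a pre-release parser; that trade-off is worth stating on the `// trim "-beta1" suffix` comment line rather than leaving it implicit. A table-driven test in the package covering `4.0.0~alpha2`, `3.0.0-beta1` and a plain `2.13.6` input would lock in the behaviour this issue regressed on.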

vrothberg added a commit to vrothberg/common that referenced this issue Oct 6, 2023
Copied from github.com/moby/moby who already has a fix for it.
Tested manually on a Ubuntu 23.10 (beta) VM.

Fixes: #containers/podman/issues/20278
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
@flouthoc
Collaborator

flouthoc commented Oct 6, 2023

This will be resolved on next vendor of c/common

@flouthoc flouthoc closed this as completed Oct 6, 2023
@vrothberg
Member

Fix is in containers/common#1689

@epikhinm

Is there any workaround?

@maflcko
Author

maflcko commented Oct 31, 2023

> Is there any workaround?

I don't think so, apart from waiting for the affected Ubuntu/Debian to pull in the fix. You could use --privileged in the meantime, but I wouldn't recommend that for obvious reasons.

@Luap99
Member

Luap99 commented Nov 1, 2023

Based on the docs I would assume --security-opt apparmor=unconfined should be enough and no full --privileged should be needed.

@siretart
Contributor

siretart commented Nov 1, 2023

Apparently this has been reported in Ubuntu as https://bugs.launchpad.net/podman/+bug/2040082

@siretart
Contributor

siretart commented Nov 1, 2023

Apparently this issue is specific to Ubuntu mantic (23.10), and currently to noble (the current dev release). It is not observable on earlier releases of Ubuntu, such as lunar, or on any Debian release, as none of those distros ship a version of apparmor that comes with the ~alpha2 string in its version.

hswong3i pushed a commit to alvistack/containers-common that referenced this issue Nov 19, 2023
Copied from github.com/moby/moby who already has a fix for it.
Tested manually on a Ubuntu 23.10 (beta) VM.

Fixes: #containers/podman/issues/20278
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Jan 31, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 31, 2024