monotux.tech


Ubuntu 24.04 & Podman restart bug

podman, ubuntu

So I recently upgraded to Ubuntu 24.04.1 on my homelab NAS, and discovered that I could no longer restart any of my Podman containers. That is not…great, as I use autoupdates for most of my containers[1].

There is also no fix for it, yet. Only a workaround :-)

It took me some time to discover why I couldn’t restart any containers after reboot, until I found this in the system log:

sep 08 08:15:08 atomic kernel: audit: type=1400 audit(1725776108.382:279172): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.4" pid=420564 comm="3" requested_mask="receive" denied_mask="receive" signal=kill peer="crun"
sep 08 08:15:09 atomic podman[420567]: 2024-09-08 08:15:09.090202975 +0200 CEST m=+0.101909420 container health_status 509d35f31f1ca6f91193095f224ec1c664e961edd7d0410d773c14fae9641545 (image=docker.io/filebrowser/filebrowser:latest, name=syncthing_filebrowser, health_s[...]
sep 08 08:15:10 atomic kernel: audit: type=1400 audit(1725776110.178:279173): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.4" pid=420591 comm="3" requested_mask="receive" denied_mask="receive" signal=term peer="crun"
sep 08 08:15:11 atomic podman[418962]: time="2024-09-08T08:15:11+02:00" level=warning msg="StopSignal SIGTERM failed to stop container 233e10251dc7-infra in 10 seconds, resorting to SIGKILL"

The workaround for now is to unload the AppArmor profile that is blocking the signal and preventing us from restarting the container. I found this in the Ubuntu bug tracker (current status is “Confirmed” for 24.04).

# echo -n containers-default-0.57.4 > /sys/kernel/security/apparmor/.remove

(link to snippet in bug)

For now I just chose to run the above in my crontab after reboot…and document it here so I can remember why and how I did it. :-)

# crontab -e
@reboot echo -n containers-default-0.57.4 > /sys/kernel/security/apparmor/.remove
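As an added example (not part of the original post), here is a small sh script that pulls the profile name out of the AppArmor denial lines instead of hard-coding the version suffix, and reports whether that profile is currently loaded before anyone removes it. The sample log lines are constructed from the ones above; the `--live` path assumes journalctl is available and that securityfs is readable (root).

```shell
#!/bin/sh
# Added example, not code from the original post. Finds AppArmor profiles that
# denied a signal from crun (the pattern behind the restart failure) and checks
# whether each one is still loaded. Sample lines below are constructed.

SAMPLE_LOG='sep 08 08:15:08 atomic kernel: audit: type=1400 audit(1725776108.382:279172): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.4" pid=420564 comm="3" requested_mask="receive" denied_mask="receive" signal=kill peer="crun"
sep 08 08:15:09 atomic podman[420567]: 2024-09-08 08:15:09.090202975 +0200 CEST m=+0.101909420 container health_status 509d35f31f1ca6f91193095f224ec1c664e961edd7d0410d773c14fae9641545 (image=docker.io/filebrowser/filebrowser:latest, name=syncthing_filebrowser)
sep 08 08:15:10 atomic kernel: audit: type=1400 audit(1725776110.178:279173): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.4" pid=420591 comm="3" requested_mask="receive" denied_mask="receive" signal=term peer="crun"'

# Print the distinct AppArmor profile names that denied a signal whose peer is crun.
denied_signal_profiles() {
    # $1: log text (for a real host: "$(journalctl -k -b --no-pager)")
    printf '%s\n' "$1" \
        | grep 'apparmor="DENIED"' \
        | grep 'operation="signal"' \
        | grep 'peer="crun"' \
        | sed -n 's/.*profile="\([^"]*\)".*/\1/p' \
        | sort -u
}

# Return 0 if the profile is loaded, 1 if not, 2 if securityfs is unreadable.
# /sys/kernel/security/apparmor/profiles lists one "name (mode)" per line.
profile_loaded() {
    # $1: profile name
    [ -r /sys/kernel/security/apparmor/profiles ] || return 2
    grep -q "^$1 (" /sys/kernel/security/apparmor/profiles
}

# With --live read the kernel log of the current boot; otherwise use the sample.
if [ "${1:-}" = "--live" ]; then
    profiles=$(denied_signal_profiles "$(journalctl -k -b --no-pager 2>/dev/null)")
else
    profiles=$(denied_signal_profiles "$SAMPLE_LOG")
fi
for p in $profiles; do
    if profile_loaded "$p"; then state=loaded; else state="not loaded, or securityfs unreadable"; fi
    echo "AppArmor profile denying crun signals: $p ($state)"
done
```

Run it as root with `--live` on the affected host; the printed name is the one to pass to the `.remove` interface, so the crontab line above does not silently stop matching when the podman package bumps the profile version.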

Update 2024-09-10

The above didn’t work for more than a short time. I’m now using a shady PPA with a patched podman version instead.

sudo add-apt-repository ppa:brightbox/experimental
sudo apt update
sudo apt upgrade

Now we can just wait for the fix to be backported to 24.04…


[1] Not with tag latest, I’m not insane!