Description

This recent commit changed nerdctl's AppArmor detection logic, dropping use of containerd's implementation and replacing it with a custom one based on runc's implementation, which the containerd implementation itself was based on (per the comment there). The one key difference is that the new check drops the check for the apparmor_parser binary, which the containerd implementation had added on top of runc's.

Where I'm running into this is that in versions of Ubuntu prior to 24.04 (I'm running 22.04 in production), it is sufficient to disable AppArmor by uninstalling/disabling the systemd service. So my production machines are not actively running apparmor, and do not have the apparmor-utils package (containing the apparmor_parser binary) installed. But because we have not explicitly disabled AppArmor in the kernel by adding apparmor=0 to the kernel args, these flags still make it look like AppArmor is enabled:

$ ls -l /sys/kernel/security/apparmor
total 0
drwxr-xr-x 16 root root 0 Jan  1  1970 features
lr--r--r--  1 root root 0 Jan  1  1970 policy -> 'apparmorfs:[12575]'
-r--r--r--  1 root root 0 Jan  1  1970 profiles
-r--r--r--  1 root root 0 Jan  1  1970 revision

$ sudo cat /sys/module/apparmor/parameters/enabled
Y

On a machine in this state, using nerdctl (built after this commit) to run a container will fail with this error:

$ sudo nerdctl run hello-world
FATA[0000] load apparmor profile /tmp/nerdctl-default818158507: parser error(""): exec: "apparmor_parser": executable file not found in $PATH

Luckily this is easy to work around by simply installing the apparmor-utils package, and we'll look into setting apparmor=0 explicitly to be on the safe side.

But I think this is a regression, and the apparmor_parser check should be restored. For more background, see this containerd commit where the apparmor_parser check was added to its implementation in the first place.

Steps to reproduce the issue

I did this on a fresh install of Ubuntu 22.04:

1. Confirm that apparmor_parser doesn't exist: stat /usr/sbin/apparmor_parser
2. Confirm that AppArmor service is not running: systemctl status apparmor
3. Using a build of nerdctl from 2ecc394 or newer: sudo nerdctl run hello-world

Describe the results you received and expected

Expected

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (arm64v8)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

Received

FATA[0000] load apparmor profile /tmp/nerdctl-default3590477325: parser error(""): exec: "apparmor_parser": executable file not found in $PATH

What version of nerdctl are you using?

Version 2.0.3-41-g2ecc3944 is the build I used to reproduce the error as described above, and 2.0.3-40-g8ef14b7a is the "last good" version (built from the previous commit) that I used in my testing.

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

None

Host information

No response