572f203 Azure: Disable AppArmor profile for chrony

1 file changed. Authored by slev 2 years ago, committed by abbra 2 years ago.
    Azure: Disable AppArmor profile for chrony
    
    The security option 'apparmor:unconfined' tells Docker not to
    apply AppArmor profiles to containers at all. This will not
    replace or remove any existing profile. For example, this happens
    on Ubuntu 20.04, which switched to chrony and brings its own AppArmor
    profile. The container's chronyd gets blocked by AppArmor:
    
    fv-az26-252 audit[11304]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=11304 comm="chronyd" capability=2  capname="dac_read_search"
    fv-az26-252 audit[11304]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=11304 comm="chronyd" capability=1  capname="dac_override"
    
    So, any AppArmor profile can block a container's processes by
    matching the executable name. There are two ways:
    1) prepare a custom unconfined AppArmor profile, load it on the host and
        reference it in the container's configuration. This requires
        knowledge of the profile syntax at least; not too difficult, but
        potentially hard to maintain.
    2) disable the conflicting profile on the host.
    
    Azure will warn about the AVC in either case.
    The second one was chosen as the simpler option.
    
    Signed-off-by: Stanislav Levin <slev@altlinux.org>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
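The commit message shows how to recognise this failure from the audit log: an AppArmor AVC "DENIED" record naming a host profile that matches the container's executable. As an added example (not part of this commit or the project it belongs to), the parser below groups such records by the blocking profile so an operator can see which host profile to disable or override; the sample input is the two AVC lines quoted above plus one constructed "ALLOWED" line for a hypothetical ntpd profile.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC lines from the commit message plus one
# hypothetical ALLOWED record that must not be reported.
SAMPLE_LOG = """\
fv-az26-252 audit[11304]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=11304 comm="chronyd" capability=2  capname="dac_read_search"
fv-az26-252 audit[11304]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=11304 comm="chronyd" capability=1  capname="dac_override"
fv-az26-252 audit[11305]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" pid=11305 comm="ntpd" name="/etc/ntp.conf"
"""

# Everything after the verdict is a run of key=value pairs, quoted or bare.
AVC_RE = re.compile(r'\bAVC\s+apparmor="(?P<verdict>[^"]+)"(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AppArmor AVC audit line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {"apparmor": m.group("verdict")}
    for key, raw, quoted in KV_RE.findall(m.group("rest")):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def denied_by_profile(log_text):
    """Group DENIED events by the host profile that blocked them.

    Returns {profile: {"comm": set, "operations": set, "capabilities": set}}.
    """
    out = defaultdict(lambda: {"comm": set(), "operations": set(), "capabilities": set()})
    for line in log_text.splitlines():
        ev = parse_avc(line)
        if not ev or ev["apparmor"] != "DENIED":
            continue
        entry = out[ev.get("profile", "?")]
        entry["comm"].add(ev.get("comm", "?"))
        entry["operations"].add(ev.get("operation", "?"))
        if "capname" in ev:  # only "capable" denials carry a capability name
            entry["capabilities"].add(ev["capname"])
    return dict(out)


if __name__ == "__main__":
    for profile, info in denied_by_profile(SAMPLE_LOG).items():
        print(f"{profile}: blocked {sorted(info['comm'])} "
              f"ops={sorted(info['operations'])} caps={sorted(info['capabilities'])}")
```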