Problems running podman in AKS container due to apparmor

[GolanTrevize10]

Hi, did anybody succeeded running rootful podman in a container in AKS without privileged flag? I was getting error like

Error: mount /var/lib/containers/storage/overlay:/var/lib/containers/storage/overlay, flags: 0x1000: permission denied

and I found out it was because of default apparmor profile in the AKS nodes prevents podman to mount the overlay filesystem. The solution is obviously to create a custom apparmor profile in the node. The problem is, if the node is recreated after upgrade or new nodes are created automatically due to autoscaling, then the custom apparmor profile is lost.
According to MS support, it is not possible to disable apparmor and, the only solution they suggest is to create a daemonset that loads automatically the profile in the new nodes.

[vrothberg]

Thanks for reaching out, @GolanTrevize10.

Do you know whether the AppArmor profile blocks this specific path or does it block making use of overlay in general?

A daemonset seems like a good idea to workaround that. An alternative may be using fuse-overlayfs but that would require the AKS container to have /dev/fuse mounted. Is that the case?

[GolanTrevize10]

It blocks mounting in general. I'm using native overlayfs instead of fuse. I was wondering if anybody managed to disable apparmor or create a custom apparmor profile automatically in all nodes

[vrothberg]

Not being able to mount is a blocker.

It seems more like a AKS-request than a Podman one but let's keep the issue open. Maybe other folks can share some best practices.

[vrothberg]

Transformed into a discussion.

[nathanweeks]

In case it helps lead to a solution: the Azure Linux Container Host uses SELinux instead of AppArmor (reference).

[GolanTrevize10]

Thanks, I solved the issue with a custom apparmor profile

[yashodgayashan]

@GolanTrevize10 Could you please provide how you solved this with custom apparmor profile in podman?