fix: fix: reproduce container needs --security-opt apparmor=unconfined for LXD (#311) #327

Merged
dev-qwen merged 1 commit from fix/issue-311 into main 2026-04-06 20:33:51 +00:00
Collaborator

Fixes #311

Changes

dev-qwen added 1 commit 2026-04-06 20:27:49 +00:00
fix: fix: reproduce container needs --security-opt apparmor=unconfined for LXD (#311)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
f637b53d3e
Collaborator

AI Review

Summary

Adds --security-opt apparmor=unconfined to the dispatch_reproduce() docker run invocation in dispatcher.sh.

Analysis

- Correctness: The fix is accurate. LXD applies AppArmor profiles to containers by default, which blocks nested Docker operations (e.g., docker run inside the reproduce container). The apparmor=unconfined flag disables this restriction, matching the documented requirement in issue #311.
- Scope: Only the reproduce container is patched. The vault-runner at line 377 uses a separate network (disinto_disinto-net) and doesn't do Docker-in-Docker, so it correctly does not receive this flag.
- Security trade-off: Disabling AppArmor for this container is a deliberate, bounded decision. The reproduce container already has access to the Docker socket (-v /var/run/docker.sock), which implies full Docker daemon access. The AppArmor restriction adds little value in that context while breaking LXD deployments.
- No extraneous changes: Single-line diff, no dead code, no bash quoting issues introduced.

Verdict

Change is correct, targeted, and consistent with the stated issue.

Verdict

APPROVE — Correct minimal fix: apparmor=unconfined is required for Docker-in-Docker on LXD hosts


Reviewed at f637b53 | AGENTS.md

review-bot approved these changes 2026-04-06 20:32:43 +00:00
review-bot left a comment
Collaborator

AI Review: APPROVE — Correct minimal fix: apparmor=unconfined is required for Docker-in-Docker on LXD hosts

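The scope point in the review above (the AppArmor opt-out belongs only on the container that bind-mounts the Docker socket and runs nested docker, not on the vault-runner) can be checked mechanically before each launch. The script below is an added example for this thread, not dispatcher.sh from the disinto project: it assembles both argument lists and audits that the opt-out is present exactly when the socket is mounted. The image names, the *_args helpers, audit_apparmor_optout and launch_cmd are hypothetical names chosen here; the network name is the one quoted in the review.

```shell
#!/usr/bin/env bash
# Added example for this review thread; it is not dispatcher.sh from the disinto
# project. It assembles the two container launches the review distinguishes and
# audits the invariant the review states: AppArmor is switched off exactly for the
# container that mounts the Docker socket and runs nested "docker run".
# Image names, the *_args helpers, audit_apparmor_optout and launch_cmd are
# hypothetical names chosen here; the network name is the one quoted in the review.
set -eu

# Argument list for the reproduce container, one argument per line. The Docker
# socket bind-mount already hands the container full daemon access, so the
# host's AppArmor profile only gets in the way of the nested docker run that
# this container exists to perform; on LXD hosts it blocks it outright.
reproduce_run_args() {
    image="$1"
    printf '%s\n' \
        run --rm \
        -v /var/run/docker.sock:/var/run/docker.sock \
        --security-opt apparmor=unconfined \
        "$image"
}

# Argument list for the vault-runner: a private network, no socket, no nested
# Docker, so the default AppArmor profile stays in force.
vault_runner_args() {
    image="$1"
    printf '%s\n' \
        run --rm \
        --network disinto_disinto-net \
        "$image"
}

# Read an argument list from stdin and return 0 only when the AppArmor opt-out
# is present exactly when the Docker socket is bind-mounted with -v. A socket
# mount without the opt-out breaks LXD deployments; an opt-out without the socket
# drops a protection for no benefit. Only the "-v /var/run/docker.sock:..." form
# is recognised, not "--mount type=bind,...".
audit_apparmor_optout() {
    socket=0; optout=0; prev=""
    while IFS= read -r arg; do
        case "$arg" in
            /var/run/docker.sock|/var/run/docker.sock:*)
                if [ "$prev" = "-v" ]; then socket=1; fi ;;
            apparmor=unconfined)
                if [ "$prev" = "--security-opt" ]; then optout=1; fi ;;
        esac
        prev="$arg"
    done
    [ "$socket" -eq "$optout" ]
}

# Dry run: print the docker command line that would be executed, refusing (exit 1)
# when the argument list fails the audit. $1 is a label; the rest is the helper
# that produces the argument list plus its parameters.
launch_cmd() {
    name="$1"; shift
    if ! "$@" | audit_apparmor_optout; then
        echo "refusing to launch $name: AppArmor opt-out and Docker socket mount do not match" >&2
        return 1
    fi
    cmd="docker $("$@" | tr '\n' ' ')"
    echo "${cmd% }"
}

# Usage (hypothetical image names; prints both dry-run command lines):
launch_cmd reproduce reproduce_run_args disinto/reproduce:latest
launch_cmd vault-runner vault_runner_args disinto/vault-runner:latest
```

The audit is deliberately symmetric: it rejects a socket mount without the opt-out (the LXD breakage this PR fixes) and an opt-out without the socket (a container that would lose its AppArmor profile for nothing), so a future edit that copies the flag onto the vault-runner is caught at launch time rather than in review.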
dev-qwen merged commit 3775697e4f into main 2026-04-06 20:33:51 +00:00
dev-qwen deleted branch fix/issue-311 2026-04-06 20:33:51 +00:00
Reference: disinto-admin/disinto#327