vteratipally

Results 26 comments of vteratipally

Yes, it is baked into the base image in Container-Optimized OS. For Ubuntu images in GCP it is still reproducible.

Issue seemed to be here: https://github.com/moby/moby/commit/a826ca3aefbd4d29344d851723731e3809f2a4ad The `userNS` logic is not respecting that: even though the daemon is run in private mode, it is still considering it as default.

Actually, we have a test to validate the Docker with AppArmor functionality. The reproduction steps mentioned above are what the test does to validate its functionality. In the above it...

When the container is run in privileged mode, the sysctl values can be modified to allow all connections, but in the case of an AppArmor security profile, all connections shouldn't be allowed...

> I see the same exact behavior between 20.10 and 23.0 (ping works). This issue is first seen in 20.10.13

Processes run with an AppArmor profile have `c.HostConfig.UsernsMode.IsPrivate()` returning true, and are in the kernel namespace even with privileged or when run without a user namespace.

This is actually a known issue; tests have been failing as there were some ongoing changes in the Kubernetes repo related to the dockershim removal. I am working on it.