
"ptrace call denied" logs when running Scaphandre in container #135

Closed
Mathieu-Coupe opened this issue Nov 13, 2021 · 1 comment

Bug description

When Scaphandre is running in a Docker container on a host using AppArmor, the log contains errors about a denied "ptrace" operation.

Nov 13 09:09:14 server audit[1780857]: AVC apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:14 server audit[1780857]: AVC apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:14 server audit[1780857]: AVC apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:14 server kernel: audit: type=1400 audit(1636790954.599:77337): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:14 server kernel: audit: type=1400 audit(1636790954.599:77338): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:14 server kernel: audit: type=1400 audit(1636790954.599:77339): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"

The same logs come back every 10s.

To avoid AppArmor denying the ptrace call, the container must be run in privileged mode.

To Reproduce

Run the provided example stack using the docker compose file.

Expected behavior

To avoid generating endless logs, either:

  • the ptrace call is important in a container environment and documentation should state that container must be run in privileged mode,
    OR
  • the ptrace call is not important and should not be executed in container mode.

Environment

  • Linux distribution version : Ubuntu 21.10
  • Kernel version : Linux server 5.13.0-20-generic #20-Ubuntu SMP Fri Oct 15 14:21:35 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
  • Docker version 20.10.7, build 20.10.7-0ubuntu5.1
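An added triage example (not Scaphandre's or Docker's code) that parses records like the ones quoted above. Two things are worth knowing about these records. First, the same denial is usually logged twice in the journal: once as an "audit[pid]: AVC ..." line delivered over the audit socket and once as a "kernel: audit: type=1400 ..." line carrying an "audit(epoch:serial)" stamp, so counting both feeds doubles the apparent rate. Second, operation="ptrace" with requested_mask="read" is AppArmor's answer to the kernel's PTRACE_MODE_READ access check, which reads of several /proc/<pid> entries of a process in another confinement domain (here the unconfined host) go through; the confined process need not have called ptrace(2) at all. The script below deduplicates to one feed, summarizes the denials, measures the interval between bursts, and derives the narrowest AppArmor rule that would satisfy each denial. For this page that rule is "ptrace (read) peer=unconfined,", which can be added to a copy of Docker's default profile, loaded with "apparmor_parser -r", and selected with "--security-opt apparmor=<profile-name>"; that keeps the rest of the confinement, whereas --privileged runs the container unconfined. The sample lines are constructed: they mirror the shape of the issue's records, with a second burst ten seconds later and one "capable" denial added to show the capability case; pids, timestamps and serials are made up.

```python
"""Triage AppArmor denials of the kind a containerised process metrics
reader triggers under Docker's docker-default profile.

Added example, not part of Scaphandre or Docker. SAMPLE is constructed:
it copies the shape of the records in the issue; pids, timestamps and
audit serials are invented.
"""
import re
from collections import defaultdict

SAMPLE = """\
Nov 13 09:09:14 server audit[1780857]: AVC apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:14 server audit[1780857]: AVC apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:14 server kernel: audit: type=1400 audit(1636790954.599:77337): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:14 server kernel: audit: type=1400 audit(1636790954.599:77338): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:24 server kernel: audit: type=1400 audit(1636790964.601:77340): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:24 server kernel: audit: type=1400 audit(1636790964.601:77341): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:24 server kernel: audit: type=1400 audit(1636790964.601:77342): apparmor="DENIED" operation="capable" profile="docker-default" pid=1780857 comm="tokio-runtime-w" capability=19 capname="sys_ptrace"
"""

# key=value pairs; values are either double-quoted or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the kernel printk variant carries audit(<epoch>.<ms>:<serial>)
SERIAL_RE = re.compile(r"audit\((\d+)\.\d+:(\d+)\)")


def parse_record(line):
    """Return the AppArmor fields of one journal line as a dict, or None
    if the line is not an AppArmor denial."""
    if 'apparmor="DENIED"' not in line:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if m:
        rec["source"] = "kernel"
        rec["epoch"] = int(m.group(1))
        rec["serial"] = int(m.group(2))
    else:
        rec["source"] = "auditd"  # audit-socket copy, no serial
    return rec


def denials(lines):
    """Parse all lines and keep a single feed: the kernel copies when
    present (they carry serials and epoch stamps), otherwise the
    audit-socket copies. This avoids double counting the same event."""
    recs = [r for r in map(parse_record, lines) if r]
    kernel = [r for r in recs if r["source"] == "kernel"]
    return kernel or recs


def summarize(recs):
    """Count denials by (profile, operation, requested_mask, target),
    where target is the peer label, capability name or path."""
    counts = defaultdict(int)
    for r in recs:
        target = r.get("peer") or r.get("capname") or r.get("name") or "?"
        key = (r["profile"], r["operation"], r.get("requested_mask", ""), target)
        counts[key] += 1
    return dict(counts)


def burst_interval(recs):
    """Seconds between successive bursts, from the kernel epoch stamps."""
    stamps = sorted({r["epoch"] for r in recs if "epoch" in r})
    return [b - a for a, b in zip(stamps, stamps[1:])]


def suggest_rules(recs):
    """Derive the narrowest AppArmor rule that would satisfy each denial.
    Only ptrace and capability denials are translated; anything else is
    emitted as a comment so it is not silently dropped."""
    rules = set()
    for r in recs:
        op = r["operation"]
        if op == "ptrace":
            masks = " ".join(sorted(r["denied_mask"].split()))
            rules.add(f"ptrace ({masks}) peer={r['peer']},")
        elif op == "capable":
            rules.add(f"capability {r['capname']},")
        else:
            rules.add(f"# unhandled operation={op}: {r}")
    return sorted(rules)


if __name__ == "__main__":
    recs = denials(SAMPLE.splitlines())
    for key, n in summarize(recs).items():
        print(f"{n:4d}  profile={key[0]} op={key[1]} mask={key[2]!r} target={key[3]}")
    print("burst interval (s):", burst_interval(recs))
    print("rules to add to a copy of the default profile:")
    for rule in suggest_rules(recs):
        print("   ", rule)
```

Run it against "journalctl -k" or "journalctl -t audit" output instead of SAMPLE to triage a real host. The generated rules are deliberately literal: a peer label of "unconfined" grants read access to every unconfined host process, which is what a host-wide power meter needs, but it is still far narrower than --privileged.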
@Mathieu-Coupe Mathieu-Coupe added the bug Something isn't working label Nov 13, 2021
@bpetit bpetit added this to Triage in General Nov 19, 2021
@bpetit bpetit moved this from Triage to To do in General Dec 16, 2021
@bpetit bpetit added this to the Release v0.6.0 milestone Aug 24, 2022
@bpetit bpetit moved this from To do to In progress in General Feb 3, 2023
@bpetit bpetit self-assigned this Mar 14, 2023
bpetit (Contributor) commented Apr 19, 2023

Hi!

Does this sound like enough? a1a06ea

Thanks

@bpetit bpetit closed this as completed Jul 24, 2023
General automation moved this from In progress to Done Jul 24, 2023
@bpetit bpetit moved this from Done to Previous releases in General Feb 13, 2024