My journalctl logs get spammed with apparmor messages

[francislavoie]

I get a ton of these (like 50 per second or something, pretty nuts)

audit[13902]: AVC apparmor="DENIED" operation="ptrace" profile="docker-default" pid=13902 comm="apps.plugin" requested_mask="trace" denied_mask="trace" peer="unconfined"

This is my docker-compose.yml:

netdata:
    image: titpetric/netdata:1.8
    expose:
        - "19999"
    volumes:
        - /proc:/host/proc:ro
        - /sys:/host/sys:ro
        - /var/run/docker.sock:/var/run/docker.sock
    environment:
        NETDATA_PORT: 19999
    cap_add:
        - SYS_PTRACE

That pid is the /usr/libexec/netdata/plugins.d/apps.plugin 1 command/process.

This is probably an apparmor misconfiguration, but I have no idea where to look to solve this, so I thought I'd ask for help.

Thanks

[titpetric]

Try adding --security-opt apparmor:unconfined or whatever the compose.yml equivalent of that would be. Referenced in moby/moby#7276, closing because it's a sysadmin issue, not a container/netdata issue.

[nemchik]

This is what you need for docker-compose

    security_opt:
      - apparmor:unconfined

[folex]

Hi! Is there any way to disable that behaviour in netdata if I don't want to allow ptrace in my containers?