Tsuru kernel errors in syslog #997

Closed
sroze opened this issue Dec 3, 2014 · 7 comments
Contributor

sroze commented Dec 3, 2014

I have a lot of tsuru kernel logs such as:

Dec  3 12:41:52 tsuru kernel: [77221.777874] type=1400 audit(1417606912.021:180291): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=7356 comm="circusd" requested_mask="trace" denied_mask="trace" peer="docker-default"
Dec  3 12:41:52 tsuru kernel: [77221.780337] type=1400 audit(1417606912.025:180292): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=7356 comm="circusd" requested_mask="trace" denied_mask="trace" peer="docker-default"
Dec  3 12:41:52 tsuru kernel: [77221.780800] type=1400 audit(1417606912.025:180293): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=7356 comm="circusd" requested_mask="trace" denied_mask="trace" peer="docker-default"
Dec  3 12:41:55 tsuru kernel: [77225.293067] audit_printk_skb: 105 callbacks suppressed
Dec  3 12:41:55 tsuru kernel: [77225.293075] type=1400 audit(1417606915.537:180329): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=7356 comm="circusd" requested_mask="trace" denied_mask="trace" peer="docker-default"
Dec  3 12:42:00 tsuru kernel: [77230.297287] type=1400 audit(1417606920.537:180330): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=7356 comm="circusd" requested_mask="trace" denied_mask="trace" peer="docker-default"
Dec  3 12:42:00 tsuru kernel: [77230.298622] type=1400 audit(1417606920.537:180331): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=7356 comm="circusd" requested_mask="trace" denied_mask="trace" peer="docker-default"
Dec  3 12:42:00 tsuru kernel: [77230.299892] type=1400 audit(1417606920.537:180332): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=7356 comm="circusd" requested_mask="trace" denied_mask="trace" peer="docker-default"
Dec  3 12:42:00 tsuru kernel: [77230.301529] type=1400 audit(1417606920.541:180333): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=7356 comm="circusd" requested_mask="trace" denied_mask="trace" peer="docker-default"

Does anybody know what the problem is here?

Member

morpheu commented Dec 3, 2014

Yes, it's a docker issue already reported here: moby/moby#7276

Member

morpheu commented Dec 3, 2014

Already fixed with commit moby/moby@aab89e8 - adds ptrace rule to allow ptracing ourselves - but not released yet.

@morpheu morpheu closed this as completed Dec 3, 2014
Contributor Author

sroze commented Dec 3, 2014

Thanks!


jonaskac commented Jan 7, 2015

Hey!
Is there a working solution for this? The docker solution doesn't seem to have been released yet, and this is making my system feel like jelly.

Member

morpheu commented Jan 8, 2015

Unfortunately, no :( Even if you manually edit apparmor docker policy, docker will always rewrite it on restart.



jonaskac commented Jan 8, 2015

Thanks @morpheu!

@morpheu morpheu reopened this Mar 4, 2015
Member

morpheu commented Mar 4, 2015

Starting with docker 1.3.0, there is an extra option on docker run, --security-opt, which allows us to choose an apparmor profile other than the docker default built in. Tsuru should support an extra option on conf for the docker apparmor profile. According to the ptrace docker issue, we just need to create a profile based on the docker default including "ptrace peer=@{profile_name}" - I tested it and it works fine :)
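
Before switching containers to a custom profile, it helps to confirm that the denials in syslog really are the self-ptrace case that a "ptrace peer=@{profile_name}" rule covers, and not something the default profile should keep blocking. The Python triage below is an added example, not part of this thread or of tsuru or docker code. Its function names are hypothetical, and its sample log is constructed: the first record is copied from the report above, the gdb and /proc/kcore records are invented for contrast.

```python
import re
from collections import Counter

# Constructed sample: record 1 is from the report above, records 3-4 are invented.
SAMPLE = """\
Dec  3 12:41:52 tsuru kernel: [77221.777874] type=1400 audit(1417606912.021:180291): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=7356 comm="circusd" requested_mask="trace" denied_mask="trace" peer="docker-default"
Dec  3 12:41:55 tsuru kernel: [77225.293067] audit_printk_skb: 105 callbacks suppressed
Dec  3 12:41:56 tsuru kernel: [77226.100000] type=1400 audit(1417606916.000:180400): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=7400 comm="gdb" requested_mask="trace" denied_mask="trace" peer="unconfined"
Dec  3 12:41:57 tsuru kernel: [77227.100000] type=1400 audit(1417606917.000:180401): apparmor="DENIED" operation="open" profile="docker-default" name="/proc/kcore" pid=7401 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')          # key="quoted" or key=bare
SUPPRESSED = re.compile(r'audit_printk_skb: (\d+) callbacks suppressed')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def triage(text):
    """Split denials into ptrace-within-one-profile (what a
    `ptrace peer=@{profile_name}` rule would allow) and everything else,
    and total the records the kernel dropped through rate limiting."""
    covered, other, suppressed = Counter(), Counter(), 0
    for line in text.splitlines():
        dropped = SUPPRESSED.search(line)
        if dropped:
            suppressed += int(dropped.group(1))
            continue
        rec = parse_denial(line)
        if rec is None:
            continue
        key = (rec.get("profile"), rec.get("operation"),
               rec.get("comm"), rec.get("peer"))
        same_profile = rec.get("peer") is not None and rec.get("peer") == rec.get("profile")
        bucket = covered if rec.get("operation") == "ptrace" and same_profile else other
        bucket[key] += 1
    return covered, other, suppressed


if __name__ == "__main__":
    covered, other, suppressed = triage(SAMPLE)
    print("covered by self-ptrace rule:", dict(covered))
    print("still denied, review separately:", dict(other))
    print("records suppressed by the kernel:", suppressed)
```

Anything left in the second bucket would still be denied under the modified profile. The suppressed count shows that the visible lines understate the real volume of denials.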

@andrewsmedina andrewsmedina added this to the 0.11.0 milestone Mar 4, 2015
@fsouza fsouza self-assigned this Mar 6, 2015
fsouza pushed a commit that referenced this issue Mar 6, 2015
Now users can specify security options for containers in the cloud.

Related to #997.
fsouza pushed a commit that referenced this issue Mar 6, 2015
This matches our pattern for configuration entries.

Related to #997.
@fsouza fsouza closed this as completed in 37f9196 Mar 6, 2015