
"ptrace call denied" logs when running Scaphandre in container

Open Mathieu-Coupe opened this issue 4 years ago • 0 comments

Bug description

When Scaphandre is running in a Docker container on a host using AppArmor, the log contains errors about a denied "ptrace" operation.

Nov 13 09:09:14 server audit[1780857]: AVC apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:14 server audit[1780857]: AVC apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:14 server audit[1780857]: AVC apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:14 server kernel: audit: type=1400 audit(1636790954.599:77337): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:14 server kernel: audit: type=1400 audit(1636790954.599:77338): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:14 server kernel: audit: type=1400 audit(1636790954.599:77339): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"

The same logs come back every 10s.

To avoid AppArmor denying the ptrace call, the container must be run in privileged mode.

To Reproduce

Run the provided example stack using the docker compose file.

Expected behavior

To avoid generating endless logs, either:

  • the ptrace call is important in a container environment and documentation should state that container must be run in privileged mode, OR
  • the ptrace call is not important and should not be executed in container mode.

Environment

  • Linux distribution version: Ubuntu 21.10
  • Kernel version: Linux server 5.13.0-20-generic #20-Ubuntu SMP Fri Oct 15 14:21:35 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
  • Docker version 20.10.7, build 20.10.7-0ubuntu5.1

Mathieu-Coupe, Nov 13 '21 08:11
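The records in the report are the `docker-default` AppArmor profile refusing a `ptrace` read by the container's worker thread against an `unconfined` peer, i.e. a host process; the kernel applies that check when one process reads another process's entries under `/proc`, which is typically how a metrics collector gets per-process CPU time. The helper below is an added example written for this page, not code from Scaphandre or from the reporter: it parses AVC lines in both the journald (`audit[pid]:`) and kernel (`audit(ts:serial)`) shapes shown above, groups the denials by profile, program, operation and target, measures how often each one repeats, and prints the narrowest AppArmor rule that would allow it (a simplified version of what `aa-logprof` does) as a less blunt alternative to `--privileged`. The sample log is constructed: the first two lines mirror the report, the later timestamps, the file denial and the sshd line are invented. The rule templates in `suggested_rule` are the editor's assumptions about AppArmor syntax, not something the issue states.

```python
"""Triage AppArmor AVC denials like the ones in the Scaphandre report."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample log (not a real host): two lines mirror the report, the
# remaining kernel lines fake the 10s repeat, plus one file denial and one
# unrelated sshd line that the parser must ignore.
SAMPLE_LOG = """\
Nov 13 09:09:14 server audit[1780857]: AVC apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:14 server kernel: audit: type=1400 audit(1636790954.599:77337): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:24 server kernel: audit: type=1400 audit(1636790964.601:77340): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:34 server kernel: audit: type=1400 audit(1636790974.598:77343): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:35 server kernel: audit: type=1400 audit(1636790975.100:77344): apparmor="DENIED" operation="open" profile="docker-default" name="/proc/sys/kernel/random/boot_id" pid=1780858 comm="sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 13 09:09:36 server sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
"""

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# kernel printk form carries the audit timestamp and serial
KERNEL_TS_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

DenialKey = Tuple[str, str, str, str, str]


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the key=value fields of an AppArmor AVC line, or None for other lines."""
    if 'apparmor=' not in line:
        return None
    rec: Dict[str, object] = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        rec[key] = quoted if quoted else bare
    m = KERNEL_TS_RE.search(line)
    if m:  # kernel feed: the same event also reaches journald via the audit socket
        rec['ts'] = float(m.group(1))
        rec['serial'] = int(m.group(2))
        rec['source'] = 'kernel'
    else:
        rec['source'] = 'audit'
    return rec


def denial_key(rec: Dict[str, object]) -> DenialKey:
    """Group by profile, program, operation, denied mask and target (peer or file)."""
    target = rec.get('peer') or rec.get('name') or ''
    return (str(rec.get('profile', '')), str(rec.get('comm', '')),
            str(rec.get('operation', '')), str(rec.get('denied_mask', '')), str(target))


def summarize(lines: List[str], source: str = 'kernel') -> Dict[DenialKey, int]:
    """Count DENIED records per key, reading one feed so duplicates are not double-counted."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec.get('apparmor') == 'DENIED' and rec.get('source') == source:
            counts[denial_key(rec)] += 1
    return dict(counts)


def repeat_interval(lines: List[str], key: DenialKey) -> Optional[float]:
    """Median gap in seconds between consecutive kernel denials for one key."""
    stamps = sorted(
        float(rec['ts']) for rec in map(parse_avc, lines)
        if rec and rec.get('source') == 'kernel' and rec.get('apparmor') == 'DENIED'
        and denial_key(rec) == key)
    if len(stamps) < 2:
        return None
    gaps = sorted(b - a for a, b in zip(stamps, stamps[1:]))
    return gaps[len(gaps) // 2]


def suggested_rule(key: DenialKey) -> str:
    """Narrowest profile rule that would allow the denied access (editor's assumption
    about AppArmor syntax; a rough stand-in for aa-logprof)."""
    _profile, _comm, op, mask, target = key
    if op == 'ptrace':
        return f'ptrace ({mask}) peer={target},'
    if op in ('open', 'file_perm', 'file_inherit', 'exec', 'mknod', 'unlink'):
        return f'{target} {mask},'
    return f'# no rule template for operation={op}'


if __name__ == '__main__':
    sample = SAMPLE_LOG.splitlines()
    for k, n in summarize(sample).items():
        every = repeat_interval(sample, k)
        print(f'{n:3d}x {k}  every {every}s  -> {suggested_rule(k)}')
```

Run it over `journalctl -k` output instead of the embedded sample to see which denials actually recur; the emitted `ptrace (read) peer=unconfined,` line is what a custom profile loaded with `apparmor_parser` and selected via `--security-opt apparmor=<name>` would need, which is far narrower than disabling confinement with `--privileged`.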