"ptrace call denied" logs when running Scaphandre in container #135

@Mathieu-Coupe

Description

Bug description

When Scaphandre is running in a Docker container on a host using AppArmor, the log contains errors about a denied "ptrace" operation.

Nov 13 09:09:14 server audit[1780857]: AVC apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:14 server audit[1780857]: AVC apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:14 server audit[1780857]: AVC apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:14 server kernel: audit: type=1400 audit(1636790954.599:77337): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:14 server kernel: audit: type=1400 audit(1636790954.599:77338): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 13 09:09:14 server kernel: audit: type=1400 audit(1636790954.599:77339): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=1780857 comm="tokio-runtime-w" requested_mask="read" denied_mask="read" peer="unconfined"

The same logs come back every 10s.

To avoid AppArmor denying the ptrace call, the container must be run in privileged mode.

To Reproduce

Run the provided example stack using docker compose file.

Expected behavior

To avoid generating endless logs, either:

  • the ptrace call is important in a container environment and the documentation should state that the container must be run in privileged mode,
    OR
  • the ptrace call is not important and should not be executed in container mode.

Environment

  • Linux distribution version: Ubuntu 21.10
  • Kernel version: Linux server 5.13.0-20-generic #20-Ubuntu SMP Fri Oct 15 14:21:35 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
  • Docker version: 20.10.7, build 20.10.7-0ubuntu5.1

Labels: bug