[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default

2014-10-07 Thread Jamie Strandboge
lxc-docker-1.2.0 is the upstream package. docker.io is the Ubuntu package. This 
should be fixed in the Ubuntu packaging in 1.2.0~dfsg1-1ubuntu1:
docker.io (1.2.0~dfsg1-1ubuntu1) utopic; urgency=medium

  * debian/patches/sync-apparmor-with-lxc.patch: update AppArmor policy to
    be in sync with LXC. Specifically this:
    - reorganizes the rules to allow for easier comparison with other
      container policy
    - adds comments for many rules
    - adds bare dbus rule
    - adds ptrace rule to allow ptracing ourselves
    - adds deny mount options=(ro, remount, silent) - /
    - allows hugetlbfs
    - adds cgmanager mount
    - adds /sys/fs/pstore mount
    - more specific /sys/kernel/security mount options
    - more specific /sys mount options
    - more specific /proc/sys/kernel/* deny rules
    - more specific /proc/sys/net deny rules
    - more specific /sys/class deny rules
    - more specific /sys/devices deny rules
    - more specific /sys/fs deny rules

Specifically:
  # Allow us to ptrace ourselves
  ptrace peer=@{profile_name},


** Changed in: docker.io (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to docker.io in Ubuntu.
https://bugs.launchpad.net/bugs/1320869

Title:
  apparmor=DENIED operation=ptrace profile=docker-default

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1320869/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default

2014-10-07 Thread Anthony O.
This also affects me in lxc-docker-1.2.0, version 1.2.0


Re: [Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default

2014-10-07 Thread Paul Tagliamonte
Feel free to send this patchset to the Debian BTS -- we can see about
adding an Ubuntu vendor switch so we don't maintain a delta.

You should also consider talking with Upstream about getting this fixed
in 1.3

Thanks for your work!

On Tue, Oct 7, 2014 at 3:05 PM, Jamie Strandboge ja...@ubuntu.com wrote:
> lxc-docker-1.2.0 is the upstream package. docker.io is the Ubuntu package.
> This should be fixed in the Ubuntu packaging in 1.2.0~dfsg1-1ubuntu1:
> docker.io (1.2.0~dfsg1-1ubuntu1) utopic; urgency=medium
>
>   * debian/patches/sync-apparmor-with-lxc.patch: update AppArmor policy to
>     be in sync with LXC. Specifically this:
>     - reorganizes the rules to allow for easier comparison with other
>       container policy
>     - adds comments for many rules
>     - adds bare dbus rule
>     - adds ptrace rule to allow ptracing ourselves
>     - adds deny mount options=(ro, remount, silent) - /
>     - allows hugetlbfs
>     - adds cgmanager mount
>     - adds /sys/fs/pstore mount
>     - more specific /sys/kernel/security mount options
>     - more specific /sys mount options
>     - more specific /proc/sys/kernel/* deny rules
>     - more specific /proc/sys/net deny rules
>     - more specific /sys/class deny rules
>     - more specific /sys/devices deny rules
>     - more specific /sys/fs deny rules
>
> Specifically:
>   # Allow us to ptrace ourselves
>   ptrace peer=@{profile_name},
>
>
> ** Changed in: docker.io (Ubuntu)
>    Status: Confirmed => Fix Released
>
> --
> You received this bug notification because you are a member of Docker
> Ubuntu Maintainers, which is subscribed to docker.io in Ubuntu.
> https://bugs.launchpad.net/bugs/1320869
>
> Title:
>   apparmor=DENIED operation=ptrace profile=docker-default
>
> Status in “docker.io” package in Ubuntu:
>   Fix Released
>
> Bug description:
>   when starting a container with -p / -P I'm starting to get many error
>   messages in the syslog which look like this
>
>   May 19 08:25:47 localhost kernel: [916087.208505] type=1400
>   audit(1400477147.264:2353): apparmor=DENIED operation=ptrace
>   profile=docker-default pid=12619 comm=706D323A20536174616E204461656D
>   requested_mask=trace denied_mask=trace peer=docker-default
>
>   » lsb_release -rd
>   Description:    Ubuntu 14.04 LTS
>   Release:        14.04
>
>   » apt-cache policy docker.io
>   docker.io:
>     Installed: 0.9.1~dfsg1-2
>     Candidate: 0.9.1~dfsg1-2
>     Version table:
>    *** 0.9.1~dfsg1-2 0
>           500 http://mirror.isoc.org.il/pub/ubuntu/ trusty/universe amd64 Packages
>           100 /var/lib/dpkg/status
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1320869/+subscriptions


-- 
All programmers are playwrights, and all computers are lousy actors.

#define sizeof(x) rand()
:wq
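
The denial in the bug description is a ptrace between two tasks that are both confined by docker-default, which is the case `ptrace peer=@{profile_name},` permits. The following is an added example, not code from this thread or from the docker.io package: it parses AppArmor denial records, decodes the hex-encoded comm field, and separates denials the self-ptrace rule covers from those it does not. The function names and the second sample line are constructed for illustration.

```python
import re

# key=value pairs; a value is either "quoted" or a bare token.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-F]{2})+')

SAMPLE_LINES = [
    # From the bug description in this thread (wrapped lines joined).
    "May 19 08:25:47 localhost kernel: [916087.208505] type=1400 "
    "audit(1400477147.264:2353): apparmor=DENIED operation=ptrace "
    "profile=docker-default pid=12619 comm=706D323A20536174616E204461656D "
    "requested_mask=trace denied_mask=trace peer=docker-default",
    # Constructed for contrast: the peer runs under a different profile.
    'May 19 08:26:01 localhost kernel: [916101.000000] type=1400 '
    'audit(1400477161.000:2360): apparmor="DENIED" operation="ptrace" '
    'profile="docker-default" pid=12700 comm="strace" '
    'requested_mask="trace" denied_mask="trace" peer="unconfined"',
]

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None otherwise."""
    fields = {}
    for key, quoted, bare in PAIR.findall(line):
        value = bare or quoted
        # Audit hex-encodes strings with spaces or control bytes and emits
        # them unquoted, so a bare all-hex comm is decoded (heuristic).
        if key == "comm" and bare and HEX.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields if fields.get("apparmor") == "DENIED" else None

def is_self_ptrace(event):
    """True for a ptrace denial whose peer carries the same profile."""
    return (event.get("operation") == "ptrace"
            and event.get("profile") is not None
            and event.get("peer") == event.get("profile"))

def triage(lines):
    """Split denials into (covered by the self-ptrace rule, still denied)."""
    covered, remaining = [], []
    for event in filter(None, map(parse_denial, lines)):
        (covered if is_self_ptrace(event) else remaining).append(event)
    return covered, remaining

if __name__ == "__main__":
    for label, events in zip(("covered", "remaining"), triage(SAMPLE_LINES)):
        for e in events:
            print(label, e["pid"], repr(e["comm"]), "peer=" + e["peer"])
```

The comm value decodes to a 15-character string because the kernel truncates task names to that length.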


Re: [Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default

2014-10-07 Thread Jamie Strandboge
On 10/07/2014 02:17 PM, Paul Tagliamonte wrote:
> Feel free to send this patchset to the Debian BTS -- we can see about
> adding an Ubuntu vendor switch so we don't maintain a delta.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764405

> You should also consider talking with Upstream about getting this fixed
> in 1.3

https://github.com/docker/docker/issues/8454

> Thanks for your work!

np! :)


[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default

2014-10-07 Thread Jamie Strandboge
** Bug watch added: Debian Bug tracker #764405
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764405


[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default

2014-07-08 Thread Alan Robertson
I can't find the docker-default profile.  Here's what I did:
sudo find / -name '*docker-default*' -print
/sys/kernel/security/apparmor/policy/profiles/docker-default.0

That's the only line that came out.  I'm running 13.10 on this machine.
Not going to upgrade it until I get another 14.04 machine running
correctly.

Suggestions?


[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default

2014-07-08 Thread Rabin
@Alan, you can take the file from a 14.04 package.


[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default

2014-07-08 Thread Seth Arnold
I had trouble rebuilding the docker.io package, so I'm sorry I don't
have a debdiff or ppa for you guys to try, but this is the patch I
wanted to test.

Thanks

** Patch added: apparmor-ptrace-docker-default.patch
   https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1320869/+attachment/4148343/+files/apparmor-ptrace-docker-default.patch


[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default

2014-07-08 Thread Ubuntu Foundations Team Bug Bot
The attachment apparmor-ptrace-docker-default.patch seems to be a
patch.  If it isn't, please remove the patch flag from the attachment,
remove the patch tag, and if you are a member of the ~ubuntu-reviewers,
unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issues please contact him.]

** Tags added: patch


[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default

2014-07-07 Thread Alan Robertson
This causes NUMEROUS problems.  netstat -lp doesn't work.  lsof doesn't
work.


[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default

2014-07-07 Thread Seth Arnold
In the docker-default profile, try adding this line:

ptrace peer=docker-default,

Thanks


[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default

2014-06-17 Thread Rabin
** Tags added: docker docker.io


[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default

2014-06-16 Thread Tianon
This is a pretty hairy error, but I think it needs to be reported
upstream, since anyone using Docker+apparmor would probably run into
this (and the fix will likely need to come from upstream anyhow).


[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default

2014-06-13 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: docker.io (Ubuntu)
   Status: New => Confirmed
