[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default
lxc-docker-1.2.0 is the upstream package. docker.io is the Ubuntu package.
This should be fixed in the Ubuntu packaging in 1.2.0~dfsg1-1ubuntu1:

docker.io (1.2.0~dfsg1-1ubuntu1) utopic; urgency=medium

  * debian/patches/sync-apparmor-with-lxc.patch: update AppArmor policy to be
    in sync with LXC. Specifically this:
    - reorganizes the rules to allow for easier comparison with other
      container policy
    - adds comments for many rules
    - adds bare dbus rule
    - adds ptrace rule to allow ptracing ourselves
    - adds deny mount options=(ro, remount, silent) -> /
    - allows hugetlbfs
    - adds cgmanager mount
    - adds /sys/fs/pstore mount
    - more specific /sys/kernel/security mount options
    - more specific /sys mount options
    - more specific /proc/sys/kernel/* deny rules
    - more specific /proc/sys/net deny rules
    - more specific /sys/class deny rules
    - more specific /sys/devices deny rules
    - more specific /sys/fs deny rules

Specifically:

  # Allow us to ptrace ourselves
  ptrace peer=@{profile_name},

** Changed in: docker.io (Ubuntu)
       Status: Confirmed => Fix Released

--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to docker.io in Ubuntu.
https://bugs.launchpad.net/bugs/1320869

Title:
  apparmor=DENIED operation=ptrace profile=docker-default

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1320869/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default
This also affects me in lxc-docker-1.2.0, version 1.2.0
Re: [Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default
Feel free to send this patchset to the Debian BTS -- we can see about
adding an Ubuntu vendor switch so we don't maintain a delta.

You should also consider talking with Upstream about getting this fixed
in 1.3

Thanks for your work!

On Tue, Oct 7, 2014 at 3:05 PM, Jamie Strandboge ja...@ubuntu.com wrote:
> lxc-docker-1.2.0 is the upstream package. docker.io is the Ubuntu package.
> This should be fixed in the Ubuntu packaging in 1.2.0~dfsg1-1ubuntu1:
>
> docker.io (1.2.0~dfsg1-1ubuntu1) utopic; urgency=medium
>
>   * debian/patches/sync-apparmor-with-lxc.patch: update AppArmor policy to be
>     in sync with LXC. Specifically this:
>     - reorganizes the rules to allow for easier comparison with other
>       container policy
>     - adds comments for many rules
>     - adds bare dbus rule
>     - adds ptrace rule to allow ptracing ourselves
>     - adds deny mount options=(ro, remount, silent) -> /
>     - allows hugetlbfs
>     - adds cgmanager mount
>     - adds /sys/fs/pstore mount
>     - more specific /sys/kernel/security mount options
>     - more specific /sys mount options
>     - more specific /proc/sys/kernel/* deny rules
>     - more specific /proc/sys/net deny rules
>     - more specific /sys/class deny rules
>     - more specific /sys/devices deny rules
>     - more specific /sys/fs deny rules
>
> Specifically:
>
>   # Allow us to ptrace ourselves
>   ptrace peer=@{profile_name},
>
> ** Changed in: docker.io (Ubuntu)
>        Status: Confirmed => Fix Released
>
> --
> You received this bug notification because you are a member of Docker
> Ubuntu Maintainers, which is subscribed to docker.io in Ubuntu.
> https://bugs.launchpad.net/bugs/1320869
>
> Title:
>   apparmor=DENIED operation=ptrace profile=docker-default
>
> Status in “docker.io” package in Ubuntu:
>   Fix Released
>
> Bug description:
>   when starting a container with -p / -P i'm starting to get many error
>   messages in the syslog which looks like this
>
>   May 19 08:25:47 localhost kernel: [916087.208505] type=1400 audit(1400477147.264:2353): apparmor=DENIED operation=ptrace profile=docker-default pid=12619 comm=706D323A20536174616E204461656D requested_mask=trace denied_mask=trace peer=docker-default
>
>   » lsb_release -rd
>   Description:    Ubuntu 14.04 LTS
>   Release:        14.04
>
>   » apt-cache policy docker.io
>   docker.io:
>     Installed: 0.9.1~dfsg1-2
>     Candidate: 0.9.1~dfsg1-2
>     Version table:
>    *** 0.9.1~dfsg1-2 0
>           500 http://mirror.isoc.org.il/pub/ubuntu/ trusty/universe amd64 Packages
>           100 /var/lib/dpkg/status
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1320869/+subscriptions

--
All programmers are playwrights, and all computers are lousy actors.

#define sizeof(x) rand()
:wq
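
Added example, not part of the original thread or of the Docker or Ubuntu packaging: a Python triage of AppArmor audit records like the one in the bug description. It decodes the hex-encoded comm field and separates same-profile ptrace denials, the case the `ptrace peer=@{profile_name},` rule permits, from cross-profile ones that the rule leaves denied. The function names and the second and third sample lines are constructed for illustration.

```python
import re

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

# First line copies the denial from the bug description; the other two are
# constructed, in the quoted form the kernel normally emits.
LINES = [
    "May 19 08:25:47 localhost kernel: [916087.208505] type=1400 "
    "audit(1400477147.264:2353): apparmor=DENIED operation=ptrace "
    "profile=docker-default pid=12619 comm=706D323A20536174616E204461656D "
    "requested_mask=trace denied_mask=trace peer=docker-default",
    'kernel: type=1400 audit(0.0:1): apparmor="DENIED" operation="ptrace" '
    'profile="docker-default" pid=4242 comm="strace" '
    'requested_mask="trace" denied_mask="trace" peer="unconfined"',
    'kernel: type=1400 audit(0.0:2): apparmor="DENIED" operation="mount" '
    'profile="docker-default" pid=4243 comm="mount" name="/sys/"',
]

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    raw = dict(FIELD.findall(line))
    fields = {k: v.strip('"') for k, v in raw.items()}
    if fields.get("apparmor") != "DENIED":
        return None
    # audit hex-encodes an unquoted comm that holds spaces or control bytes;
    # decode it only when the result is readable text.
    comm = raw.get("comm", "")
    if HEX.fullmatch(comm):
        try:
            text = bytes.fromhex(comm).decode("utf-8")
        except UnicodeDecodeError:
            text = ""
        if text and text.isprintable():
            fields["comm"] = text
    return fields

def triage(lines):
    """Split ptrace denials into same-profile and cross-profile lists."""
    same, cross = [], []
    for line in lines:
        f = parse_denial(line)
        if not f or f.get("operation") != "ptrace":
            continue
        entry = (f.get("profile"), f.get("comm"), f.get("peer"))
        (same if f.get("peer") == f.get("profile") else cross).append(entry)
    return same, cross

if __name__ == "__main__":
    print(triage(LINES))
```

Only the entries in the first list are covered by the self-ptrace rule; anything in the second list stays denied after the fix.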
Re: [Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default
On 10/07/2014 02:17 PM, Paul Tagliamonte wrote:
> Feel free to send this patchset to the Debian BTS -- we can see about
> adding an Ubuntu vendor switch so we don't maintain a delta.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764405

> You should also consider talking with Upstream about getting this fixed
> in 1.3

https://github.com/docker/docker/issues/8454

> Thanks for your work!

np! :)
[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default
** Bug watch added: Debian Bug tracker #764405
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764405
[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default
I can't find the docker-default profile. Here's what I did:

sudo find / -name '*docker-default*' -print
/sys/kernel/security/apparmor/policy/profiles/docker-default.0

That's the only line that came out. I'm running 13.10 on this machine.
Not going to upgrade it until I get another 14.04 machine running
correctly. Suggestions?
[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default
@Alan, you can take the file from a 14.04 package.
[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default
I had trouble rebuilding the docker.io package, so I'm sorry I don't
have a debdiff or ppa for you guys to try, but this is the patch I
wanted to test.

Thanks

** Patch added: apparmor-ptrace-docker-default.patch
   https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1320869/+attachment/4148343/+files/apparmor-ptrace-docker-default.patch
[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default
The attachment apparmor-ptrace-docker-default.patch seems to be a patch.
If it isn't, please remove the patch flag from the attachment, remove
the patch tag, and if you are a member of the ~ubuntu-reviewers,
unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issues please contact him.]

** Tags added: patch
[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default
This causes NUMEROUS problems. netstat -lp doesn't work. lsof doesn't work.
[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default
In the docker-default profile, try adding this line:

  ptrace peer=docker-default,

Thanks
[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default
** Tags added: docker docker.io
[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default
This is a pretty hairy error, but I think it needs to be reported
upstream, since anyone using Docker+apparmor would probably run into
this (and the fix will likely need to come from upstream anyhow).
[Bug 1320869] Re: apparmor=DENIED operation=ptrace profile=docker-default
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: docker.io (Ubuntu)
       Status: New => Confirmed