My log now gets filled up with messages like this:
This is caused by our monitoring (check_mk) ... However, the same message appears when doing ps inside a lxc container manually.
I've added this to /etc/apparmor.d/lxc/lxc-default
followed by an /etc/init.d/apparmor reload which made the errors disapper.
Code:
Jan 08 08:17:54 itchy kernel: audit: type=1400 audit(1452237474.036:1468): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=19654 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:17:59 itchy kernel: audit: type=1400 audit(1452237479.028:1469): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=19748 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:04 itchy kernel: audit: type=1400 audit(1452237484.032:1470): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=19957 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:09 itchy kernel: audit: type=1400 audit(1452237489.043:1471): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20056 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:14 itchy kernel: audit: type=1400 audit(1452237494.027:1472): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20084 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:19 itchy kernel: audit: type=1400 audit(1452237499.031:1473): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20181 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:24 itchy kernel: audit: type=1400 audit(1452237504.035:1474): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20230 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:29 itchy kernel: audit: type=1400 audit(1452237509.027:1475): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20325 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:34 itchy kernel: audit: type=1400 audit(1452237514.031:1476): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20383 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:39 itchy kernel: audit: type=1400 audit(1452237519.030:1477): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20676 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:44 itchy kernel: audit: type=1400 audit(1452237524.022:1478): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20707 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:49 itchy kernel: audit: type=1400 audit(1452237529.058:1479): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20905 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"This is caused by our monitoring (check_mk) ... However, the same message appears when doing ps inside a lxc container manually.
I've added this to /etc/apparmor.d/lxc/lxc-default
Code:
ptrace peer=@{profile_name},followed by an /etc/init.d/apparmor reload which made the errors disapper.
Code:
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/lxc/container-base>
# the container may never be allowed to mount devpts. If it does, it
# will remount the host's devpts. We could allow it to do it with
# the newinstance option (but, right now, we don't).
deny mount fstype=devpts,
ptrace peer=@{profile_name},
}
Last edited:
