I’m using test-kitchen to test on CircleCI 2.0 with the machine executor. The job fails when trying to start ntpd in the container, complaining of permission denied when accessing the shared object:
/usr/sbin/ntpd: error while loading shared libraries: libopts.so.25: cannot stat shared object: Permission denied
dmesg shows AppArmor is blocking it.
[ 313.038963] audit: type=1400 audit(1534978630.297:12): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="var/lib/docker/overlay2/dd4cf35c2a86b3a3700d0014a655c3490dabbaa33b2e7cb6b204020fcf8dee5b/diff/etc/ld.so.cache" pid=22795 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 313.038995] audit: type=1400 audit(1534978630.297:13): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="var/lib/docker/overlay2/dd4cf35c2a86b3a3700d0014a655c3490dabbaa33b2e7cb6b204020fcf8dee5b/diff/lib/x86_64-linux-gnu" pid=22795 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 313.039014] audit: type=1400 audit(1534978630.297:14): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="var/lib/docker/overlay2/dd4cf35c2a86b3a3700d0014a655c3490dabbaa33b2e7cb6b204020fcf8dee5b/diff/usr/lib/x86_64-linux-gnu/libopts.so.25.15.0" pid=22795 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 403.019956] audit: type=1400 audit(1534978720.277:15): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="var/lib/docker/overlay2/dd4cf35c2a86b3a3700d0014a655c3490dabbaa33b2e7cb6b204020fcf8dee5b/diff/etc/ld.so.cache" pid=22860 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 403.019974] audit: type=1400 audit(1534978720.277:16): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="var/lib/docker/overlay2/dd4cf35c2a86b3a3700d0014a655c3490dabbaa33b2e7cb6b204020fcf8dee5b/diff/lib/x86_64-linux-gnu" pid=22860 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 403.019994] audit: type=1400 audit(1534978720.277:17): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="var/lib/docker/overlay2/dd4cf35c2a86b3a3700d0014a655c3490dabbaa33b2e7cb6b204020fcf8dee5b/diff/usr/lib/x86_64-linux-gnu/libopts.so.25.15.0" pid=22860 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
The AppArmor error is only triggered when running kitchen-docker in privileged mode. I’m not sure why.
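A small triage helper for audit lines like the ones above, added here as an example and not part of the original post: it parses the key=value fields, flags "disconnected path" denials, and strips the Docker overlay2 prefix to show the path as the container sees it. The function names and the shortened sample lines (layer id replaced by the placeholder LAYERID) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: shortened from the dmesg output in the post, with the
# overlay2 layer id replaced by the placeholder LAYERID.
SAMPLE = '''\
[ 313.038963] audit: type=1400 audit(1534978630.297:12): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="var/lib/docker/overlay2/LAYERID/diff/etc/ld.so.cache" pid=22795 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 313.039014] audit: type=1400 audit(1534978630.297:14): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="var/lib/docker/overlay2/LAYERID/diff/usr/lib/x86_64-linux-gnu/libopts.so.25.15.0" pid=22795 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 403.019956] audit: type=1400 audit(1534978720.277:15): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="var/lib/docker/overlay2/LAYERID/diff/etc/ld.so.cache" pid=22860 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 403.100000] docker0: port 1(veth0) entered forwarding state
'''

# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Host-side overlay2 layer path; the remainder is the path inside the container.
OVERLAY = re.compile(r'^/?var/lib/docker/overlay2/[^/]+/(?:diff|merged)(/.*)$')


def parse_denial(line):
    """Return the fields of one AppArmor DENIED audit line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    # The kernel reports names it could not resolve to the profile's
    # namespace root with this info string and no leading slash.
    fields["disconnected"] = "disconnected path" in fields.get("info", "")
    match = OVERLAY.match(fields.get("name", ""))
    fields["container_path"] = match.group(1) if match else None
    return fields


def summarize(text):
    """Count denials per (profile, operation, path, disconnected)."""
    counts = Counter()
    for line in text.splitlines():
        d = parse_denial(line)
        if d:
            path = d["container_path"] or d.get("name", "")
            counts[(d.get("profile"), d.get("operation"), path, d["disconnected"])] += 1
    return counts


if __name__ == "__main__":
    for (profile, op, path, disc), n in summarize(SAMPLE).most_common():
        print(f"{n}x profile={profile} op={op} path={path} disconnected={disc}")
```
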