AppArmor error running privileged docker container on machine executor


#1

I’m using test-kitchen to test on CircleCI 2.0 with the machine executor. The job fails when trying to start ntpd in the container, complaining of permission denied when accessing the shared object:

/usr/sbin/ntpd: error while loading shared libraries: libopts.so.25: cannot stat shared object: Permission denied

dmesg shows AppArmor is blocking it.

[  313.038963] audit: type=1400 audit(1534978630.297:12): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="var/lib/docker/overlay2/dd4cf35c2a86b3a3700d0014a655c3490dabbaa33b2e7cb6b204020fcf8dee5b/diff/etc/ld.so.cache" pid=22795 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  313.038995] audit: type=1400 audit(1534978630.297:13): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="var/lib/docker/overlay2/dd4cf35c2a86b3a3700d0014a655c3490dabbaa33b2e7cb6b204020fcf8dee5b/diff/lib/x86_64-linux-gnu" pid=22795 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  313.039014] audit: type=1400 audit(1534978630.297:14): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="var/lib/docker/overlay2/dd4cf35c2a86b3a3700d0014a655c3490dabbaa33b2e7cb6b204020fcf8dee5b/diff/usr/lib/x86_64-linux-gnu/libopts.so.25.15.0" pid=22795 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  403.019956] audit: type=1400 audit(1534978720.277:15): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="var/lib/docker/overlay2/dd4cf35c2a86b3a3700d0014a655c3490dabbaa33b2e7cb6b204020fcf8dee5b/diff/etc/ld.so.cache" pid=22860 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  403.019974] audit: type=1400 audit(1534978720.277:16): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="var/lib/docker/overlay2/dd4cf35c2a86b3a3700d0014a655c3490dabbaa33b2e7cb6b204020fcf8dee5b/diff/lib/x86_64-linux-gnu" pid=22860 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  403.019994] audit: type=1400 audit(1534978720.277:17): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="var/lib/docker/overlay2/dd4cf35c2a86b3a3700d0014a655c3490dabbaa33b2e7cb6b204020fcf8dee5b/diff/usr/lib/x86_64-linux-gnu/libopts.so.25.15.0" pid=22860 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

The AppArmor error is only triggered when running kitchen-docker in privileged mode. I’m not sure why.
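
A triage sketch for the dmesg output in post #1, added here as an example and not part of the original thread: it parses AppArmor DENIED audit records, keeps the "disconnected path" ones, groups them by profile, and maps the overlay2 names back to the paths as seen inside the container. The sample lines are constructed from the post's log with the layer id replaced by the placeholder LAYERID; the function names and the last two sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: modeled on the dmesg lines in the post, with the overlay2
# layer id replaced by the placeholder LAYERID; the last two lines are made up.
LAYER = "var/lib/docker/overlay2/LAYERID/diff"
SAMPLE = f"""\
[  313.038963] audit: type=1400 audit(1534978630.297:12): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="{LAYER}/etc/ld.so.cache" pid=22795 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  313.039014] audit: type=1400 audit(1534978630.297:14): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="{LAYER}/usr/lib/x86_64-linux-gnu/libopts.so.25.15.0" pid=22795 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  403.019956] audit: type=1400 audit(1534978720.277:15): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="{LAYER}/etc/ld.so.cache" pid=22860 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  500.000000] audit: type=1400 audit(1534978800.000:18): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/example.conf" pid=23000 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  501.000000] example: unrelated kernel message
"""

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
OVERLAY = re.compile(r'^/?var/lib/docker/overlay2/[^/]+/diff(/.*)$')

def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: (q if raw.startswith('"') else raw)
            for k, raw, q in FIELD.findall(line)}

def disconnected_denials(text):
    """Group disconnected-path denials by profile, with in-container paths."""
    report = defaultdict(lambda: {"count": 0, "pids": set(), "paths": set()})
    for line in text.splitlines():
        d = parse_denial(line)
        if d is None or "disconnected path" not in d.get("info", ""):
            continue
        entry = report[d.get("profile", "?")]
        entry["count"] += 1
        if "pid" in d:
            entry["pids"].add(int(d["pid"]))
        name = d.get("name", "")
        m = OVERLAY.match(name)
        # Report the path as the container sees it when the name is a layer path.
        entry["paths"].add(m.group(1) if m else name)
    return dict(report)

if __name__ == "__main__":
    for profile, e in disconnected_denials(SAMPLE).items():
        print(f"{profile}: {e['count']} denials, pids {sorted(e['pids'])}")
        for p in sorted(e["paths"]):
            print(f"  {p}")
```

On the post's log this grouping shows every disconnected-path denial attributed to the profile /usr/sbin/ntpd, with denied names that are relative overlay2 paths (no leading slash).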


#2

I’m not familiar with AppArmor; can it be turned off?

