[opensuse-factory] kernel 4.14 and docker
Hi,

The above combo gives an internal server error when using Collabora Online in my Nextcloud setup on a TW server. When I reboot into kernel 4.13 everything works as expected. I've tried reconfiguring the whole setup to make it work with 4.14 (incl. reinstalling docker after removing all configs and data in /var) only to find out that I didn't make any mistakes (i.e. with 4.13 everything works fine). Any hints, clues?

--
Gertjan Lettink, a.k.a. Knurpht
openSUSE Board Member
openSUSE Forums Team

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Hello,

On Friday, 24 November 2017, Knurpht - Gertjan Lettink wrote:

> The above combo gives an internal server error when using Collabora Online in my Nextcloud setup on a TW server. When I reboot into kernel 4.13 everything works as expected. I've tried reconfiguring the whole setup to make it work with 4.14 (incl. reinstalling docker after removing all configs and data in /var) only to find out that I didn't make any mistakes (i.e. with 4.13 everything works fine). Any hints, clues?

Without seeing any error messages, I can only guess. At least the fact that booting with 4.13 solves the problem gives a hint, therefore my guess is...

Maybe it's related to AppArmor - in 4.14, support for mount, signal and pivot_root rules was upstreamed, so you might need to adjust your AppArmor profiles. Check /var/log/audit/audit.log for DENIED messages. You can update your profiles manually or using aa-logprof [1].

I tested quite a few things with 4.14rc kernels to find out which profiles need an update (it mostly affected libvirt), but I have to admit I don't use docker and therefore didn't test if its AppArmor profile [2] needs some additions.

There's also a kernel bug that was fixed today, but isn't in any snapshot yet: https://bugzilla.opensuse.org/show_bug.cgi?id=1069562
If you are affected by this, keep 4.13.x until the fixed kernel reaches Tumbleweed.

Regards,

Christian Boltz

[1] aa-logprof doesn't support adding mount and pivot_root rules because their usage is too rare and because I'm lazy ;-) Docker _might_ be one of the few programs that need such rules. If in doubt, open a bug report and attach your audit.log, and I'll check which rules you need.

[2] Last time I checked the Docker AppArmor profile, I copied some lines from it to my "AppArmor Crash Course" slides where they now serve as a bad example. And that was _after_ I helped to fix some issues with it...

--
Wouldn't it be an improvement if, in the next Windows version, instead of the alarming message "severe exception error" a reassuring "annoying standard problem" announced the impending crash? [Hans Goebl in de.etc.bahn.eisenbahn]
On Saturday, 25 November 2017 00:10:19 CET, Christian Boltz wrote:

> Hello,
>
> On Friday, 24 November 2017, Knurpht - Gertjan Lettink wrote:
>
> > The above combo gives an internal server error when using Collabora Online in my Nextcloud setup on a TW server. When I reboot into kernel 4.13 everything works as expected. I've tried reconfiguring the whole setup to make it work with 4.14 (incl. reinstalling docker after removing all configs and data in /var) only to find out that I didn't make any mistakes (i.e. with 4.13 everything works fine). Any hints, clues?
>
> Without seeing any error messages, I can only guess. At least the fact that booting with 4.13 solves the problem gives a hint, therefore my guess is...
>
> Maybe it's related to AppArmor - in 4.14, support for mount, signal and pivot_root rules was upstreamed, so you might need to adjust your AppArmor profiles. Check /var/log/audit/audit.log for DENIED messages. You can update your profiles manually or using aa-logprof [1].
>
> I tested quite a few things with 4.14rc kernels to find out which profiles need an update (it mostly affected libvirt), but I have to admit I don't use docker and therefore didn't test if its AppArmor profile [2] needs some additions.
>
> There's also a kernel bug that was fixed today, but isn't in any snapshot yet: https://bugzilla.opensuse.org/show_bug.cgi?id=1069562 If you are affected by this, keep 4.13.x until the fixed kernel reaches Tumbleweed.
>
> Regards,
>
> Christian Boltz
>
> [1] aa-logprof doesn't support adding mount and pivot_root rules because their usage is too rare and because I'm lazy ;-) Docker _might_ be one of the few programs that need such rules. If in doubt, open a bug report and attach your audit.log, and I'll check which rules you need.
>
> [2] Last time I checked the Docker AppArmor profile, I copied some lines from it to my "AppArmor Crash Course" slides where they now serve as a bad example. And that was _after_ I helped to fix some issues with it...

Thanks Christian.

There are indeed "DENIED lines" re. docker and containerd in the audit.log. Can't miss the server today, but will check tomorrow and file a bug against apparmor. Will testing with apparmor disabled be useful?

--
Gertjan Lettink, a.k.a. Knurpht
openSUSE Board Member
openSUSE Forums Team
Hello,

On Saturday, 25 November 2017, Knurpht - Gertjan Lettink wrote:

> There are indeed "DENIED lines" re. docker and containerd in the audit.log. Can't miss the server today, but will check tomorrow and file a bug against apparmor.

I'll happily reassign it to the docker maintainer - but nevertheless, please first report it against AppArmor and assign it to me.

> Will testing with apparmor disabled be useful?

No ;-)

Please use aa-complain /etc/apparmor.d/usr.sbin.docker (assuming that's the profile filename - adjust as needed, and repeat for containerd) to switch the profile to complain mode. This will allow everything and log things that wouldn't be allowed by the profile. Then use Docker as usual and check the audit.log for entries. Note that the log lines contain apparmor="ALLOWED" for profiles in complain mode.

BTW: the kernels that are currently building in Kernel:HEAD include the fix for boo#1069562

Regards,

Christian Boltz

--
There is a limit to the value of statistics. After all, there are lies, damn lies, and statistics. [Richard Brown in opensuse-project]
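The triage that Christian's two messages describe (collect the apparmor="DENIED" records from /var/log/audit/audit.log, or the apparmor="ALLOWED" ones once the profile is in complain mode, then work out which of them need the mount, pivot_root and signal rules that aa-logprof will not propose), written out as an added example. It is not code from this thread, from AppArmor or from the Docker project. The audit lines are constructed for illustration; the record field names, the mapping of fields to rule text and the rule syntax in the drafts are assumptions based on typical AppArmor audit records, so every draft still has to be checked against apparmor.d(5) and the real profile before it goes in.

```python
"""Triage AppArmor audit records for Docker/containerd profiles.

Added example, not code from the thread or from the AppArmor/Docker projects.
Groups each profile's refused operations into those aa-logprof can turn into
file rules and those (mount, umount, pivot_root, signal) that the thread says
must be written by hand, and drafts a rule for the latter from the record's
fields. Field names and rule syntax are assumptions about typical AppArmor
audit records, not data captured from the reporter's server.
"""
import re
from collections import defaultdict

# key=value or key="value with spaces", space separated (assumed record format).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Audit operation name -> rule type that has to be written by hand.
MANUAL_OPS = {"mount": "mount", "umount": "umount",
              "pivotroot": "pivot_root", "signal": "signal"}

# Constructed sample audit.log excerpt (not real output from any server).
SAMPLE_LOG = """\
type=AVC msg=audit(1511568000.101:201): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="docker-default" name="/proc/" pid=4242 comm="runc" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec, relatime"
type=AVC msg=audit(1511568000.102:202): apparmor="DENIED" operation="pivotroot" profile="docker-default" name="/var/lib/docker/overlay2/abc/merged/" pid=4242 comm="runc" srcname="/var/lib/docker/overlay2/abc/merged/.pivot_root/"
type=AVC msg=audit(1511568000.103:203): apparmor="ALLOWED" operation="signal" profile="/usr/sbin/docker" pid=1000 comm="dockerd" requested_mask="send" denied_mask="send" signal=term peer="docker-default"
type=AVC msg=audit(1511568000.104:204): apparmor="DENIED" operation="open" profile="docker-default" name="/etc/ld.so.cache" pid=4243 comm="loolwsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=USER_LOGIN msg=audit(1511568000.105:205): pid=1 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
"""


def parse_apparmor_record(line):
    """Return the fields of an AppArmor record that was refused (DENIED) or
    would have been outside complain mode (ALLOWED); None for anything else."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    if fields.get("apparmor") not in ("DENIED", "ALLOWED"):
        return None
    return fields


def draft_manual_rule(op, f):
    """Draft the hand-written rule for a mount/umount/pivot_root/signal record.
    The field-to-rule mapping and syntax are assumptions; verify against
    apparmor.d(5) and the target profile before adding the rule."""
    if op == "mount":
        fstype = f"fstype={f['fstype']} " if f.get("fstype") else ""
        return f"mount {fstype}-> {f.get('name', '')},"
    if op == "umount":
        return f"umount {f.get('name', '')},"
    if op == "pivotroot":
        # assumed: srcname is where the old root is put, name is the new root
        return f"pivot_root oldroot={f.get('srcname', '')} {f.get('name', '')},"
    if op == "signal":
        return (f"signal ({f.get('requested_mask', 'send')}) "
                f"set=({f.get('signal', '')}) peer={f.get('peer', '')},")
    return None


def triage(log_text):
    """Per profile: 'auto' file rules (aa-logprof territory) and 'manual'
    entries for the rule types aa-logprof will not propose."""
    report = defaultdict(lambda: {"auto": [], "manual": []})
    for line in log_text.splitlines():
        f = parse_apparmor_record(line)
        if f is None:
            continue
        profile = f.get("profile", "?")
        op = f.get("operation", "?")
        if op in MANUAL_OPS:
            report[profile]["manual"].append({
                "rule_type": MANUAL_OPS[op],
                "operation": op,
                "comm": f.get("comm"),
                "mode": f["apparmor"],  # DENIED, or ALLOWED in complain mode
                "draft": draft_manual_rule(op, f),
            })
        elif "name" in f and "requested_mask" in f:
            # plain file access: the kind of rule aa-logprof can propose
            rule = f"{f['name']} {f['requested_mask']},"
            if rule not in report[profile]["auto"]:
                report[profile]["auto"].append(rule)
    return dict(report)


if __name__ == "__main__":
    for profile, groups in triage(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for rule in groups["auto"]:
            print(f"  aa-logprof can propose: {rule}")
        for e in groups["manual"]:
            print(f"  needs a manual {e['rule_type']} rule "
                  f"({e['mode']}, comm={e['comm']}): {e['draft']}")
```

Run it against the real log with `triage(open("/var/log/audit/audit.log").read())` after the profiles have been switched to complain mode with aa-complain and Docker has been exercised; the "mode" field tells you whether a record came from an enforcing profile (DENIED) or a complaining one (ALLOWED), which matters when you attach the log to the bug report.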
participants (2)

- Christian Boltz
- Knurpht - Gertjan Lettink