Mailinglist Archive: opensuse-factory (765 mails)

Re: [opensuse-factory] kernel 4.14 and docker
  • From: Knurpht - Gertjan Lettink <knurpht@xxxxxxxxxxxx>
  • Date: Sat, 25 Nov 2017 10:35:18 +0100
  • Message-id: <1651734.D9zPreP9f0@knurpht-hp>
On Saturday, 25 November 2017 00:10:19 CET, Christian Boltz wrote:
Hello,

On Friday, 24 November 2017, Knurpht - Gertjan Lettink wrote:
The above combo gives an internal server error when using collabora
online in my nextcloud setup on a TW server. When I reboot into
kernel 4.13 everything works as expected. I've tried reconfiguring
the whole setup to make it work with 4.14 (incl. reinstalling docker
after removing all configs and data in /var) only to find out that
I didn't make any mistakes (i.e. with 4.13 everything works fine).
Any hints, clues?

Without seeing any error messages, I can only guess. At least the fact
that booting with 4.13 solves the problem gives a hint, therefore my
guess is...

Maybe it's related to AppArmor - in 4.14, support for mount, signal and
pivot_root rules was upstreamed, so you might need to adjust your
AppArmor profiles. Check /var/log/audit/audit.log for DENIED messages.
You can update your profiles manually or using aa-logprof [1].

I tested quite a few things with 4.14rc kernels to find out which
profiles need an update (it mostly affected libvirt), but I have to
admit I don't use docker and therefore didn't test if its AppArmor
profile [2] needs some additions.


There's also a kernel bug that was fixed today, but isn't in any
snapshot yet: https://bugzilla.opensuse.org/show_bug.cgi?id=1069562
If you are affected by this, keep 4.13.x until the fixed kernel reaches
Tumbleweed.


Regards,

Christian Boltz

[1] aa-logprof doesn't support adding mount and pivot_root rules because
their usage is too rare and because I'm lazy ;-) Docker _might_ be
one of the few programs that need such rules.
If in doubt, open a bug report and attach your audit.log, and I'll
check which rules you need.

[2] Last time I checked the Docker AppArmor profile, I copied some lines
from it to my "AppArmor Crash Course" slides where they now serve as
a bad example. And that was _after_ I helped to fix some issues with
it...

Thanks Christian.

There are indeed "DENIED lines" re. docker and containerd in the audit.log.
Can't miss the server today, but will check tomorrow and file a bug against
apparmor. Will testing with apparmor disabled be useful?


--
Gertjan Lettink, a.k.a. Knurpht

openSUSE Board Member
openSUSE Forums Team
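
The audit.log check suggested in the thread, as an added example that is not part of the original mails: it groups AppArmor DENIED records by profile and operation and flags the mount and pivot_root denials that, per footnote [1], aa-logprof will not turn into rules. The sample records and the `docker-default` profile name in them are constructed, and the bucket names are this example's own.

```python
import re
import sys
from collections import Counter

# Audit operation names for the rule types new in 4.14 (pivot_root is logged as "pivotroot").
NEW_IN_4_14 = {"mount", "signal", "pivotroot"}
# Footnote [1]: aa-logprof does not propose mount or pivot_root rules.
MANUAL_ONLY = {"mount", "pivotroot"}

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample records (not taken from the poster's system).
SAMPLE = [
    'type=AVC msg=audit(1511600001.101:301): apparmor="DENIED" operation="mount" '
    'info="failed flags match" error=-13 profile="docker-default" name="/proc/" '
    'pid=2101 comm="runc" fstype="proc" srcname="proc" flags="rw, nosuid"',
    'type=AVC msg=audit(1511600002.202:302): apparmor="DENIED" operation="signal" '
    'profile="docker-default" pid=2102 comm="containerd" denied_mask="receive" peer="unconfined"',
    'type=AVC msg=audit(1511600003.303:303): apparmor="DENIED" operation="open" '
    'profile="docker-default" name="/etc/hosts" pid=2103 comm="cat" denied_mask="r"',
    'type=AVC msg=audit(1511600004.404:304): apparmor="ALLOWED" operation="mount" '
    'profile="docker-default" name="/dev/" pid=2104 comm="runc"',
]

def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def summarize(lines):
    """Count denials per (profile, operation), split by how they get fixed."""
    counts = Counter()
    for line in lines:
        rec = parse_denial(line)
        if rec:
            counts[(rec.get("profile", "?"), rec.get("operation", "?"))] += 1
    report = {"new_in_4.14": {}, "needs_manual_rule": {}, "other": {}}
    for key, n in counts.items():
        report["new_in_4.14" if key[1] in NEW_IN_4_14 else "other"][key] = n
        if key[1] in MANUAL_ONLY:
            report["needs_manual_rule"][key] = n
    return report

if __name__ == "__main__":
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    for bucket, rows in summarize(src).items():
        for (profile, op), n in sorted(rows.items()):
            print(f"{bucket:18} {profile:20} {op:10} {n}")
```

Run it with the path to audit.log as the only argument (reading that file normally needs root); without an argument it processes the constructed sample.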