This repository was archived by the owner on Sep 17, 2021. It is now read-only.

Monit causes massive amounts of apparmor logs #13

Closed
JensErat opened this issue Feb 28, 2015 · 6 comments

Comments

@JensErat
Contributor

When running docker-zabbix on Ubuntu, Monit causes a massive amount of apparmor logs like

Feb 26 07:02:09 host kernel: [3076364.602789] type=1400 audit(1424930529.694:10500): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=6383 comm="monit" requested_mask="trace" denied_mask="trace" peer="docker-default"

Multiple of these get logged every ten seconds. I don't know Monit and what it exactly requires ptrace for, but either it should be stopped from doing so, or at least the following workaround documented, which requires running the container with ptrace capabilities and apparmor disabled (which probably is a bad thing):

    --cap-add SYS_PTRACE \
    --security-opt apparmor:unconfined \
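
An added example, not part of this issue or of the docker-zabbix project: a POSIX shell helper that summarises AppArmor DENIED events from the kernel log (by profile, process name, operation and denied mask) so the noise can be quantified before a container's confinement is loosened. The log lines inside the script are constructed sample input modelled on the line quoted above; on a real host the input would be `dmesg` or `/var/log/kern.log`.

```shell
#!/bin/sh
# Added example, not part of docker-zabbix: summarise AppArmor DENIED events
# from the kernel log so the noise Monit generates can be quantified
# (how often, which operation, which denied mask) before changing the
# container's confinement. The lines below are constructed sample input
# modelled on the line quoted in the issue.

SAMPLE_LOG='Feb 26 07:02:09 host kernel: [3076364.602789] type=1400 audit(1424930529.694:10500): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=6383 comm="monit" requested_mask="trace" denied_mask="trace" peer="docker-default"
Feb 26 07:02:19 host kernel: [3076374.602901] type=1400 audit(1424930539.694:10501): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=6383 comm="monit" requested_mask="trace" denied_mask="trace" peer="docker-default"
Feb 26 07:02:19 host kernel: [3076374.603011] type=1400 audit(1424930539.695:10502): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=6383 comm="monit" requested_mask="read" denied_mask="read" peer="docker-default"
Feb 26 07:02:20 host sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234'

# count_denials: read log lines on stdin and print one line per distinct
# "profile comm operation denied_mask" combination, prefixed with its count,
# most frequent first. Lines without apparmor="DENIED" are ignored.
count_denials() {
  grep 'apparmor="DENIED"' |
  sed -n 's/.*operation="\([^"]*\)".*profile="\([^"]*\)".*comm="\([^"]*\)".*denied_mask="\([^"]*\)".*/\2 \3 \1 \4/p' |
  sort | uniq -c | sort -rn | sed 's/^ *//'
}

# ptrace_denials_by: number of DENIED ptrace events caused by the process
# name given as $1 (e.g. monit). Prints 0 rather than failing when none match.
ptrace_denials_by() {
  grep -c "apparmor=\"DENIED\" operation=\"ptrace\".*comm=\"$1\"" || true
}

# Usage: feed the sample (or dmesg / /var/log/kern.log) into the helpers.
printf '%s\n' "$SAMPLE_LOG" | count_denials
printf '%s\n' "$SAMPLE_LOG" | ptrace_denials_by monit
```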
@berngp
Owner

berngp commented Mar 6, 2015

@JensErat thanks for pointing this out. This is not an issue of the zabbix container per-se but related to how docker manages the apparmor configuration.

Did you try adding the following line to /etc/rc.local?

aa-complain /etc/apparmor.d/docker

Could you share with me the Ubuntu and Docker version you are using?

@JensErat
Contributor Author

JensErat commented Mar 6, 2015

> This is not an issue of the zabbix container per-se but related to how docker manages the apparmor configuration.

Yes, as I already pointed out, it probably is not something the container can change, but would be a reasonable thing to put into documentation.

> Did you try adding the following line to /etc/rc.local?
>
> aa-complain /etc/apparmor.d/docker

This disables apparmor for all containers and is a horrible thing to do!

> Could you share with me the Ubuntu and Docker version you are using?

On this machine, I run Ubuntu 14.04 with all updates and Docker from their own repositories, version 1.5.0.

@berngp
Owner

berngp commented Mar 6, 2015

@JensErat I'll write it down in the documentation. Will replicate over the weekend so I can understand better how to work with apparmor. I agree that disabling it is a horrible thing but I don't see any other workaround, as you pointed it out in the beginning. I also need to get more familiar with apparmor, I am sure you know it a lot better than I do.

@JensErat
Contributor Author

JensErat commented Mar 6, 2015

I'm not very familiar with apparmor either, mostly sticking with the default rules of what Debian or Ubuntu provide (pretty much everything I have is running one of those distributions).

Docker is limiting slightly too strictly for some applications depending on special kernel features, like Monit tracing whatever in this case (whereas the use case is rather obvious).

There are different ways of allowing this. The worst is disabling apparmor completely, only slightly better is disabling apparmor for Docker (which is probably running most services for Docker users). The lines I initially posted do two things: giving the container the capability of performing traces, and finally disabling apparmor for the Zabbix container, and nothing else.

Changing apparmor rules for Docker will not work out: Docker overwrites them each time the service is started... I guess in the end, this issue has to be resolved by Docker: --cap-add SYS_PTRACE has to allow tracing within apparmor... But this is obviously still discussed in a rather broad number of Docker issues.

This will very likely also affect other images depending on Monit.

@berngp
Owner

berngp commented Mar 6, 2015

Agree, we should at least document it as you suggested initially. Feel free to submit a PR to the README.md file, will merge right away. I can also change it but since I have not seen the issue it will have to wait until I replicate and apply your suggestion, hopefully this weekend.

JensErat added a commit to JensErat/docker-zabbix that referenced this issue Mar 7, 2015
berngp added a commit that referenced this issue Mar 9, 2015
Documentation for Apparmor workaround (#13)
@berngp
Owner

berngp commented Mar 9, 2015

@JensErat thank you, commit 729dc42 Fixes #17
