dmesg spam from netdata (i think)

[bdmorin]

I am NOT an apparmor expert, so I'm not sure what's going on here.

[ 4682.870976] audit: type=1400 audit(1561156190.339:4162728): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=31244 comm="apps.plugin" requested_mask="trace" denied_mask="trace" peer="unconfined"

My console dmesg is filled with it, with tens of thousands supressed.

[ 4728.867772] kauditd_printk_skb: 7221 callbacks suppressed
[ 4733.871859] kauditd_printk_skb: 7280 callbacks suppressed
[ 4738.875902] kauditd_printk_skb: 7246 callbacks suppressed
[ 4743.879990] kauditd_printk_skb: 7625 callbacks suppressed
[ 4748.884066] kauditd_printk_skb: 6724 callbacks suppressed
[ 4753.888313] kauditd_printk_skb: 7789 callbacks suppressed
[ 4758.893619] kauditd_printk_skb: 6916 callbacks suppressed
[ 4763.896348] kauditd_printk_skb: 6986 callbacks suppressed
[ 4769.861773] kauditd_printk_skb: 7154 callbacks suppressed

I've read some things about how to deal with this, and it appears adding --security-opts to the docker container might deal with it. I'm unsure. I stopped the netdata container and the audit spam stopped.

[bdmorin]

I added

    security_opt:
      - apparmor:unconfined

as per https://github.com/titpetric/netdata/issues/55#issuecomment-417976535 and netdata and console play nice now.

[tom472]

Ah awesome find .. thanks for linking the thread from Netdata .. I also see their container leaving a zombie process hanging, I need to check to see if that has been reported.

I'll add in this fix and test, should get it pushed to the master branch during the weekend.

[tom472]

OK this fix has been added via commit (https://github.com/tom472/mediabox/commit/14f27377ca2b7d6d0f94f7794456383080ee59ee)

Thanks @bdmorin for pointing out and for linking to the fix. Much appreciated.