Docker 18.09.9 snap crashes with AppArmor denial on /sys/kernel/mm/transparent_hugepage/hpage_pmd_size

With the new docker 18.09.9 snap on Ubuntu 20.04, I’m seeing Docker containers eventually stop working (seemingly at random times) with the following AppArmor error in dmesg:

[82109.669473] kauditd_printk_skb: 2 callbacks suppressed
[82109.669475] audit: type=1400 audit(1574117861.497:670): apparmor="DENIED" operation="open" profile="snap.docker.docker" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=277187 comm="docker" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[82109.845504] audit: type=1400 audit(1574117861.673:671): apparmor="DENIED" operation="open" profile="snap.docker.docker" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=277218 comm="docker" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[82110.106467] audit: type=1400 audit(1574117861.934:672): apparmor="DENIED" operation="open" profile="snap.docker.docker" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=277249 comm="docker" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[82110.383435] audit: type=1400 audit(1574117862.211:673): apparmor="DENIED" operation="open" profile="snap.docker.docker" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=277279 comm="docker" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[82110.498594] audit: type=1400 audit(1574117862.326:674): apparmor="DENIED" operation="open" profile="snap.docker.docker" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=277309 comm="docker" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[82110.646808] audit: type=1400 audit(1574117862.475:675): apparmor="DENIED" operation="open" profile="snap.docker.docker" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=277339 comm="docker" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[82110.738045] audit: type=1400 audit(1574117862.566:676): apparmor="DENIED" operation="open" profile="snap.docker.docker" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=277370 comm="docker" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[82110.842200] audit: type=1400 audit(1574117862.670:677): apparmor="DENIED" operation="open" profile="snap.docker.docker" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=277401 comm="docker" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[82110.928289] audit: type=1400 audit(1574117862.756:678): apparmor="DENIED" operation="open" profile="snap.docker.docker" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=277430 comm="docker" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[82111.025835] audit: type=1400 audit(1574117862.854:679): apparmor="DENIED" operation="open" profile="snap.docker.docker" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=277460 comm="docker" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

@tianon

For the record, there is not currently an interface which allows a snap access to this; however, the docker interface already has:

so perhaps it makes sense to update that to also allow transparent_hugepage access, with the eventual goal of being able to instead use the hugepage specific interface proposed at https://github.com/snapcore/snapd/pull/7603/files.

Separate from PR 7603, I’ll be updating docker-support, greengrass-support and kubernetes-support for readonly access to transparent_hugepage.

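An added triage example covering both posts above (it is not code from the thread, from snapd, or from the docker snap): it parses kernel audit lines of the `type=1400 ... apparmor="DENIED"` form shown in the dmesg paste, groups the denials by profile, path and denied permission, and drafts the AppArmor file rule that would grant exactly what was refused, in the exact-path form and in the directory-wide read-only form that the reply proposes for `transparent_hugepage`. The sample input embeds the first three denials quoted from the post plus one constructed, unrelated write denial so that grouping has something to separate; the `{,**}` glob and the rule syntax are standard AppArmor file-rule syntax, but the exact rule snapd's docker-support interface ends up using is not on this page and is assumed here.

```python
"""Triage AppArmor DENIED audit lines from dmesg/journalctl and draft the
file rule that would silence them.

Added example, not code from the thread, snapd or the docker snap.
Assumptions: the log format is the kernel audit type=1400 key=value format
shown in the post; the rule syntax is standard AppArmor file-rule syntax.
"""
import posixpath
import re
import sys
from collections import Counter

# Sample input (constructed): the first three denials quoted from the post above,
# plus one invented, unrelated write denial so grouping has something to separate.
SAMPLE_DMESG = """\
[82109.669473] kauditd_printk_skb: 2 callbacks suppressed
[82109.669475] audit: type=1400 audit(1574117861.497:670): apparmor="DENIED" operation="open" profile="snap.docker.docker" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=277187 comm="docker" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[82109.845504] audit: type=1400 audit(1574117861.673:671): apparmor="DENIED" operation="open" profile="snap.docker.docker" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=277218 comm="docker" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[82110.106467] audit: type=1400 audit(1574117861.934:672): apparmor="DENIED" operation="open" profile="snap.docker.docker" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=277249 comm="docker" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[82111.000000] audit: type=1400 audit(1574117862.900:680): apparmor="DENIED" operation="open" profile="snap.docker.docker" name="/proc/sys/kernel/shmmax" pid=277470 comm="docker" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
"""

# key=value tokens, quoted (profile="snap.docker.docker") or bare (pid=277187)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return a dict of key=value fields for an AppArmor audit line, else None."""
    if "apparmor=" not in line:
        return None
    return {k: (bare if bare else quoted) for k, quoted, bare in KV_RE.findall(line)}


def summarize_denials(text):
    """Count enforce-mode denials grouped by (profile, path, denied_mask).

    Complain-mode profiles log apparmor="ALLOWED" with the same fields; those
    are skipped so the summary reflects only what was actually blocked.
    """
    counts = Counter()
    for line in text.splitlines():
        fields = parse_audit_line(line)
        if not fields or fields.get("apparmor") != "DENIED":
            continue
        if "name" not in fields:  # non-file denials (signal, ptrace, ...) carry no path
            continue
        counts[(fields["profile"], fields["name"], fields["denied_mask"])] += 1
    return counts


def _perms(denied_mask):
    # AppArmor accepts permission letters in any order; sort for a stable rule text.
    return "".join(sorted(set(denied_mask)))


def suggest_rule(path, denied_mask):
    """Exact-path AppArmor file rule granting only the denied permission bits."""
    return f"{path} {_perms(denied_mask)},"


def widen_to_directory(path, denied_mask):
    """Same permission over the containing directory and everything beneath it
    (the shape of a read-only transparent_hugepage rule; exact snapd rule assumed)."""
    return f"{posixpath.dirname(path)}/{{,**}} {_perms(denied_mask)},"


if __name__ == "__main__":
    # Pipe real input: `dmesg | python3 triage.py` or `journalctl -k | python3 triage.py`
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    for (profile, path, mask), n in summarize_denials(text).most_common():
        print(f"{n:4d}x {profile}: {path} (denied {mask})")
        print(f"      exact:   {suggest_rule(path, mask)}")
        print(f"      widened: {widen_to_directory(path, mask)}")
```

Two things to read off the output before copying a rule anywhere: `fsuid=1000 ouid=0` says the read was refused by the profile, not by file ownership (the file is world-readable in sysfs, and the denial is on the open itself), and the count per path tells you whether a single exact-path rule is enough or whether, as in the reply, the whole `transparent_hugepage` directory should be opened read-only so the next sysfs knob Docker probes does not trigger the same failure.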