The log is spammed with appamor denied messages

[janusn]

Describe the bug
I have recently switch to Journald logging driver. And I noticed the glances container spams the log with appamor denied messages.

To Reproduce
Steps to reproduce the behavior:

1. Change the log driver of docker to Journald with the following lines added to /etc/docker/daemon.json

{
  "log-driver": "journald"
}

2. restart dockerd
3. Start Glances with the following options '-C /etc/glances.conf -w --password -u ha'
4. Browse the log with the command $ journalctl -n 1000
5. See error

Expected behavior
There should not be errors related to the container glances.

Environement (please complete the following information)

• Operating System (lsb_release -a or OS name/version): To be completed with result of: lsb_release -a

$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 23.10
Release:	23.10
Codename:	mantic

• Glances & psutil versions: To be completed with result of: glances -V

# glances -V
Glances v3.4.0.3 with PsUtil v5.9.5
Log file: /tmp/glances-root.log

• How do you install Glances (Pypi package, script, package manager, source): To be completed
  glances is installed from a docker container on image 'nicolargo/glances:latest-full'
• Glances test (only available with Glances 3.1.7 or higher):
  pastebin

Additional context
Add any other context about the problem here.
You can also pastebin:

• the Glances configuration file (https://glances.readthedocs.io/en/latest/config.html#location)
  pastebin
• the Glances log file (https://glances.readthedocs.io/en/latest/config.html#logging)
  Please note for the following log, the PID of the python3 running glances is 1744.
  pastebin

[nicolargo]

Could you please join the log ?

[janusn]

Could you please join the log ?

Sorry, I am not very familiar with the term. What does "join the log" mean?

Btw, I have attached the output of sudo journalctl -b -g "pid=1744" > 1744.log for your reference and

$ ps aux | grep glances
root        1744 27.5  0.3 182748 121136 ?       Ssl  Nov23 345:09 /venv/bin/python3 -m glances -C /etc/glances.conf -w --password -u ha
janus    1782288  0.0  0.0   6848  2304 pts/0    S+   15:58   0:00 grep --color=auto glances

1744.log

[nicolargo]

Workaround: Add the following option to docker run: --security-opt seccomp:unconfined. It should remove the apparmor message.

[nicolargo]

Under the hood we need to investigate and understand why Glances needs ptrace access on the system (PsUtil ? another lib ?).

The message are also generated with the "minimal" Alpine Docker Image. So need to investigate on the PSUtil side:

make run-docker-alpine-minimal

Logs (/var/log/syslog file):

Nov 25 09:34:48 XPS13-9333 kernel: [ 2223.756408] audit: type=1400 audit(1700901288.199:569): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=52575 comm="python3" requested_mask="read" denied_mask="read" peer="unconfined"

When we disable all the plugins but the process one, the log message is also displayed:

docker run --rm -e TZ="" -e GLANCES_OPT="--disable-plugin all --enable-plugin processcount,processlist" -v /run/user/1000/podman/podman.sock:/run/user/1000/podman/podman.sock:ro -v /var/run/docker.sock:/var/run/docker.sock:ro --pid host --network host -it glances:local-alpine-minimal

So the log are generated by the process plugin (so PsUtil).

[janusn]

Workaround: Add the following option to docker run: --security-opt seccomp:unconfined. It should remove the apparmor message.

I have added the option in a compose.yaml but it doesn't help. The warnings are still reported multiple times every 6 seconds.

---
version: "3"
services:
  glances:
    image: nicolargo/glances:latest-full
    container_name: glances
    
    # temporary fix for silence the kernel warnings reported by journalctl
    security_opt:
      - seccomp:unconfined

    deploy:
      resources:
        limits:
          memory: 1G
    pid: host
    network_mode: host
    environment:
      - "GLANCES_OPT=-w --password -u ha"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./etc/glances.conf:/etc/glances.conf:ro
    secrets:
      - source: glances_password
        target: /root/.config/glances/ha.pwd
    restart: unless-stopped
secrets:
  glances_password:
    file: ./secrets/ha.pwd

[nicolargo]

Strange, it makes the job on my side...

Try to add another option (traditionally to the option --security-opt seccomp:unconfined): –-cap-add=SYS_PTRACE

If it did not work, replace the previous options with: --privileged (ugly work around because it give all the system privileges to the container). You can also have a look on the following post (https://stackoverflow.com/questions/63162665/docker-compose-order-of-cap-drop-and-cap-add/63219871#63219871), it should be possible to limit the --privileged option.

Keep us inform if you find a better solution, nothing is possible from the Glances code.

[janusn]

I have tried to replicate your configuration. I have tried 3 tags. And they all spam the log.

Here is my compose.yaml.

---
version: "3"
services:
  glances:
    image: nicolargo/glances:latest-full
#    image: nicolargo/glances:alpine-latest
#    image: nicolargo/glances:latest
    container_name: glances-temp
    pid: host
    network_mode: host
    environment:
      "GLANCES_OPT": "--disable-plugin all --enable-plugin processcount,processlist"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: unless-stopped

[janusn]

In my original configuration, neither --security-opt seccomp:unconfined nor –-cap-add=SYS_PTRACE worked but --privileged did the trick.

I tried all 3 options above again with "--disable-plugin all --enable-plugin processcount,processlist" arguments to test on 3 tags

• latest-full
• alpine-latest
• latest

They all crash repeatedly with the following messages logged. (Please note the log messages are listed reverse chronically.)

Nov 26 20:23:31 nuc13 systemd[1]: docker-286f45f2dcf75ddd985016d4140d5ef3055d72d04d2db907bd07c24c8a71132f.scope: Deactivated successfully.
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]: _curses.error: setupterm: could not find terminal
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:     setupterm(term=_os.environ.get("TERM", "unknown"),
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:   File "/usr/lib/python3.11/curses/__init__.py", line 29, in initscr
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:                   ^^^^^^^^^^^^^^^^
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:     self.screen = curses.initscr()
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:   File "/app/glances/outputs/glances_curses.py", line 143, in __init__
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:     self.screen = GlancesCursesStandalone(config=config, args=args)
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:   File "/app/glances/standalone.py", line 106, in __init__
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:     mode = GlancesMode(config=config, args=args)
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:   File "/app/glances/__init__.py", line 108, in start
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:     start(config=core.get_config(), args=core.get_args())
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:   File "/app/glances/__init__.py", line 185, in main
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:     glances.main()
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:   File "/app/glances/__main__.py", line 18, in <module>
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:   File "<frozen runpy>", line 88, in _run_code
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:   File "<frozen runpy>", line 198, in _run_module_as_main
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]: Traceback (most recent call last):

Regarding the appamor on with "--disable-plugin all --enable-plugin processcount,processlist" arguments, besides crashing, the docker options made no difference.

• --security-opt seccomp:unconfined ❌
• –-cap-add=SYS_PTRACE ❌
• --privileged ✅

Nov 26 20:23:31 nuc13 systemd[1]: docker-286f45f2dcf75ddd985016d4140d5ef3055d72d04d2db907bd07c24c8a71132f.scope: Deactivated successfully.
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]: _curses.error: setupterm: could not find terminal
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:     setupterm(term=_os.environ.get("TERM", "unknown"),
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:   File "/usr/lib/python3.11/curses/__init__.py", line 29, in initscr
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:                   ^^^^^^^^^^^^^^^^
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:     self.screen = curses.initscr()
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:   File "/app/glances/outputs/glances_curses.py", line 143, in __init__
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:     self.screen = GlancesCursesStandalone(config=config, args=args)
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:   File "/app/glances/standalone.py", line 106, in __init__
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:     mode = GlancesMode(config=config, args=args)
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:   File "/app/glances/__init__.py", line 108, in start
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:     start(config=core.get_config(), args=core.get_args())
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:   File "/app/glances/__init__.py", line 185, in main
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:     glances.main()
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:   File "/app/glances/__main__.py", line 18, in <module>
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:   File "<frozen runpy>", line 88, in _run_code
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]:   File "<frozen runpy>", line 198, in _run_module_as_main
Nov 26 20:23:28 nuc13 286f45f2dcf7[929]: Traceback (most recent call last):
Nov 26 20:23:28 nuc13 kernel: audit: type=1400 audit(1701030208.275:906105): apparmor="DENIED" operation="ptrace" class="ptrace" profile="docker-default" pid=1506038 comm="python3" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 26 20:23:28 nuc13 kernel: audit: type=1400 audit(1701030208.231:906104): apparmor="DENIED" operation="ptrace" class="ptrace" profile="docker-default" pid=1506038 comm="python3" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 26 20:23:28 nuc13 kernel: audit: type=1400 audit(1701030208.231:906103): apparmor="DENIED" operation="ptrace" class="ptrace" profile="docker-default" pid=1506038 comm="python3" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 26 20:23:28 nuc13 kernel: audit: type=1400 audit(1701030208.231:906102): apparmor="DENIED" operation="ptrace" class="ptrace" profile="docker-default" pid=1506038 comm="python3" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 26 20:23:28 nuc13 kernel: audit: type=1400 audit(1701030208.231:906101): apparmor="DENIED" operation="ptrace" class="ptrace" profile="docker-default" pid=1506038 comm="python3" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 26 20:23:28 nuc13 kernel: audit: type=1400 audit(1701030208.231:906100): apparmor="DENIED" operation="ptrace" class="ptrace" profile="docker-default" pid=1506038 comm="python3" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 26 20:23:28 nuc13 kernel: audit: type=1400 audit(1701030208.231:906099): apparmor="DENIED" operation="ptrace" class="ptrace" profile="docker-default" pid=1506038 comm="python3" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 26 20:23:28 nuc13 kernel: audit: type=1400 audit(1701030208.231:906098): apparmor="DENIED" operation="ptrace" class="ptrace" profile="docker-default" pid=1506038 comm="python3" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 26 20:23:28 nuc13 kernel: audit: type=1400 audit(1701030208.231:906097): apparmor="DENIED" operation="ptrace" class="ptrace" profile="docker-default" pid=1506038 comm="python3" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 26 20:23:28 nuc13 kernel: audit: type=1400 audit(1701030208.231:906096): apparmor="DENIED" operation="ptrace" class="ptrace" profile="docker-default" pid=1506038 comm="python3" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 26 20:30:49 nuc13 kernel: kauditd_printk_skb: 1493 callbacks suppressed

[github-actions[bot]]

This issue is stale because it has been open for 3 months with no activity.