Docker generates an apparmor profile on the fly under /etc/apparmor.d/docker.
This profile gets overwritten on every docker daemon start.
This profile allows processes to ptrace themselves. This is required by
circus (python process manager) for reasons unknown to me. It floods the logs
with
audit[7623]: <audit-1400> apparmor="DENIED" operation="ptrace" profile="docker-default" pid=7623 comm="python3.4" requested_mask="trace" denied_mask="trace" peer="docker-default"
This is easily tested using:
docker run -it cloudron/base:0.3.3 /bin/bash
a) now do ps
b) journalctl should show error log as above
docker run --security-opt=apparmor:docker-cloudron-app -it cloudron/base:0.3.3 /bin/bash
a) now do ps
b) no error!
Note that despite this, the process may not have the ability to ptrace since it does not
have CAP_PTRACE. Also, security-opt takes the profile name (inside the apparmor config file)
and not the filename.
References:
https://groups.google.com/forum/#!topic/docker-user/xvxpaceTCyw
https://github.com/docker/docker/issues/7276
https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1320869
This is an infra update because we need to recreate containers to get the right profile.
Fixes #492
Doing so will affect all https requests which is dangerous.
We have these options to solve this:
1. Use superagent.ca(). Appstore already provides wildcard certs
for dev, staging signed with appstore_ca. But we then need to
send across the appstore_ca cert across in the provision call.
This is a bit of work.
2. Convert superagent into https.request calls and use the
rejectUnauthorized option.
3. Simply use http. This is what is done in this commit.
Fixes #488
We used to run this as a separate process but no amount of node/v8 tweaking
makes them run as standalone with 50M RSS.
Three solutions were considered for the memory issue:
1. Use systemd timer. apphealthtask needs to run quite frequently (10 sec)
for the ui to get the app health update immediately after install.
2. Merge into box server (this commit)
3. Increase memory to 80M. This seems to make apphealthtask run as-is.