Docker Community Forums


AppArmor seems to be interfering with a node's behaviour

dockercloud

(Mark Henwood) #1

The actual problem I’m investigating is that one of my 2 Load Balancers seems to regularly return 503s and whenever the service endpoint DNS roundrobin points at that LB container, my service starts failing intermittently. It ought to be added that the LB itself considers all its downstream app containers to be healthy.

SSHing onto the node which contains the LB (HAProxy) container shows the following in /var/log/syslog which is not present in the log of the node which contains the other, more healthy load balancer container.

Nov  4 13:54:27 ip-10-47-1-187 kernel: [16946350.172311] docker0: port 8(veth47b6f8a) entered forwarding state
Nov  4 13:54:27 ip-10-47-1-187 kernel: [16946350.172316] docker0: port 8(veth47b6f8a) entered forwarding state
Nov  4 13:54:28 ip-10-47-1-187 kernel: [16946350.844141] IPv6: eth0: IPv6 duplicate address fe80::42:acff:fe11:9 detected!
Nov  4 13:54:30 ip-10-47-1-187 kernel: [16946352.571221] docker0: port 8(veth47b6f8a) entered disabled state
Nov  4 13:54:30 ip-10-47-1-187 kernel: [16946352.682989] docker0: port 8(veth47b6f8a) entered disabled state
Nov  4 13:54:30 ip-10-47-1-187 kernel: [16946352.684502] device veth47b6f8a left promiscuous mode
Nov  4 13:54:30 ip-10-47-1-187 kernel: [16946352.684508] docker0: port 8(veth47b6f8a) entered disabled state
Nov  4 13:54:42 ip-10-47-1-187 kernel: [16946364.620969] type=1400 audit(1478267682.278:4796583): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=32031 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
Nov  4 13:54:42 ip-10-47-1-187 kernel: [16946364.621477] type=1400 audit(1478267682.278:4796584): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=32031 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
Nov  4 13:54:42 ip-10-47-1-187 kernel: [16946364.621545] type=1400 audit(1478267682.278:4796585): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=32031 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
Nov  4 13:54:42 ip-10-47-1-187 kernel: [16946364.621600] type=1400 audit(1478267682.278:4796586): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=32031 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
Nov  4 13:55:02 ip-10-47-1-187 kernel: [16946384.748376] type=1400 audit(1478267702.406:4796587): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=32121 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"

...and so on

The eth0: IPv6 duplicate address fe80::42:acff:fe11:9 detected! message looks suboptimal but I do not know rn where this problem is coming from.

Any ideas?
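An added example, not part of the original post: a small Python triage script that extracts the AppArmor `DENIED` audit records from syslog text like the excerpt above and collapses the repeats by profile, operation, command and peer. The sample input is a few of the lines quoted in the post; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: a few of the syslog lines quoted in the post above.
SAMPLE = """\
Nov  4 13:54:28 ip-10-47-1-187 kernel: [16946350.844141] IPv6: eth0: IPv6 duplicate address fe80::42:acff:fe11:9 detected!
Nov  4 13:54:42 ip-10-47-1-187 kernel: [16946364.620969] type=1400 audit(1478267682.278:4796583): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=32031 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
Nov  4 13:54:42 ip-10-47-1-187 kernel: [16946364.621477] type=1400 audit(1478267682.278:4796584): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=32031 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
Nov  4 13:55:02 ip-10-47-1-187 kernel: [16946384.748376] type=1400 audit(1478267702.406:4796587): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=32121 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
"""

AUDIT_RE = re.compile(r"audit\((\d+)\.\d+:(\d+)\):\s*(.*)$")   # epoch, serial, key=value tail
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')            # key="quoted" or key=bare


def parse_denials(text):
    """Return one dict per AppArmor DENIED audit record found in syslog text."""
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue  # bridge, veth and IPv6 kernel messages are not audit records
        fields = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(m.group(3))}
        if fields.get("apparmor") != "DENIED":
            continue
        fields["epoch"] = int(m.group(1))
        fields["serial"] = int(m.group(2))
        events.append(fields)
    return events


def summarize(events):
    """Group denials by (profile, operation, comm, peer) so repeats collapse."""
    groups = defaultdict(lambda: {"count": 0, "pids": set(), "first": None, "last": None})
    for e in events:
        g = groups[(e.get("profile"), e.get("operation"), e.get("comm"), e.get("peer"))]
        g["count"] += 1
        if "pid" in e:
            g["pids"].add(int(e["pid"]))
        g["first"] = e["epoch"] if g["first"] is None else min(g["first"], e["epoch"])
        g["last"] = e["epoch"] if g["last"] is None else max(g["last"], e["epoch"])
    return dict(groups)


if __name__ == "__main__":
    for key, g in summarize(parse_denials(SAMPLE)).items():
        print(key, g["count"], sorted(g["pids"]), g["first"], g["last"])
```

Comparing each group's first and last epoch against the timestamps of the load balancer's 503 responses shows whether the denials line up with the failures at all.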

