Rocket.chat: AppArmor errors after Snap Update

Created on 20 May 2019  ·  40 Comments  ·  Source: RocketChat/Rocket.Chat

Since last week's automatic Snap Update to Rocket.Chat 1.0.3 my log is flooded with AppArmor MongoDB errors:

```
May 20 18:07:55 xxx kernel: [259218.926984] audit: type=1400 audit(1558368474.997:518703): apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/1458/net/netstat" pid=1738 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 20 18:07:55 xxx kernel: [259218.927019] audit: type=1400 audit(1558368474.997:518704): apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/1458/net/snmp" pid=1738 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```

PID 1458 is the mongod process.

Base System: Ubuntu 16.04.6 LTS

```
core               16-2.38.1  6818
rocketchat-server  1.0.3      1377

snap    2.38.1
snapd   2.38.1
series  16
ubuntu  16.04
kernel  4.4.0-131-generic
```

All system packages are updated.
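
Added example, not part of the original report: a POSIX shell filter that collapses a flood of denials like the ones above into one line per distinct profile and path, with the PID in `/proc/<pid>/` rewritten to the `@{PROC}/@{pid}` form that AppArmor rules use. The sample input is four log lines copied from this thread; the function names `summarize_denials` and `sample_log` are made up for this example.

```shell
#!/bin/sh
# Added example: summarise AppArmor DENIED audit lines.
# Output columns: count <TAB> profile <TAB> path-pattern denied_mask,

summarize_denials() {
    awk '
    # Return the value of key="value" on the current line, or "" if absent.
    # The leading space keeps "denied_mask" from matching "requested_mask".
    function field(key,    pat) {
        pat = " " key "=\"[^\"]*\""
        if (!match($0, pat)) return ""
        return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    /apparmor="DENIED"/ {
        name = field("name")
        # Different PIDs are the same access as far as a profile rule goes.
        sub(/^\/proc\/[0-9]+\//, "@{PROC}/@{pid}/", name)
        count[field("profile") "\t" name " " field("denied_mask") ","]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -rn
}

# Four denial lines taken from the posts in this thread.
sample_log() {
    cat <<'EOF'
May 20 18:07:55 xxx kernel: [259218.926984] audit: type=1400 audit(1558368474.997:518703): apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/1458/net/netstat" pid=1738 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 20 18:07:55 xxx kernel: [259218.927019] audit: type=1400 audit(1558368474.997:518704): apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/1458/net/snmp" pid=1738 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 25 20:11:18 srv01 kernel: [21161.276433] audit: type=1400 audit(1558807878.000:42274): apparmor="DENIED" operation="open" namespace="root//lxd-sh-rocketchat_" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/598/net/netstat" pid=25745 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=100000 ouid=100000
Dec 13 06:33:17 rocket kernel: [747494.022369] audit: type=1400 audit(1576218796.998:1462109): apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/30208/net/netstat" pid=30208 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# With a file argument, summarise that log; otherwise run on the sample.
if [ $# -gt 0 ]; then
    summarize_denials < "$1"
else
    sample_log | summarize_denials
fi
```

Run against a real kernel or syslog file, a short summary with large counts for the same `comm="ftdc"` paths indicates the noisy case discussed here rather than many unrelated denials.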

All 40 comments

Same here, RocketChat is running in LXC Container, Log from Host:

```
May 25 20:11:18 srv01 kernel: [21161.276433] audit: type=1400 audit(1558807878.000:42274): apparmor="DENIED" operation="open" namespace="root//lxd-sh-rocketchat_" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/598/net/netstat" pid=25745 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=100000 ouid=100000

May 25 20:14:38 srv01 kernel: [21361.276938] audit: type=1400 audit(1558808078.000:42675): apparmor="DENIED" operation="open" namespace="root//lxd-sh-rocketchat_" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/598/net/snmp" pid=25745 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=100000 ouid=100000
```

I also have this issue. Same two program names (snmp and netstat). Anybody know how to fix this?

Found a similar problem on CentOS with the mongodb:
https://bugs.centos.org/view.php?id=15137

So I have a workaround for this:

```
nano /var/lib/snapd/apparmor/profiles/snap.rocketchat-server.rocketchat-mongo
```

go to the "Miscellaneous accesses" line

Add in the following two lines:

```
 @{PROC}/@{pid}/net/snmp r,
 @{PROC}/@{pid}/net/netstat r,
```

Then reload the profile

```
apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.rocketchat-server.rocketchat-mongo
```
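
Added example, not from the thread and not the project's own code: the manual edit above as an idempotent POSIX shell function, so it can be re-run after a snap update when the denials come back, as reported further down. It assumes the profile contains a line with the text "Miscellaneous accesses", as the comment says; `ensure_rules` and the `--apply` argument are names invented for this example.

```shell
#!/bin/sh
# Added example: re-apply the two read rules to the snapd-generated profile.
PROFILE=/var/lib/snapd/apparmor/profiles/snap.rocketchat-server.rocketchat-mongo
MARKER='Miscellaneous accesses'   # anchor line named in the comment above

# ensure_rules FILE
#   Inserts each missing rule directly after the first marker line.
#   Prints "changed" or "unchanged"; returns 2 if the marker is absent,
#   so a profile with a different layout is left untouched.
ensure_rules() {
    file=$1
    if ! grep -qF "$MARKER" "$file"; then
        echo "marker '$MARKER' not found in $file" >&2
        return 2
    fi
    changed=0
    # netstat first so that snmp ends up above it, as in the comment.
    for leaf in netstat snmp; do
        rule="@{PROC}/@{pid}/net/$leaf r,"
        # Present on a non-comment line already: nothing to do.
        if grep -F -- "$rule" "$file" | grep -qv '^[[:space:]]*#'; then
            continue
        fi
        tmp=$(mktemp) || return 1
        # cat back into the original file keeps its owner and mode.
        awk -v marker="$MARKER" -v rule="  $rule" '
            { print }
            !inserted && index($0, marker) { print rule; inserted = 1 }
        ' "$file" > "$tmp" && cat "$tmp" > "$file"
        rm -f "$tmp"
        changed=1
    done
    if [ "$changed" -eq 1 ]; then echo changed; else echo unchanged; fi
}

# Only touch the live profile when asked to; needs root.
if [ "${1:-}" = "--apply" ]; then
    result=$(ensure_rules "$PROFILE") || exit $?
    echo "$PROFILE: $result"
    if [ "$result" = changed ]; then
        apparmor_parser -r "$PROFILE"
    fi
fi
```

The two rules grant read access to `net/snmp` and `net/netstat` only, which is narrower than disabling AppArmor for the snap.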

Same here with rocketchat 1.1.3.
Thanks for posting the rules. Are there reasons why the rules should not be part of the snap package?

Same here after upgrading Ubuntu 18.04 to 19.04. Thank you very much @88fingerslukee :beers:

It still needs to be fixed though. The errors return after every snap update.

88fingerslukee thank you very much. Works

Same with 1.3.2.

Further issues with the last releases:

  • Automatic snap update leads to an unreachable rocketchat instance.
    The node rocketchat server starts too fast after upgrading the snap package.
    Mongodb does not seem to be ready fast enough and the rocketchat server does not wait long enough to be connected to mongodb. Probably there is a trivial fix in just increasing connection pool timeout values.
  • Caddy complains, trivial to fix
    Oct 15 06:33:33 rocketchat-c1-001 rocketchat-server.rocketchat-caddy[1851933]: WARNING: File descriptor limit 1024 is too low for production servers. At least 8192 is recommended. Fix with "ulimit -n 8192"."

You have shown no evidence of an apparmor issue, which is what this one is about.

Unless your issues are DIRECTLY related to this Issue please open a new one after carefully searching to see if it has already been opened.

Thanks.

updated to 2.1.1 and this still persists. Does anybody read this?

@LuluGO any ideas on this? Do we need to add a plug or something? I think these are non-critical errors. But they are noisy

* Automatic snap update leads to an unreachable rocketchat instance.
  The node rocketchat server starts too fast after upgrading the snap package.
  Mongodb does not seem to be ready fast enough and the rocketchat server does not wait long enough to be connected to mongodb. Probably there is a trivial fix in just increasing connection pool timeout values.

I created a report for this: https://github.com/RocketChat/Rocket.Chat/issues/15806

* Caddy complains, trivial to fix

Oct 15 06:33:33 rocketchat-c1-001 rocketchat-server.rocketchat-caddy[1851933]: WARNING: File descriptor limit 1024 is too low for production servers. At least 8192 is recommended. Fix with "ulimit -n 8192"."

already reported, see https://github.com/RocketChat/Rocket.Chat/issues/6979

@scoopex This is NOT what this thread is about, please stop commenting on these issues in this thread.

I'm having the same symptoms with Ubuntu Snap.
Eager to see my logs clean again, right now get this type of logs 2-3 times per second:

```
Dec 13 06:33:17 rocket kernel: [747494.022369] audit: type=1400 audit(1576218796.998:1462109): apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/30208/net/netstat" pid=30208 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```

ubuntu snap install v2.3.1 up!

Same issue with v2.3.1 on Ubuntu 18.04 here.

The issue is still there on Snap:
rocketchat-server 2.4.2 1420 stable rocketchat✓
The apparmor fix from @88fingerslukee is also still working though.

Hello, this is quite the annoying issue. Currently when the snap updates, this fix no longer works, which by default, happens often. Can someone please have a look? Is this not an easy fix?

To get rid of these messages, I've disabled mongodb diagnostics:

* `snap run --shell rocketchat-server` to enter into a shell in snap environment
* `$SNAP/bin/mongo` to launch the mongodb client
* `db.adminCommand( { setParameter: 1, diagnosticDataCollectionEnabled: false } )`
* `exit` to exit mongodb client
* `exit` to exit snap shell

The change is immediate and should be permanent as the mongo admin db is persistent

How is this still not fixed when @88fingerslukee has posted an easy 2 line fix MONTH ago?

Depressing. It seems that nodejs hackers do not have very much affinity to system-engineering problems ;-)

I'm seeing the same issue (Rocket.Chat snap 2.4.11 on Ubuntu 18.04).

Our rocketchat just went down because of this a few hours ago out of nowhere :/ We're out cold. Going to try some of these work arounds

Same here, but in our case it's not related to this Github issue... Snap version 2.4.12 got (accidentally) released on the latest/stable channel (but is retracted already). "Refreshing" back to version 2.4.11 worked for me.

Oh thank you. I disabled apparmor to get it to come up. I'll do the refresh.

I just got this issue on Ubuntu 18.04.04 after this morning's apt update. The workaround doesn't seem to work for me. I'm still down

Try disabling apparmor. That did it for us. OR, when you "refresh", give it like five minutes afterwards, and try in a new browser or private tab, to eliminate cache issues. It will still have the gateway error on the webservice for a few minutes while it starts up (ours was about a minute I think).

Did that and nothing would start.

I think it stalls because:

After=snap-rocketchatx2dserver-1433.mount network.target snapd.apparmor.service

moving to the 3.x/stable track fixed me. I had been considering moving anyway.

Oh? Are we on a dev track or something? Is there any easy way to move and preserve our current setup?

I was on latest/stable (which is the same as 2.x/stable)

new installs are defaulting to 3.x/stable already.

```
snap run rocketchat-server.backupdb
```

Then move that file somewhere safe, then

```
snap switch rocketchat-server --channel=3.x/stable
snap refresh
```

Worked perfect for me, as far as I can tell. YMMV

Awesome thanks!

Ubuntu 18.04, RC as snap package:

After snap update this night, RC (3.5.2) is down again - fix from https://github.com/RocketChat/Rocket.Chat/issues/14562#issuecomment-498321790 solved the problem (as it did in the past) for us.

Are there any concerns that the fix is not applied already to RC?

I have just lost Logs because of this. I seem to only have the last days logs, and I suspect it's because of the log getting so full with these messages. Nothing lasts, none of the fixes here last after an update:

rocketchat-server  3.6.2      1442  3.x/stable     rocketchat✓  -

Does anyone have a permanent solution? This is driving me nuts.

@rodrigok I don't know what's going on here, but can someone please be directed to this issue?

> So I have a workaround for this:
>
> ```
> nano /var/lib/snapd/apparmor/profiles/snap.rocketchat-server.rocketchat-mongo
> ```
>
> go to the "Miscellaneous accesses" line
>
> Add in the following two lines:
>
> ```
>  @{PROC}/@{pid}/net/snmp r,
>  @{PROC}/@{pid}/net/netstat r,
> ```
>
> Then reload the profile
>
> ```
> apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.rocketchat-server.rocketchat-mongo
> ```

I created a script to do this, I hope it can be useful to someone:

https://gist.github.com/Majunko/81e8b45f2a7588975d48be156fd38173

How epically terrible must a response to an issue be when a guy has to write a script to do this? I mean, this script took longer to write than the pull request to fix the error FFS.

How is this still happening, especially with such a simple workaround existing?

I reported this a long time ago and really didn't get much of a look in from RC.

Today just got a disk usage alert as those logs have taken up huge amounts of space and have now just found this. Glad I'm not alone.
