Description
ORIGINAL: https://groups.google.com/forum/#!topic/docker-user/dIFrP4ZzhrE
The host is Ubuntu.
The container is also Ubuntu based.
docker 0.6.6
Although in the end ntpd won't be used in the container, it is part of an "uneditable install script".
When tearing down apparmor, or commenting out all of /etc/apparmor.d/usr.bin.ntpd (and reloading apparmor), ntpd starts smoothly.
But the real problem is that with a vanilla apparmor installation, ntpd won't start (and so the package won't install).
The error seems to be tied to https://groups.google.com/forum/#!msg/docker-user/tuFtbr4zNI8/NceW349l_mYJ
[19200.633389] type=1400 audit(1384995132.832:3398): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 parent=24834 profile="/usr/sbin/ntpd" name="var/lib/docker/containers/40934a4eec243d0cefe5e4e9d5735b6dc965c72784f9aa8ac5be23aa7ec8d09c/rw/etc/ld.so.cache" pid=44965 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[19200.633470] type=1400 audit(1384995132.832:3399): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 parent=24834 profile="/usr/sbin/ntpd" name="var/lib/docker/containers/40934a4eec243d0cefe5e4e9d5735b6dc965c72784f9aa8ac5be23aa7ec8d09c/rw/lib/x86_64-linux-gnu" pid=44965 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[19200.633563] type=1400 audit(1384995132.832:3400): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 parent=24834 profile="/usr/sbin/ntpd" name="var/lib/docker/containers/40934a4eec243d0cefe5e4e9d5735b6dc965c72784f9aa8ac5be23aa7ec8d09c/rw/usr/lib/x86_64-linux-gnu/libopts.so.25.15.0" pid=44965 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[19200.633585] type=1400 audit(1384995132.832:3401): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 parent=24834 profile="/usr/sbin/ntpd" name="var/lib/docker/containers/40934a4eec243d0cefe5e4e9d5735b6dc965c72784f9aa8ac5be23aa7ec8d09c/rw/usr/lib/x86_64-linux-gnu" pid=44965 comm="ntpd"
I tried some combinations of allowed paths in the profile, without success; it seems maybe an AUFS + apparmor bug, but then what is the best "secure" option to do?
On my collection for #2276
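To triage audit output like the lines quoted above, it helps to separate "disconnected path" denials (a name AppArmor could not resolve to the namespace root, reported without a leading `/`, which no path rule in the profile can match) from ordinary policy denials. The following parser is an added example, not part of this issue or of Docker; the sample log lines are constructed from the quoted messages, with the container id shortened and two extra lines invented for contrast.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the AppArmor audit messages in the
# issue (container id shortened, last two lines invented for contrast).
SAMPLE_LOG = """\
[19200.633389] type=1400 audit(1384995132.832:3398): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 parent=24834 profile="/usr/sbin/ntpd" name="var/lib/docker/containers/40934a4eec24/rw/etc/ld.so.cache" pid=44965 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[19200.633470] type=1400 audit(1384995132.832:3399): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 parent=24834 profile="/usr/sbin/ntpd" name="var/lib/docker/containers/40934a4eec24/rw/lib/x86_64-linux-gnu" pid=44965 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[19201.000000] type=1400 audit(1384995133.001:3402): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.keys" pid=44965 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[19201.100000] type=1400 audit(1384995133.101:3403): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.conf" pid=44965 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs: values are either "quoted" (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
CONTAINER_RE = re.compile(r'var/lib/docker/containers/([0-9a-f]+)/')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def classify_denials(log_text, profile=None):
    """Split DENIED events into disconnected-path lookups and policy denials.

    A disconnected path is reported as a relative name with
    info="Failed name lookup - disconnected path"; profile path rules cannot
    match it, so adding allow rules does not change the result.
    """
    disconnected, policy = [], []
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED":
            continue
        if profile and f.get("profile") != profile:
            continue
        name = f.get("name", "")
        if "disconnected path" in f.get("info", "") or not name.startswith("/"):
            disconnected.append(f)
        else:
            policy.append(f)
    return disconnected, policy


def summarize(log_text, profile=None):
    """Per-operation counts, affected container ids, and ordinary denials."""
    disconnected, policy = classify_denials(log_text, profile)
    return {
        "disconnected": len(disconnected),
        "disconnected_by_op": dict(Counter(f["operation"] for f in disconnected)),
        "container_ids": sorted({cid for f in disconnected
                                 for cid in CONTAINER_RE.findall(f["name"])}),
        "policy_denials": [(f["operation"], f["name"], f.get("requested_mask"))
                           for f in policy],
    }
```

Feed it the output of `dmesg` or the kernel audit log filtered on `apparmor="DENIED"`; a non-zero `disconnected` count for a profile points at the path-resolution problem rather than at missing profile rules.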