apparmor uses excessive memory leading to oom kill
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
AppArmor | Confirmed | Undecided | Unassigned | |
apparmor (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
When attempting to load the profile from comment #7, apparmor uses excessive amounts of memory leading to being killed by the OOM killer and thus the apparmor.service failing.
Original bug description:
On Ubuntu 18.04.2 LTS Desktop, after running out of space on my disk, my system was unable to finish booting and I had to go into recovery mode and remove a number of files before the system would boot. After doing so I discovered that now the apparmor.service systemd unit always fails to start. I see this in dmesg:
[ 1066.975360] Out of memory: Kill process 6799 (apparmor_parser) score 796 or sacrifice child
[ 1066.975364] Killed process 6799 (apparmor_parser) total-vm:
[ 1067.406595] oom_reaper: reaped process 6799 (apparmor_parser), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
Whenever apparmor.service is attempted to be started by systemd, i.e. either on boot, or later with `systemctl start apparmor`.
The log from journalctl doesn't show any actual issues with any profiles, just this:
-- Reboot --
May 25 17:00:58 systemd[1]: Starting AppArmor initialization...
May 25 17:00:58 apparmor[1521]: * Starting AppArmor profiles
May 25 17:00:58 apparmor[1521]: Skipping profile in /etc/apparmor.
May 25 17:00:58 apparmor[1521]: Skipping profile in /etc/apparmor.
May 25 17:01:40 apparmor[1521]: ...fail!
May 25 17:01:40 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
May 25 17:01:40 systemd[1]: apparmor.service: Failed with result 'exit-code'.
May 25 17:01:40 systemd[1]: Failed to start AppArmor initialization.
May 25 17:04:53 systemd[1]: Starting AppArmor initialization...
May 25 17:04:53 apparmor[4747]: * Starting AppArmor profiles
May 25 17:04:53 apparmor[4747]: Skipping profile in /etc/apparmor.
May 25 17:04:53 apparmor[4747]: Skipping profile in /etc/apparmor.
May 25 17:05:25 apparmor[4747]: ...fail!
May 25 17:05:25 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
May 25 17:05:25 systemd[1]: apparmor.service: Failed with result 'exit-code'.
May 25 17:05:25 systemd[1]: Failed to start AppArmor initialization.
I can see that apparmor profiles are active after doing this (using aa-status), but it's still troubling that apparmor runs into an issue without actually saying what the error is.
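The symptom described above (a unit failure in the journal with the actual cause only visible in the kernel log) can be triaged by reading both sources side by side. The following is an added example, not part of the original report or of AppArmor; the sample lines are copied from the excerpts above, and the function names are hypothetical. dmesg timestamps are seconds since boot while journal timestamps are wall-clock, so the script reports both rather than trying to align them.

```python
import re
from datetime import datetime

# Sample input copied from the log excerpts in the report above.
DMESG = """\
[ 1066.975360] Out of memory: Kill process 6799 (apparmor_parser) score 796 or sacrifice child
[ 1067.406595] oom_reaper: reaped process 6799 (apparmor_parser), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
"""
JOURNAL = """\
May 25 17:00:58 systemd[1]: Starting AppArmor initialization...
May 25 17:01:40 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
May 25 17:01:40 systemd[1]: Failed to start AppArmor initialization.
May 25 17:04:53 systemd[1]: Starting AppArmor initialization...
May 25 17:05:25 systemd[1]: Failed to start AppArmor initialization.
"""

# Older kernels print "Kill process", newer ones "Killed process".
OOM_RE = re.compile(r"^\[\s*(\d+\.\d+)\] Out of memory: Kill(?:ed)? process (\d+) \(([^)]+)\)")
# The hostname field is optional because the excerpts above omit it.
UNIT_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (?:\S+ )?systemd\[1\]: "
                     r"(Starting|Started|Failed to start) (.+?)\.*$")

def oom_victims(dmesg_text):
    """Return (seconds_since_boot, pid, comm) for each OOM kill."""
    return [(float(m[1]), int(m[2]), m[3])
            for m in map(OOM_RE.match, dmesg_text.splitlines()) if m]

def start_attempts(journal_text):
    """Pair each 'Starting X' with its outcome: (description, seconds, outcome)."""
    pending, attempts = {}, []
    for m in filter(None, map(UNIT_RE.match, journal_text.splitlines())):
        # Syslog timestamps carry no year; 2000 is an arbitrary placeholder.
        when = datetime.strptime("2000 " + m[1], "%Y %b %d %H:%M:%S")
        if m[2] == "Starting":
            pending[m[3]] = when
        elif m[3] in pending:
            secs = int((when - pending.pop(m[3])).total_seconds())
            attempts.append((m[3], secs, "failed" if m[2].startswith("Failed") else "ok"))
    return attempts

def triage(dmesg_text, journal_text, comm="apparmor_parser"):
    """Summarise failed starts and whether the kernel OOM-killed `comm`."""
    failed = [a for a in start_attempts(journal_text) if a[2] == "failed"]
    killed = [v for v in oom_victims(dmesg_text) if v[2] == comm]
    return {"failed_starts": failed, "oom_kills": killed,
            "oom_suspected": bool(failed and killed)}

if __name__ == "__main__":
    print(triage(DMESG, JOURNAL))
```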
summary: apparmor fails to start with no parser errors → apparmor uses excessive memory leading to oom kill
description: updated
Changed in apparmor: status: New → Confirmed
FWIW this could be a snapd bug, because while my system was unable to boot, I disabled all the snaps I had installed except the core snap, and then after being able to reboot I now re-enable all the snaps and see some warnings:
May 25 17:32:16 systemd[1]: Starting AppArmor initialization...
May 25 17:32:16 apparmor[21005]: * Starting AppArmor profiles
May 25 17:32:16 apparmor[21005]: Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
May 25 17:32:16 apparmor[21005]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
May 25 17:32:16 apparmor[21005]: Warning from /var/lib/snapd/apparmor/profiles/snap.lxd.benchmark (/var/lib/snapd/apparmor/profiles/snap.lxd.benchmark line 485): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; 'man 5 apparmor.d' for details.
May 25 17:32:16 apparmor[21005]: Warning from /var/lib/snapd/apparmor/profiles/snap.lxd.activate (/var/lib/snapd/apparmor/profiles/snap.lxd.activate line 485): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; 'man 5 apparmor.d' for details.
May 25 17:32:16 apparmor[21005]: Warning from /var/lib/snapd/apparmor/profiles/snap.lxd.buginfo (/var/lib/snapd/apparmor/profiles/snap.lxd.buginfo line 485): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; 'man 5 apparmor.d' for details.
May 25 17:32:16 apparmor[21005]: Warning from /var/lib/snapd/apparmor/profiles/snap.lxd.daemon (/var/lib/snapd/apparmor/profiles/snap.lxd.daemon line 533): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; 'man 5 apparmor.d' for details.
May 25 17:32:16 apparmor[21005]: Warning from /var/lib/snapd/apparmor/profiles/snap.lxd.check-kernel (/var/lib/snapd/apparmor/profiles/snap.lxd.check-kernel line 485): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; 'man 5 apparmor.d' for details.
May 25 17:32:16 apparmor[21005]: Warning from /var/lib/snapd/apparmor/profiles/snap.lxd.lxc (/var/lib/snapd/apparmor/profiles/snap.lxd.lxc line 485): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; 'man 5 apparmor.d' for details.
May 25 17:32:16 apparmor[21005]: Warning from /var/lib/snapd/apparmor/profiles/snap.lxd.migrate (/var/lib/snapd/apparmor/profiles/snap.lxd.migrate line 485): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; 'man 5 apparmor.d' for details.
May 25 17:32:16 apparmor[21005]: Warning from /var/lib/snapd/apparmor/profiles/snap.lxd.lxd (/var/lib/snapd/apparmor/profiles/snap.lxd.lxd line 485): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; 'man 5 apparmor.d' for details.
May 25 17:32:34 apparmor[21005]: Warning from /var/lib/snapd/apparmor/profiles/snap.lxd.activate (/var/lib/snapd/apparmor/profiles/snap.lxd.activate line 485): Unconfined exec qualifier (ux) allows some dangerous env...