Option to disable AppArmor even if available #353

Closed
Jax89 opened this issue Aug 29, 2019 · 6 comments


Jax89 commented Aug 29, 2019

Is there any configuration option to prevent the use of AppArmor at all even if it is available?

Reason I'm asking:

I’m trying to run OpenCPU using the opencpu/debian-10 docker image and a Docker in Docker approach. Startup works fine but every request fails with status code 400:

    System failure for: aa_change_profile() (No such file or directory)

I think this might be related to jeroen/RAppArmor#21 but I'm not able to run the container in privileged mode in the Docker in Docker use case, which unluckily I require for running test pipelines on GitLab.

If I understand correctly from the docs, AppArmor should not be used by OpenCPU on Debian by default? I guess since the parent container image is Ubuntu and they share the Linux kernel it still tries to use AppArmor, which then cannot mount securityfs. (https://stackoverflow.com/questions/25533666/cannot-reload-or-start-apparmor-in-docker)

PS.: The OpenCPU server container works fine if I run the container without Docker in Docker on a machine without AppArmor available.

Jax89 changed the title from "Option to disable AppArmor even if aviablable" to "Option to disable AppArmor even if available" on Aug 29, 2019
jeroen (Member) commented Dec 27, 2019

How are you starting the docker image? For me the opencpu/debian-10 image correctly detects that AppArmor is not available:

    Using locale: en_US.UTF-8
    AppArmor not available. Running OpenCPU without security profile but with rlimits.

Jax89 (Author) commented Feb 25, 2020

Since I'm trying to use opencpu in a larger setup, I use a compose file and docker-compose up with a custom image (which only preinstalls some additional R packages to opencpu) based on the opencpu/debian-10 image. So I think this is fine.

More important is the fact that this error only happens when I start the container inside another docker container (therefore, docker in docker using the docker:dind image) on an Ubuntu host.

I know this is a very special use case, nevertheless, here is some minimal code to reproduce:

On a Windows host machine, as expected, AppArmor is not started:

    docker run --name dnd --privileged -d docker:19.03.5-dind
    docker exec -it dnd docker run -t -p 80:80 -p 8004:8004 opencpu/debian-10

    ...
    AppArmor not available. Running OpenCPU without security profile but with rlimits.
    ...

But on an Ubuntu system I get:

    docker run --name dnd --privileged -d docker:19.03.5-dind
    docker exec -it dnd docker run -t -p 80:80 -p 8004:8004 opencpu/debian-10

    ...
    AppArmor available! Running OpenCPU with security profile and rlimits.
    ...
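
The gap described in the comments above, between AppArmor being enabled in the shared host kernel and a profile actually being usable inside a nested container, can be checked from a shell in the container. This is an added example, not OpenCPU's or RAppArmor's own detection code; it assumes the standard Linux AppArmor interface paths, and the `ROOT` prefix and the profile name passed in are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: classify how usable AppArmor is from inside a container.
# Usage: apparmor_state ROOT PROFILE
#   ROOT    - hypothetical path prefix used for testing; pass "" for the live system
#   PROFILE - name of the profile the service wants to switch to (placeholder)
# Run as root: the loaded-profile list is normally not readable by other users.
apparmor_state() {
    root="$1"
    profile="$2"
    enabled="$root/sys/module/apparmor/parameters/enabled"
    loaded="$root/sys/kernel/security/apparmor/profiles"

    # 1. Is the AppArmor LSM enabled in the kernel? Containers share the host
    #    kernel, so this reads "Y" on an AppArmor host even in a nested container.
    if [ ! -r "$enabled" ] || [ "$(cat "$enabled")" != "Y" ]; then
        echo "unavailable"
        return 0
    fi

    # 2. Is the AppArmor securityfs interface visible here? Without it the
    #    container can neither list nor load profiles.
    if [ ! -r "$loaded" ]; then
        echo "no-securityfs"
        return 0
    fi

    # 3. Is the target profile loaded? Lines look like "name (enforce)".
    #    aa_change_profile(2) documents ENOENT for a profile that does not exist.
    if awk -v p="$profile" '
            { sub(/ \([a-z]+\)$/, "") }
            $0 == p { found = 1 }
            END { exit !found }' "$loaded"; then
        echo "usable"
    else
        echo "profile-missing"
    fi
}

# Check the live system when called with a profile name as the first argument.
if [ "$#" -gt 0 ]; then
    apparmor_state "" "$1"
fi
```

Only `usable` confirms that the named profile is loaded; in the `no-securityfs` state the kernel reports AppArmor as enabled but the container cannot verify or load profiles itself.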

jeroen (Member) commented Mar 15, 2020

Can you try setting

    options(apparmor = FALSE)

to your etc/opencpu/Rprofile file?

Jax89 (Author) commented Mar 17, 2020

Good idea, thx. I tried this but it does not do the trick. I guess this is due to these lines in the "onstartup.R" file, which come directly after setting apparmor to true but before reading the Rprofile.

    #Load opencpu AFTER setting options apparmor and rapache and BEFORE changing libpaths
    getNamespace("unix")
    getNamespace("opencpu")

If I modify the "onstartup.R" file, remove the line

    options(apparmor = TRUE)

and build opencpu from scratch, AppArmor stays disabled. But I would really like to not do this. Since:

    # DO NOT EDIT THIS FILE! This file gets overwritten for each update.

jeroen (Member) commented Mar 21, 2020

I'll add a way to disable it via an environment variable so you can set that in /etc/opencpu/Renviron.

jeroen added a commit to opencpu/opencpu-server that referenced this issue Mar 21, 2020
jeroen added a commit to opencpu/opencpu-server that referenced this issue Mar 21, 2020

Jax89 (Author) commented Mar 24, 2020

Thx a lot. Great work :).
