Alpine Linux, Docker and grsecurity

I was going to deploy an instance of Rocket.Chat on an Alpine Linux (version 3.5.2) system, a kernel-based virtual machine to be precise, almost a week ago, but I ran into an issue which I had no time to properly debug or troubleshoot at the time; it was only today that I decided to look into the matter and hopefully find the final solution to the problem I was having.

My installation of Alpine was running kernel 4.9.17-0-virtgrsec, which should have raised some alarm bells, or at least given me an indication as to what caused my issue. But as I said, I really did not have time to troubleshoot it when I ran into it.

See, when I fired up docker-compose there was some output from MongoDB about failed probes, specifically for /sys/kernel/mm/transparent_hugepage. I didn't even reflect on it at the time. Now, upon closer inspection, it became very clear why: grsecurity is a hardened kernel with some limitations as a consequence, and in this case it prevents access to certain directories such as /sys, so MongoDB's probe of the transparent hugepage settings under /sys fails. The solution was simple. I switched to a vanilla kernel (specifically 4.9.20-r0) and, since I planned to use this kernel rather than the grsecurity one, I edited /boot/extlinux.conf and made it the default. Naturally, I assume this whole issue could have been prevented entirely if the MongoDB developers included checks for things such as this. Docker has/had similar issues with grsecurity (chroot related, IIRC).
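As an added example (not from the original post, and not MongoDB's or Docker's own code), here is the kind of pre-flight check the post wishes the MongoDB side had: a small POSIX shell script that tests whether the transparent hugepage files under /sys are readable by the current user and, if they are not, points out when the running kernel is a grsecurity build. The directory path and the two file names (`enabled`, `defrag`) are the ones MongoDB's startup warning refers to; the function names and the "grsec" substring match on `uname -r` are my assumptions for this example.

```shell
#!/bin/sh
# Pre-flight check for MongoDB's transparent hugepage probe.
# Added example; function names and the "grsec" substring heuristic are assumptions.

# thp_readable PATH -> returns 0 if PATH is a regular file readable by this user, 1 otherwise
thp_readable() {
    [ -f "$1" ] && [ -r "$1" ]
}

# kernel_flavor_of RELEASE -> prints "grsec" or "vanilla" for a kernel release string
# (pure function, so it can be exercised without a grsecurity box)
kernel_flavor_of() {
    case "$1" in
        *grsec*) printf 'grsec\n' ;;
        *)       printf 'vanilla\n' ;;
    esac
}

# kernel_is_grsec -> returns 0 if the running kernel looks like a grsecurity build
kernel_is_grsec() {
    [ "$(kernel_flavor_of "$(uname -r)")" = grsec ]
}

# preflight [DIR] -> checks enabled/defrag under DIR (default: the real sysfs path),
# prints one line per file and returns the number of unreadable files (0 means all good)
preflight() {
    dir="${1:-/sys/kernel/mm/transparent_hugepage}"
    failures=0
    for f in enabled defrag; do
        if thp_readable "$dir/$f"; then
            printf 'ok       %s = %s\n' "$dir/$f" "$(cat "$dir/$f")"
        else
            printf 'UNREADABLE %s (as uid %s)\n' "$dir/$f" "$(id -u)"
            failures=$((failures + 1))
        fi
    done
    if [ "$failures" -gt 0 ] && kernel_is_grsec; then
        printf 'kernel %s is a grsecurity build; sysfs access is likely restricted for this user\n' "$(uname -r)"
    fi
    return "$failures"
}

# Run against the real sysfs path when executed directly.
[ "${PREFLIGHT_NO_RUN:-}" ] || preflight
```

Running it as the same unprivileged user the database process uses (rather than as root) is the point: a root shell may read /sys fine while the container's service user cannot, which is exactly the failure that only showed up once docker-compose started MongoDB.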

At any rate, when I rebooted the VM and re-ran docker-compose up, everything worked as intended. Tomorrow, or whenever I have time to do it, I shall migrate my currently deployed Rocket.Chat instance, which runs on Debian 8, to this new box.
