Portainer keeps restarting - can't open web interface

  • So today I did a fresh installation of Debian 10 again (yesterday I did a UEFI installation and today an MBR installation) and OMV via CLI.
    The problem remains. Portainer isn't working with the Proxmox kernel, but works with the standard kernel without any problems.


    Now I have a question. What is better:
    To stay with the standard kernel and install the docker containers like they should be, or use the Proxmox kernel (newer and better stability) and install the docker containers in privileged mode?


    Thanks in advance


    Edit: now I found a topic on the internet saying that a user can break out of a privileged container and hack the system. Like it was here.

    OMV-Server-HW: MoBo Fujitsu D3417-B2 (Intel-LAN), Intel Xeon E3-1245 v6 Kaby Lake (4x3.70GHz), 16GB-Ram ECC UDIMM, 1x512GB SSD Samsung 850 Pro (sda2 - 30GB system, 4GB swap, sda5/rest - for work), 1x 10TB WD Red Pro, 1x 3TB WD Red (both basic setup) - Digibit R1 Sat-IP-Server with SatIP-Axe-Firmware


    OMV-Server-SW: Debian Buster with Proxmox kernel (always up-to-date), OMV v5 (always latest), omv-extras-plugin (always latest), AutoShutdown-Plugin, Docker with PlexMediaServer, TVHeadend, and many more


    BackupServer: Synology DS1010+ with 4GB Ram, 9TB@SHR (different hdd's), DSM 5.2-5967-2

  • Don't run containers in privileged mode unless required by the container.

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 7.x on headless Chenbro NR12000 1U 1x 8m Quad Core E3-1220 3.1GHz 32GB ECC RAM.

  • Thanks I will do that. I will stay with the standard-kernel and use docker like they should


  • At the weekend I decided to upgrade my NAS to OMV v5 with a clean install and ran into exactly the same problem and error message.
    Portainer won't start with the Proxmox kernel, only with Debian's one. After 3 days of tinkering I have finally figured out what the heck is going on:
    If you use the Debian Netinst ISO, it will automatically install AppArmor by default, whereas OMV does not.
    And the reason for this error message is that AppArmor sees Portainer as a security threat and blocks it. Check dmesg and you will see it.
    So you have 3 options to solve it:

    • Add the --security-opt apparmor:unconfined option to the docker run command
    • Create new/modify the docker-default security profile in /etc/apparmor.d as described in Docker Doc: https://docs.docker.com/engine/security/apparmor/
    • Remove AppArmor completely from the system: apt-get --yes purge --autoremove apparmor

    I chose the third one, for now :)


    But the big question still remains. Why does AppArmor behave differently with these kernels, even if the docker-default profile remains the same?
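
Added example (not part of the original posts): a shell helper that summarises the AppArmor denials the post above says show up in dmesg, grouped by profile, operation and command, which is the information needed for option 2 (adjusting the docker-default profile). The log lines in sample_log are constructed for illustration, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names are this example's own.

# Constructed sample kernel log lines (not output from any poster's system).
sample_log() {
  cat <<'EOF'
[   41.900000] audit: type=1400 audit(1600000000.090:20): apparmor="STATUS" operation="profile_load" profile="unconfined" name="docker-default" pid=1800 comm="apparmor_parser"
[   42.100001] audit: type=1400 audit(1600000000.101:21): apparmor="DENIED" operation="create" profile="docker-default" pid=2101 comm="portainer" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[   42.300002] audit: type=1400 audit(1600000000.301:22): apparmor="DENIED" operation="create" profile="docker-default" pid=2140 comm="portainer" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[   57.500003] audit: type=1400 audit(1600000015.501:23): apparmor="DENIED" operation="bind" profile="docker-default" pid=2290 comm="nginx" family="inet" sock_type="stream" protocol=6 requested_mask="bind" denied_mask="bind"
[   60.000004] eth0: link up
EOF
}

# Read kernel log text on stdin; print "count profile operation comm",
# most frequent first. Only apparmor="DENIED" records are counted.
summarize_denials() {
  awk '
    # Return the value of key="value" in the current record, or "-" if absent.
    function field(name,   re, s) {
      re = " " name "=\"[^\"]*\""
      if (match($0, re) == 0) return "-"
      s = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s)
      sub(/"$/, "", s)
      return s
    }
    /apparmor="DENIED"/ {
      count[field("profile") " " field("operation") " " field("comm")]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2
}

# Demo on the constructed sample; on a live host use: dmesg | summarize_denials
sample_log | summarize_denials
```

To confirm which profile a running container is confined by, docker inspect --format '{{.AppArmorProfile}}' followed by the container name prints it.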

  • Thank you for this great info. Now I know why portainer is not working with the proxmox kernel.


    Maybe @votdev or @ryecoaaron know why AppArmor is not in the OMV installation iso but in the Debian iso.


    But according to this website it's not recommended to disable AppArmor.


    Code
    Disable AppArmor
    AppArmor is a security mechanism and disabling it is not recommended. If you really need to disable AppArmor on your system:
    
    
    $ sudo mkdir -p /etc/default/grub.d
    $ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0"' \
      | sudo tee /etc/default/grub.d/apparmor.cfg
    $ sudo update-grub
    $ sudo reboot

    At the moment I still use the stable kernel v4.19


  • @sfu420


    Now by googling around I found this thread here.
    Really interesting that nobody could remember anymore ;)


  • Today I did the step to disable AppArmor (how-to see two posts above) and after reboot I've installed the proxmox kernel.
    Everything is running fine. No problems with portainer anymore and even VirtualBox runs great. No need to do any modifications.


  • At the weekend I decided to upgrade my NAS to OMV v5 with a clean install and ran into exactly the same problem and error message.
    Portainer won't start with the Proxmox kernel, only with Debian's one. After 3 days of tinkering I have finally figured out what the heck is going on:
    If you use the Debian Netinst ISO, it will automatically install AppArmor by default, whereas OMV does not.
    And the reason for this error message is that AppArmor sees Portainer as a security threat and blocks it. Check dmesg and you will see it.
    So you have 3 options to solve it:

    • Add the --security-opt apparmor:unconfined option to the docker run command
    • Create new/modify the docker-default security profile in /etc/apparmor.d as described in Docker Doc: https://docs.docker.com/engine/security/apparmor/
    • Remove AppArmor completely from the system: apt-get --yes purge --autoremove apparmor

    I chose the third one, for now :)


    But the big question still remains. Why does AppArmor behave differently with these kernels, even if the docker-default profile remains the same?

    Hi sfu420! Thanks so much for the investigation on this.


    I decided I wanted to start with your option 1, which for my setup worked with this command:


    docker run -d --name=portainer-apparmor-unconfined -p 9001:9000 -p 8001:8000 --security-opt apparmor:unconfined --restart=unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v /gnosis/AppData/portainer:/data portainer/portainer


    how would i make this change persist? where do i modify the default docker run command for portainer in omv? ah, nevermind...when i tried to launch one of my other docker containers i also encountered permissions problems. i'm going through with @Hubrer 's post for disabling apparmor without removing it...yes, that worked fine. thanks. but now apparmor is disabled! and i don't want that.


    but yeah - where would one file a bug for this? is it a bug? kind of a weird one ofc because here I'm using Proxmox' kernel for ZFS support but not using it on Proxmox, heh....

  • Add --security-opt apparmor:unconfined option to the docker run command


    Create new/modify the docker-default security profile in /etc/apparmor.d as described in Docker Doc: https://docs.docker.com/engine/security/apparmor/


    Remove AppArmor completely from the system: apt-get --yes purge --autoremove apparmor

    Thanks for this information which helped me a lot. I have also chosen to remove AppArmor.

  • Hi,



    Do you install omv on debian 10?


    I also had this issue when I installed omv on debian 10.

    Not only Portainer but also all Docker containers had no permission to listen on a port.



    I gave up and re-installed via omv iso. and I can see the docker version is different.


    Now my docker version is 18.09.1+dfsg1-7.1+deb10u2.


    So I guess there is something wrong for docker when you install omv on debian.


    Regards

    • Official post

    OMV over Debian is fine, so long as it is done properly. OMV-extras has an install script that literally makes it one command... I've used it many, many times w/o issue.


    https://github.com/OpenMediaVa…-Developers/installScript


    It says it is for Pi's, etc... but it will pull the proper architecture of OMV, no matter which you have (I've used it on a few SBC's and x64)

  • wow it took me 2 days of de-installing and configuring, which started as a ZFS problem on OMV 6 with the standard kernel and moving to the proxmox kernel, where my docker and portainer were not working anymore.... then i finally ran into this post. This should be pinned or something, as it's a very big issue if you decide to use the proxmox kernel. i found out now i have apparmor and i removed it. But.... i don't know how i got it, as i never installed OMV on top of debian, and recently upgraded the dist with the OMV script to go to OMV 6


    I wish i had found this post 2 days back, after removing apparmor, reboot and installing portainer through web-gui of OMV everything is working again as before.


    TIP , please add also the OMV 6 tag to the post !!!
