Can't run docker containers after upgrade to v6. AppArmor missing

  • Hi,


    I just finished upgrading from v5 to v6.0.29. The upgrade itself went very smooth, thanks for that!

    Afterwards I upgraded my kernel to 5.15.35-2-pve (Proxmox because I use ZFS).

    When I then tried to start my docker containers it failed claiming AppArmor is enabled, but the docker-default profile is missing:

    Code
    ERROR: for XXX  Cannot start service jackett: AppArmor enabled on system but the docker-default profile could not be loaded: running `apparmor_parser apparmor_parser --version` failed with output: 
    error: exec: "apparmor_parser": executable file not found in $PATH


    But the apparmor-package is not installed, as seems to be the default for OMV:

    Code
    dpkg --list | grep apparmor
    rc  apparmor                            2.13.6-10                      amd64        user-space parser utility for AppArmor
    rc  apparmor-utils                      2.13.6-10                      amd64        utilities for controlling AppArmor
    ii  libapparmor1:amd64                  2.13.6-10                      amd64        changehat AppArmor library


    I completely removed docker and reinstalled it using omv-installdocker, but this has not helped. Any idea what might have gone wrong here?

    • Official post

    You removed it but it could possibly still be active. Reboot.

    omv 7.0.5-1 sandworm | 64 bit | 6.8 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.13 | compose 7.2 | k8s 7.1.0-3 | cputemp 7.0.1 | mergerfs 7.0.4 | scripts 7.0.1


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • A reboot did not help. It somehow still detects AppArmor as installed.

    Could it be that the proxmox kernel has it enabled, and that's what docker checks?

    • Official post

    Could it be that the proxmox kernel has it enabled, and that's what docker checks?

    No. I run the proxmox kernel on all of my systems. What is the output of: dpkg -l | grep apparmor


  • I purged the apparmor packages, that's the output now:

    Code
    dpkg -l | grep apparmor                                                                      
    ii  libapparmor1:amd64                  2.13.6-10                      amd64        changehat AppArmor library


    Still the same error when trying to start a docker container.

    • Official post

    What packages did you have to purge? I assume you rebooted after? Does the /etc/apparmor.d/docker file exist?


  • I ran

    Code
    apt-get purge apparmor apparmor-utils auditd

    just to make sure they are completely gone and rebooted afterwards.


    no /etc/apparmor.d:

    Code
    ❯ sudo ls -al /etc/apparmor.d/
    ls: cannot access '/etc/apparmor.d/': No such file or directory

    Edited once, last by namron (), reason: pasted wrong output

  • what does docker info tell you regarding apparmor?

    If you got help in the forum and want to give something back to the project click here (omv) or here (scroll down) (plugins) and write up your solution for others.

  • docker info still thinks apparmor is on:



    EDIT:


    I found out that explicitly disabling AppArmor per service is a workaround:

    Code
    security_opt:         
      - apparmor:unconfined 
  • This is a workaround but not the solution.


    The interesting thing is, on my system (without apparmor) I get this:


    Code
    root@omv:~# cat /sys/module/apparmor/parameters/enabled
    Y
    root@omv:~# dpkg -l | grep appa
    ii  libapparmor1:amd64                   2.13.6-10                      amd64        changehat AppArmor library
    root@omv:~#


  • Sure, it's only a workaround, that's why I called it so.


    I get the exact same results as you:

    Code
    ❯ cat /sys/module/apparmor/parameters/enabled
    Y
    ❯ dpkg -l | grep appa
    ii  libapparmor1:amd64                  2.13.6-10                      amd64        changehat AppArmor library
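
A check for the state the two posts above are comparing (kernel flag `Y`, no `apparmor_parser` binary), as an added example that is not part of the original thread. The function name `apparmor_state` and its two optional arguments are assumptions made so the check can also be run against fixture files.

```shell
#!/bin/sh
# Added diagnostic sketch; not code from the thread or from OMV/Docker.
# It reports the two facts compared in the posts above:
#   1. the kernel flag in /sys/module/apparmor/parameters/enabled
#   2. whether the user-space apparmor_parser binary can be found
# Arguments (hypothetical, both optional):
#   $1  path to the kernel "enabled" flag file
#   $2  colon-separated directories to search for apparmor_parser

apparmor_state() {
    flag_file=${1:-/sys/module/apparmor/parameters/enabled}
    search_path=${2:-$PATH:/sbin:/usr/sbin}

    # Kernel side: the flag file contains "Y" when AppArmor is enabled.
    kernel=off
    if [ -r "$flag_file" ] && [ "$(cat "$flag_file")" = "Y" ]; then
        kernel=on
    fi

    # User-space side: look for an executable apparmor_parser in each directory.
    parser=missing
    old_ifs=$IFS
    IFS=:
    for dir in $search_path; do
        if [ -n "$dir" ] && [ -x "$dir/apparmor_parser" ] \
            && [ ! -d "$dir/apparmor_parser" ]; then
            parser=present
            break
        fi
    done
    IFS=$old_ifs

    case "$kernel/$parser" in
        on/missing) echo "mismatch: kernel AppArmor enabled, apparmor_parser not found" ;;
        on/present) echo "consistent: kernel AppArmor enabled, apparmor_parser found" ;;
        off/*)      echo "disabled: kernel AppArmor not enabled" ;;
    esac
}

# With no arguments this inspects the running host.
apparmor_state "$@"
```

A `mismatch` result is the combination shown in the thread: the kernel reports AppArmor as enabled while the package that ships `apparmor_parser` is absent. The `apparmor:unconfined` workaround posted earlier starts the service without the docker-default profile.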
  • I am still confused:



  • This is what I have.


  • I had problems with all my containers failing to start or taking forever to start as soon as I installed the Proxmox kernel. Booting to the regular kernel had no such problems with the containers.


    Problem was traced to something inappropriate in the Apparmor configuration related to docker. I tried fixing it according to sample config files I found on the net but none worked. So as was suggested by a more experienced user here I uninstalled the apparmor package. Solved.


    Edit:


    For grins I reinstalled apparmor. All containers start promptly. But my console is heavily flooded by apparmor messages. Anyone know how to quiet that down?

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 7.x on headless Chenbro NR12000 1U 1x 8m Quad Core E3-1220 3.1GHz 32GB ECC RAM.

    Edited once, last by gderf ()

    • Official post

    My docker version is Server Version: 20.10.5+dfsg1

    That is an older version than even OMV 5.x gets. You probably need to fix your docker repo (click install docker again) and update.


  • I don't understand where this docker version comes from. My sources all look good to me:

    Code
    sources.list                            
    16:deb [arch=amd64] https://download.docker.com/linux/debian bullseye stable 
    17:# deb-src [arch=amd64] https://download.docker.com/linux/debian bullseye stable 


    Re-installing (with omv-installdocker) gets me the same version again:


    Code
    Setting up docker.io (20.10.5+dfsg1-1+deb11u1) ...  
  • Sorry, I can't tell.

    I just installed docker manually following the instructions from docker.com.


    Code
    sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin


    and now I got version 20.10.17 and the apparmor-issue is gone.


    Thanks for all the help!

  • I appear to be having this exact same issue suddenly after an update of docker this morning.


    Apparmor isn't installed, docker is detecting it. The only apparmor package is the libapparmor package.


    I would like to avoid installing apparmor.


    I initially installed docker via omv-extras>docker.


    I'm running kernel 5.15 on OMV 6
