docker not working since omv-upgrade

Zitat von ryecoaaron

apparmor is installed by default now on Debian installs. I would have to look to see if it is installed in a very minimal netinstall (been awhile).

Like I said before, apparmor is not bad. The decision to disable apparmor in grub was just because apparmor being disabled is the default with the OMV iso and lots of existing OMV installs.

With OMV 7, I think apparmor should be enabled by default. I will see what I can come up with for omv-extras installing docker. I might add a checkbox to let the user choose if apparmor is enabled or disabled.

Interesting... So I was just looking at this again. Again, install over mini debian...

root@openmediavault:~# apt install apparmor-utils 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  python3-apparmor python3-libapparmor
Suggested packages:
  vim-addon-manager
The following NEW packages will be installed:
  apparmor-utils python3-apparmor python3-libapparmor
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 383 kB of archives.
After this operation, 1137 kB of additional disk space will be used.
Do you want to continue? [Y/n] n
Abort.
root@openmediavault:~# apt install apparmor
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
apparmor is already the newest version (2.13.6-10).
apparmor set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@openmediavault:~# 

so apparmor I apparently have installed, but not apparmor-utils. I didn't think to just check apparmor... as I figured if it was installed, apparmor-utils was installed.

Zitat von KM0201

so apparmor I apparently have installed, but not apparmor-utils. I didn't think to just check apparmor... as I figured if it was installed, apparmor-utils was installed.

That doesn't surprise me. Installing apparmor-utils will cause no issues if apparmor is already installed.

Zitat von tazzz013

But just so I understand, by running your commands it disables apparmor and will allow me to install the pending updates without any issues?

There is nothing keeping you from installing the updates. The commands just disable apparmor at the OS level (most OMV installs don't have apparmor installed) to tell docker not to try to run apparmor commands. So, you should be good to install updates like normal after running the commands.

Zitat von tazzz013

Also, will this only have to be done once?

Yes.

Zitat von gderf

Check your journal log. Mine was heavily flooded with this line after the docker updates.

I would expect this with apparmor installed and enabled. Do you have it disabled?

Zitat von gderf

this log flooding didn't start happening until I installed the most recent docker updates.

I don't think docker was enabling the docker-default profile until this recent update.

Zitat von gderf

Even with that done I think I had to run the commands to disable it to quiet the log.

Yep, even with the apparmor service disabled (no profiles will be loaded), docker enables the docker-default profile whenever you start a container.

Zitat von gderf

I wonder what the default is?

I thought it was 4G.

Zitat von gderf

So, if I understand it correctly, the latest docker updates require either installing apparmor and apparmor-utils (which allows dockers to run) and also having to accept the mentioned journal log flooding, or disabling apparmor at the OS level to allow docker to run.

The latest updates only need apparmor-utils IF apparmor is not disabled at the OS level. Unfortunately, apparmor-utils depends on apparmor.

I just installed a fresh minimal Debian 11 system (which does have apparmor installed and enabled but not apparmor-utils) and then ran the install script. I then installed docker and portainer from omv-extras. Container works fine. Not sure why it doesn't need apparmor-utls. I'm not seeing the logs being spammed. Where are you seeing the logging?

Zitat von RUsum1

This won't cause me to have to re-install Plex or qBit within Portainer will it? Those took a while for me to set up because I'm a novice

No. And reinstalling portainer doesn't mean you have to set anything back up either. The container just needs to be removed and recreated.

Zitat von gderf

I saw it when running:

sudo journalctl -b

I only see lines from apparmor starting at boot on my fresh system. Installing apparmor later in a system's life definitely seems to cause odd problems. I still can't get portainer to run on a test system from a few months ago when I enable apparmor at the OS level.

Zitat von gderf

Just for information purposes, I grep'd the journal log for the string being flooded.

The log was being spewed at a rate of 563 lines/second. I stopped scrolling the list at a little more than half a million lines. No idea how much more of it is there.

Is one of your containers doing a ptrace?