Docker info:
Client:
Version: 29.5.1
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: 0.34.1
Path: /usr/lib/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: 5.1.3
Path: /usr/lib/docker/cli-plugins/docker-compose
Server:
Containers: 2
Running: 0
Paused: 0
Stopped: 2
Images: 34
Server Version: 29.5.1
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: true
Native Overlay Diff: false
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
CDI spec directories:
/etc/cdi
/var/run/cdi
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 64b425cf570b3b8dd1d4cc46da7c1fce65c6651a.m
runc version:
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 7.0.11-arch1-1
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 12
Total Memory: 14.39GiB
Name: red-laptop-16124
ID: 1bd39403-84b2-4463-ab82-328e6f12df94
Docker Root Dir: /var/lib/docker
Debug Mode: false
Username: virgula
Experimental: false
Insecure Registries:
::1/128
127.0.0.0/8
Live Restore Enabled: false
Firewall Backend: iptables
EnableUserlandProxy: true
UserlandProxyPath: /usr/bin/docker-proxy

Hello,
I recently installed AppArmor on my Arch distro instance:
uname -r
7.0.11-arch1-1
cat /etc/os-release
NAME="Arch Linux"
PRETTY_NAME="Arch Linux"
ID=arch
BUILD_ID=rolling
ANSI_COLOR="38;2;23;147;209"
HOME_URL="https://archlinux.org/"
DOCUMENTATION_URL="https://wiki.archlinux.org/"
SUPPORT_URL="https://bbs.archlinux.org/"
BUG_REPORT_URL="https://gitlab.archlinux.org/groups/archlinux/-/issues"
PRIVACY_POLICY_URL="https://terms.archlinux.org/docs/privacy-policy/"
LOGO=archlinux-logo

sudo pacman -S apparmor
sudo systemctl enable --now apparmor.service

with startup options in `/proc/cmdline` for `GRUB`:

BOOT_IMAGE=/vmlinuz-linux root=UUID=XXXX rw cryptdevice=UUID=XXXX::cryptlvm rootfstype=ext4 apparmor=1 security=apparmor loglevel=3 quiet

Without adding new profiles, running `aa-status` I get default enforced ones like these:
9 profiles are in enforce mode.
/usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
apache2//phpsysinfo
chromium//opencl_pocl_clang
chromium//opencl_pocl_ld
docker-default
firefox//opencl_pocl_clang
firefox//opencl_pocl_ld
systemd-coredump//opencl_pocl_clang
systemd-coredump//opencl_pocl_ld

First of all, as far as I understood, the fact that the profile is not saved on disk but loaded in memory and then deleted is something done on purpose, and it is very frustrating not finding it in the `/etc/apparmor.d/` location.
I think the `docker-default` profile is the one giving me trouble with the Docker rootful installation; in fact:
docker run --rm hello-world
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: unable to start init: fork/exec /proc/self/fd/6: permission denied
Run 'docker run --help' for more information

and even this does not work:
docker run --rm --security-opt apparmor=unconfined hello-world
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: unable to start init: fork/exec /proc/self/fd/6: permission denied
Run 'docker run --help' for more information

For this reason I have created a mock, trying to disable the in-memory module:
echo 'profile docker-default {}' | tee /etc/apparmor.d/docker-default
sudo aa-disable /etc/apparmor.d/docker-default

With this trick the enforced module is gone from the list:
8 profiles are in enforce mode.
/usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
apache2//phpsysinfo
chromium//opencl_pocl_clang
chromium//opencl_pocl_ld
firefox//opencl_pocl_clang
firefox//opencl_pocl_ld
systemd-coredump//opencl_pocl_clang
systemd-coredump//opencl_pocl_ld

but Docker still won't work:
docker run --rm hello-world
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: unable to start init: fork/exec /proc/self/fd/6: permission denied
Run 'docker run --help' for more information

The only way to make it work is to tear down all loaded profiles:
sudo aa-teardown
Unloading AppArmor profiles

docker run --rm hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/
For more examples and ideas, visit:
https://docs.docker.com/get-started/

I need to use AppArmor for other security reasons, but I can't if Docker gives me this kind of problem. What is the problem? Does any other enforced profile restrict the behavior for `fork/exec /proc/self/fd/6`? How can I eventually disable it, since I also tried to put them all in complain mode with `sudo aa-complain /etc/apparmor.d/*`?
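The question above asks which enforced profile is denying `fork/exec /proc/self/fd/6`. The kernel records every AppArmor denial as an audit line (`type=1400`, `apparmor="DENIED"`) that names the profile which issued it, so the responsible profile can be read from the log instead of being found by unloading profiles until the container starts. The following is an added example, not from the original post and not part of AppArmor or Docker: a POSIX shell script that parses such lines and groups denials by profile. The log lines embedded in it are constructed samples; their profile names, pids, paths and timestamps are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): attribute AppArmor denials to
# the profile that emitted them, so a failing fork/exec can be traced to one
# profile instead of unloading every profile with aa-teardown.
#
# On a live system the input is the kernel log, e.g.:
#   journalctl -k --no-pager | grep 'apparmor="DENIED"' | summarize_denials
#   dmesg | denials_per_profile
# The lines below are CONSTRUCTED samples in the kernel's audit format; the
# profile names, pids, paths and timestamps are assumptions for illustration.
SAMPLE_AUDIT_LOG='audit: type=1400 audit(1700000000.123:42): apparmor="DENIED" operation="exec" class="file" profile="docker-default" name="/proc/1234/fd/6" pid=1234 comm="runc:[2:INIT]" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.456:43): apparmor="ALLOWED" operation="open" class="file" profile="firefox//opencl_pocl_ld" name="/etc/ld.so.cache" pid=2222 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000001.000:44): apparmor="DENIED" operation="exec" class="file" profile="docker-default" name="/proc/1240/fd/6" pid=1240 comm="runc:[2:INIT]" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit: type=1400 audit(1700000002.000:45): apparmor="DENIED" operation="capable" class="cap" profile="apache2//phpsysinfo" pid=3333 comm="apache2" capability=12 capname="net_admin"'

# field LINE KEY: print the value of KEY="..." in one audit line (empty if absent).
# The leading [[:space:]] keeps "name" from matching inside "capname".
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Read audit lines on stdin; print one tab-separated "profile operation name"
# record per DENIED event. ALLOWED events (complain-mode profiles) are skipped,
# because a profile in complain mode cannot be the one blocking the exec.
summarize_denials() {
    while IFS= read -r line; do
        case "$line" in
            *'apparmor="DENIED"'*) ;;
            *) continue ;;
        esac
        printf '%s\t%s\t%s\n' \
            "$(field "$line" profile)" \
            "$(field "$line" operation)" \
            "$(field "$line" name)"
    done
}

# Read audit lines on stdin; print "count profile", busiest profile first.
denials_per_profile() {
    summarize_denials | awk -F'\t' '{c[$1]++} END {for (p in c) print c[p], p}' | sort -rn
}

# profiles_denying_exec PATTERN: read audit lines on stdin; print each profile
# that denied an exec of a path matching PATTERN (an awk regex such as 'fd/6').
profiles_denying_exec() {
    summarize_denials | awk -F'\t' -v p="$1" '$2 == "exec" && $3 ~ p {print $1}' | sort -u
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | denials_per_profile
printf '%s\n' "$SAMPLE_AUDIT_LOG" | profiles_denying_exec 'fd/6'
```

On a live system, feed `journalctl -k --no-pager` or `dmesg` into the functions instead of the sample. If no `apparmor="DENIED"` line mentions the exec of the `/proc/*/fd/*` path at all, the failure is not an AppArmor denial and unloading profiles would only mask the real cause; if one does, the `profile=` value is the single profile to adjust, and the other enforced profiles can stay loaded.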