Apparmor Errors with Docker Inside LXC AlmaLinux 8

Trying to spin up an nginx container, I see an error with AppArmor. The test server is a fresh AlmaLinux 8 container.

[philip@alma8-test ~]$ docker run -it -d -p 80:80 nginx
Unable to find image 'nginx:latest' locally
latest: Pulling from library/nginx
01b5b2efb836: Pull complete 
db354f722736: Pull complete 
abb02e674be5: Pull complete 
214be53c3027: Pull complete 
a69afcef752d: Pull complete 
625184acb94e: Pull complete 
Digest: sha256:bb64db4779cb6f1c1b9cbc446f186908f50042479880c5e2804e05b663d7e26c
Status: Downloaded newer image for nginx:latest
9caf042392977237280fc18462c83a2f5da8a409323f613c749deecd27750195
docker: Error response from daemon: AppArmor enabled on system but the docker-default profile could not be loaded: running `apparmor_parser apparmor_parser --version` failed with output: 
error: exec: "apparmor_parser": executable file not found in $PATH.

Did some googling and found posts that suggest installing AppArmor. Not sure how to install it; yum/dnf doesn't find any apparmor packages to install.

Here is the config of the container.

root@lxd-play:~# lxc config show alma8-test
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Almalinux 8 amd64 (20230204_23:08)
  image.os: Almalinux
  image.release: "8"
  image.serial: "20230204_23:08"
  image.type: squashfs
  image.variant: cloud
  volatile.base_image: 60f65ef0359c3b300f3c259bd6d8e303a00d10c27c1a5275bfc58fe6701c17a8
  volatile.cloud-init.instance-id: f1a93ee2-9116-4d7f-b382-ddb52facba95
  volatile.eth0.host_name: veth8bd0e814
  volatile.eth0.hwaddr: 00:16:3e:08:96:19
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.power: RUNNING
  volatile.uuid: 8b7422ce-09fd-4f4a-993c-b85d25bbbb5b
devices: {}
ephemeral: false
profiles:
- default
stateful: false
description: ""

Hi @Philip_C, have you checked this page?
https://docs.docker.com/engine/security/apparmor/
Regards.

Yes. Though I don't see AppArmor installed on AlmaLinux 8, and I can't install it with dnf/yum either.

This is the first time this error has cropped up. Previously Docker worked without issues. I saw some posts saying that RHEL derivatives use SELinux and not AppArmor.

Do you think some lxc config has to be changed in order to fix this - especially because it says AppArmor is enabled but could not be loaded?

Hi @Philip_C, I suppose you don't want AppArmor involved; if this is the case, then this link is your answer.
https://github.com/lxc/lxd/issues/3096
Regards.

@cemzafer Oh - thanks for the quick reply. Will check it now.

@cemzafer

I can’t apply it to the profile. Did the key change?

lxc config set alma8-test raw.lxc "lxc.aa_profile=unconfined"
Error: Failed to load config file "/tmp/lxd_config_2472379704": loading config file for the container failed

Hi,
lxc.aa_profile=unconfined is deprecated; the new value is raw.lxc="lxc.apparmor.profile=unconfined".
Regards.

Okay. Enabled it on the container and restarted it. Now I get a new error :smile:

docker: Error response from daemon: Could not check if docker-default AppArmor profile was loaded: open /sys/kernel/security/apparmor/profiles: permission denied.

Just a sec. Looks like I didn’t enable nesting on the LXC container. Will do it and let you know what the result is.

Enabled nesting and restarted the container… the AppArmor error comes up.
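The posts above settle on two LXD-side settings (raw.lxc="lxc.apparmor.profile=unconfined" and security.nesting) while the container-side symptom moves between two different Docker errors. The script below is an added example, not code from the thread or from LXD/Docker: probe_apparmor reproduces, inside the container, the checks the Docker daemon makes before loading its docker-default profile (the ordering is my reading of the two error messages quoted above, so treat it as an assumption), and audit_lxd_config reads a pasted `lxc config show` dump and reports which of the two settings are present, flagging the deprecated lxc.aa_profile key. Paths are parameters so the probe can be exercised against a constructed /sys tree; make_fake_root and its profile-list contents are constructed test fixtures, not real LXD profile names.

```shell
#!/bin/sh
# Added example (not from the thread). Mirrors the checks Docker performs
# before loading docker-default and audits `lxc config show` output.

# probe_apparmor ROOT [PARSERDIR]
#   ROOT      root of the tree to inspect ("/" inside the real container)
#   PARSERDIR directory holding apparmor_parser; defaults to a PATH lookup
# Prints exactly one word:
#   disabled           kernel does not report AppArmor, Docker skips the profile
#   enabled-no-access  profiles list unreadable -> "Could not check if docker-default ..."
#   enabled-no-parser  apparmor_parser missing  -> "docker-default profile could not be loaded"
#   ok                 profile already loaded, or the parser is present to load it
probe_apparmor() {
    root=$1
    parserdir=$2
    enabled="$root/sys/module/apparmor/parameters/enabled"
    profiles="$root/sys/kernel/security/apparmor/profiles"

    # "AppArmor enabled on system": securityfs directory present and the
    # module parameter reads Y (assumed check order, see lead-in).
    if [ ! -d "$root/sys/kernel/security/apparmor" ] ||
       [ "$(cat "$enabled" 2>/dev/null)" != "Y" ]; then
        echo disabled
        return 0
    fi
    # Is docker-default already loaded? Docker reads the profiles list; any
    # open failure (EACCES as in the thread, or ENOENT) surfaces as
    # "Could not check if docker-default AppArmor profile was loaded".
    if ! list=$(cat "$profiles" 2>/dev/null); then
        echo enabled-no-access
        return 0
    fi
    if printf '%s\n' "$list" | grep -q '^docker-default '; then
        echo ok
        return 0
    fi
    # Not loaded: Docker shells out to apparmor_parser, which EL8 does not ship.
    if [ -n "$parserdir" ]; then
        parser="$parserdir/apparmor_parser"
    else
        parser=$(command -v apparmor_parser 2>/dev/null)
    fi
    if [ -z "$parser" ] || [ ! -x "$parser" ]; then
        echo enabled-no-parser
        return 0
    fi
    echo ok
}

# make_fake_root DIR ENABLED PROFILES
#   Constructed test fixture: builds a minimal /sys tree under DIR.
#   ENABLED is written to parameters/enabled ("Y" or "N"). PROFILES is
#   "present" (readable, no docker-default), "loaded" (contains
#   docker-default) or "absent" (open fails, the outcome Docker sees on EACCES).
make_fake_root() {
    mkdir -p "$1/sys/module/apparmor/parameters" "$1/sys/kernel/security/apparmor"
    printf '%s\n' "$2" > "$1/sys/module/apparmor/parameters/enabled"
    case "$3" in
        present) printf 'constructed-sample (enforce)\n' \
                     > "$1/sys/kernel/security/apparmor/profiles" ;;
        loaded)  printf 'constructed-sample (enforce)\ndocker-default (enforce)\n' \
                     > "$1/sys/kernel/security/apparmor/profiles" ;;
    esac
}

# audit_lxd_config < output-of-lxc-config-show
# Prints "<nesting|no-nesting> <unconfined|deprecated-key|confined>".
# Only the two settings discussed in the thread are inspected; raw.lxc may be
# a one-line value or a multi-line block, so the value is matched on any line.
audit_lxd_config() {
    nesting=no-nesting
    aa=confined
    while IFS= read -r line; do
        case "$line" in
            *security.nesting:*true*)          nesting=nesting ;;
            *lxc.apparmor.profile=unconfined*) aa=unconfined ;;
            *lxc.aa_profile=*)                 aa=deprecated-key ;;  # rejected by current LXD
        esac
    done
    echo "$nesting $aa"
}

# Stand-alone run: report the state of the system this script runs on.
echo "this system: $(probe_apparmor /)"
```

Run the script inside the LXD container as the user that runs docker: enabled-no-parser corresponds to the first error in the thread, enabled-no-access to the second. On the LXD host, the settings the thread arrived at are `lxc config set alma8-test raw.lxc "lxc.apparmor.profile=unconfined"`, `lxc config set alma8-test security.nesting true` and an `lxc restart alma8-test`; pipe `lxc config show alma8-test` into audit_lxd_config to confirm they took effect. Note that the thread reports the error persisting with current Docker CE even after both settings, with only the older docker-ce-19.03.13-3.el8 package working.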

Are you aware of the syntax Stephane talked about here?

Some more information:

I do not see the AppArmor issue with an old version of Docker CE. With the latest version, the AppArmor error pops up.

Hi @Philip_C, I have tested with docker-ce-19.03.13-3.el8.x86_64 and everything works flawlessly.
Regards

Yes, with an old version of Docker everything works well.

Hello!

I confirm Philip_C's findings, only I am using the Rocky 8 flavour as the LXC container for Docker and Ubuntu Jammy as the LXC host. It worked with no problems just a few days back, so some change in Docker made this an issue.

A quick fix I found was that running Ubuntu Jammy as the LXC container for Docker makes the problem go away. I use Docker's own repo, not the default Ubuntu ones. I guess this is because apparmor-utils is available in Jammy, while RHEL derivatives don't have it because they use SELinux. For my use cases I will just change my Docker LXC hosts from Rocky to Ubuntu, and I am fine. Not sure if this is an option for you, Philip.