Error accessing /var/run/docker.sock in nested containers

I have a nested container running in a Debian LXC into which I am trying to mount /var/run/docker.sock, but the container cannot access it. Is this not possible in Incus? I did verify that my docker-default AppArmor profile mentions incus.

I created the lxc container with:

    incus launch images:debian/12 docker \
      -c security.nesting=true \
      -c security.syscalls.intercept.mknod=true \
      -c security.syscalls.intercept.setxattr=true

In my Docker Compose file inside the LXC container:

    services:
        ...
        volumes:
          - '/var/run/docker.sock:/var/run/docker.sock:ro'

The container gets the following error:

    ERR Cannot create Docker client error="permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.47/version": dial unix /var/run/docker.sock: socket: permission denied" provider=docker

and I see this in dmesg on the host:

    [19145.517335] audit: type=1400 audit(1742618687.992:826): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-docker_" profile="docker-default" pid=55630 comm="node" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none

Host is Ubuntu 24.04.2

I saw other folks are using docker.io instead of docker-ce; does docker-ce have issues with AppArmor that docker.io doesn't when using Incus? Should I be using docker.io?

So it looks like it's not just /var/run/docker.sock: even just trying to run some containers (such as Uptime Kuma) doesn't work unless I set privileged: true on the container itself, because it can't listen on a socket. So to work around it I'm having to make most of my containers privileged. I don't want to disable AppArmor completely, and I tried a workaround to only ignore the Incus namespace, but that did not work.

Anyone have a clue what to try?

dmesg on host:

    [341947.019302] audit: type=1400 audit(1743096946.408:9111): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-docker_" profile="docker-default" pid=160345 comm="node" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none

Uptime Kuma error:

    2025-03-27T10:33:48-07:00 [SERVICES] INFO: Starting nscd
    Trace: Error: read ENOTCONN
        at tryReadStart (node:net:710:20)
        at Socket._read (node:net:725:5)
        at Readable.read (node:internal/streams/readable:539:12)
        at Socket.read (node:net:781:39)
        at new Socket (node:net:498:12)
        at Object.Socket (node:net:367:41)
        at createSocket (node:internal/child_process:329:14)
        at ChildProcess.spawn (node:internal/child_process:444:23)
        at spawn (node:child_process:761:9)
        at Object.execFile (node:child_process:351:17) {
      errno: -167,
      code: 'ENOTCONN',
      syscall: 'read'
    }
        at process.unexpectedErrorHandler (/app/server/server.js:19605:13)
        at process.emit (node:events:517:28)
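An added triage helper, not code from the post or from Incus/Docker, that parses the AppArmor audit record shown above into its fields and states which access the profile refused; the sample line is a copy of the first dmesg record in the post, and the field names are only those that appear in it.

```python
import re
from typing import Dict

# Sample audit record copied from the first dmesg output in the post.
AUDIT_LINE = (
    '[19145.517335] audit: type=1400 audit(1742618687.992:826): apparmor="DENIED" '
    'operation="create" class="net" info="failed type and protocol match" error=-13 '
    'namespace="root//incus-docker_" profile="docker-default" pid=55630 comm="node" '
    'family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none'
)

# key=value pairs: the value is either double-quoted (may contain spaces) or a bare token.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_apparmor_audit(line: str) -> Dict[str, str]:
    """Split an AppArmor audit record from dmesg into a dict of its key=value fields."""
    fields: Dict[str, str] = {}
    for key, raw, quoted in _KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def describe_denial(fields: Dict[str, str]) -> str:
    """Say in plain words what was refused, by which profile, and in which policy namespace."""
    if fields.get("apparmor") != "DENIED":
        return "not a denial"
    where = fields.get("namespace", "root")
    # A "//" in the namespace means the policy was loaded inside a container's own
    # AppArmor namespace (here the nested Incus container), not on the host directly.
    nested = " (nested policy namespace, i.e. inside a container)" if "//" in where else ""
    if fields.get("class") == "net":
        # Socket-level denial: the socket() call itself failed, before any path was involved.
        return (
            f'profile {fields["profile"]} denied {fields["comm"]} (pid {fields["pid"]}) '
            f'the "{fields["requested"]}" of a {fields["family"]}/{fields["sock_type"]} '
            f'socket in namespace {where}{nested}: {fields.get("info", "")}'
        )
    return (
        f'profile {fields["profile"]} denied {fields["comm"]} operation '
        f'{fields["operation"]} in namespace {where}{nested}'
    )


if __name__ == "__main__":
    print(describe_denial(parse_apparmor_audit(AUDIT_LINE)))
```

Feeding the second dmesg record from the post to the same functions gives the same kind of result, which shows the two failures (the docker.sock mount and Uptime Kuma) are the same socket-creation denial rather than a file-permission problem on the socket path.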