Running Docker inside a container on Debian 12

I’m trying to run Docker inside a container on Debian 12, but I get errors regarding AppArmor.

root@elk:~/tmp/elk# docker build .
[+] Building 12.3s (8/19)                                                                                docker:default
 => [internal] load build definition from Dockerfile                                                               0.0s
 => => transferring dockerfile: 1.13kB                                                                             0.0s
 => [internal] load metadata for docker.io/library/node:lts-alpine                                                 0.9s
 => [internal] load .dockerignore                                                                                  0.0s
 => => transferring context: 268B                                                                                  0.0s
 => [internal] load build context                                                                                  0.1s
 => => transferring context: 31.88kB                                                                               0.0s
 => [base 1/2] FROM docker.io/library/node:lts-alpine@sha256:7e227295e96f5b00aa79555ae166f50610940d888fc2e321cf36  0.0s
 => CACHED [base 2/2] WORKDIR /elk                                                                                 0.0s
 => ERROR [runner 1/2] RUN set -eux;     addgroup -g 911 elk;     adduser -u 911 -D -G elk elk;                   11.1s
 => ERROR [builder  1/11] RUN corepack enable                                                                      0.8s
------                                                                                                                  
 > [runner 1/2] RUN set -eux;     addgroup -g 911 elk;     adduser -u 911 -D -G elk elk;:                               
0.540 runc run failed: unable to start container process: error during container init: unable to apply apparmor profile: apparmor failed to apply profile: write /proc/self/attr/apparmor/exec: no such file or directory                       
------
------
 > [builder  1/11] RUN corepack enable:
0.515 runc run failed: unable to start container process: error during container init: unable to apply apparmor profile: apparmor failed to apply profile: write /proc/self/attr/apparmor/exec: no such file or directory
------
Dockerfile:9
--------------------
   7 |     
   8 |     # Prepare pnpm https://pnpm.io/installation#using-corepack
   9 | >>> RUN corepack enable
  10 |     
  11 |     # Prepare deps
--------------------
ERROR: failed to solve: process "/bin/sh -c corepack enable" did not complete successfully: exit code: 1
root@elk:~/tmp/elk# 

For everything I normally do in a container to work I need to do

incus config set {container-name} raw.lxc "lxc.apparmor.profile=unconfined"

What I have also tried on the container which is going to run Docker, is to also do

root@debian:~# incus config set elk security.nesting=true
root@debian:~# incus config set elk security.syscalls.intercept.mknod=true
root@debian:~# incus config set elk security.syscalls.intercept.setxattr=true

(something I read on this forum) but that did not help me.

You definitely don’t want to use lxc.apparmor.profile=unconfined, it will potentially very much mess up your host system.

The main things you need are:

  • security.nesting=true
  • security.syscalls.intercept.mknod=true
  • security.syscalls.intercept.setxattr=true

Do NOT EVER set security.privileged=true for such a setup as that will break things in very odd ways.

Now as for AppArmor, the likely issue is that your system simply has a version of AppArmor which doesn’t correctly detect Incus. That’s pretty easy to fix.

sed -i s/lxd/incus/g /lib/apparmor/rc.apparmor.functions and then restart the instance. That will have AppArmor now detect Incus’ apparmor namespace as suitable for use and the rest should work fine.

(I sent a fix to upstream AppArmor several months ago, it’s been merged and is present in newer versions, but not all distros have picked it up yet…)
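
The checks described in the reply above, collected into one script as an added example (not part of the original posts and not Incus or AppArmor project code). It audits the three required keys, flags security.privileged=true and an unconfined raw.lxc profile, and tests whether rc.apparmor.functions mentions "incus" at all, which is an assumed heuristic for the sed fix; the function names and sample data are constructed here.

```shell
#!/bin/sh
# Added example: audit an Incus instance against the settings discussed in this thread.
# Usage: ./audit.sh <instance-name>   (with no argument it audits a constructed sample)

REQUIRED_KEYS="security.nesting security.syscalls.intercept.mknod security.syscalls.intercept.setxattr"

# Emit "key=value" lines for the settings of interest using `incus config get`.
# Multi-line values (raw.lxc can hold several lines) are joined with spaces.
collect_config() {
    inst=$1
    for key in $REQUIRED_KEYS security.privileged raw.lxc; do
        printf '%s=%s\n' "$key" "$(incus config get "$inst" "$key" | paste -sd' ' -)"
    done
}

# Look up one key in the key=value text held in $CFG. Only the first "=" splits
# key from value, so "raw.lxc=lxc.apparmor.profile=unconfined" is handled.
cfg_value() {
    printf '%s\n' "$CFG" |
        awk -v k="$1" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }'
}

# Read key=value lines on stdin, print findings, return 1 if anything is wrong.
audit_nesting_config() {
    CFG=$(cat)
    rc=0
    for key in $REQUIRED_KEYS; do
        if [ "$(cfg_value "$key")" != "true" ]; then
            echo "MISSING: $key is not set to true"
            rc=1
        fi
    done
    if [ "$(cfg_value security.privileged)" = "true" ]; then
        echo "DANGEROUS: security.privileged=true must not be combined with nesting"
        rc=1
    fi
    case "$(cfg_value raw.lxc)" in
        *lxc.apparmor.profile*unconfined*)
            echo "DANGEROUS: raw.lxc disables AppArmor confinement for the instance"
            rc=1
            ;;
    esac
    return $rc
}

# Heuristic (assumption): after the sed fix, or with a newer AppArmor, the
# functions file mentions "incus". Run this on the host and inside the instance.
apparmor_functions_patched() {
    f=${1:-/lib/apparmor/rc.apparmor.functions}
    [ -r "$f" ] && grep -q incus "$f"
}

# Constructed sample data, not taken from any real instance.
sample_good_config() {
    cat <<'EOF'
security.nesting=true
security.syscalls.intercept.mknod=true
security.syscalls.intercept.setxattr=true
security.privileged=
raw.lxc=
EOF
}

sample_bad_config() {
    cat <<'EOF'
security.nesting=true
security.syscalls.intercept.mknod=true
security.syscalls.intercept.setxattr=
security.privileged=true
raw.lxc=lxc.apparmor.profile=unconfined
EOF
}

if [ "$#" -gt 0 ]; then
    collect_config "$1" | audit_nesting_config && echo "OK: instance settings match"
    apparmor_functions_patched ||
        echo "NOTE: rc.apparmor.functions does not mention incus"
else
    echo "No instance given; auditing the constructed bad sample:"
    sample_bad_config | audit_nesting_config || true
fi
```

A clean result only confirms the configuration matches the advice; as the follow-up posts show, the AppArmor error can persist for other reasons.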

Thanks for your answers.

I changed to incus in /lib/apparmor/rc.apparmor.functions on both the host, and the container.

I also applied the three settings you said.
The setting lxc.apparmor.profile was not set (I guess the migration to Incus removed it?).

However, it still does not work.
Same error as before.

 => ERROR [builder  1/11] RUN corepack enable                                                                      1.4s
 => ERROR [runner 1/2] RUN set -eux;     addgroup -g 911 elk;     adduser -u 911 -D -G elk elk;                    1.4s
------                                                                                                                  
 > [builder  1/11] RUN corepack enable:                                                                                 
0.547 runc run failed: unable to start container process: error during container init: unable to apply apparmor profile: apparmor failed to apply profile: write /proc/self/attr/apparmor/exec: no such file or directory                       
------
------
 > [runner 1/2] RUN set -eux;     addgroup -g 911 elk;     adduser -u 911 -D -G elk elk;:
0.531 runc run failed: unable to start container process: error during container init: unable to apply apparmor profile: apparmor failed to apply profile: write /proc/self/attr/apparmor/exec: no such file or directory
------
Dockerfile:37
--------------------
  36 |     # Create a dedicated user and group
  37 | >>> RUN set -eux; \
  38 | >>>     addgroup -g $GID elk; \
  39 | >>>     adduser -u $UID -D -G elk elk;
  40 |     
--------------------
ERROR: failed to solve: process "/bin/sh -c set -eux;     addgroup -g $GID elk;     adduser -u $UID -D -G elk elk;" did not complete successfully: exit code: 1
root@elk:~/tmp/elk# ls -la /proc/self/attr/apparmor/exec
-rw-rw-rw- 1 root root 0 Apr  6 17:00 /proc/self/attr/apparmor/exec
root@elk:~/tmp/elk# 

Do I have everything needed installed regarding AppArmor?

root@debian:~# dpkg -l | grep apparmor
ii  apparmor                                3.0.8-3                                 amd64        user-space parser utility for AppArmor
ii  libapparmor1:amd64                      3.0.8-3                                 amd64        changehat AppArmor library
root@debian:~# 

As a rule of thumb, when you want to run a container in a container (i.e. Docker in Incus but also other cases), you need to enable that security.nesting=true configuration option. Without it, the outer container is muted, and cannot support an inner container.

I’m not sure what’s different on your system; here it is on mine:

stgraber@dakara:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 12 (bookworm)
Release:	12
Codename:	bookworm
stgraber@dakara:~$ incus launch images:debian/12 docker -c security.nesting=true -c security.syscalls.intercept.mknod=true -c security.syscalls.intercept.setxattr=true
Launching docker
stgraber@dakara:~$ incus exec docker bash
root@docker:~# apt install docker.io
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  apparmor binutils binutils-common binutils-x86-64-linux-gnu ca-certificates cgroupfs-mount containerd criu gettext-base git git-man iptables less
  libbinutils libbrotli1 libctf-nobfd0 libctf0 libcurl3-gnutls liberror-perl libgprofng0 libintl-perl libintl-xs-perl libip6tc2 libjansson4 libldap-2.5-0
  libldap-common libmodule-find-perl libmodule-scandeps-perl libnet1 libnetfilter-conntrack3 libnfnetlink0 libnftables1 libnftnl11 libnghttp2-14 libnl-3-200
  libnsl2 libproc-processtable-perl libprotobuf-c1 libprotobuf32 libpsl5 libpython3-stdlib libpython3.11-minimal libpython3.11-stdlib libreadline8 librtmp1
  libsasl2-2 libsasl2-modules libsasl2-modules-db libsort-naturally-perl libsqlite3-0 libssh2-1 libterm-readkey-perl media-types needrestart nftables openssl
  patch publicsuffix python3 python3-minimal python3-protobuf python3.11 python3.11-minimal readline-common runc sgml-base tini xz-utils
Suggested packages:
  apparmor-profiles-extra apparmor-utils binutils-doc containernetworking-plugins docker-doc aufs-tools btrfs-progs debootstrap rinse rootlesskit xfsprogs
  zfs-fuse | zfsutils-linux git-daemon-run | git-daemon-sysvinit git-doc git-email git-gui gitk gitweb git-cvs git-mediawiki git-svn firewalld kmod
  libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal libsasl2-modules-ldap libsasl2-modules-otp libsasl2-modules-sql needrestart-session
  | libnotify-bin iucode-tool ed diffutils-doc python3-doc python3-tk python3-venv python3.11-venv python3.11-doc binfmt-support readline-doc sgml-base-doc
The following NEW packages will be installed:
  apparmor binutils binutils-common binutils-x86-64-linux-gnu ca-certificates cgroupfs-mount containerd criu docker.io gettext-base git git-man iptables less
  libbinutils libbrotli1 libctf-nobfd0 libctf0 libcurl3-gnutls liberror-perl libgprofng0 libintl-perl libintl-xs-perl libip6tc2 libjansson4 libldap-2.5-0
  libldap-common libmodule-find-perl libmodule-scandeps-perl libnet1 libnetfilter-conntrack3 libnfnetlink0 libnftables1 libnftnl11 libnghttp2-14 libnl-3-200
  libnsl2 libproc-processtable-perl libprotobuf-c1 libprotobuf32 libpsl5 libpython3-stdlib libpython3.11-minimal libpython3.11-stdlib libreadline8 librtmp1
  libsasl2-2 libsasl2-modules libsasl2-modules-db libsort-naturally-perl libsqlite3-0 libssh2-1 libterm-readkey-perl media-types needrestart nftables openssl
  patch publicsuffix python3 python3-minimal python3-protobuf python3.11 python3.11-minimal readline-common runc sgml-base tini xz-utils
0 upgraded, 69 newly installed, 0 to remove and 0 not upgraded.
Need to get 95.7 MB of archives.
After this operation, 397 MB of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 http://deb.debian.org/debian bookworm/main amd64 runc amd64 1.1.5+ds1-1+deb12u1 [2710 kB]
Get:2 http://deb.debian.org/debian bookworm/main amd64 containerd amd64 1.6.20~ds1-1+b1 [25.9 MB]
Get:3 http://deb.debian.org/debian bookworm/main amd64 libip6tc2 amd64 1.8.9-2 [19.4 kB]
Get:4 http://deb.debian.org/debian bookworm/main amd64 libnfnetlink0 amd64 1.0.2-2 [15.1 kB]
Get:5 http://deb.debian.org/debian bookworm/main amd64 libnetfilter-conntrack3 amd64 1.0.9-3 [40.7 kB]
Get:6 http://deb.debian.org/debian bookworm/main amd64 libnftnl11 amd64 1.2.4-2 [61.6 kB]
Get:7 http://deb.debian.org/debian bookworm/main amd64 iptables amd64 1.8.9-2 [360 kB]
Get:8 http://deb.debian.org/debian bookworm/main amd64 tini amd64 0.19.0-1 [255 kB]
Get:9 http://deb.debian.org/debian bookworm/main amd64 docker.io amd64 20.10.24+dfsg1-1+b3 [36.2 MB]
Get:10 http://deb.debian.org/debian bookworm/main amd64 libpython3.11-minimal amd64 3.11.2-6 [813 kB]
Get:11 http://deb.debian.org/debian bookworm/main amd64 python3.11-minimal amd64 3.11.2-6 [2064 kB]
Get:12 http://deb.debian.org/debian bookworm/main amd64 python3-minimal amd64 3.11.2-1+b1 [26.3 kB]
Get:13 http://deb.debian.org/debian bookworm/main amd64 media-types all 10.0.0 [26.1 kB]
Get:14 http://deb.debian.org/debian bookworm/main amd64 libnsl2 amd64 1.3.0-2 [39.5 kB]
Get:15 http://deb.debian.org/debian bookworm/main amd64 readline-common all 8.2-1.3 [69.0 kB]
Get:16 http://deb.debian.org/debian bookworm/main amd64 libreadline8 amd64 8.2-1.3 [166 kB]
Get:17 http://deb.debian.org/debian bookworm/main amd64 libsqlite3-0 amd64 3.40.1-2 [837 kB]
Get:18 http://deb.debian.org/debian bookworm/main amd64 libpython3.11-stdlib amd64 3.11.2-6 [1796 kB]
Get:19 http://deb.debian.org/debian bookworm/main amd64 python3.11 amd64 3.11.2-6 [572 kB]
Get:20 http://deb.debian.org/debian bookworm/main amd64 libpython3-stdlib amd64 3.11.2-1+b1 [9312 B]
Get:21 http://deb.debian.org/debian bookworm/main amd64 python3 amd64 3.11.2-1+b1 [26.3 kB]
Get:22 http://deb.debian.org/debian bookworm/main amd64 sgml-base all 1.31 [15.4 kB]
Get:23 http://deb.debian.org/debian bookworm/main amd64 less amd64 590-2 [131 kB]
Get:24 http://deb.debian.org/debian bookworm/main amd64 libjansson4 amd64 2.14-2 [40.8 kB]
Get:25 http://deb.debian.org/debian bookworm/main amd64 libnftables1 amd64 1.0.6-2+deb12u2 [299 kB]
Get:26 http://deb.debian.org/debian bookworm/main amd64 nftables amd64 1.0.6-2+deb12u2 [70.3 kB]
Get:27 http://deb.debian.org/debian bookworm/main amd64 openssl amd64 3.0.11-1~deb12u2 [1419 kB]
Get:28 http://deb.debian.org/debian bookworm/main amd64 ca-certificates all 20230311 [153 kB]
Get:29 http://deb.debian.org/debian bookworm/main amd64 gettext-base amd64 0.21-12 [160 kB]
Get:30 http://deb.debian.org/debian bookworm/main amd64 xz-utils amd64 5.4.1-0.2 [471 kB]
Get:31 http://deb.debian.org/debian bookworm/main amd64 apparmor amd64 3.0.8-3 [616 kB]                                                                       
Get:32 http://deb.debian.org/debian bookworm/main amd64 binutils-common amd64 2.40-2 [2487 kB]                                                                
Get:33 http://deb.debian.org/debian bookworm/main amd64 libbinutils amd64 2.40-2 [572 kB]                                                                     
Get:34 http://deb.debian.org/debian bookworm/main amd64 libctf-nobfd0 amd64 2.40-2 [153 kB]                                                                   
Get:35 http://deb.debian.org/debian bookworm/main amd64 libctf0 amd64 2.40-2 [89.8 kB]                                                                        
Get:36 http://deb.debian.org/debian bookworm/main amd64 libgprofng0 amd64 2.40-2 [812 kB]                                                                     
Get:37 http://deb.debian.org/debian bookworm/main amd64 binutils-x86-64-linux-gnu amd64 2.40-2 [2246 kB]                                                      
Get:38 http://deb.debian.org/debian bookworm/main amd64 binutils amd64 2.40-2 [65.0 kB]                                                                       
Get:39 http://deb.debian.org/debian bookworm/main amd64 cgroupfs-mount all 1.4 [6276 B]                                                                       
Get:40 http://deb.debian.org/debian bookworm/main amd64 libprotobuf32 amd64 3.21.12-3 [932 kB]                                                                
Get:41 http://deb.debian.org/debian bookworm/main amd64 python3-protobuf amd64 3.21.12-3 [245 kB]                                                             
Get:42 http://deb.debian.org/debian bookworm/main amd64 libnet1 amd64 1.1.6+dfsg-3.2 [60.3 kB]                                                                
Get:43 http://deb.debian.org/debian bookworm/main amd64 libnl-3-200 amd64 3.7.0-0.2+b1 [63.1 kB]                                                              
Get:44 http://deb.debian.org/debian bookworm/main amd64 libprotobuf-c1 amd64 1.4.1-1+b1 [27.5 kB]                                                             
Get:45 http://deb.debian.org/debian bookworm/main amd64 criu amd64 3.17.1-2 [665 kB]                                                                          
Get:46 http://deb.debian.org/debian bookworm/main amd64 libbrotli1 amd64 1.0.9-2+b6 [275 kB]                                                                  
Get:47 http://deb.debian.org/debian bookworm/main amd64 libsasl2-modules-db amd64 2.1.28+dfsg-10 [20.3 kB]                                                    
Get:48 http://deb.debian.org/debian bookworm/main amd64 libsasl2-2 amd64 2.1.28+dfsg-10 [59.7 kB]                                                             
Get:49 http://deb.debian.org/debian bookworm/main amd64 libldap-2.5-0 amd64 2.5.13+dfsg-5 [183 kB]                                                            
Get:50 http://deb.debian.org/debian bookworm/main amd64 libnghttp2-14 amd64 1.52.0-1+deb12u1 [72.4 kB]                                                        
Get:51 http://deb.debian.org/debian bookworm/main amd64 libpsl5 amd64 0.21.2-1 [58.7 kB]                                                                      
Get:52 http://deb.debian.org/debian bookworm/main amd64 librtmp1 amd64 2.4+20151223.gitfa8646d.1-2+b2 [60.8 kB]                                               
Get:53 http://deb.debian.org/debian bookworm/main amd64 libssh2-1 amd64 1.10.0-3+b1 [179 kB]                                                                  
Get:54 http://deb.debian.org/debian bookworm/main amd64 libcurl3-gnutls amd64 7.88.1-10+deb12u5 [385 kB]                                                      
Get:55 http://deb.debian.org/debian bookworm/main amd64 liberror-perl all 0.17029-2 [29.0 kB]                                                                 
Get:56 http://deb.debian.org/debian bookworm/main amd64 git-man all 1:2.39.2-1.1 [2049 kB]                                                                    
Get:57 http://deb.debian.org/debian bookworm/main amd64 git amd64 1:2.39.2-1.1 [7171 kB]                                                                      
Get:58 http://deb.debian.org/debian bookworm/main amd64 libintl-perl all 1.33-1 [720 kB]                                                                      
Get:59 http://deb.debian.org/debian bookworm/main amd64 libintl-xs-perl amd64 1.33-1 [15.6 kB]                                                                
Get:60 http://deb.debian.org/debian bookworm/main amd64 libldap-common all 2.5.13+dfsg-5 [29.3 kB]                                                            
Get:61 http://deb.debian.org/debian bookworm/main amd64 libmodule-find-perl all 0.16-2 [10.6 kB]                                                              
Get:62 http://deb.debian.org/debian bookworm/main amd64 libmodule-scandeps-perl all 1.31-2 [41.7 kB]                                                          
Get:63 http://deb.debian.org/debian bookworm/main amd64 libproc-processtable-perl amd64 0.634-1+b2 [43.1 kB]                                                  
Get:64 http://deb.debian.org/debian bookworm/main amd64 libsasl2-modules amd64 2.1.28+dfsg-10 [66.6 kB]                                                       
Get:65 http://deb.debian.org/debian bookworm/main amd64 libsort-naturally-perl all 1.03-4 [13.1 kB]                                                           
Get:66 http://deb.debian.org/debian bookworm/main amd64 libterm-readkey-perl amd64 2.38-2+b1 [24.5 kB]                                                        
Get:67 http://deb.debian.org/debian bookworm/main amd64 needrestart all 3.6-4+deb12u1 [59.8 kB]                                                               
Get:68 http://deb.debian.org/debian bookworm/main amd64 patch amd64 2.7.6-7 [128 kB]                                                                          
Get:69 http://deb.debian.org/debian bookworm/main amd64 publicsuffix all 20230209.2326-1 [126 kB]                                                             
Fetched 95.7 MB in 8s (12.6 MB/s)                                                                                                                             
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package runc.
(Reading database ... 13564 files and directories currently installed.)
Preparing to unpack .../00-runc_1.1.5+ds1-1+deb12u1_amd64.deb ...
Unpacking runc (1.1.5+ds1-1+deb12u1) ...
Selecting previously unselected package containerd.
Preparing to unpack .../01-containerd_1.6.20~ds1-1+b1_amd64.deb ...
Unpacking containerd (1.6.20~ds1-1+b1) ...
Selecting previously unselected package libip6tc2:amd64.
Preparing to unpack .../02-libip6tc2_1.8.9-2_amd64.deb ...
Unpacking libip6tc2:amd64 (1.8.9-2) ...
Selecting previously unselected package libnfnetlink0:amd64.
Preparing to unpack .../03-libnfnetlink0_1.0.2-2_amd64.deb ...
Unpacking libnfnetlink0:amd64 (1.0.2-2) ...
Selecting previously unselected package libnetfilter-conntrack3:amd64.
Preparing to unpack .../04-libnetfilter-conntrack3_1.0.9-3_amd64.deb ...
Unpacking libnetfilter-conntrack3:amd64 (1.0.9-3) ...
Selecting previously unselected package libnftnl11:amd64.
Preparing to unpack .../05-libnftnl11_1.2.4-2_amd64.deb ...
Unpacking libnftnl11:amd64 (1.2.4-2) ...
Selecting previously unselected package iptables.
Preparing to unpack .../06-iptables_1.8.9-2_amd64.deb ...
Unpacking iptables (1.8.9-2) ...
Selecting previously unselected package tini.
Preparing to unpack .../07-tini_0.19.0-1_amd64.deb ...
Unpacking tini (0.19.0-1) ...
Selecting previously unselected package docker.io.
Preparing to unpack .../08-docker.io_20.10.24+dfsg1-1+b3_amd64.deb ...
Unpacking docker.io (20.10.24+dfsg1-1+b3) ...
Selecting previously unselected package libpython3.11-minimal:amd64.
Preparing to unpack .../09-libpython3.11-minimal_3.11.2-6_amd64.deb ...
Unpacking libpython3.11-minimal:amd64 (3.11.2-6) ...
Selecting previously unselected package python3.11-minimal.
Preparing to unpack .../10-python3.11-minimal_3.11.2-6_amd64.deb ...
Unpacking python3.11-minimal (3.11.2-6) ...
Setting up libpython3.11-minimal:amd64 (3.11.2-6) ...
Setting up python3.11-minimal (3.11.2-6) ...
Selecting previously unselected package python3-minimal.
(Reading database ... 14382 files and directories currently installed.)
Preparing to unpack .../0-python3-minimal_3.11.2-1+b1_amd64.deb ...
Unpacking python3-minimal (3.11.2-1+b1) ...
Selecting previously unselected package media-types.
Preparing to unpack .../1-media-types_10.0.0_all.deb ...
Unpacking media-types (10.0.0) ...
Selecting previously unselected package libnsl2:amd64.
Preparing to unpack .../2-libnsl2_1.3.0-2_amd64.deb ...
Unpacking libnsl2:amd64 (1.3.0-2) ...
Selecting previously unselected package readline-common.
Preparing to unpack .../3-readline-common_8.2-1.3_all.deb ...
Unpacking readline-common (8.2-1.3) ...
Selecting previously unselected package libreadline8:amd64.
Preparing to unpack .../4-libreadline8_8.2-1.3_amd64.deb ...
Unpacking libreadline8:amd64 (8.2-1.3) ...
Selecting previously unselected package libsqlite3-0:amd64.
Preparing to unpack .../5-libsqlite3-0_3.40.1-2_amd64.deb ...
Unpacking libsqlite3-0:amd64 (3.40.1-2) ...
Selecting previously unselected package libpython3.11-stdlib:amd64.
Preparing to unpack .../6-libpython3.11-stdlib_3.11.2-6_amd64.deb ...
Unpacking libpython3.11-stdlib:amd64 (3.11.2-6) ...
Selecting previously unselected package python3.11.
Preparing to unpack .../7-python3.11_3.11.2-6_amd64.deb ...
Unpacking python3.11 (3.11.2-6) ...
Selecting previously unselected package libpython3-stdlib:amd64.
Preparing to unpack .../8-libpython3-stdlib_3.11.2-1+b1_amd64.deb ...
Unpacking libpython3-stdlib:amd64 (3.11.2-1+b1) ...
Setting up python3-minimal (3.11.2-1+b1) ...
Selecting previously unselected package python3.
(Reading database ... 14829 files and directories currently installed.)
Preparing to unpack .../00-python3_3.11.2-1+b1_amd64.deb ...
Unpacking python3 (3.11.2-1+b1) ...
Selecting previously unselected package sgml-base.
Preparing to unpack .../01-sgml-base_1.31_all.deb ...
Unpacking sgml-base (1.31) ...
Selecting previously unselected package less.
Preparing to unpack .../02-less_590-2_amd64.deb ...
Unpacking less (590-2) ...
Selecting previously unselected package libjansson4:amd64.
Preparing to unpack .../03-libjansson4_2.14-2_amd64.deb ...
Unpacking libjansson4:amd64 (2.14-2) ...
Selecting previously unselected package libnftables1:amd64.
Preparing to unpack .../04-libnftables1_1.0.6-2+deb12u2_amd64.deb ...
Unpacking libnftables1:amd64 (1.0.6-2+deb12u2) ...
Selecting previously unselected package nftables.
Preparing to unpack .../05-nftables_1.0.6-2+deb12u2_amd64.deb ...
Unpacking nftables (1.0.6-2+deb12u2) ...
Selecting previously unselected package openssl.
Preparing to unpack .../06-openssl_3.0.11-1~deb12u2_amd64.deb ...
Unpacking openssl (3.0.11-1~deb12u2) ...
Selecting previously unselected package ca-certificates.
Preparing to unpack .../07-ca-certificates_20230311_all.deb ...
Unpacking ca-certificates (20230311) ...
Selecting previously unselected package gettext-base.
Preparing to unpack .../08-gettext-base_0.21-12_amd64.deb ...
Unpacking gettext-base (0.21-12) ...
Selecting previously unselected package xz-utils.
Preparing to unpack .../09-xz-utils_5.4.1-0.2_amd64.deb ...
Unpacking xz-utils (5.4.1-0.2) ...
Selecting previously unselected package apparmor.
Preparing to unpack .../10-apparmor_3.0.8-3_amd64.deb ...
Unpacking apparmor (3.0.8-3) ...
Selecting previously unselected package binutils-common:amd64.
Preparing to unpack .../11-binutils-common_2.40-2_amd64.deb ...
Unpacking binutils-common:amd64 (2.40-2) ...
Selecting previously unselected package libbinutils:amd64.
Preparing to unpack .../12-libbinutils_2.40-2_amd64.deb ...
Unpacking libbinutils:amd64 (2.40-2) ...
Selecting previously unselected package libctf-nobfd0:amd64.
Preparing to unpack .../13-libctf-nobfd0_2.40-2_amd64.deb ...
Unpacking libctf-nobfd0:amd64 (2.40-2) ...
Selecting previously unselected package libctf0:amd64.
Preparing to unpack .../14-libctf0_2.40-2_amd64.deb ...
Unpacking libctf0:amd64 (2.40-2) ...
Selecting previously unselected package libgprofng0:amd64.
Preparing to unpack .../15-libgprofng0_2.40-2_amd64.deb ...
Unpacking libgprofng0:amd64 (2.40-2) ...
Selecting previously unselected package binutils-x86-64-linux-gnu.
Preparing to unpack .../16-binutils-x86-64-linux-gnu_2.40-2_amd64.deb ...
Unpacking binutils-x86-64-linux-gnu (2.40-2) ...
Selecting previously unselected package binutils.
Preparing to unpack .../17-binutils_2.40-2_amd64.deb ...
Unpacking binutils (2.40-2) ...
Selecting previously unselected package cgroupfs-mount.
Preparing to unpack .../18-cgroupfs-mount_1.4_all.deb ...
Unpacking cgroupfs-mount (1.4) ...
Selecting previously unselected package libprotobuf32:amd64.
Preparing to unpack .../19-libprotobuf32_3.21.12-3_amd64.deb ...
Unpacking libprotobuf32:amd64 (3.21.12-3) ...
Selecting previously unselected package python3-protobuf.
Preparing to unpack .../20-python3-protobuf_3.21.12-3_amd64.deb ...
Unpacking python3-protobuf (3.21.12-3) ...
Selecting previously unselected package libnet1:amd64.
Preparing to unpack .../21-libnet1_1.1.6+dfsg-3.2_amd64.deb ...
Unpacking libnet1:amd64 (1.1.6+dfsg-3.2) ...
Selecting previously unselected package libnl-3-200:amd64.
Preparing to unpack .../22-libnl-3-200_3.7.0-0.2+b1_amd64.deb ...
Unpacking libnl-3-200:amd64 (3.7.0-0.2+b1) ...
Selecting previously unselected package libprotobuf-c1:amd64.
Preparing to unpack .../23-libprotobuf-c1_1.4.1-1+b1_amd64.deb ...
Unpacking libprotobuf-c1:amd64 (1.4.1-1+b1) ...
Selecting previously unselected package criu.
Preparing to unpack .../24-criu_3.17.1-2_amd64.deb ...
Unpacking criu (3.17.1-2) ...
Selecting previously unselected package libbrotli1:amd64.
Preparing to unpack .../25-libbrotli1_1.0.9-2+b6_amd64.deb ...
Unpacking libbrotli1:amd64 (1.0.9-2+b6) ...
Selecting previously unselected package libsasl2-modules-db:amd64.
Preparing to unpack .../26-libsasl2-modules-db_2.1.28+dfsg-10_amd64.deb ...
Unpacking libsasl2-modules-db:amd64 (2.1.28+dfsg-10) ...
Selecting previously unselected package libsasl2-2:amd64.
Preparing to unpack .../27-libsasl2-2_2.1.28+dfsg-10_amd64.deb ...
Unpacking libsasl2-2:amd64 (2.1.28+dfsg-10) ...
Selecting previously unselected package libldap-2.5-0:amd64.
Preparing to unpack .../28-libldap-2.5-0_2.5.13+dfsg-5_amd64.deb ...
Unpacking libldap-2.5-0:amd64 (2.5.13+dfsg-5) ...
Selecting previously unselected package libnghttp2-14:amd64.
Preparing to unpack .../29-libnghttp2-14_1.52.0-1+deb12u1_amd64.deb ...
Unpacking libnghttp2-14:amd64 (1.52.0-1+deb12u1) ...
Selecting previously unselected package libpsl5:amd64.
Preparing to unpack .../30-libpsl5_0.21.2-1_amd64.deb ...
Unpacking libpsl5:amd64 (0.21.2-1) ...
Selecting previously unselected package librtmp1:amd64.
Preparing to unpack .../31-librtmp1_2.4+20151223.gitfa8646d.1-2+b2_amd64.deb ...
Unpacking librtmp1:amd64 (2.4+20151223.gitfa8646d.1-2+b2) ...
Selecting previously unselected package libssh2-1:amd64.
Preparing to unpack .../32-libssh2-1_1.10.0-3+b1_amd64.deb ...
Unpacking libssh2-1:amd64 (1.10.0-3+b1) ...
Selecting previously unselected package libcurl3-gnutls:amd64.
Preparing to unpack .../33-libcurl3-gnutls_7.88.1-10+deb12u5_amd64.deb ...
Unpacking libcurl3-gnutls:amd64 (7.88.1-10+deb12u5) ...
Selecting previously unselected package liberror-perl.
Preparing to unpack .../34-liberror-perl_0.17029-2_all.deb ...
Unpacking liberror-perl (0.17029-2) ...
Selecting previously unselected package git-man.
Preparing to unpack .../35-git-man_1%3a2.39.2-1.1_all.deb ...
Unpacking git-man (1:2.39.2-1.1) ...
Selecting previously unselected package git.
Preparing to unpack .../36-git_1%3a2.39.2-1.1_amd64.deb ...
Unpacking git (1:2.39.2-1.1) ...
Selecting previously unselected package libintl-perl.
Preparing to unpack .../37-libintl-perl_1.33-1_all.deb ...
Unpacking libintl-perl (1.33-1) ...
Selecting previously unselected package libintl-xs-perl.
Preparing to unpack .../38-libintl-xs-perl_1.33-1_amd64.deb ...
Unpacking libintl-xs-perl (1.33-1) ...
Selecting previously unselected package libldap-common.
Preparing to unpack .../39-libldap-common_2.5.13+dfsg-5_all.deb ...
Unpacking libldap-common (2.5.13+dfsg-5) ...
Selecting previously unselected package libmodule-find-perl.
Preparing to unpack .../40-libmodule-find-perl_0.16-2_all.deb ...
Unpacking libmodule-find-perl (0.16-2) ...
Selecting previously unselected package libmodule-scandeps-perl.
Preparing to unpack .../41-libmodule-scandeps-perl_1.31-2_all.deb ...
Unpacking libmodule-scandeps-perl (1.31-2) ...
Selecting previously unselected package libproc-processtable-perl:amd64.
Preparing to unpack .../42-libproc-processtable-perl_0.634-1+b2_amd64.deb ...
Unpacking libproc-processtable-perl:amd64 (0.634-1+b2) ...
Selecting previously unselected package libsasl2-modules:amd64.
Preparing to unpack .../43-libsasl2-modules_2.1.28+dfsg-10_amd64.deb ...
Unpacking libsasl2-modules:amd64 (2.1.28+dfsg-10) ...
Selecting previously unselected package libsort-naturally-perl.
Preparing to unpack .../44-libsort-naturally-perl_1.03-4_all.deb ...
Unpacking libsort-naturally-perl (1.03-4) ...
Selecting previously unselected package libterm-readkey-perl.
Preparing to unpack .../45-libterm-readkey-perl_2.38-2+b1_amd64.deb ...
Unpacking libterm-readkey-perl (2.38-2+b1) ...
Selecting previously unselected package needrestart.
Preparing to unpack .../46-needrestart_3.6-4+deb12u1_all.deb ...
Unpacking needrestart (3.6-4+deb12u1) ...
Selecting previously unselected package patch.
Preparing to unpack .../47-patch_2.7.6-7_amd64.deb ...
Unpacking patch (2.7.6-7) ...
Selecting previously unselected package publicsuffix.
Preparing to unpack .../48-publicsuffix_20230209.2326-1_all.deb ...
Unpacking publicsuffix (20230209.2326-1) ...
Setting up media-types (10.0.0) ...
Setting up libpsl5:amd64 (0.21.2-1) ...
Setting up libip6tc2:amd64 (1.8.9-2) ...
Setting up libbrotli1:amd64 (1.0.9-2+b6) ...
Setting up libsqlite3-0:amd64 (3.40.1-2) ...
Setting up libsasl2-modules:amd64 (2.1.28+dfsg-10) ...
Setting up binutils-common:amd64 (2.40-2) ...
Setting up libnghttp2-14:amd64 (1.52.0-1+deb12u1) ...
Setting up less (590-2) ...
Setting up libctf-nobfd0:amd64 (2.40-2) ...
Setting up gettext-base (0.21-12) ...
Setting up libnftnl11:amd64 (1.2.4-2) ...
Setting up libldap-common (2.5.13+dfsg-5) ...
Setting up libprotobuf-c1:amd64 (1.4.1-1+b1) ...
Setting up runc (1.1.5+ds1-1+deb12u1) ...
Setting up libjansson4:amd64 (2.14-2) ...
Setting up libsasl2-modules-db:amd64 (2.1.28+dfsg-10) ...
Setting up liberror-perl (0.17029-2) ...
Setting up apparmor (3.0.8-3) ...
Created symlink /etc/systemd/system/sysinit.target.wants/apparmor.service → /lib/systemd/system/apparmor.service.
Reloading AppArmor profiles 
Setting up libmodule-find-perl (0.16-2) ...
Setting up librtmp1:amd64 (2.4+20151223.gitfa8646d.1-2+b2) ...
Setting up xz-utils (5.4.1-0.2) ...
update-alternatives: using /usr/bin/xz to provide /usr/bin/lzma (lzma) in auto mode
Setting up tini (0.19.0-1) ...
Setting up patch (2.7.6-7) ...
Setting up libsasl2-2:amd64 (2.1.28+dfsg-10) ...
Setting up libprotobuf32:amd64 (3.21.12-3) ...
Setting up libproc-processtable-perl:amd64 (0.634-1+b2) ...
Setting up libnfnetlink0:amd64 (1.0.2-2) ...
Setting up libnsl2:amd64 (1.3.0-2) ...
Setting up libnl-3-200:amd64 (3.7.0-0.2+b1) ...
Setting up libintl-perl (1.33-1) ...
Setting up git-man (1:2.39.2-1.1) ...
Setting up libssh2-1:amd64 (1.10.0-3+b1) ...
Setting up sgml-base (1.31) ...
Setting up cgroupfs-mount (1.4) ...
Setting up libterm-readkey-perl (2.38-2+b1) ...
Setting up libbinutils:amd64 (2.40-2) ...
Setting up containerd (1.6.20~ds1-1+b1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/containerd.service → /lib/systemd/system/containerd.service.
Setting up openssl (3.0.11-1~deb12u2) ...
Setting up readline-common (8.2-1.3) ...
Setting up publicsuffix (20230209.2326-1) ...
Setting up libsort-naturally-perl (1.03-4) ...
Setting up libmodule-scandeps-perl (1.31-2) ...
Setting up libctf0:amd64 (2.40-2) ...
Setting up libnftables1:amd64 (1.0.6-2+deb12u2) ...
Setting up nftables (1.0.6-2+deb12u2) ...
Setting up libreadline8:amd64 (8.2-1.3) ...
Setting up libnet1:amd64 (1.1.6+dfsg-3.2) ...
Setting up libintl-xs-perl (1.33-1) ...
Setting up libldap-2.5-0:amd64 (2.5.13+dfsg-5) ...
Setting up ca-certificates (20230311) ...
Updating certificates in /etc/ssl/certs...
140 added, 0 removed; done.
Setting up libgprofng0:amd64 (2.40-2) ...
Setting up libnetfilter-conntrack3:amd64 (1.0.9-3) ...
Setting up binutils-x86-64-linux-gnu (2.40-2) ...
Setting up iptables (1.8.9-2) ...
update-alternatives: using /usr/sbin/iptables-legacy to provide /usr/sbin/iptables (iptables) in auto mode
update-alternatives: using /usr/sbin/ip6tables-legacy to provide /usr/sbin/ip6tables (ip6tables) in auto mode
update-alternatives: using /usr/sbin/iptables-nft to provide /usr/sbin/iptables (iptables) in auto mode
update-alternatives: using /usr/sbin/ip6tables-nft to provide /usr/sbin/ip6tables (ip6tables) in auto mode
update-alternatives: using /usr/sbin/arptables-nft to provide /usr/sbin/arptables (arptables) in auto mode
update-alternatives: using /usr/sbin/ebtables-nft to provide /usr/sbin/ebtables (ebtables) in auto mode
Setting up libpython3.11-stdlib:amd64 (3.11.2-6) ...
Setting up libcurl3-gnutls:amd64 (7.88.1-10+deb12u5) ...
Setting up docker.io (20.10.24+dfsg1-1+b3) ...
Adding group `docker' (GID 107) ...
Done.
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /lib/systemd/system/docker.service.
Created symlink /etc/systemd/system/sockets.target.wants/docker.socket → /lib/systemd/system/docker.socket.
Setting up binutils (2.40-2) ...
Setting up git (1:2.39.2-1.1) ...
Setting up libpython3-stdlib:amd64 (3.11.2-1+b1) ...
Setting up python3.11 (3.11.2-6) ...
Setting up needrestart (3.6-4+deb12u1) ...
Setting up python3 (3.11.2-1+b1) ...
running python rtupdate hooks for python3.11...
running python post-rtupdate hooks for python3.11...
Setting up python3-protobuf (3.21.12-3) ...
Setting up criu (3.17.1-2) ...
Processing triggers for systemd (252.22-1~deb12u1) ...
Processing triggers for libc-bin (2.36-9+deb12u4) ...
Processing triggers for ca-certificates (20230311) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@docker:~# sed -i s/lxd/incus/g /lib/apparmor/rc.apparmor.functions
root@docker:~# reboot
root@docker:~# 
stgraber@dakara:~$ incus exec docker bash
root@docker:~# apparmor_status 
apparmor module is loaded.
8 profiles are loaded.
8 profiles are in enforce mode.
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /{,usr/}sbin/dhclient
   docker-default
   lsb_release
   nvidia_modprobe
   nvidia_modprobe//kmod
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
root@docker:~# docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
c1ec31eb5944: Pull complete 
Digest: sha256:53641cd209a4fecfc68e21a99871ce8c6920b2e7502df0a20671c6fccc73a7c6
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

root@docker:~# 

Hum, that's strange.

root@debian:~# incus config get elk security.nesting
true
root@debian:~# incus config get elk security.syscalls.intercept.mknod
true
root@debian:~# incus config get elk security.syscalls.intercept.setxattr
true
root@debian:~# incus start elk
root@debian:~# incus shell elk
root@elk:~# grep incus /lib/apparmor/rc.apparmor.functions 
	# LXD and LXC set up AppArmor namespaces starting with "incus-" and
	if [ "${ns_name#incus-*}" = "$ns_name" ] && \
root@elk:~# apparmor_status 
apparmor module is loaded.
You do not have enough privilege to read the profile set.
root@elk:~# 

Not enough privilege to read the profile set :thinking:

Ok, I ran the exact same commands as you did and that worked.
Guess I must have done something else wrong.

Thank you for your time and support!

Could it be that your host system doesn’t have AppArmor enabled?

Well, it worked when I set up my container the exact same way that you did.

I think I installed Docker in another way, and maybe that way didn’t install all AppArmor dependencies as needed.
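The `sed -i s/lxd/incus/g /lib/apparmor/rc.apparmor.functions` step from the session above changes which AppArmor namespace prefix the init script accepts. The following is an added example, not part of any post in this thread, that extracts the accepted prefixes from a functions file and checks a namespace name against them. The `lxc-` line, the sample namespace name and the `.ns_name` path under securityfs are assumptions, and the script models only the prefix test, not the rest of the init script.

```shell
#!/bin/sh
# Added example (not from the thread): models only the namespace-prefix test
# that the sed command in the thread rewrites in rc.apparmor.functions.

# Print the prefixes a functions file tests for, one per line, taken from
# expansions of the form ${ns_name#incus-*}.
ns_prefixes() {
    sed -n 's/.*\${ns_name#\([A-Za-z0-9_]*-\)\*}.*/\1/p' "$1"
}

# Succeed if namespace name $2 starts with a prefix that file $1 accepts.
ns_recognized() {
    for prefix in $(ns_prefixes "$1"); do
        case "$2" in
            "$prefix"*) return 0 ;;
        esac
    done
    return 1
}

# Report for a container; arguments default to the real paths (the .ns_name
# location is an assumption about the securityfs layout).
check_container() {
    funcs=${1:-/lib/apparmor/rc.apparmor.functions}
    ns_file=${2:-/sys/kernel/security/apparmor/.ns_name}
    [ -r "$ns_file" ] || { echo "no-namespace"; return 0; }
    read -r ns < "$ns_file" || true
    if ns_recognized "$funcs" "$ns"; then
        echo "recognized"
    else
        echo "unrecognized"
    fi
}

# Constructed sample: the thread's test line with the sed reversed, an assumed
# lxc- companion line, and a constructed Incus namespace name.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '    if [ "${ns_name#lxd-*}" = "$ns_name" ] && \' \
                  '       [ "${ns_name#lxc-*}" = "$ns_name" ]; then' > "$d/before"
    sed 's/lxd/incus/g' "$d/before" > "$d/after"
    printf '%s\n' 'incus-docker_<var-lib-incus>' > "$d/ns_name"
    echo "before: $(check_container "$d/before" "$d/ns_name")"
    echo "after:  $(check_container "$d/after" "$d/ns_name")"
    rm -rf "$d"
}
demo
```

Inside a container, `check_container` with no arguments reads the real files; `unrecognized` means the init script's prefix test does not match the namespace name the container was given.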