Wine socket permission issues in docker with box64

Greelan · September 2, 2025, 12:52am

Having trouble resolving an issue running Wine with box64 inside a docker container, nested within an Incus container, on an ARM64 system.

This started as an issue maybe six months ago. It only occurs on ARM64 systems - I can run Wine inside a docker container, nested within an Incus container, on an AMD64 system just fine (obviously no box64 involved there).

It seems potentially related to file system issues connected with how /tmp is handled in the docker container. This is where the Wine socket is created by default.

Variously when trying to run an application in Wine in the docker container, I get:

wine: chdir to /tmp/.wine-1000/server-58-1367300000000 : No such file or directory

(the actual directory that exists is `/tmp/.wine-1000/server-58-13673`- a truncated version of what Wine is trying to access)

OR

sock_init: ERROR in sock_check_pollhup()`
`wineserver: socket: Permission denied

Potentially the /tmp directory and socket issues could be caused by AppArmor policies. I see a bunch of “denied” in dmesg like:

[9495658.487230] audit: type=1400 audit(1756715883.257:5062): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408907 comm="wineserver" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none

However, disabling AppArmor on the docker container (by using docker run --security-opt apparmor=unconfined), and trying other ways to override the default AppArmor policies, don’t resolve the issue.

The Incus container has the normal settings to allow for nested containers:

security.nesting: "true"
security.syscalls.intercept.mknod: "true"
security.syscalls.intercept.setxattr: "true"

Would really appreciate any ideas. As mentioned, this only surfaced as an issue within the last six months or so. Previously this setup worked fine.

Currently running Incus 6.12.

Greelan · September 2, 2025, 6:23am

More information:

incus config show --expanded amp2x64
architecture: aarch64
config:
  boot.autostart: "true"
  image.architecture: arm64
  image.description: Debian bookworm arm64 (20241112_05:24)
  image.os: Debian
  image.release: bookworm
  image.serial: "20241112_05:24"
  image.type: squashfs
  image.variant: default
  security.idmap.isolated: "true"
  security.nesting: "true"
  security.protection.delete: "true"
  security.syscalls.intercept.mknod: "true"
  security.syscalls.intercept.setxattr: "true"
  volatile.base_image: 05ec69532cd02d58b7c8a177340cc620bb80a7f3d734713e82a5cb9711420085
  volatile.cloud-init.instance-id: ee537ab9-abbb-4575-8724-efdd80da2250
  volatile.eth0.host_name: veth608001c8
  volatile.eth0.hwaddr: 00:16:3e:96:d9:f8
  volatile.idmap.base: "458752"
  volatile.idmap.current: '\[{"Isuid":true,"Isgid":false,"Hostid":458752,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":458752,"Nsid":0,"Maprange":65536}\]'
  volatile.idmap.next: '\[{"Isuid":true,"Isgid":false,"Hostid":458752,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":458752,"Nsid":0,"Maprange":65536}\]'
  volatile.last_state.idmap: '\[\]'
  volatile.last_state.power: RUNNING
  volatile.uuid: 096cd194-015a-4e2e-b3cd-e4c3422c2ccf
  volatile.uuid.generation: 096cd194-015a-4e2e-b3cd-e4c3422c2ccf
devices:
  eth0:
    name: eth0
    network: incusbr0
    security.mac_filtering: "true"
    type: nic
  root:
    path: /
    pool: incus
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""

incus storage list
+-------+--------+-------------+---------+---------+
| NAME  | DRIVER | DESCRIPTION | USED BY |  STATE  |
+-------+--------+-------------+---------+---------+
| incus | zfs    |             | 7       | CREATED |
+-------+--------+-------------+---------+---------+

journalctl -o short-precise -k --since "2 days ago"
...
Sep 01 18:37:28.685344 cloudvm kernel: overlayfs: fs on '/var/lib/docker/overlay2/l/XEQSMHRI2XNOQLIAQQZUXFBTVD' does not support file handles, falling back to xino=off.
Sep 01 18:37:28.695278 cloudvm kernel: overlayfs: fs on '/var/lib/docker/overlay2/l/N677GQG6KV4ZNIPFRA3DHBT7LB' does not support file handles, falling back to xino=off.
Sep 01 18:37:31.757906 cloudvm kernel: overlayfs: fs on '/var/lib/docker/overlay2/l/N677GQG6KV4ZNIPFRA3DHBT7LB' does not support file handles, falling back to xino=off.
Sep 01 18:37:31.877779 cloudvm kernel: kauditd_printk_skb: 56 callbacks suppressed
Sep 01 18:37:31.877887 cloudvm kernel: audit: type=1400 audit(1756715851.875:4938): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408585 comm="ampstart.sh" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:31.877918 cloudvm kernel: audit: type=1400 audit(1756715851.875:4939): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408585 comm="ampstart.sh" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:31.897262 cloudvm kernel: audit: type=1400 audit(1756715851.895:4940): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408598 comm="getent" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:31.897360 cloudvm kernel: audit: type=1400 audit(1756715851.895:4941): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408598 comm="getent" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:31.898325 cloudvm kernel: audit: type=1400 audit(1756715851.896:4942): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408599 comm="getent" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:31.898401 cloudvm kernel: audit: type=1400 audit(1756715851.896:4943): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408599 comm="getent" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:31.900401 cloudvm kernel: audit: type=1400 audit(1756715851.898:4944): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408600 comm="groupadd" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:31.900477 cloudvm kernel: audit: type=1400 audit(1756715851.898:4945): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408600 comm="groupadd" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:32.102272 cloudvm kernel: audit: type=1400 audit(1756715852.100:4946): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408600 comm="groupadd" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:32.153372 cloudvm kernel: audit: type=1400 audit(1756715852.151:4947): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408600 comm="groupadd" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:37.848358 cloudvm kernel: kauditd_printk_skb: 80 callbacks suppressed
Sep 01 18:37:37.848485 cloudvm kernel: audit: type=1400 audit(1756715857.846:5028): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408745 comm="socat" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:37.848521 cloudvm kernel: audit: type=1400 audit(1756715857.846:5029): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408745 comm="socat" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:37.848539 cloudvm kernel: audit: type=1400 audit(1756715857.846:5030): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408747 comm="socat" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:41.156279 cloudvm kernel: audit: type=1400 audit(1756715861.154:5031): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408753 comm="CHTTPClientThre" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:41.156392 cloudvm kernel: audit: type=1400 audit(1756715861.154:5032): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408753 comm="CHTTPClientThre" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:49.944295 cloudvm kernel: audit: type=1400 audit(1756715869.942:5033): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408794 comm="socat" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:49.944421 cloudvm kernel: audit: type=1400 audit(1756715869.943:5034): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408794 comm="socat" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:49.945263 cloudvm kernel: audit: type=1400 audit(1756715869.943:5035): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408795 comm="socat" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:53.256308 cloudvm kernel: audit: type=1400 audit(1756715873.253:5036): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408800 comm="CHTTPClientThre" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:53.256426 cloudvm kernel: audit: type=1400 audit(1756715873.253:5037): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408800 comm="CHTTPClientThre" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:53.778334 cloudvm kernel: audit: type=1400 audit(1756715873.776:5038): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408585 comm=2E4E455420545020576F726B6572 family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:53.778445 cloudvm kernel: audit: type=1400 audit(1756715873.776:5039): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408585 comm=2E4E455420545020576F726B6572 family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:53.778464 cloudvm kernel: audit: type=1400 audit(1756715873.776:5040): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408585 comm=2E4E455420545020576F726B6572 family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:53.778484 cloudvm kernel: audit: type=1400 audit(1756715873.776:5041): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408585 comm=2E4E455420545020576F726B6572 family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:37:53.778500 cloudvm kernel: audit: type=1400 audit(1756715873.776:5042): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408585 comm=2E4E455420545020576F726B6572 family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:38:03.259268 cloudvm kernel: kauditd_printk_skb: 19 callbacks suppressed
Sep 01 18:38:03.259406 cloudvm kernel: audit: type=1400 audit(1756715883.257:5062): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408907 comm="wineserver" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Sep 01 18:38:03.262275 cloudvm kernel: audit: type=1400 audit(1756715883.260:5063): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3408908 comm="wineserver" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Sep 02 11:43:05.044279 cloudvm kernel: audit: type=1400 audit(1756777385.042:5064): apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 namespace="root//incus-amp2x64_<var-lib-incus>" profile="docker-default" pid=3575252 comm="bash" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
...

Greelan · September 2, 2025, 7:30am

I’ve since updated Incus to 6.16 (I hadn’t noticed that the zabbly repo key had expired … oops) and also docker in the container, no change.