moby: docker: Error response from daemon: oci runtime error: apparmor failed to apply profile: no such file or directory.
Trying to use Docker inside an LXC container. Host OS: Ubuntu 16.04 Guest OS: Ubuntu 16.04 (LXC)
I’m using Vagrant to manage the creation of the machine (box: https://vagrantcloud.com/techtown/boxes/ubuntu-16.04-lxc)
Output of docker version:
Client:
Version: 1.12.0
API version: 1.24
Go version: go1.6.3
Git commit: 8eab29e
Built: Thu Jul 28 22:11:10 2016
OS/Arch: linux/amd64
Server:
Version: 1.12.0
API version: 1.24
Go version: go1.6.3
Git commit: 8eab29e
Built: Thu Jul 28 22:11:10 2016
OS/Arch: linux/amd64
Output of docker info:
Containers: 10
Running: 0
Paused: 0
Stopped: 10
Images: 2
Server Version: 1.12.0
Storage Driver: vfs
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: host bridge overlay null
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor seccomp
Kernel Version: 4.4.0-31-generic
Operating System: Ubuntu 16.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.859 GiB
Name: vagrant-base-xenial-amd64
ID: SUDX:2KO3:3MTH:U4JW:GVCO:LIFS:33KF:3XUI:SFLI:JWXN:HDBZ:GOA4
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Insecure Registries:
127.0.0.0/8
Additional environment details (AWS, VirtualBox, physical, etc.): Running on Vagrant Ubuntu 16.04 LXC container (techtown/ubuntu-16.04-lxc)
Steps to reproduce the issue:
docker run hello-world
Describe the results you received:
docker: Error response from daemon: oci runtime error: apparmor failed to apply profile: no such file or directory.
Describe the results you expected:
Hello World
Additional information you deem important (e.g. issue happens only occasionally): AppArmor service status:
● apparmor.service - LSB: AppArmor initialization
Loaded: loaded (/etc/init.d/apparmor; bad; vendor preset: enabled)
Active: active (exited) since Mon 2016-08-08 12:16:59 UTC; 9min ago
Docs: man:systemd-sysv-generator(8)
AppArmor verbose status:
apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
/usr/bin/lxc-start
lxc-container-default
lxc-container-default-cgns
lxc-container-default-with-mounting
lxc-container-default-with-nesting
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
About this issue
- Original URL
- State: closed
- Created 8 years ago
- Comments: 16 (3 by maintainers)
sudo service docker restarthelped us
sudo apt-get install apparmorfollowed bysudo service docker restarthelped meSimilar to @ragingnerd , I solve this by following commands:
@bradcondo @bartmeuris there was a second issue with reloading the profiles, when using
docker exec; this issue is resolved through https://github.com/docker/docker/pull/31773, and will be in the upcoming docker 17.03.1 patch release (which should go out hopefully later this week)docker run --security-opt apparmor=lxc-container-default hello-worldsome problem -docker: Error response from daemon: oci runtime error: apparmor failed to apply profile: no such file or directory.Just an update that I managed to get the hello-world container to actually run. I needed to specify the apparmor profile explicitly.
@tomlankhorst could you try this command to see if it works for you?
All I can assume, based on the docs that I’ve been reading, is that the default profile that the client is looking for is
docker-default, which then results in theno such file or directorymessage.If this is then a valid “fix” is there a way to specify what the default apparmor profile should then be for docker?