
docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"apply apparmor profile: apparmor failed to apply profile: write /proc/self/attr/exec: permission denied\"" #1129

Closed
2 of 3 tasks
Icon95 opened this issue Oct 13, 2020 · 7 comments

Comments

@Icon95

Icon95 commented Oct 13, 2020

  • This is a bug report
  • This is a feature request
  • I searched existing issues before opening this one

Expected behavior

docker run should be able to run the container

Actual behavior

Running docker run hello-world gives this error

docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"apply apparmor profile: apparmor failed to apply profile: write /proc/self/attr/exec: permission denied\"": unknown.
ERRO[0000] error waiting for container: context canceled

and the AppArmor message received looks like this:

[65608.775072] audit: type=1400 audit(1602564380.386:31): apparmor="DENIED" operation="change_onexec" profile="/usr/bin/dockerd" pid=19306 comm="runc:[2:INIT]" target="docker-default"

Steps to reproduce the behavior

Download the latest docker binaries from here (docker-binaries) and install them. I followed this: install-daemon-and-client-binaries-on-linux
Create an AppArmor profile that confines the docker daemon.

E.g.

#include <tunables/global>

profile /usr/bin/dockerd flags=(attach_disconnected) {
  capability,
  network,
  mount,
  remount,
  umount,
  pivot_root,
  ptrace,
  signal,
  dbus,
  unix,
  file,
  / r,
  /* rwixklm,
  /** rwixklm,
}

Load the profile
Restart docker daemon
docker run hello-world

Output of docker version:

Client: Docker Engine - Community
 Version:           19.03.13
 API version:       1.40
 Go version:        go1.13.15
 Git commit:        4484c46
 Built:             Wed Sep 16 16:58:04 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.13
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       4484c46
  Built:            Wed Sep 16 17:04:43 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.3.7
  GitCommit:        8fba4e9a7d01810a393d5d25a3621dc101981175
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Output of docker info:

Client:
 Debug Mode: false

Server:
 Containers: 7
  Running: 0
  Paused: 0
  Stopped: 7
 Images: 5
 Server Version: 19.03.13
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8fba4e9a7d01810a393d5d25a3621dc101981175
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 4.9.0-13-amd64
 Operating System: Debian GNU/Linux 9 (stretch)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.57GiB
 ID: MBIE:FOK2:3VZF:COK3:CXGF:DAMV:IKDD:5UPN:M4CJ:3KGV:OYHV:NYJD
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine

WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.)
Physical Debian 9

@cpuguy83
Collaborator

Sorry, this looks like a problem with your custom apparmor profile.
Dockerd needs to be able to confine containers to a default profile that is defined as "docker-default", which your profile is denying.

You can disable the profile that Docker applies, but I doubt that is desirable.

@Icon95
Author

Icon95 commented Oct 14, 2020

Do you know what needs to be added to allow the profile transition?

I tested running the container with apparmor=unconfined but it failed with the same error.

docker run --security-opt apparmor=unconfined hello-world

docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"apply apparmor profile: apparmor failed to apply profile: write /proc/self/attr/exec: permission denied\"": unknown.
[152224.918664] audit: type=1400 audit(1602650997.038:39): apparmor="DENIED" operation="change_onexec" profile="/usr/bin/dockerd" pid=6886 comm="runc:[2:INIT]" target="unconfined"

Then I tested uninstalling the docker binaries and installing using apt.

 $ sudo apt-get update
 $ sudo apt-get install docker-ce docker-ce-cli containerd.io

When I ran docker run hello-world with this it worked even though I used the same AppArmor profile that failed when I installed using the binaries.

Looking at the output from docker version, the only difference seems to be the build times.

Output of docker version:

Client: Docker Engine - Community
 Version:           19.03.13
 API version:       1.40
 Go version:        go1.13.15
 Git commit:        4484c46d9d
 Built:             Wed Sep 16 17:03:03 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.13
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       4484c46d9d
  Built:            Wed Sep 16 17:01:33 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.3.7
  GitCommit:        8fba4e9a7d01810a393d5d25a3621dc101981175
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Output of docker info:

Client:
 Debug Mode: false

Server:
 Containers: 2
  Running: 0
  Paused: 0
  Stopped: 2
 Images: 1
 Server Version: 19.03.13
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8fba4e9a7d01810a393d5d25a3621dc101981175
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 4.9.0-13-amd64
 Operating System: Debian GNU/Linux 9 (stretch)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.57GiB
 ID: NW6M:YUXC:ADRK:RTWF:JNME:CGEM:H7MI:V5O3:24NG:SLJA:GTDM:UUTS
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support
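The two audit records quoted in this thread both show the same thing: the process confined by the `/usr/bin/dockerd` profile (runc's init, acting for dockerd) asks the kernel for a profile transition (`operation="change_onexec"`) and the profile has no rule permitting it, first for the `docker-default` target that cpuguy83 describes and then for `unconfined`. In AppArmor policy, `aa_change_onexec()` is governed by `change_profile` rules in the caller's profile, so the fix is a `change_profile -> <target>,` rule per target. The script below is an added example, not code from this issue or from the moby project: it parses audit lines of the format shown above, keeps only `DENIED` transition records, derives the missing `change_profile` rules per confining profile, and inserts them into a profile text. The function names, the `ALLOWED` sample record and the shortened dockerd profile are constructed for the example.

```python
"""Triage AppArmor profile-transition denials and derive the missing rules.

Added example (not from the issue or from moby/docker). Assumes the
key=value / key="value" audit line format shown in the issue and AppArmor's
`change_profile -> target,` rule syntax; all names here are hypothetical.
"""
import re
from collections import defaultdict

# One key=value token of an AppArmor audit record; the value is either
# double-quoted (may contain spaces/colons) or a bare run of non-spaces.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Operations that mean "the confined process requested a profile transition"
# (aa_change_onexec / aa_change_profile). Both need a change_profile rule.
TRANSITION_OPS = {"change_onexec", "change_profile"}

# Sample records: the two denials quoted in the issue, plus a constructed
# ALLOWED file-open record that the triage must ignore.
SAMPLE_AUDIT = [
    '[65608.775072] audit: type=1400 audit(1602564380.386:31): apparmor="DENIED" '
    'operation="change_onexec" profile="/usr/bin/dockerd" pid=19306 '
    'comm="runc:[2:INIT]" target="docker-default"',
    '[152224.918664] audit: type=1400 audit(1602650997.038:39): apparmor="DENIED" '
    'operation="change_onexec" profile="/usr/bin/dockerd" pid=6886 '
    'comm="runc:[2:INIT]" target="unconfined"',
    # constructed: an allowed open, not a transition denial
    '[152230.000000] audit: type=1400 audit(1602651002.000:40): apparmor="ALLOWED" '
    'operation="open" profile="/usr/bin/dockerd" name="/etc/passwd" pid=6890 '
    'comm="dockerd" requested_mask="r"',
]

# Constructed, shortened version of the profile from the issue: it confines
# dockerd but grants no change_profile rule, which is exactly the defect.
ORIGINAL_PROFILE = """\
#include <tunables/global>

profile /usr/bin/dockerd flags=(attach_disconnected) {
  capability,
  network,
  file,
}
"""


def parse_audit_line(line):
    """Return the key/value fields of one audit record as a dict of strings."""
    fields = {}
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted or bare
    return fields


def missing_transition_rules(lines):
    """Map each confining profile to the sorted change_profile rules it lacks.

    Only DENIED records whose operation is a profile transition count;
    ALLOWED records and other denial types are ignored.
    """
    rules = defaultdict(set)
    for line in lines:
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") not in TRANSITION_OPS:
            continue
        if "profile" in f and "target" in f:
            rules[f["profile"]].add(f"change_profile -> {f['target']},")
    return {profile: sorted(r) for profile, r in rules.items()}


def add_rules_to_profile(profile_text, rules):
    """Insert rules just before the closing brace of a single-block profile."""
    head, sep, _tail = profile_text.rstrip().rpartition("}")
    if not sep:
        raise ValueError("no profile block found")
    body = head.rstrip("\n")
    indented = "\n".join(f"  {rule}" for rule in rules)
    comment = "  # Allow the profile transitions dockerd requests for containers."
    return f"{body}\n\n{comment}\n{indented}\n}}\n"


def main():
    needed = missing_transition_rules(SAMPLE_AUDIT)
    for profile, rules in needed.items():
        print(f"{profile} is missing:")
        for rule in rules:
            print("  " + rule)
    print(add_rules_to_profile(ORIGINAL_PROFILE, needed["/usr/bin/dockerd"]))


if __name__ == "__main__":
    main()
```

Run against the two records from this thread it reports that `/usr/bin/dockerd` lacks `change_profile -> docker-default,` and `change_profile -> unconfined,`; after adding them to the profile file under `/etc/apparmor.d/`, reload it with `apparmor_parser -r <file>` and restart dockerd. Feeding the real `dmesg`/`audit.log` output through the same parser is a quick way to confirm the denials stop.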

@cpuguy83
Collaborator

We have a profile you can apply to dockerd here: https://github.com/moby/moby/blob/master/contrib/apparmor/template.go

@Icon95
Author

Icon95 commented Oct 19, 2020

It worked, thanks

@Icon95 Icon95 closed this as completed Oct 19, 2020
@alenpaulvarghese

alenpaulvarghese commented Feb 6, 2021

We have a profile you can apply to dockerd here: https://github.com/moby/moby/blob/master/contrib/apparmor/template.go

Just copy the string, write it into a file and apply it to AppArmor?

@daddydrac

@Icon95 and @alenpaul2001, what is the path to the file we copy that whole Go file to?

@fabolous005

This would be /etc/apparmor.d/
