DietPi-Software | Docker: Service fails to start after upgrade (AppArmor)

[samjw-nz]

ADMIN EDIT

Workaround

apt install apparmor
systemctl disable --now apparmor
systemctl restart docker

---

Creating a bug report/issue

Required Information

• DietPi version | 8.13.2
• Distro version | Bullseye
• Kernel version | Linux Sam-Pi 5.15.89-sunxi #22.11.4 SMP Mon Jan 23 21:58:30 UTC 2023 armv7l GNU/Linux
• SBC model | ZeroPi (FriendlyArm/FriendlyElec)
• Power supply used | 5V 2A supply
• SD card used | Samsung Evo Plus microSD

Additional Information (if applicable)

• Software title | Portainer
• Was the software title installed freshly or updated/migrated? | Both. Fresh install after failing to update.
• Can this issue be replicated on a fresh installation of DietPi? | Unsure, have not tried yet. This install has been going for a couple years.
• Bug report ID | 484d3e4a-4e4c-44bd-b2c4-756bdd3c6779

Steps to reproduce

1. Install Docker from dietpi-software (optional)
2. Install Portainer from dietpi-software (with or without first installing Docker, as it's installed if not already present)
3. Allow Portainer image to pull and then fail by itself.

Expected behaviour

• Portainer properly install & accessible from web interface.

Actual behaviour

• Failing to install Portainer witherror message "Error response from daemon: AppArmor enabled on system but the docker-default profile could not be loaded"

Extra details

• Have had Portainer installed running only one container (UptimeKuma) with no issue.
• Found sometime after apt update/upgrade to Portainer-CE that Portainer web interface is inaccessible and UptimeKuma container has stopped.
• Attempted to both reinstall and fresh install both Docker and Portainer from dietpi-software.
• If I attempt to retry after the failure interrupts isntall, it will fail again with "docker: Error response from daemon: Conflict. The container name "/portainer" is already in use by {imageID here}"
• I am not familiar with AppArmor, and have not knowingly installed it.

[Joulinar]

will it be possible to remove apparmor?

Yes should be possible afterwards.

[MichaIng]

Great to see a solution merged 👍.

[madmedix]

Me too last night: Rock64 1G fresh install (cb0d547c-e913-47ca-b648-e40893a0b3e9), nothing else installed - I checked on Docker and Portainer. I give the above a go too. Cheers,

[Joulinar]

There is no other way around until Docker Devs fixed it. Until a new Docker version is available, the the above workaround is needed.

[MichaIng]

Docker v23.0.1 has been released, issue solved.

[Joulinar]

@MichaIng not sure if the issue has been fixed fully. There is still an issue for apparmor but with a different error now.

docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: unable to apply apparmor profile: apparmor failed to apply profile: write /proc/self/attr/apparmor/exec: no such file or directory: unknown.

[MichaIng]

Your right...

[MichaIng]

Ah, it has been reverted in containerd now, the only real fix: https://github.com/containerd/containerd/pull/8086 But milestone is containerd 1.7 🤔. ... ah no backported to v1.6 as well: https://github.com/containerd/containerd/pull/8087

Let's hope for a soon containerd release then.

[MichaIng]

containerd v1.6.18 with the fix has been released, but while the error message has changed containers still do not start:

docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: unable to apply apparmor profile: apparmor failed to apply profile: write /proc/self/attr/apparmor/exec: no such file or directory: unknown.

Looks like it will be fully resolved Docker-side with: https://github.com/moby/moby/pull/44982

[MichaIng]

Finally, with the latest docker-ce update from today the issue is solved. I didn't expect this to take so long.

[Joulinar]

related release notes from Docker side https://docs.docker.com/engine/release-notes/23.0/#2302