Apparmor gets in the way of docker publish

[phish108]

When running docker nested in a lxc system container, then with the latest packages network configuration is blocked. While the containers can communicate across different systems (on the same host), the network access is entirely blocked. The port will open, but the request never reaches the endpoint within a docker container.

It seems that docker's apparmor profiles get in the way of accessing the network. This appears to be similar to the effect that systems on different hosts could connect but not exchange data after upgrading docker last year.

[phish108]

Ubuntu's microk8s profile is almost the same as the profile we use, but sets additional apparmor flags.

This profile comes from the microk8s lxd guide. However, the guide focuses on single node clusters.

[phish108]

reading list

https://docs.docker.com/engine/security/apparmor/

https://unix.stackexchange.com/questions/127606/apparmor-profiles-in-docker-lxc?rq=1

https://dockerlabs.collabnix.com/advanced/security/apparmor/

https://www.padok.fr/en/blog/security-docker-apparmor

https://ubuntu.com/server/docs/security-apparmor

https://unix.stackexchange.com/questions/135115/apparmor-profile-deny-internet-access

https://forum.snapcraft.io/t/snapd-apparmor-profiles-not-being-applied-in-lxd-containers-with-lxc-apparmor-profile-unconfined-when-host-is-rebooted/5818/9

My old answer is incomplete after a few upgrades

https://discuss.linuxcontainers.org/t/current-status-of-docker-swarm-in-lxd-we-cant-get-it-to-work/13901

[phish108]

OK, it seems that the services are exposed on the server on which they are running.

[phish108]

The problem was two fold:

1. The hosts did not run on the correct IPs.
2. The apparmor settings were incorrect.

Fixed again

[phish108]

Things to do

• test if the new profile spec solves the problem of clustering across hosts.
• find a way to avoid the unconfined profile
• understand the interplay of the configuration options