6

I am trying to apply the following simple AppArmor profile:

```
#include <tunables/global>

profile docker-profile flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  #network,
  #capability,
  #file,
  #umount,
  #ptrace,
  #mount,
  pivot_root,
}
```

When I run `docker run -it --rm --security-opt apparmor=docker-profile alpine` I get the following error:

```
docker: Error response from daemon: invalid header field value "oci runtime error: container_linux.go:247: starting container process caused \"process_linux.go:359: container init caused \\"apparmor failed to apply profile: no such file or directory\\"\"\n".
```

I tried to reinstall it (based on suggestions here):

```
rm -rf /etc/apparmor*
apt install apparmor --reinstall
service apparmor restart
service docker restart
```

It didn't help; I am still getting the same error.

Any suggestions as to what the reason could be and how to solve it?

E235

2 Answers

15
```
sudo apt-get purge apparmor apparmor-profiles apparmor-utils
sudo apt-get install apparmor-utils apparmor-profiles apparmor-profiles-extra vim-addon-manager
reboot
```
blabdude
SharingIsCaring
  • Welcome to Stack Overflow! While this code may solve the question, [including an explanation](//meta.stackexchange.com/q/114762) of how and why this solves the problem would really help to improve the quality of your post, and probably result in more up-votes. Remember that you are answering the question for readers in the future, not just the person asking now. Please [edit] your answer to add explanations and give an indication of what limitations and assumptions apply. – Yunnosch Jun 11 '21 at 06:14
  • This worked for me on Debian 11 bullseye! Thanks! – Eric Wang Feb 13 '23 at 02:28
  • This worked for me on MxLinux 21 – mzalazar Feb 28 '23 at 23:47
  • I'm running omv6, and something happened when I updated and all the Docker containers refused to load. I don't know what happened but this fixed it. – Martin Watson Mar 01 '23 at 05:06
  • Worked for Debian 11 bullseye!!!!!! – David Bister Mar 03 '23 at 10:04
  • The `vim-addon-manager` is not needed... but it works! – UTF_or_Death Mar 08 '23 at 17:49
  • I was having the same issue on `orange pi+ 2` after installing the docker from `armbian-config` utility. I ran the above commands and things seem to be working for me. – Mian Muhammad Mar 09 '23 at 07:21
2

I needed to register the profile by running `apparmor_parser -r -W docker.profile`.

More information can be found here:
https://docs.docker.com/engine/security/apparmor/

E235
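An added example, not from the question or either answer: a pre-flight check that the profile name passed to `--security-opt apparmor=` is loaded in the kernel, since Docker looks it up by the name declared inside the profile file, not by the file name. The function names are hypothetical, and it assumes securityfs is mounted at `/sys/kernel/security` and that the script runs as root.

```shell
#!/bin/sh
# Added example: verify an AppArmor profile is loaded before handing it to Docker.
# Assumption: the kernel's loaded-profile list is at the usual securityfs path.
AA_PROFILES=${AA_PROFILES:-/sys/kernel/security/apparmor/profiles}

# profile_mode NAME [LIST_FILE]
# Prints the mode (enforce, complain, ...) of a loaded profile.
# Returns 1 if NAME is not loaded, 2 if the list cannot be read.
profile_mode() {
    pm_want=$1
    pm_list=${2:-$AA_PROFILES}
    [ -r "$pm_list" ] || return 2          # not root, or AppArmor disabled
    while IFS= read -r pm_line; do
        # Each line looks like: "docker-default (enforce)"
        if [ "${pm_line%" ("*}" = "$pm_want" ]; then
            pm_mode=${pm_line##*" ("}
            printf '%s\n' "${pm_mode%")"}"
            return 0
        fi
    done < "$pm_list"
    return 1
}

# declared_profile_name FILE
# Prints the name from the first "profile NAME ..." line of a profile source file.
declared_profile_name() {
    sed -n 's/^[[:space:]]*profile[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$1" |
        head -n 1
}

# ensure_loaded FILE
# Loads FILE with apparmor_parser if its declared profile is not in the kernel yet,
# then prints the resulting mode. Non-zero exit means the profile is still missing.
ensure_loaded() {
    el_name=$(declared_profile_name "$1")
    [ -n "$el_name" ] || { echo "no profile declaration in $1" >&2; return 1; }
    if ! profile_mode "$el_name" >/dev/null; then
        apparmor_parser -r -W "$1" || return 1   # same command as in the answer above
    fi
    profile_mode "$el_name"
}
```

Running `ensure_loaded docker.profile` before `docker run` turns the "no such file or directory" failure into an explicit check against the kernel's profile list.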