Docker containers not working on Debian 10 because default-profile is not loaded

Imported from here: https://github.com/ONLYOFFICE/Docker-DocumentServer/issues/204

The issue was found while testing the OnlyOffice DocumentServer installation on a default Debian 10 installation with snap and docker (from snap) installed after it.

An OnlyOffice worker confirmed the issue on another default Debian 10 installation using the netinstall, with both the OnlyOffice DocumentServer and the “hello-world” docker image, when trying to run it.

The output provided after trying to run it in both cases is related to the dedicated AppArmor docker-default profile:

```text
docker: Error response from daemon: AppArmor enabled on system but the docker-default profile could not be loaded: running /sbin/apparmor_parser apparmor_parser --version failed with output: Failed to load features from '/usr/share/apparmor-features/features': No such file or directory

error: exit status 1.
```

From my ignorance, I also provided the output that “/sbin/apparmor_parser apparmor_parser --version” throws, confirming that there were no issues running it and that the “/usr/share/apparmor-features/features” file existed and was readable by every user.


@tianon any thoughts?

Seems odd – as far as I understand, the Docker daemon itself embeds this docker-default profile which it then loads during the start of the daemon, and unless the Snappy profile blocked us, that should’ve worked (because all the required utilities for doing that should’ve been part of the snap or the OS, IIRC).

I wonder if there’s anything useful in the denials logs for the affected host that might give clues? If the issue is reproducible, it might be useful to set up a clean new host to ensure we get just the set of denials that show up after the initial install of the Docker snap?

As mentioned in the github thread, the issue is reproducible.

About the logs, if you are speaking about the default output, I listed it in the github thread (and in this one of course).

Sorry, I meant the apparmor denial logs – on my system, they show up in dmesg with apparmor="DENIED" in the string, as in:

```text
[4249253.115629] audit: type=1400 audit(1573865452.288:3562): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/run/systemd/sessions/1269" pid=5312 comm="ps" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```

(as an example)

I see no lines about docker in the apparmor logs:

```text
dmesg | grep apparmor
[    8.768437] audit: type=1400 audit(1579606791.316:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-xpdfimport" pid=310 comm="apparmor_parser"
[    8.797814] audit: type=1400 audit(1579606791.348:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe" pid=311 comm="apparmor_parser"
[    8.797820] audit: type=1400 audit(1579606791.348:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe//kmod" pid=311 comm="apparmor_parser"
[    9.062710] audit: type=1400 audit(1579606791.612:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-soffice" pid=312 comm="apparmor_parser"
[    9.062712] audit: type=1400 audit(1579606791.612:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-soffice//gpg" pid=312 comm="apparmor_parser"
[    9.256662] audit: type=1400 audit(1579606791.800:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/evince" pid=330 comm="apparmor_parser"
[    9.256664] audit: type=1400 audit(1579606791.800:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/evince//sanitized_helper" pid=330 comm="apparmor_parser"
[    9.256671] audit: type=1400 audit(1579606791.800:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/evince-previewer" pid=330 comm="apparmor_parser"
[    9.256672] audit: type=1400 audit(1579606791.800:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/evince-previewer//sanitized_helper" pid=330 comm="apparmor_parser"
[    9.256672] audit: type=1400 audit(1579606791.800:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/evince-thumbnailer" pid=330 comm="apparmor_parser"
```
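The triage tianon describes above (grep dmesg for `apparmor="DENIED"` lines and see which profile blocked what) gets tedious on a busy host, where STATUS lines from every other package drown out the few denials that matter. The script below is an added example and not part of this thread, the Docker snap, or AppArmor itself: it parses the audit-format lines exactly as they appear in the two posts above into key/value events, keeps only denials for a chosen profile prefix (for example `snap.docker`, the profile name seen in tianon's sample line), collapses them to distinct (profile, operation, path, mask) tuples, and separately lists which profiles the log shows being loaded, so one can confirm whether `docker-default` ever appeared. The sample input is constructed: the first three lines are copied from the posts above, the fourth is a hypothetical denial made up to show what a block on `apparmor_parser` would look like if one were present; the thread itself does not show one.

```python
import re
import sys
from collections import Counter

# Constructed sample input. Lines 1-3 are copied from the posts in this thread;
# line 4 is HYPOTHETICAL, made up only to show the shape of an exec denial.
SAMPLE_DMESG = """\
[    8.768437] audit: type=1400 audit(1579606791.316:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-xpdfimport" pid=310 comm="apparmor_parser"
[    9.256662] audit: type=1400 audit(1579606791.800:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/evince" pid=330 comm="apparmor_parser"
[4249253.115629] audit: type=1400 audit(1573865452.288:3562): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/run/systemd/sessions/1269" pid=5312 comm="ps" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[4249253.200000] audit: type=1400 audit(1573865452.300:3563): apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/sbin/apparmor_parser" pid=5320 comm="dockerd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
"""

# "audit(<epoch>.<ms>:<serial>): <key=value fields...>" as printed by the kernel.
AUDIT_RE = re.compile(r'audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<fields>.*)$')
# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return a dict of the fields of one AppArmor audit line, or None if the line
    is not an AppArmor event (plain kernel messages, other audit types, etc.)."""
    if 'apparmor=' not in line:
        return None
    m = AUDIT_RE.search(line)
    if not m:
        return None
    event = {}
    for fm in FIELD_RE.finditer(m.group('fields')):
        key, quoted, bare = fm.group(1), fm.group(2), fm.group(3)
        event[key] = quoted if quoted is not None else bare
    event['epoch'] = float(m.group('epoch'))
    event['serial'] = int(m.group('serial'))
    return event


def find_denials(text, profile_prefix=None):
    """Return the DENIED events in dmesg-style text, optionally only those whose
    confining profile starts with profile_prefix (e.g. "snap.docker")."""
    denials = []
    for line in text.splitlines():
        ev = parse_apparmor_line(line)
        if ev is None or ev.get('apparmor') != 'DENIED':
            continue
        if profile_prefix and not ev.get('profile', '').startswith(profile_prefix):
            continue
        denials.append(ev)
    return denials


def summarize_denials(events):
    """Collapse denials to how often each (profile, operation, path, denied_mask)
    occurred, so a long log reduces to the distinct things confinement blocked."""
    return Counter((e.get('profile'), e.get('operation'), e.get('name'), e.get('denied_mask'))
                   for e in events)


def loaded_profiles(text):
    """Return the set of profile names the log shows being loaded; checking for
    "docker-default" here answers whether the daemon ever got its profile in."""
    names = set()
    for line in text.splitlines():
        ev = parse_apparmor_line(line)
        if ev and ev.get('apparmor') == 'STATUS' and ev.get('operation') == 'profile_load':
            names.add(ev.get('name'))
    return names


if __name__ == '__main__':
    # Usage: dmesg | python3 apparmor_denials.py   (falls back to the sample when run alone)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    for (profile, op, path, mask), n in sorted(summarize_denials(find_denials(text, 'snap.docker')).items()):
        print(f'{n:4d}x  {profile}  {op}  {path}  denied_mask={mask}')
    print('docker-default loaded:', 'docker-default' in loaded_profiles(text))
```

On a live host, pipe `dmesg` (or `journalctl -k`) into it; an empty denial list together with `docker-default loaded: False` is the situation reported in this thread, and points away from snap confinement and towards the parser's feature-file lookup itself.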