Docker fails with permission denied inside containers

I am having the same issue and spent a long time tracing it down to what seems to be AppArmor.

Different images I tried:

Ubuntu

$ docker run -it ubuntu /bin/bash
bash: /root/.bashrc: Permission denied
root@60bb6a5cca3f:/# 

Journal:

May 21 19:44:37 Yoga-C940 audit[7988]: AVC apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/root/.bashrc" pid=7988 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:44:37 Yoga-C940 kernel: audit: type=1400 audit(1590083077.908:171): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/root/.bashrc" pid=7988 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

nginx

$ docker run -it nginx
2020/05/21 17:42:36 [emerg] 1#1: open() "/etc/nginx/nginx.conf" failed (13: Permission denied)
nginx: [emerg] open() "/etc/nginx/nginx.conf" failed (13: Permission denied)

Journal:

May 21 19:43:20 Yoga-C940 audit[7860]: AVC apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/etc/nginx/nginx.conf" pid=7860 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:43:20 Yoga-C940 kernel: audit: type=1400 audit(1590083000.646:170): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/etc/nginx/nginx.conf" pid=7860 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Apache / httpd

$ docker run -it httpd
/bin/sh: 0: Can't open /usr/local/bin/httpd-foreground

Journal:

May 21 19:46:09 Yoga-C940 audit[8143]: AVC apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/usr/local/bin/httpd-foreground" pid=8143 comm="httpd-foregroun" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:46:09 Yoga-C940 kernel: audit: type=1400 audit(1590083169.799:172): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/usr/local/bin/httpd-foreground" pid=8143 comm="httpd-foregroun" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Using --cap-add=SYS_PTRACE and --security-opt=apparmor:unconfined, as mentioned here, doesn’t seem to fix anything.

Snap version:

snap    2.44.3+20.04
snapd   2.44.3+20.04
series  16
ubuntu  20.04
kernel  5.4.0-31-generic

Docker version:

Client:
 Version:           18.09.9
 API version:       1.39
 Go version:        go1.13.4
 Git commit:        1752eb3
 Built:             Sat Nov 16 01:05:26 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.09.9
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.13.4
  Git commit:       9552f2b
  Built:            Sat Nov 16 01:07:48 2019
  OS/Arch:          linux/amd64
  Experimental:     false

Can confirm that booting up in kernel 5.4.0-29-generic does not cause the above issue.
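
A small triage script for journal output like the lines quoted above, as an added example that is not part of the original post: it parses the AppArmor audit fields, collapses the duplicate audit[pid] / kernel lines, and groups denials by the profile that issued them. The sample input is constructed (modelled on the post's lines, with the hostname replaced and an ALLOWED line and a non-audit line added), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the journal lines quoted in the post.
SAMPLE_JOURNAL = """\
May 21 19:44:37 host audit[7988]: AVC apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/root/.bashrc" pid=7988 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:44:37 host kernel: audit: type=1400 audit(1590083077.908:171): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/root/.bashrc" pid=7988 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:43:20 host audit[7860]: AVC apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/etc/nginx/nginx.conf" pid=7860 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:50:00 host audit[9001]: AVC apparmor="ALLOWED" operation="open" profile="docker-default" name="/etc/hosts" pid=9001 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:51:00 host systemd[1]: Started Session 4 of user demo.
"""

# Audit fields are key="quoted value" or key=bare_value.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the key/value fields of an AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {k: (quoted if quoted else bare) for k, quoted, bare in FIELD_RE.findall(line)}


def summarize_denials(journal_text):
    """Map each denying profile to a sorted list of (comm, path, denied_mask)."""
    seen = set()
    by_profile = defaultdict(set)
    for line in journal_text.splitlines():
        fields = parse_avc(line)
        if not fields or fields.get("apparmor") != "DENIED":
            continue
        # The same event is logged twice (audit[pid] and kernel: audit:), so
        # deduplicate on syslog timestamp + pid + operation + path.
        key = (line[:15], fields.get("pid"), fields.get("operation"), fields.get("name"))
        if key in seen:
            continue
        seen.add(key)
        by_profile[fields.get("profile")].add(
            (fields.get("comm"), fields.get("name"), fields.get("denied_mask"))
        )
    return {profile: sorted(events) for profile, events in by_profile.items()}


if __name__ == "__main__":
    for profile, events in summarize_denials(SAMPLE_JOURNAL).items():
        print(f"profile={profile}")
        for comm, path, mask in events:
            print(f"  comm={comm} path={path} denied={mask}")
```

Grouping by `profile` makes it obvious when processes such as `bash` or `nginx` are being evaluated under the daemon's `snap.docker.dockerd` profile, as in the journal lines above.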