Cannot install docker on fresh Ubuntu 17 Server, docker is missing permissions to operate in /var/lib/docker

I followed this guide to install docker on a new Ubuntu 17 server. However, I cannot get docker to run.

Installing docker via sudo apt-get install docker-ce yields:

...
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /lib/systemd/system/docker.service.
Created symlink /etc/systemd/system/sockets.target.wants/docker.socket → /lib/systemd/system/docker.socket.
Job for docker.service failed because the control process exited with error code.
See "systemctl status docker.service" and "journalctl -xe" for details.
invoke-rc.d: initscript docker, action "start" failed.
● docker.service - Docker Application Container Engine
   Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Mon 2017-10-16 08:57:52 UTC; 8ms ago
     Docs: https://docs.docker.com
  Process: 7325 ExecStart=/usr/bin/dockerd -H fd:// (code=exited, status=1/FAILURE)
 Main PID: 7325 (code=exited, status=1/FAILURE)
      CPU: 49ms

Checking sudo journalctl -u docker gives:

Oct 16 08:57:51 vm1 systemd[1]: docker.service: Failed to reset devices.list: Operation not permitted
Oct 16 08:57:51 vm1 systemd[1]: Starting Docker Application Container Engine...
Oct 16 08:57:51 vm1 dockerd[7325]: time="2017-10-16T08:57:51.743612657Z" level=info msg="libcontainerd: new containerd process, pid: 7335"
Oct 16 08:57:52 vm1 dockerd[7325]: time="2017-10-16T08:57:52.816490740Z" level=warning msg="failed to rename /var/lib/docker/tmp for background deletion: rename /var/lib/docker/tmp /var/lib/docker/tmp-old
Oct 16 08:57:52 vm1 dockerd[7325]: time="2017-10-16T08:57:52.816839404Z" level=error msg="Could not check if docker-default AppArmor profile was loaded: open /sys/kernel/security/apparmor/profiles: permis
Oct 16 08:57:52 vm1 dockerd[7325]: Error starting daemon: couldn't create plugin manager: error setting plugin manager root to private: permission denied
Oct 16 08:57:52 vm1 systemd[1]: docker.service: Main process exited, code=exited, status=1/FAILURE
Oct 16 08:57:52 vm1 systemd[1]: Failed to start Docker Application Container Engine.
Oct 16 08:57:52 vm1 systemd[1]: docker.service: Unit entered failed state.
Oct 16 08:57:52 vm1 systemd[1]: docker.service: Failed with result 'exit-code'.
Oct 16 08:57:53 vm1 systemd[1]: docker.service: Service hold-off time over, scheduling restart.
Oct 16 08:57:53 vm1 systemd[1]: Stopped Docker Application Container Engine.
Oct 16 08:57:53 vm1 systemd[1]: docker.service: Failed to reset devices.list: Operation not permitted
Oct 16 08:57:53 vm1 systemd[1]: Starting Docker Application Container Engine...
Oct 16 08:57:53 vm1 dockerd[7369]: time="2017-10-16T08:57:53.224145403Z" level=info msg="libcontainerd: new containerd process, pid: 7390"
Oct 16 08:57:54 vm1 dockerd[7369]: time="2017-10-16T08:57:54.241186206Z" level=error msg="Could not check if docker-default AppArmor profile was loaded: open /sys/kernel/security/apparmor/profiles: permis
Oct 16 08:57:54 vm1 dockerd[7369]: Error starting daemon: couldn't create plugin manager: error setting plugin manager root to private: permission denied

What I find weird is the line failed to rename /var/lib/docker/tmp as if docker has no permissions to work in its image directory /var/lib/docker.

Any idea what is wrong or how to fix this? Thanks!

Update: I was able to install an older version of docker, docker-ce_17.03.2~ce-0~ubuntu-xenial_amd64.deb.

But now running an image like sudo docker run hello-world fails with

Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
5b0f327be733: Extracting [==================================================>]    974 B/974 B
docker: failed to register layer: ApplyLayer exit status 1 stdout:  stderr: permission denied.