Docker Community Forums

Share and learn in the Docker community.

Cannot reload or start AppArmor in Docker


(Serhiy) #1

Here is my Dockerfile:

FROM ubuntu:14.04

RUN apt-get update

RUN apt-get install -y software-properties-common
RUN apt-get install -y python-software-properties

RUN add-apt-repository ppa:chris-lea/node.js
RUN apt-get update
RUN apt-get install -y nodejs

RUN apt-get install -y apparmor-profiles
RUN apt-get install -y apparmor-utils

ADD server.js /folder1/
ADD usr.bin.nodejs /etc/apparmor.d/

RUN service apparmor reload

CMD node /folder1/server.js

Here is usr.bin.nodejs:

#include <tunables/global>

/usr/bin/nodejs {
  #include <abstractions/base>

  /usr/bin/nodejs mr,
  /folder1/server.js r,
  /folder1/repo/** ralkmix,
  network,

}

I run sudo docker build -t scadge/test-one . to build this image. On Step 7 : RUN apt-get install -y apparmor-profiles I get red messages invoke-rc.d: policy-rc.d denied execution of start and invoke-rc.d: policy-rc.d denied execution of reload. Also on Step 11 : RUN service apparmor reload I get the following:

 * Reloading AppArmor profiles
 * Mounting securityfs on /sys/kernel/security...
mount: permission denied
    ...fail!
    ...fail!

…and sure thing apparmor profiles are not working. So how do I make AppArmor work in Docker? I would also like to admit that all this stuff works fine on my desktop Ubuntu 14.04, downloaded from official site.


(Serhiy) #2

Ok, I tried building without RUN service apparmor reload (successful) and then tried docker run with --privileged. Then in bash I manually typed service apparmor reload and it worked fine, but after that I cannot launch nodejs - it complains nodejs: error while loading shared libraries: libz.so.1: cannot open shared object file: Permission denied. And when I remove AppArmor profile for nodejs and reload it - nodejs launches fine again. So I think there is some issue with AppArmor work inside Docker.