Docker.sock permission Proxmox 9 (Debian Trixie)

the other daemons originate from LXC containers on which Docker is installed. When I stop the LXC containers, only one Docker daemon runs on the host.

root@pve:~# docker run -it --pid host busybox pidof dockerd
1753
root@pve:~# pidof dockerd
1753

Then I don’t know what happened. If you remember anything new that can help, please share it and we can continue thinking about it. This issue should not happen when using the official Docker CE on a physical server with a regular filesystem. If I have any new idea, I will share it too.

Is it possible to restart or update a stack created in Portainer without Portainer? I looked in the Portainer Docker volume and found compose data for the individual stacks, but I can’t stop or start them with "docker compose". Unfortunately, I can no longer access docker.sock via Portainer.

I don’t use Portainer, to be sure, but in the past it created swarm stacks, not compose projects, by default. So if docker compose commands don’t work, you can try docker stack commands.

This is one of the reasons I don’t use Portainer (especially for creating containers). If I lose access to Portainer and I cannot even access the compose files / stack files, I can’t easily manage the projects.

docker stack commands should work for you. If not, please share the error message, if you have any.

docker stack --help

Portainer uses the stack terminology for compose project and swarm stacks. If the swarm mode is not initialized on the docker host (=default behavior), it will deploy compose projects, if the swarm mode is enabled, it will deploy swarm stacks.

So I’m already getting a similar error on almost all Docker containers after updating.

apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=247733 comm="cupsd" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=247460 comm="vaultwarden" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=247248 comm="java" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=247248 comm="jenkins.sh" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none

Adding

security_opt:
  - apparmor=unconfined

solves the problem, but it’s not a solution.

ii  docker-buildx-plugin                       0.28.0-0~debian.13~trixie                amd64        Docker Buildx plugin extends build capabilities with BuildKit.
ii  docker-ce                                  5:28.4.0-1~debian.13~trixie              amd64        Docker: the open-source application container engine
ii  docker-ce-cli                              5:28.4.0-1~debian.13~trixie              amd64        Docker CLI: the open-source application container engine
ii  docker-ce-rootless-extras                  5:28.4.0-1~debian.13~trixie              amd64        Rootless support for Docker.
ii  docker-compose-plugin                      2.39.4-0~debian.13~trixie                amd64        Docker Compose (V2) plugin for the Docker CLI.
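The records quoted above are AppArmor audit lines: profile docker-default, class net, family unix, socket type stream, operation create, and error -13 (EACCES), each with the command name (comm) of the process that was refused. Rather than reaching for apparmor=unconfined, which removes every restriction from the container, the first step is to see exactly which operations are being denied and for which processes. The helper below is an added example, not code from Docker or from anyone in this thread: it parses both the journal and the dmesg shape of these lines (the sample lines are constructed, modelled on the ones posted here), groups the denials, and prints a candidate AppArmor rule per group. The rule templates (unix (...) type=..., network ...) are assumptions about the narrowest matching syntax from apparmor.d(5) and are meant for a custom profile that extends the docker-default template, loaded with apparmor_parser and selected with --security-opt apparmor=<name> as Docker's documentation describes; check them before loading.

```python
"""Aggregate AppArmor DENIED audit records and propose narrow rules.

Added example for this thread, not code from Docker or the forum posters.
Usage: dmesg | python3 aa_denials.py   (or: journalctl -k | python3 aa_denials.py)
The rule templates are assumptions: candidates for a custom profile that
extends docker-default, to be checked against apparmor.d(5) before loading.
"""
import re
import sys
from collections import Counter, defaultdict

# key="quoted value" or key=bareword; the dmesg prefix "[ts] audit: type=1400 audit(...):"
# adds only type=1400, which is harmless.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample, modelled on the records quoted in this thread (journal and dmesg shapes).
SAMPLE_LINES = [
    'apparmor="DENIED" operation="create" class="net" info="failed protocol match" '
    'error=-13 profile="docker-default" pid=247733 comm="cupsd" family="unix" '
    'sock_type="stream" protocol=0 requested="create" denied="create" addr=none',
    'apparmor="DENIED" operation="create" class="net" info="failed protocol match" '
    'error=-13 profile="docker-default" pid=247460 comm="vaultwarden" family="unix" '
    'sock_type="stream" protocol=0 requested="create" denied="create" addr=none',
    '[Sat Sep 27 17:14:03 2025] audit: type=1400 audit(1758986043.532:1869722223): '
    'apparmor="DENIED" operation="create" class="net" info="failed protocol match" '
    'error=-13 profile="docker-default" pid=182641 comm="su-exec" family="unix" '
    'sock_type="stream" protocol=0 requested="create" denied="create" addr=none',
    # a STATUS record (profile load) must be ignored
    'audit: type=1400 audit(1758986045.001:1869722230): apparmor="STATUS" '
    'operation="profile_load" profile="unconfined" name="docker-default" pid=1234 comm="apparmor_parser"',
]


def parse_denial(line):
    """Return the key=value fields of one AppArmor DENIED record, or None for anything else."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in _KV.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def summarise(lines):
    """Group denials by (profile, class, denied op, family, sock_type) -> Counter of comm."""
    groups = defaultdict(Counter)
    for line in lines:
        f = parse_denial(line)
        if not f:
            continue
        key = (f.get("profile"), f.get("class"), f.get("denied") or f.get("operation"),
               f.get("family"), f.get("sock_type"))
        groups[key][f.get("comm", "?")] += 1
    return groups


def suggest_rule(key):
    """Candidate rule for one group (assumption: narrowest syntax from apparmor.d(5))."""
    _profile, cls, op, family, sock_type = key
    if cls == "net" and family == "unix":
        return f"unix ({op}) type={sock_type},"
    if cls == "net" and family:
        parts = ["network", family] + ([sock_type] if sock_type else [])
        return " ".join(parts) + ","
    return None  # file/capability/... records need their name= field; not templated here


def suggest_rules(lines):
    """Return a list of {profile, rule, hits, comms} entries, most frequent first."""
    out = []
    for key, comms in summarise(lines).items():
        out.append({
            "profile": key[0],
            "rule": suggest_rule(key),
            "hits": sum(comms.values()),
            "comms": sorted(comms),
        })
    out.sort(key=lambda e: (-e["hits"], e["profile"] or ""))
    return out


def report(lines, out=sys.stdout):
    """Print one summary line and one candidate rule per denial group."""
    entries = suggest_rules(lines)
    if not entries:
        print("no AppArmor DENIED records found", file=out)
    for e in entries:
        rule = e["rule"] or "(no template for this class; inspect the record)"
        print(f'{e["hits"]:6d}  profile={e["profile"]}  comm={",".join(e["comms"])}', file=out)
        print(f"        candidate rule: {rule}", file=out)
    return entries


if __name__ == "__main__":
    # with no piped input, run on the constructed sample so the output shape is visible
    report(SAMPLE_LINES if sys.stdin.isatty() else sys.stdin)
```

On the sample this yields a single group, hit by cupsd, su-exec and vaultwarden, with the candidate rule unix (create) type=stream,. Whether the docker-default profile should already have permitted this (it grants the container network access) is exactly the question to put in an upstream issue, as suggested later in the thread; the aggregated output above is what that report should contain.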

What is that similar to? The original issue in the topic was a socket permission issue. If you have AppArmor problems, you can create a new topic or we can move it to a new topic. Let me know if you want that. Do I misunderstand something, and do you have a docker socket issue as well?

@netsrot Show messages in dmesg

dmesg

Thanks - that works for me - (portainer_agent, kasm and other containers) but now I have to go read all about what that is/does…

@dmcardlenl
Please write what helped you.

Hi there, OK, for me it’s nothing to do with the docker socket file itself, or the permissions or the owner or the group.

I added:

in each 'service' in a docker-compose.yaml file and the docker services started again.

And I added --security-opt apparmor=unconfined on the command line for docker run commands and everything works again as it should.

What changed: Debian 12 → 13 upgrade.

Why did I go down this route of adding the security-opt?

Because dmesg was saying stuff like this: [Sat Sep 27 17:14:03 2025] audit: type=1400 audit(1758986043.532:1869722223): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=18 2641 comm="su-exec" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none as pointed out by yourself.

@rimelek As I suspected, most people have the same problem as me: apparmor

Can you check if the container can be started with --security-opt apparmor=docker-default.

I assume you already read the docs about the AppArmor security profile for Docker:

Update:
this seems like a useful tool to create custom AppArmor profiles:

Update2:
On a 2nd thought: either something is wrong with the AppArmor profile on your systems, or it is indeed a bug, and should be reported as issue in docker’s upstream project https://github.com/moby/moby/issues.

Update3:
Does this command work for you?

docker run -ti --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  --security-opt apparmor=docker-default \
  docker:cli ps

#1 I tried that yesterday and it didn’t work, but I couldn’t remember, so I tried it again and it doesn’t work from the command line.

I said yesterday "I’d go off and read about it…" I haven’t had time yet.

This particular container is just portainer_agent. Everything is out of the box. Not my development.

Digest: sha256:6a73c9433f2ba4279815be1e60f5739288b939dda1e48151d8c393537802de37
Status: Downloaded newer image for docker:cli
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.51/containers/json": dial unix /var/run/docker.sock: socket: permission denied
$ docker -v
Docker version 26.1.5+dfsg1, build a72d7cd
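The error text quoted in the post above ends in "socket: permission denied". The Docker CLI is written in Go, and Go's net package names the failing syscall in that position: "socket" means the socket(2) call itself was refused, before any connect(2) to /var/run/docker.sock was attempted. The file's owner, group and mode are only consulted by connect(2), which is why fiddling with the socket's permissions or the docker group does nothing here, and why the AppArmor records about a denied unix/stream socket create are the relevant evidence. The probe below is an added example, not code from Docker or from anyone in this thread: it performs the two steps separately, applies the POSIX owner/group/other check so a DAC denial at connect(2) can be told from an LSM one, and reads the process's AppArmor label from /proc. The assumption that euid 0 carries CAP_DAC_OVERRIDE (the default for root, also inside a container) is marked in the code; the function names are mine.

```python
"""Work out which step fails when a client cannot reach /var/run/docker.sock.

Added example for this thread, not code from Docker. Run on the host, or inside a
container that mounts the socket, as the posts in this thread do.
"""
import errno
import os
import re
import socket
import stat
import sys

DEFAULT_SOCK = "/var/run/docker.sock"
_PERM_ERRNOS = (errno.EACCES, errno.EPERM)
# Go net.OpError text: "dial unix <path>: <syscall>: <strerror>"
_DIAL_RE = re.compile(r"dial unix (\S+): (socket|connect|setsockopt): (.+)")


def parse_dial_error(text):
    """Pull (path, syscall, reason) out of a docker CLI error message, or None."""
    m = _DIAL_RE.search(text)
    return m.groups() if m else None


def dac_allows_connect(st_uid, st_gid, st_mode, uid, gids, cap_dac_override):
    """POSIX DAC for connect(2) on a unix socket: the caller needs write permission on
    the socket inode. CAP_DAC_OVERRIDE bypasses the check, so a denial for a process
    that holds it is normally not a DAC denial."""
    if cap_dac_override:
        return True
    if uid == st_uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


def apparmor_label():
    """This process's AppArmor label, e.g. 'docker-default (enforce)', or None."""
    for path in ("/proc/self/attr/apparmor/current", "/proc/self/attr/current"):
        try:
            with open(path) as fh:
                return fh.read().strip("\n\0 ")
        except OSError:
            continue
    return None


def probe(path):
    """Do socket(2) and connect(2) separately; return (failing_step, errno) or (None, 0)."""
    try:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    except OSError as e:
        return ("socket", e.errno)
    try:
        s.connect(path)
    except OSError as e:
        return ("connect", e.errno)
    finally:
        s.close()
    return (None, 0)


def classify(step, err, dac_ok, label):
    """Map the failing step plus the DAC result to a verdict string."""
    if step is None:
        return "connected: the socket is reachable from this process"
    if step == "socket" and err in _PERM_ERRNOS:
        return ("socket(AF_UNIX, SOCK_STREAM) was refused before the path was touched; "
                "owner/group/mode of the socket file are irrelevant, a MAC policy or seccomp "
                f"denied socket creation (AppArmor label: {label})")
    if step == "connect" and err in _PERM_ERRNOS and dac_ok:
        return ("connect() denied although DAC allows it: check dmesg for apparmor=\"DENIED\" "
                f"(AppArmor label: {label})")
    if step == "connect" and err in _PERM_ERRNOS:
        return "connect() denied by DAC: fix owner/group/mode or add the user to the socket's group"
    return f"{step}() failed: {os.strerror(err)}"


def diagnose(path=DEFAULT_SOCK):
    """Stat the socket, evaluate DAC for the calling identity, probe, and explain."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return f"{path} is not a unix socket"
    # assumption: euid 0 still holds CAP_DAC_OVERRIDE (true unless capabilities were dropped)
    dac_ok = dac_allows_connect(st.st_uid, st.st_gid, st.st_mode,
                                os.geteuid(), os.getgroups(), os.geteuid() == 0)
    step, err = probe(path)
    return classify(step, err, dac_ok, apparmor_label())


if __name__ == "__main__":
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_SOCK))
```

To reproduce the thread's situation, run it under the same profile the docker:cli test used, for example docker run --rm -v /var/run/docker.sock:/var/run/docker.sock --security-opt apparmor=docker-default python:3-alpine python3 - < sock_probe.py (the image and file name are my choices). A "socket(...) was refused" verdict together with the apparmor="DENIED" ... operation="create" class="net" family="unix" records in dmesg is the combination to put in an upstream report.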

Last time you shared docker info you had docker v28.3.3 running, using the docker-ce package from dockers repository. Now it seems you are running the docker package from the distro repositories.

I tested the command on Ubuntu 22.04 and 24.04 VMs: works like a charm.
I even created a Debian 13 VM template based on the latest generic cloud image, created a qemu VM from it, installed the latest docker-ce on it and ran the command from above: still works like a charm.

root@trixie:~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 13 (trixie)"
NAME="Debian GNU/Linux"
VERSION_ID="13"
VERSION="13 (trixie)"
VERSION_CODENAME=trixie
DEBIAN_VERSION_FULL=13.1
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@trixie:~# docker run -ti --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  --security-opt apparmor=docker-default \
  docker:cli ps
Unable to find image 'docker:cli' locally
cli: Pulling from library/docker
9824c27679d3: Pull complete
02c811d3a0ce: Pull complete
4f4fb700ef54: Pull complete
35e68de1e1b6: Pull complete
03228d3b2192: Pull complete
595b25686cbc: Pull complete
0a2dc334942f: Pull complete
2699d0745970: Pull complete
7a04dfb9c21f: Pull complete
8ab6f3d29685: Pull complete
Digest: sha256:6a73c9433f2ba4279815be1e60f5739288b939dda1e48151d8c393537802de37
Status: Downloaded newer image for docker:cli
CONTAINER ID   IMAGE        COMMAND                  CREATED        STATUS                  PORTS     NAMES
07da86bce93c   docker:cli   "docker-entrypoint.s…"   1 second ago   Up Less than a second             pedantic_ptolemy

I would suggest raising an issue in the Moby project (I shared the url earlier), and describe the situation after upgrading from Debian 12 to 13.

A different person had docker 28 running. Anyway, I’ve upgraded the system with docker 26 on it to 28 and the problem is still there…

Oh, I see. I didn’t recognize that two users just happen to have orange icons. Sorry for the confusion.

Your problem is on PVE9/Trixie as well, right?

Even though I didn’t want to install docker-ce on Proxmox, I did. Yup, it’s a Proxmox-related issue.

root@pve1:/etc/apt/sources.list.d# docker run -ti --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  --security-opt apparmor=docker-default \
  docker:cli ps
Unable to find image 'docker:cli' locally
cli: Pulling from library/docker
9824c27679d3: Pull complete
02c811d3a0ce: Pull complete
4f4fb700ef54: Pull complete
35e68de1e1b6: Pull complete
03228d3b2192: Pull complete
595b25686cbc: Pull complete
0a2dc334942f: Pull complete
2699d0745970: Pull complete
7a04dfb9c21f: Pull complete
8ab6f3d29685: Pull complete
Digest: sha256:6a73c9433f2ba4279815be1e60f5739288b939dda1e48151d8c393537802de37
Status: Downloaded newer image for docker:cli
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.51/containers/json": dial unix /var/run/docker.sock: socket: permission denied

OK, I now have a lovely mocaccino-coloured brown avatar colour.

OK, I’ll lurk in the Proxmox forums and when someone posts it, I can reply with @slawkasod’s suggestion.

Of course, their answer might be: "Use LXC containers on Proxmox"…

Proxmox 9 users that want/need to run Docker on their host, seem to disable AppArmor completely:

Their suggestion is to use QEMU VM (aka kvm):
