RockPi4C+ | Docker Broken on Newest Ubuntu Image

[benisai]

Need some help, docker is broken. I used the official docker site to install docker, that was a PITA as the apt hash was mismatching, but I got past that, but NOW hello-world will not run at all. 

I need someone with more experience to help me look at the logs below:

Hello-World:

sudo docker run hello-world
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: unable to apply apparmor profile: apparmor failed to apply profile: write /proc/self/attr/apparmor/exec: no such file or directory: unknown.
ERRO[0001] error waiting for container: 

 

ben@rockpi-4cplus:~$ journalctl | grep docker
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.103935029Z" level=info msg="Starting up"
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.121140305Z" level=warning msg="AppArmor enabled on system but \"apparmor_parser\" binary is missing, so profile can't be loaded"
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.124122295Z" level=info msg="[core] [Channel #1] Channel created" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.124335211Z" level=info msg="[core] [Channel #1] original dial target is: \"unix:///run/containerd/containerd.sock\"" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.124536752Z" level=info msg="[core] [Channel #1] parsed dial target is: {Scheme:unix Authority: Endpoint:run/containerd/containerd.sock URL:{Scheme:unix Opaque: User: Host: Path:/run/containerd/containerd.sock RawPath: OmitHost:false ForceQuery:false RawQuery: Fragment: RawFragment:}}" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.124626585Z" level=info msg="[core] [Channel #1] Channel authority set to \"localhost\"" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.125290124Z" level=info msg="[core] [Channel #1] Resolver state updated: {\n  \"Addresses\": [\n    {\n      \"Addr\": \"/run/containerd/containerd.sock\",\n      \"ServerName\": \"\",\n      \"Attributes\": {},\n      \"BalancerAttributes\": null,\n      \"Type\": 0,\n      \"Metadata\": null\n    }\n  ],\n  \"ServiceConfig\": null,\n  \"Attributes\": null\n} (resolver returned new addresses)" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.126441620Z" level=info msg="[core] [Channel #1] Channel switches to new LB policy \"pick_first\"" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.126900119Z" level=info msg="[core] [Channel #1 SubChannel #2] Subchannel created" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.127208993Z" level=info msg="[core] [Channel #1 SubChannel #2] Subchannel Connectivity change to CONNECTING" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.127437659Z" level=info msg="[core] [Channel #1 SubChannel #2] Subchannel picks a new address \"/run/containerd/containerd.sock\" to connect" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.127661950Z" level=info msg="[core] [Channel #1] Channel Connectivity change to CONNECTING" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.129733151Z" level=info msg="[core] [Channel #1 SubChannel #2] Subchannel Connectivity change to READY" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.129933525Z" level=info msg="[core] [Channel #1] Channel Connectivity change to READY" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.136601795Z" level=info msg="[core] [Channel #4] Channel created" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.136792252Z" level=info msg="[core] [Channel #4] original dial target is: \"unix:///run/containerd/containerd.sock\"" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.136976585Z" level=info msg="[core] [Channel #4] parsed dial target is: {Scheme:unix Authority: Endpoint:run/containerd/containerd.sock URL:{Scheme:unix Opaque: User: Host: Path:/run/containerd/containerd.sock RawPath: OmitHost:false ForceQuery:false RawQuery: Fragment: RawFragment:}}" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.137071960Z" level=info msg="[core] [Channel #4] Channel authority set to \"localhost\"" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.137358375Z" level=info msg="[core] [Channel #4] Resolver state updated: {\n  \"Addresses\": [\n    {\n      \"Addr\": \"/run/containerd/containerd.sock\",\n      \"ServerName\": \"\",\n      \"Attributes\": {},\n      \"BalancerAttributes\": null,\n      \"Type\": 0,\n      \"Metadata\": null\n    }\n  ],\n  \"ServiceConfig\": null,\n  \"Attributes\": null\n} (resolver returned new addresses)" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.137624666Z" level=info msg="[core] [Channel #4] Channel switches to new LB policy \"pick_first\"" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.137869082Z" level=info msg="[core] [Channel #4 SubChannel #5] Subchannel created" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.138125748Z" level=info msg="[core] [Channel #4 SubChannel #5] Subchannel Connectivity change to CONNECTING" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.138310372Z" level=info msg="[core] [Channel #4 SubChannel #5] Subchannel picks a new address \"/run/containerd/containerd.sock\" to connect" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.138439288Z" level=info msg="[core] [Channel #4] Channel Connectivity change to CONNECTING" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.141760194Z" level=info msg="[core] [Channel #4 SubChannel #5] Subchannel Connectivity change to READY" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.142022401Z" level=info msg="[core] [Channel #4] Channel Connectivity change to READY" module=grpc
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.169234518Z" level=info msg="[graphdriver] using prior storage driver: overlay2"
Mar 17 00:38:16 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:16.187258000Z" level=info msg="Loading containers: start."
Mar 17 00:38:16 rockpi-4cplus NetworkManager[856]: <info>  [1679013496.7062] manager: (docker0): new Bridge device (/org/freedesktop/NetworkManager/Devices/5)
Mar 17 00:38:16 rockpi-4cplus NetworkManager[856]: <info>  [1679013496.9197] device (docker0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
Mar 17 00:38:16 rockpi-4cplus NetworkManager[856]: <info>  [1679013496.9222] device (docker0): state change: unavailable -> disconnected (reason 'connection-assumed', sys-iface-state: 'external')
Mar 17 00:38:16 rockpi-4cplus NetworkManager[856]: <info>  [1679013496.9261] device (docker0): Activation: starting connection 'docker0' (cec9bf20-e7eb-4668-8a94-73c7877780d9)
Mar 17 00:38:16 rockpi-4cplus NetworkManager[856]: <info>  [1679013496.9267] device (docker0): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'external')
Mar 17 00:38:16 rockpi-4cplus NetworkManager[856]: <info>  [1679013496.9279] device (docker0): state change: prepare -> config (reason 'none', sys-iface-state: 'external')
Mar 17 00:38:16 rockpi-4cplus NetworkManager[856]: <info>  [1679013496.9292] device (docker0): state change: config -> ip-config (reason 'none', sys-iface-state: 'external')
Mar 17 00:38:16 rockpi-4cplus NetworkManager[856]: <info>  [1679013496.9306] device (docker0): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'external')
Mar 17 00:38:16 rockpi-4cplus NetworkManager[856]: <info>  [1679013496.9377] device (docker0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')
Mar 17 00:38:16 rockpi-4cplus NetworkManager[856]: <info>  [1679013496.9388] device (docker0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')
Mar 17 00:38:16 rockpi-4cplus NetworkManager[856]: <info>  [1679013496.9424] device (docker0): Activation: successful, device activated.
Mar 17 00:38:17 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:17.256107456Z" level=info msg="Removing stale sandbox 72c1d4470e5e427325cdee8d88a5bbccc1e935b72204517df77a486c05a528ec (82cfaa715918eb31665ef270299e1769cc8fd061c6f1b19a77bc3c88edf93ba3)"
Mar 17 00:38:17 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:17.259002905Z" level=info msg="Removing stale endpoint suspicious_dijkstra (a2ce9673b63b1c359bb0e5e97efa5dd046159d2e91006724d69a4009aa673c47)"
Mar 17 00:38:17 rockpi-4cplus systemd[1]: run-docker-netns-72c1d4470e5e.mount: Deactivated successfully.
Mar 17 00:38:17 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:17.485150188Z" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
Mar 17 00:38:17 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:17.666442080Z" level=info msg="Loading containers: done."
Mar 17 00:38:17 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:17.732452650Z" level=info msg="Docker daemon" commit=bc3805a graphdriver=overlay2 version=23.0.1
Mar 17 00:38:17 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:17.733325022Z" level=info msg="Daemon has completed initialization"
Mar 17 00:38:17 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:17.805429447Z" level=info msg="[core] [Server #7] Server created" module=grpc
Mar 17 00:38:17 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:38:17.842482948Z" level=info msg="API listen on /run/docker.sock"
Mar 17 00:40:49 rockpi-4cplus sudo[2194]: ben : TTY=pts/0 ; PWD=/home/ben ; USER=root ; COMMAND=/usr/bin/docker run hello-world
Mar 17 00:40:50 rockpi-4cplus systemd[1]: var-lib-docker-overlay2-a83857f63d6a6d2e0bbe432738a01ebd8220aee2ff55323e371492843efd51e9\x2dinit-merged.mount: Deactivated successfully.
Mar 17 00:40:50 rockpi-4cplus kernel: docker0: port 1(vethea138c1) entered blocking state
Mar 17 00:40:50 rockpi-4cplus kernel: docker0: port 1(vethea138c1) entered disabled state
Mar 17 00:40:51 rockpi-4cplus kernel: docker0: port 1(vethea138c1) entered blocking state
Mar 17 00:40:51 rockpi-4cplus kernel: docker0: port 1(vethea138c1) entered forwarding state
Mar 17 00:40:51 rockpi-4cplus kernel: IPv6: ADDRCONF(NETDEV_CHANGE): docker0: link becomes ready
Mar 17 00:40:51 rockpi-4cplus NetworkManager[856]: <info>  [1679013651.0217] device (docker0): carrier: link connected
Mar 17 00:40:51 rockpi-4cplus audit[2291]: AVC apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="docker-default" pid=2291 comm="runc:[2:INIT]"
Mar 17 00:40:51 rockpi-4cplus kernel: audit: type=1400 audit(1679013651.026:2): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="docker-default" pid=2291 comm="runc:[2:INIT]"
Mar 17 00:40:51 rockpi-4cplus systemd[1]: docker-a53710e47a6652bae5005e6fba5fedf14a033cfaee91d0b4b3d16f145b2be7db.scope: Deactivated successfully.
Mar 17 00:40:51 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:40:51.086424464Z" level=error msg="stream copy error: reading from a closed fifo"
Mar 17 00:40:51 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:40:51.086425923Z" level=error msg="stream copy error: reading from a closed fifo"
Mar 17 00:40:51 rockpi-4cplus kernel: docker0: port 1(vethea138c1) entered disabled state
Mar 17 00:40:51 rockpi-4cplus kernel: docker0: port 1(vethea138c1) entered disabled state
Mar 17 00:40:51 rockpi-4cplus kernel: docker0: port 1(vethea138c1) entered disabled state
Mar 17 00:40:51 rockpi-4cplus NetworkManager[856]: <info>  [1679013651.1803] device (vethea138c1): released from master device docker0
Mar 17 00:40:51 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:40:51.203132669Z" level=error msg="a53710e47a6652bae5005e6fba5fedf14a033cfaee91d0b4b3d16f145b2be7db cleanup: failed to delete container from containerd: no such container"
Mar 17 00:40:51 rockpi-4cplus systemd[1]: var-lib-docker-overlay2-a83857f63d6a6d2e0bbe432738a01ebd8220aee2ff55323e371492843efd51e9-merged.mount: Deactivated successfully.
Mar 17 00:41:30 rockpi-4cplus sudo[2354]: ben : TTY=pts/0 ; PWD=/home/ben ; USER=root ; COMMAND=/usr/bin/docker pull hello-world
Mar 17 00:41:36 rockpi-4cplus sudo[2380]: ben : TTY=pts/0 ; PWD=/home/ben ; USER=root ; COMMAND=/usr/bin/docker run hello-world
Mar 17 00:41:37 rockpi-4cplus systemd[1]: var-lib-docker-overlay2-d71c98f987921c05e25a087a01c6e4fe04ba790e6b9a71cd61b6a965dd91c51f\x2dinit-merged.mount: Deactivated successfully.
Mar 17 00:41:37 rockpi-4cplus kernel: docker0: port 1(veth3975e07) entered blocking state
Mar 17 00:41:37 rockpi-4cplus kernel: docker0: port 1(veth3975e07) entered disabled state
Mar 17 00:41:37 rockpi-4cplus kernel: docker0: port 1(veth3975e07) entered blocking state
Mar 17 00:41:37 rockpi-4cplus kernel: docker0: port 1(veth3975e07) entered forwarding state
Mar 17 00:41:37 rockpi-4cplus NetworkManager[856]: <info>  [1679013697.5857] device (docker0): carrier: link connected
Mar 17 00:41:37 rockpi-4cplus audit[2476]: AVC apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="docker-default" pid=2476 comm="runc:[2:INIT]"
Mar 17 00:41:37 rockpi-4cplus kernel: audit: type=1400 audit(1679013697.602:3): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="docker-default" pid=2476 comm="runc:[2:INIT]"
Mar 17 00:41:37 rockpi-4cplus systemd[1]: docker-08a2fde8e2ac5043751612449b1950d7ec7a0391b22b252b05edc1de8628ec84.scope: Deactivated successfully.
Mar 17 00:41:37 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:41:37.666672897Z" level=error msg="stream copy error: reading from a closed fifo"
Mar 17 00:41:37 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:41:37.666675397Z" level=error msg="stream copy error: reading from a closed fifo"
Mar 17 00:41:37 rockpi-4cplus kernel: docker0: port 1(veth3975e07) entered disabled state
Mar 17 00:41:37 rockpi-4cplus kernel: docker0: port 1(veth3975e07) entered disabled state
Mar 17 00:41:37 rockpi-4cplus kernel: docker0: port 1(veth3975e07) entered disabled state
Mar 17 00:41:37 rockpi-4cplus NetworkManager[856]: <info>  [1679013697.8091] device (veth3975e07): released from master device docker0
Mar 17 00:41:37 rockpi-4cplus dockerd[1181]: time="2023-03-17T00:41:37.846552627Z" level=error msg="08a2fde8e2ac5043751612449b1950d7ec7a0391b22b252b05edc1de8628ec84 cleanup: failed to delete container from containerd: no such container"
Mar 17 00:41:38 rockpi-4cplus systemd[1]: var-lib-docker-overlay2-d71c98f987921c05e25a087a01c6e4fe04ba790e6b9a71cd61b6a965dd91c51f-merged.mount: Deactivated successfully.

 

Edited March 17, 2023 by benisai

[benisai]

Running the container with these prama seems to work, but why doesnt the normal docker run

 

rockpi-4cplus:~$ sudo docker run --security-opt apparmor=unconfined hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (arm64v8)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

 

Edited March 17, 2023 by benisai

[benisai]

https://stackoverflow.com/questions/75346313/latest-docker-containerd-updates-break-everything-and-all-container-stopped

 

Fix:

apt install apparmor apparmor-utils

apparmor_parser -r -W /path/to/your_profile

apparmor_parser -R /path/to/profile