Improve Docker AppArmor workaround for LXC

Moves AppArmor workaround to run before Docker installation and enhances the workaround in tools.func by adding an unmount step, updating the systemd service to use sysinit.target, and adding verification of the mount. Provides clearer feedback if the workaround is not active.
2025-11-07 13:44:57 +01:00 · 2025-11-07 13:44:57 +01:00 · 2d42c0b2be
commit 2d42c0b2be
parent 0379c6dbe3
2 changed files with 18 additions and 8 deletions
--- a/install/docker-install.sh
+++ b/install/docker-install.sh
@ -13,6 +13,10 @@ setting_up_container
 network_check
 update_os

+# Apply AppArmor workaround BEFORE installing Docker
+# See: https://github.com/opencontainers/runc/issues/4968
+apply_docker_apparmor_workaround
+
 get_latest_release() {
  curl -fsSL https://api.github.com/repos/"$1"/releases/latest | grep '"tag_name":' | cut -d'"' -f4
 }
@ -29,9 +33,6 @@ echo -e '{\n  "log-driver": "journald"\n}' >/etc/docker/daemon.json
 $STD sh <(curl -fsSL https://get.docker.com)
 msg_ok "Installed Docker $DOCKER_LATEST_VERSION"

-# Apply AppArmor workaround BEFORE installing Docker
-# See: https://github.com/opencontainers/runc/issues/4968
-apply_docker_apparmor_workaround
 # Restart Docker to apply AppArmor workaround (if running in LXC)
 $STD systemctl restart docker

--- a/misc/tools.func
+++ b/misc/tools.func
@ -55,26 +55,30 @@ apply_docker_apparmor_workaround() {

  msg_info "Applying Docker AppArmor workaround for LXC"

-  # Apply the mount bind workaround immediately
+  # Method 1: Mount bind /dev/null over AppArmor enabled file
  if [ -f /sys/module/apparmor/parameters/enabled ]; then
+    # Unmount first if already mounted
+    umount /sys/module/apparmor/parameters/enabled 2>/dev/null || true
+    # Apply mount
    mount --bind /dev/null /sys/module/apparmor/parameters/enabled 2>/dev/null || true
  fi

-  # Create systemd service for persistence (preferred over rc.local)
+  # Method 2: Create systemd service for persistence
  cat >/etc/systemd/system/docker-apparmor-workaround.service <<'EOF'
 [Unit]
 Description=Docker AppArmor workaround for LXC
 Documentation=https://github.com/opencontainers/runc/issues/4968
 Before=docker.service containerd.service
-ConditionPathExists=/sys/module/apparmor/parameters/enabled
+DefaultDependencies=no

 [Service]
 Type=oneshot
+ExecStartPre=-/bin/umount /sys/module/apparmor/parameters/enabled
 ExecStart=/bin/mount --bind /dev/null /sys/module/apparmor/parameters/enabled
 RemainAfterExit=yes

 [Install]
-WantedBy=multi-user.target
+WantedBy=sysinit.target
 EOF

  # Enable and start the service
@ -82,7 +86,12 @@ EOF
  $STD systemctl enable docker-apparmor-workaround.service
  $STD systemctl start docker-apparmor-workaround.service 2>/dev/null || true

-  msg_ok "Applied Docker AppArmor workaround"
+  # Verify the mount is active
+  if mount | grep -q "on /sys/module/apparmor/parameters/enabled"; then
+    msg_ok "Applied Docker AppArmor workaround"
+  else
+    msg_warn "AppArmor workaround may not be active - please check 'mount | grep apparmor'"
+  fi
 }

 # ------------------------------------------------------------------------------