From 2d42c0b2be1e6d057771001fa41c4f8b71e6374a Mon Sep 17 00:00:00 2001
From: CanbiZ <47820557+MickLesk@users.noreply.github.com>
Date: Fri, 7 Nov 2025 13:44:57 +0100
Subject: [PATCH] Improve Docker AppArmor workaround for LXC

Moves AppArmor workaround to run before Docker installation and enhances the workaround in tools.func by adding an unmount step, updating the systemd service to use sysinit.target, and adding verification of the mount. Provides clearer feedback if the workaround is not active.
---
 install/docker-install.sh | 7 ++++---
 misc/tools.func | 19 ++++++++++++++-----
 2 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/install/docker-install.sh b/install/docker-install.sh
index e8e922cc5..8edde48bc 100644
--- a/install/docker-install.sh
+++ b/install/docker-install.sh
@@ -13,6 +13,10 @@ setting_up_container
 network_check
 update_os
 
+# Apply AppArmor workaround BEFORE installing Docker
+# See: https://github.com/opencontainers/runc/issues/4968
+apply_docker_apparmor_workaround
+
 get_latest_release() {
 curl -fsSL https://api.github.com/repos/"$1"/releases/latest | grep '"tag_name":' | cut -d'"' -f4
 }
@@ -29,9 +33,6 @@ echo -e '{\n "log-driver": "journald"\n}' >/etc/docker/daemon.json
 $STD sh <(curl -fsSL https://get.docker.com)
 msg_ok "Installed Docker $DOCKER_LATEST_VERSION"
 
-# Apply AppArmor workaround BEFORE installing Docker
-# See: https://github.com/opencontainers/runc/issues/4968
-apply_docker_apparmor_workaround
 
 # Restart Docker to apply AppArmor workaround (if running in LXC)
 $STD systemctl restart docker
diff --git a/misc/tools.func b/misc/tools.func
index 2143efc13..7165617a8 100644
--- a/misc/tools.func
+++ b/misc/tools.func
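Review bot: The `# Restart Docker to apply AppArmor workaround (if running in LXC)` comment and the `$STD systemctl restart docker` kept after the removed block in the second hunk now describe a step the commit itself has made redundant: the first hunk calls `apply_docker_apparmor_workaround` before `sh <(curl -fsSL https://get.docker.com)`, so dockerd is first started with the bind mount already in place. Either drop the restart or reword the comment to state the remaining reason for it (presumably picking up `/etc/docker/daemon.json`, which is written before the install script runs — confirm), e.g. `# Restart Docker so it reloads daemon.json; the AppArmor mount is already applied above`. The `(if running in LXC)` wording is also no longer accurate, since the moved call in the first hunk is not gated on running inside LXC. The second hunk additionally leaves two consecutive blank lines where the three lines were removed.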
@@ -55,26 +55,30 @@ apply_docker_apparmor_workaround() {
 msg_info "Applying Docker AppArmor workaround for LXC"
 
 
- # Apply the mount bind workaround immediately
+ # Method 1: Mount bind /dev/null over AppArmor enabled file
 if [ -f /sys/module/apparmor/parameters/enabled ]; then
+ # Unmount first if already mounted
+ umount /sys/module/apparmor/parameters/enabled 2>/dev/null || true
+ # Apply mount
 mount --bind /dev/null /sys/module/apparmor/parameters/enabled 2>/dev/null || true
 fi
 
- # Create systemd service for persistence (preferred over rc.local)
+ # Method 2: Create systemd service for persistence
 cat >/etc/systemd/system/docker-apparmor-workaround.service <<'EOF'
 [Unit]
 Description=Docker AppArmor workaround for LXC
 Documentation=https://github.com/opencontainers/runc/issues/4968
 Before=docker.service containerd.service
-ConditionPathExists=/sys/module/apparmor/parameters/enabled
+DefaultDependencies=no
 
 [Service]
 Type=oneshot
+ExecStartPre=-/bin/umount /sys/module/apparmor/parameters/enabled
 ExecStart=/bin/mount --bind /dev/null /sys/module/apparmor/parameters/enabled
 RemainAfterExit=yes
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=sysinit.target
 EOF
 
 # Enable and start the service
@@ -82,7 +86,12 @@ EOF
 $STD systemctl enable docker-apparmor-workaround.service
 $STD systemctl start docker-apparmor-workaround.service 2>/dev/null || true
 
- msg_ok "Applied Docker AppArmor workaround"
+ # Verify the mount is active
+ if mount | grep -q "on /sys/module/apparmor/parameters/enabled"; then
+ msg_ok "Applied Docker AppArmor workaround"
+ else
+ msg_warn "AppArmor workaround may not be active - please check 'mount | grep apparmor'"
+ fi
 }
 
 # ------------------------------------------------------------------------------
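Review bot: Dropping `ConditionPathExists=/sys/module/apparmor/parameters/enabled` from the unit in the first hunk changes a skipped unit into a failed one on any system where that file is absent: the new `ExecStartPre=` is prefixed with `-` so its umount failure is ignored, but `ExecStart=/bin/mount --bind ...` is not, and a `Type=oneshot` unit whose ExecStart fails is left in failed state at every boot. Either keep the condition line alongside `DefaultDependencies=no` or make the mount tolerant as well, `ExecStart=-/bin/mount --bind /dev/null /sys/module/apparmor/parameters/enabled`; note the shell side already guards the immediate mount with `[ -f ... ]` while the unit is written and enabled unconditionally. The effect of the bind mount also deserves a sentence in the `# Method 1` comment, since it is container-wide and persistent rather than Docker-specific: every process in the LXC that reads this file will see AppArmor reported as disabled, and presumably dockerd/runc then skip applying their AppArmor profiles to workloads — confirm and state it, e.g. `# Masking this file makes AppArmor appear disabled to the whole container (not only Docker); workloads will run without AppArmor confinement`. The function continues into the next hunk.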
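Review bot: The verification in the second hunk parses `mount` output with an unanchored `grep -q "on /sys/module/apparmor/parameters/enabled"`, which confirms only that something is mounted on that path, not that the bind mount is the `/dev/null` one this function just created, and it is sensitive to mount's output format. `mountpoint -q /sys/module/apparmor/parameters/enabled` from util-linux is the direct check for both files and directories — confirm it is available in the target images — and reads as `if mountpoint -q /sys/module/apparmor/parameters/enabled; then`. If the `mount | grep` form is kept, the `msg_warn` hint `'mount | grep apparmor'` is fine, but consider also echoing that the systemd unit was enabled so an operator knows the masking persists across reboots. The function's opening lines are in the preceding hunk.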