community-scripts/ProxmoxVED
1
0
Fork 0
mirror of https://github.com/community-scripts/ProxmoxVED.git synced 2026-02-25 05:57:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

Improve Docker AppArmor workaround for LXC

Browse Source 
Moves AppArmor workaround to run before Docker installation and enhances the workaround in tools.func by adding an unmount step, updating the systemd service to use sysinit.target, and adding verification of the mount. Provides clearer feedback if the workaround is not active.
This commit is contained in:
CanbiZ
2025-11-07 13:44:57 +01:00
parent 0379c6dbe3
commit 2d42c0b2be
2 changed files with 18 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
misc/tools.func
View File

@@ -55,26 +55,30 @@ apply_docker_apparmor_workaround() {
msg_info "Applying Docker AppArmor workaround for LXC"
# Apply the mount bind workaround immediately
# Method 1: Mount bind /dev/null over AppArmor enabled file
if [ -f /sys/module/apparmor/parameters/enabled ]; then
# Unmount first if already mounted
umount /sys/module/apparmor/parameters/enabled 2>/dev/null || true
# Apply mount
mount --bind /dev/null /sys/module/apparmor/parameters/enabled 2>/dev/null || true
fi
# Create systemd service for persistence (preferred over rc.local)
# Method 2: Create systemd service for persistence
cat >/etc/systemd/system/docker-apparmor-workaround.service <<'EOF'
[Unit]
Description=Docker AppArmor workaround for LXC
Documentation=https://github.com/opencontainers/runc/issues/4968
Before=docker.service containerd.service
ConditionPathExists=/sys/module/apparmor/parameters/enabled
DefaultDependencies=no
[Service]
Type=oneshot
ExecStartPre=-/bin/umount /sys/module/apparmor/parameters/enabled
ExecStart=/bin/mount --bind /dev/null /sys/module/apparmor/parameters/enabled
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
WantedBy=sysinit.target
EOF
# Enable and start the service
@@ -82,7 +86,12 @@ EOF
$STD systemctl enable docker-apparmor-workaround.service
$STD systemctl start docker-apparmor-workaround.service 2>/dev/null || true
msg_ok "Applied Docker AppArmor workaround"
# Verify the mount is active
if mount | grep -q "on /sys/module/apparmor/parameters/enabled"; then
msg_ok "Applied Docker AppArmor workaround"
else
msg_warn "AppArmor workaround may not be active - please check 'mount | grep apparmor'"
fi
}
# ------------------------------------------------------------------------------