Improve Docker AppArmor workaround for LXC

Moves AppArmor workaround to run before Docker installation and enhances the workaround in tools.func by adding an unmount step, updating the systemd service to use sysinit.target, and adding verification of the mount. Provides clearer feedback if the workaround is not active.

install/docker-install.sh

@@ -13,6 +13,10 @@ setting_up_container
 network_check
 update_os
 
+# Apply AppArmor workaround BEFORE installing Docker
+# See: https://github.com/opencontainers/runc/issues/4968
+apply_docker_apparmor_workaround
+
 get_latest_release() {
   curl -fsSL https://api.github.com/repos/"$1"/releases/latest | grep '"tag_name":' | cut -d'"' -f4
 }
@@ -29,9 +33,6 @@ echo -e '{\n  "log-driver": "journald"\n}' >/etc/docker/daemon.json
 $STD sh <(curl -fsSL https://get.docker.com)
 msg_ok "Installed Docker $DOCKER_LATEST_VERSION"
 
-# Apply AppArmor workaround BEFORE installing Docker
-# See: https://github.com/opencontainers/runc/issues/4968
-apply_docker_apparmor_workaround
 # Restart Docker to apply AppArmor workaround (if running in LXC)
 $STD systemctl restart docker
 

misc/tools.func

@@ -55,26 +55,30 @@ apply_docker_apparmor_workaround() {
 
   msg_info "Applying Docker AppArmor workaround for LXC"
 
-  # Apply the mount bind workaround immediately
+  # Method 1: Mount bind /dev/null over AppArmor enabled file
   if [ -f /sys/module/apparmor/parameters/enabled ]; then
+    # Unmount first if already mounted
+    umount /sys/module/apparmor/parameters/enabled 2>/dev/null || true
+    # Apply mount
     mount --bind /dev/null /sys/module/apparmor/parameters/enabled 2>/dev/null || true
   fi
 
-  # Create systemd service for persistence (preferred over rc.local)
+  # Method 2: Create systemd service for persistence
   cat >/etc/systemd/system/docker-apparmor-workaround.service <<'EOF'
 [Unit]
 Description=Docker AppArmor workaround for LXC
 Documentation=https://github.com/opencontainers/runc/issues/4968
 Before=docker.service containerd.service
-ConditionPathExists=/sys/module/apparmor/parameters/enabled
+DefaultDependencies=no
 
 [Service]
 Type=oneshot
+ExecStartPre=-/bin/umount /sys/module/apparmor/parameters/enabled
 ExecStart=/bin/mount --bind /dev/null /sys/module/apparmor/parameters/enabled
 RemainAfterExit=yes
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=sysinit.target
 EOF
 
   # Enable and start the service
@@ -82,7 +86,12 @@ EOF
   $STD systemctl enable docker-apparmor-workaround.service
   $STD systemctl start docker-apparmor-workaround.service 2>/dev/null || true
 
-  msg_ok "Applied Docker AppArmor workaround"
+  # Verify the mount is active
+  if mount | grep -q "on /sys/module/apparmor/parameters/enabled"; then
+    msg_ok "Applied Docker AppArmor workaround"
+  else
+    msg_warn "AppArmor workaround may not be active - please check 'mount | grep apparmor'"
+  fi
 }
 
 # ------------------------------------------------------------------------------