Update tools.func

misc/tools.func

@@ -35,47 +35,54 @@
 # Apply Docker in LXC AppArmor workaround
 # Fixes permission denied errors with containerd.io 1.7.28-2+ and runc 1.3.3
 # See: https://github.com/opencontainers/runc/issues/4968
+#      https://github.com/containerd/containerd/issues/12484
 # Usage: apply_docker_apparmor_workaround
 # ------------------------------------------------------------------------------
 apply_docker_apparmor_workaround() {
-  # Only apply in LXC containers
+  # Only apply in LXC containers (check multiple indicators)
-  if ! grep -q "lxc" /proc/1/cgroup 2>/dev/null && [ ! -f /.dockerenv ] && ! (systemd-detect-virt -c 2>/dev/null | grep -q lxc); then
+  local is_lxc=false
+  if grep -q "lxc" /proc/1/cgroup 2>/dev/null; then
+    is_lxc=true
+  elif systemd-detect-virt -c 2>/dev/null | grep -q lxc; then
+    is_lxc=true
+  elif [ -f /run/systemd/container ] && grep -q lxc /run/systemd/container 2>/dev/null; then
+    is_lxc=true
+  fi
+
+  if [ "$is_lxc" = false ]; then
     return 0
   fi
 
-  # Apply the mount bind workaround
+  msg_info "Applying Docker AppArmor workaround for LXC"
+
+  # Apply the mount bind workaround immediately
   if [ -f /sys/module/apparmor/parameters/enabled ]; then
     mount --bind /dev/null /sys/module/apparmor/parameters/enabled 2>/dev/null || true
   fi
 
-  # Make the workaround persistent across reboots
+  # Create systemd service for persistence (preferred over rc.local)
-  if ! grep -q "mount --bind /dev/null /sys/module/apparmor/parameters/enabled" /etc/rc.local 2>/dev/null; then
+  cat >/etc/systemd/system/docker-apparmor-workaround.service <<'EOF'
-    if [ ! -f /etc/rc.local ]; then
+[Unit]
-      cat >/etc/rc.local <<'RCLOCAL'
+Description=Docker AppArmor workaround for LXC
-#!/bin/bash
+Documentation=https://github.com/opencontainers/runc/issues/4968
-# AppArmor workaround for Docker in LXC
+Before=docker.service containerd.service
-if [ -f /sys/module/apparmor/parameters/enabled ]; then
+ConditionPathExists=/sys/module/apparmor/parameters/enabled
-  mount --bind /dev/null /sys/module/apparmor/parameters/enabled 2>/dev/null || true
+
-fi
+[Service]
-exit 0
+Type=oneshot
-RCLOCAL
+ExecStart=/bin/mount --bind /dev/null /sys/module/apparmor/parameters/enabled
-      chmod +x /etc/rc.local
+RemainAfterExit=yes
-    else
+
-      # Remove existing exit 0 if present
+[Install]
-      sed -i '/^exit 0/d' /etc/rc.local
+WantedBy=multi-user.target
-      # Add workaround if not already present
+EOF
-      if ! grep -q "AppArmor workaround for Docker in LXC" /etc/rc.local; then
+
-        cat >>/etc/rc.local <<'RCLOCAL'
+  # Enable and start the service
-# AppArmor workaround for Docker in LXC
+  $STD systemctl daemon-reload
-if [ -f /sys/module/apparmor/parameters/enabled ]; then
+  $STD systemctl enable docker-apparmor-workaround.service
-  mount --bind /dev/null /sys/module/apparmor/parameters/enabled 2>/dev/null || true
+  $STD systemctl start docker-apparmor-workaround.service 2>/dev/null || true
-fi
+
-RCLOCAL
+  msg_ok "Applied Docker AppArmor workaround"
-      fi
-      # Re-add exit 0 at the end
-      echo "exit 0" >>/etc/rc.local
-    fi
-  fi
 }
 
 # ------------------------------------------------------------------------------