Public bug reported:

# Description

In a CIS hardened Ubuntu server 24.04, docker fails to launch a container. The apparmor profile for runc (/etc/apparmor.d/runc) seems not to apply on a CIS hardened server.

The following Apparmor error messages can be found under /var/log/audit/audit.log: https://paste.ubuntu.com/p/nPXScJKXXh/

# Versions

docker.io: Installed: 26.1.3-0ubuntu1~24.04.1+esm1
apparmor: Installed: 4.0.1really4.0.1-0ubuntu0.24.04.4

# How to produce

Attach a pro token and apply CIS hardening level 2 for server. Install docker.io from the main archive.

```bash
$ sudo pro attach ${TOKEN}
$ sudo pro enable usg
$ sudo apt install usg
$ sudo usg fix cis_level2_server
$ sudo docker run hello-world
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: unable to retrieve OCI runtime error (open /run/containerd/io.containerd.runtime.v2.task/moby/d422496d9c017407f1dec128c6cd0307eac2a3d139540e888acc9b8c00111f10/log.json: no such file or directory): runc did not terminate successfully: exit status 127: unknown
$ runc --version
runc: error while loading shared libraries: libseccomp.so.2: cannot open shared object file: No such file or directory
```

Putting /usr/sbin/runc into apparmor complain mode will allow docker containers to run.

** Affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: sts

https://bugs.launchpad.net/bugs/2111478
Title: docker fails to run in CIS hardened Ubuntu Server
Status in apparmor package in Ubuntu: New
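An added triage helper, not part of the bug report above: it summarises the AppArmor DENIED records for one profile from an audit log, so the paths a confined binary such as runc is refused (here the shared library it fails to load) can be read off before deciding how to amend the profile. The log lines embedded in it are constructed to resemble auditd's AppArmor records, and the libseccomp path is an assumption, not taken from the report's paste.

```shell
#!/bin/sh
# Constructed sample in the shape auditd writes for AppArmor events.
# The "ALLOWED" line is what a complain-mode profile logs instead of DENIED.
AUDIT_SAMPLE='type=AVC msg=audit(1748000000.101:201): apparmor="DENIED" operation="open" class="file" profile="runc" name="/usr/lib/x86_64-linux-gnu/libseccomp.so.2" pid=4242 comm="runc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1748000000.102:202): apparmor="DENIED" operation="open" class="file" profile="runc" name="/usr/lib/x86_64-linux-gnu/libseccomp.so.2" pid=4243 comm="runc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1748000000.103:203): apparmor="ALLOWED" operation="open" class="file" profile="runc" name="/etc/ld.so.cache" pid=4244 comm="runc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1748000000.104:204): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/cupsd" name="/tmp/scratch" pid=5000 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0'

# denied_paths PROFILE [FILE]
# Prints one "count path denied_mask" line per distinct denied path for
# PROFILE, most frequent first. FILE defaults to the auditd log, which
# normally needs root to read. Complain-mode (ALLOWED) records are skipped.
denied_paths() {
    profile="$1"
    logfile="${2:-/var/log/audit/audit.log}"
    grep 'apparmor="DENIED"' "$logfile" \
      | grep "profile=\"$profile\"" \
      | sed -n 's/.*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2, $3}'
}

# Stand-alone run on the constructed sample.
demo_file=$(mktemp)
printf '%s\n' "$AUDIT_SAMPLE" > "$demo_file"
denied_paths runc "$demo_file"
rm -f "$demo_file"
```

On a live host, run it as `denied_paths runc` and compare the listed paths against the rules in /etc/apparmor.d/runc.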