AppArmor profile
Issue
No network connectivity from container. Journal shows:
audit: type=1400 audit(1634036792.582:254): apparmor="DENIED" operation="create" profile="docker-default" pid=32133 comm="ping" family="inet" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"
Reason: the default docker-default AppArmor profile is applied to the container. The profile is loaded into the kernel by the Docker daemon and has no file in /etc/apparmor.d/, so it cannot be disabled with aa-disable, which works on that file.
To work around this issue, create the file /etc/apparmor.d/docker-default with the following contents:
#include <tunables/global>

profile docker-default flags=(attach_disconnected, mediate_deleted) {

  #include <abstractions/base>

  ptrace peer=@{profile_name},

  network,
  capability,
  file,
  umount,

  deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
  # deny write to files not in /proc/<number>/** or /proc/sys/**
  deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
  deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
  deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/kcore rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny mount,

  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/** rwklx,
  deny /sys/kernel/security/** rwklx,
}
Then switch the profile to complain mode (aa-complain docker-default) or disable it (aa-disable docker-default).
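As an added example (not part of the original note), a small POSIX shell helper that pulls the denying profile and socket details out of audit lines like the one in the journal above, and checks whether that profile is currently loaded and in which mode, so you know what aa-complain or aa-disable will act on. The securityfs path and its `name (mode)` line format are AppArmor's own; the sample line is constructed from the journal entry quoted above.

```shell
#!/bin/sh
# Added example, not from the original note.

# Print the value of key="value" or key=value from one audit line.
# $1 = audit line, $2 = key (e.g. profile, comm, family)
aa_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Summarise one audit line as "<profile> <operation> <comm> <family>/<sock_type>".
# Prints nothing and returns 1 for lines that are not AppArmor denials.
aa_summarise() {
    line=$1
    case $line in
        *'apparmor="DENIED"'*) ;;
        *) return 1 ;;
    esac
    printf '%s %s %s %s/%s\n' "$(aa_field "$line" profile)" "$(aa_field "$line" operation)" \
        "$(aa_field "$line" comm)" "$(aa_field "$line" family)" "$(aa_field "$line" sock_type)"
}

# Report the mode a loaded profile is in: "enforce", "complain", or "not loaded".
# $1 = profile name, $2 = profiles list (defaults to AppArmor's securityfs file,
# which is normally readable only by root).
aa_profile_mode() {
    profiles=${2:-/sys/kernel/security/apparmor/profiles}
    [ -r "$profiles" ] || { echo "unknown (cannot read $profiles)"; return 2; }
    mode=$(sed -n "s/^$1 (\(.*\))\$/\1/p" "$profiles")
    if [ -n "$mode" ]; then
        echo "$mode"
    else
        echo "not loaded"
        return 1
    fi
}

# Constructed sample: the journal line from the note above.
SAMPLE_LINE='audit: type=1400 audit(1634036792.582:254): apparmor="DENIED" operation="create" profile="docker-default" pid=32133 comm="ping" family="inet" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"'
aa_summarise "$SAMPLE_LINE"   # docker-default create ping inet/dgram
```

On a live host, run `journalctl -k | grep 'apparmor="DENIED"'` through `aa_summarise` line by line and then `aa_profile_mode docker-default` as root to confirm the profile is the one enforcing before changing its mode.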