User Namespace fails with Docker Snap - AppArmor profile too restrictive
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
docker (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
This is a summary of my 2 posts:
1. https:/
2. https:/
In brief, I want to activate User Namespace for Docker. Currently, when using Docker provided as a Snap package, it is not possible to use the `userns-remap` option with the default value. AppArmor denies the permission to create a new user.
I went the manual way, creating the user and appropriate UID/GID mapping. But AppArmor still denies read access to /etc/subuid and /etc/subgid.
So the problem is: User Namespace does not work out of the box.
Solution:
I have edited this file `/var/lib/
After making sure the changes were activated, I got the result (snippet from `sudo docker info` command):
    Security Options:
     apparmor
     seccomp
      Profile: default
     userns
And running `sudo docker run hello-world` did work as well.
Could you make the change permanent?
Note: it seems that, probably after a reboot, snap reset the AppArmor profile to the default, breaking my dockerd installation. Therefore there is not really a workaround and it requires a proper patch.
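
The manual step described in the report (creating the remap user and its UID/GID mapping) can be verified on its own, so that a remaining failure can be attributed to the AppArmor profile rather than to the mapping. The following is an added example, not part of the original report or of Docker's code; the user name `dockremap` (the account Docker uses for the `default` value) and the sample file contents are assumptions.

```sh
#!/bin/sh
# Added example, not from the bug report. Entry format: name:start:count.

# Print "start count" for the first entry of user $1 in file $2.
# Exit status: 0 found, 1 no entry, 2 file unreadable, 3 malformed entry.
subid_entry() (
    user=$1 file=$2
    [ -r "$file" ] || exit 2
    while IFS=: read -r name start count || [ -n "$name" ]; do
        [ "$name" = "$user" ] || continue
        case $start in ''|*[!0-9]*) exit 3 ;; esac
        case $count in ''|*[!0-9]*) exit 3 ;; esac
        echo "$start $count"
        exit 0
    done < "$file"
    exit 1
)

# Check user $1 in both files; $2 and $3 override the system paths.
check_remap_user() (
    user=$1 status=0
    for f in "${2:-/etc/subuid}" "${3:-/etc/subgid}"; do
        rc=0
        out=$(subid_entry "$user" "$f") || rc=$?
        case $rc in
            0) if [ "${out#* }" -gt 0 ]; then
                   echo "ok: $f gives $user ${out#* } IDs from ${out% *}"
               else
                   echo "bad: $f gives $user an empty range"; status=1
               fi ;;
            1) echo "missing: no entry for $user in $f"; status=1 ;;
            2) echo "unreadable: $f"; status=1 ;;
            *) echo "malformed: entry for $user in $f"; status=1 ;;
        esac
    done
    exit "$status"
)

# Constructed sample files (not from the report): the subgid entry is missing.
demo() (
    d=$(mktemp -d) || exit 2
    printf 'dockremap:165536:65536\n' > "$d/subuid"
    printf 'someoneelse:100000:65536\n' > "$d/subgid"
    rc=0
    check_remap_user dockremap "$d/subuid" "$d/subgid" || rc=$?
    rm -rf "$d"
    exit "$rc"
)
demo || echo "mapping incomplete"
```

On a real host, `check_remap_user dockremap` with no further arguments reads `/etc/subuid` and `/etc/subgid`; run outside the snap's confinement, it checks the entries themselves and not whether the confined daemon is allowed to read them.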