Can not run docker in ubuntu22.04 container

tomp · November 27, 2025, 8:05am

Its related to a runc CVE fix that exposed a limitation in AppArmor.

github.com/canonical/lxd

Container: Don't bother with sys/proc protections when nesting enabled (from Incus)

main ← tomponline:tp-docker

opened 09:55AM - 11 Nov 25 UTC

tomponline

+6 -0

When nesting is enabled, it's possible for the container to get a clean copy of …/proc or /sys mounted anywhere without AppArmor being able to mediate. So there's little point in trying to apply safety checks on top of the main /proc and /sys. On top of that, we've recently discovered that AppArmor doesn't properly handle file access relative to a file descriptor, causing a bunch of those checks to deny access when they shouldn't. Related to https://github.com/lxc/incus/issues/2623 Fixes https://github.com/canonical/lxd/issues/16902 (cherry picked from commit 1fbe4bffb9748cc3b07aaf5db310d463c1e827d0) License: Apache-2.0

There’s a workaround for this in LXD 6.6 available in the 6/candidate channel and will be rolling
out to 6/stable next week.

For the 5.21/stable LTS channel it will take a bit longer as we are in the process of backporting the fix to that series to include in an interim release.