Ubuntu 24.04 broke Docker inside an LXD container

I have a container where I have been running Docker perfectly well for a long time now and I just upgraded the host OS to Ubuntu 24.04. After this, Docker won’t run even “docker run hello-world” anymore successfully inside my container, just spitting out the following error:

docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error jailing process inside rootfs: pivot_root .: permission denied: unknown.
ERRO[0004] error waiting for container:

Why would upgrading to 24.04 break things like this? How do I fix it?

That sounds like the new default restrictions being applied; please see the Noble Numbat Release Notes.

What does snap list show?

Recent versions of LXD turn the new apparmor restrictions off.

Running LXD version 5.21.1-10f4115

Doesn’t appear to be that. I disabled the restriction and I’m still getting the same error.

I didn’t have time to check what was going on earlier, but now that I did, it would seem that AppArmor prevents pivot_root from working. This is, apparently, a new restriction in 24.04 and isn’t affected by the changes mentioned in the release notes.

I know nothing about AppArmor, I dunno how this should be fixed. Besides that, if a user wants to run Docker or something inside a container, they should be able to without having to mess around with AppArmor, IMO, so this should be fixed properly upstream.
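A way to confirm on the host that it really is AppArmor rejecting pivot_root, rather than some other part of the stack: AppArmor logs a kernel audit line with apparmor="DENIED" operation="pivotroot" and the profile of the confined container each time the syscall is refused. The script below is an added example, not something posted in this thread; it scans such lines and reports the profile, PID and process name behind each denial. The sample log lines, container names, overlay paths and PIDs in it are constructed placeholders; on a real host you would pipe in `dmesg` or `journalctl -k` instead.

```shell
#!/bin/sh
# Added example (not from the thread): find AppArmor pivot_root denials in
# kernel audit output and show which profile (i.e. which LXD container) was
# blocked. Feed it real data with:  journalctl -k | pivotroot_denials

# Constructed sample log lines. Profile names, paths and PIDs are placeholders
# in the shape AppArmor uses for LXD-confined containers.
SAMPLE_LOG='audit: type=1400 audit(1714000000.101:40): apparmor="DENIED" operation="pivotroot" class="mount" profile="lxd-mycontainer_</var/snap/lxd/common/lxd>" name="/var/lib/docker/overlay2/placeholder/merged/" pid=4242 comm="runc:[2:INIT]"
audit: type=1400 audit(1714000000.102:41): apparmor="ALLOWED" operation="mount" profile="lxd-mycontainer_</var/snap/lxd/common/lxd>" name="/proc/" pid=4243 comm="runc:[2:INIT]"
audit: type=1400 audit(1714000000.103:42): apparmor="DENIED" operation="pivotroot" class="mount" profile="lxd-othercontainer_</var/snap/lxd/common/lxd>" name="/var/lib/docker/overlay2/placeholder2/merged/" pid=5151 comm="runc:[2:INIT]"'

# Read audit lines on stdin; print "<profile> <pid> <comm>" for every
# pivot_root that AppArmor denied. Lines for other operations, or that were
# allowed, are dropped.
pivotroot_denials() {
    grep 'apparmor="DENIED"' | grep 'operation="pivotroot"' \
    | sed -n 's/.*profile="\([^"]*\)".*pid=\([0-9]*\).*comm="\([^"]*\)".*/\1 \2 \3/p'
}

# Number of pivot_root denials in the text passed as $1.
count_pivotroot_denials() {
    printf '%s\n' "$1" | pivotroot_denials | wc -l | tr -d ' '
}

# Distinct confining profiles that hit the denial, one per line. Each
# "lxd-<name>_<...>" profile corresponds to one container on the host.
denied_profiles() {
    printf '%s\n' "$1" | pivotroot_denials | cut -d' ' -f1 | sort -u
}

# Stand-alone run over the constructed sample: prints the two denials and the
# two affected container profiles.
printf '%s\n' "$SAMPLE_LOG" | pivotroot_denials
denied_profiles "$SAMPLE_LOG"
```

If the denials show up for the container's own lxd-<name> profile while running docker, the failure is in the host's AppArmor confinement of the container and not in Docker, runc or the guest's filesystem; absence of such lines points elsewhere.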

Please can you log an issue with your reproducer steps on GitHub. Thanks.

Done: Ubuntu 24.04 AppArmor breaks pivot_root inside LXD containers · Issue #13389 · canonical/lxd · GitHub
