Docker Desktop: Difference between revisions
Created page with "(Intro needed about Docker Desktop) == Docker Desktop not working on Ubuntu 24.04 == Docker Desktop apparently has a problem running on Ubuntu 24.04 (and Kubuntu 24.04) You can tell because when you launch Docker Desktop, nothing happens (the dockerd daemon does not start, and the GUI does not appear). You can also tell because if you try to do anything from the command line (e.g. <code>docker run hello-world</code>), or otherwise involve Docker, you will get the..." |
m there is no reason to include the '=' in the grep needle |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 2: | Line 2: | ||
== Docker Desktop not working on Ubuntu 24.04 == | == Docker Desktop not working on Ubuntu 24.04 == | ||
Docker Desktop apparently has a problem running on Ubuntu 24.04 (and Kubuntu 24.04) | Docker Desktop apparently has a problem running on Ubuntu 24.04 (and Kubuntu 24.04). If you encounter this issue, it is most likely (99.9%?) because Ubuntu made security configuration changes in 2023 for AppArmor. We'll get to the "why" this problem exists in a bit when we cover how to fix it. First, let's focus on identifying the problem. | ||
You can tell because when you launch Docker Desktop, nothing happens | You can tell you have a problem because when you launch Docker Desktop, nothing happens. The dockerd daemon does not start, and the GUI does not appear. | ||
You can also tell because if you try to do anything from the command line (e.g. <code>docker run hello-world</code>), or otherwise involve Docker, you will get the familiar 'Is the docker daemon running?' error output. | You can also tell because if you try to do anything from the command line (e.g. <code>docker run hello-world</code>), or otherwise involve Docker, you will get the familiar 'Is the docker daemon running?' error output. | ||
=== Docker diagnose === | |||
You can get a more accurate picture of your system status with | You can get a more accurate picture of your system status with | ||
| Line 102: | Line 103: | ||
</poem> | </poem> | ||
== Fix Docker Desktop on Ubuntu == | |||
Confine the Docker Desktop application with its own AppArmor profile<ref>https://askubuntu.com/questions/1511725/ubuntu-24-04-docker-desktop-is-not-starting/1519662#1519662:~:text=Create%20a%20default_allow%20AppArmor%20profile</ref>: | |||
Edit (create) <code>/etc/apparmor.d/local/docker-desktopkend</code> | |||
with contents<pre> | |||
abi <abi/4.0>, | |||
include <tunables/global> | |||
/opt/docker-desktop/bin/com.docker.backend flags=(default_allow) { | |||
userns, | |||
# Site-specific additions and overrides. See local/README for details. | |||
include if exists <local/opt.docker-desktop.bin.com.docker.backend> | |||
} | |||
</pre>Restart the AppArmor service | |||
<code>sudo systemctl restart apparmor.service</code> | |||
You should now be able to run Docker Desktop, and run the diagnose command, and it will continue to work after rebooting too. Going forward, I suppose the AppArmor profile for Docker Desktop will be included in the distribution so that users will not need to do anything. | |||
=== Why does this problem exist? === | |||
'''[https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces Unprivileged User namespace restrictions]''' were [https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#p-99950-unprivileged-user-namespace-restrictions introduced in Ubuntu 24.04] because the developers (and Canonical) want to take a "security by default" posture. | |||
A lot of people on the internet will tell you the solution is to turn off the security feature. That is the wrong approach. That approach is reminiscent of the people who disable RedHat's SELinux (Security Enhanced Linux) because it's too hard to learn to use the security features or simply do not care about operating a secure system. | |||
== Seccomp security profiles for Docker == | |||
Secure computing mode (<code>seccomp</code>) is a Linux kernel feature. You can use it to restrict the actions available within the container. The <code>seccomp()</code> system call operates on the seccomp state of the calling process. You can use this feature to restrict your application's access.<ref>https://docs.docker.com/engine/security/seccomp/</ref> | |||
This feature is available only if Docker has been built with <code>seccomp</code> and the kernel is configured with <code>CONFIG_SECCOMP</code> enabled. To check if your kernel supports <code>seccomp</code>, grep through your boot configuration file such as <code>/boot/config-6.8.0-51-generic</code> | |||
<code>$ grep CONFIG_SECCOMP /boot/config-$(uname -r)</code> | |||
(output should show CONFIG_SECCOMP=y) | |||
The default seccomp profile for Docker Desktop is in the '''Moby''' project https://github.com/moby/moby/blob/master/profiles/seccomp/default.json | |||
You can show your current profile with | |||
<code>docker info --format '<nowiki>{{ .SecurityOptions }}</nowiki>'</code> | |||
Mine shows <tt>[name=seccomp,profile=unconfined name=cgroupns]</tt> | |||
When starting Docker Daemon, you can pass it an option for the profile to use: <code>dockerd --seccomp-profile <path_to_seccomp_profile></code> <ref>https://stackoverflow.com/questions/77001300/warning-daemon-is-not-using-the-default-seccomp-profile</ref> | |||
{{References}} | |||
[[Category:Virtualization]] | [[Category:Virtualization]] | ||
[[Category:DevOps]] | [[Category:DevOps]] | ||
[[Category:Kubernetes]] | [[Category:Kubernetes]] | ||
Latest revision as of 14:48, 14 January 2025
(Intro needed about Docker Desktop)
Docker Desktop not working on Ubuntu 24.04[edit]
Docker Desktop apparently has a problem running on Ubuntu 24.04 (and Kubuntu 24.04). If you encounter this issue, it is most likely (99.9%?) because Ubuntu made security configuration changes in 2023 for AppArmor. We'll get to the "why" this problem exists in a bit when we cover how to fix it. First, let's focus on identifying the problem.
You can tell you have a problem because when you launch Docker Desktop, nothing happens. The dockerd daemon does not start, and the GUI does not appear.
You can also tell because if you try to do anything from the command line (e.g. docker run hello-world), or otherwise involve Docker, you will get the familiar 'Is the docker daemon running?' error output.
Docker diagnose[edit]
You can get a more accurate picture of your system status with
/opt/docker-desktop/bin/com.docker.diagnose check
Starting diagnostics [2025-01-14T13:48:38.013167057Z][com.docker.diagnose.ipc] b6c35505-diagnose -> <HOME>/.docker/desktop/backend.sock BackendAPI [2025-01-14T13:48:38.016784371Z][com.docker.diagnose.ipc] (32855441) b6c35505-diagnose C->S BackendAPI POST /idle/make-busy [2025-01-14T13:48:38.018660245Z][com.docker.diagnose.ipc][W] (32855441) b6c35505-diagnose C<-S NoResponse POST /idle/make-busy (2.916439ms): Post "http://ipc/idle/make-busy": dial unix <HOME>/.docker/desktop/backend.sock: connect: connection refused [2025-01-14T13:48:39.015923682Z][com.docker.diagnose.ipc] (32855441-2) b6c35505-diagnose C->S BackendAPI GET /idle [2025-01-14T13:48:39.016907056Z][com.docker.diagnose.ipc][W] (32855441-2) b6c35505-diagnose C<-S NoResponse GET /idle (1.019838ms): Get "http://ipc/idle": dial unix <HOME>/.docker/desktop/backend.sock: connect: connection refused [PASS] DD0039: are KVM user permissions configured? [PASS] DD0018: does the host support virtualization? [FAIL] DD0001: is the application running? Docker is not running [FAIL] DD0017: can a VM be started? vm has not started: vm has not started [FAIL] DD0016: is the LinuxKit VM running? prereq failed: is the application running? [FAIL] DD0004: is the Docker engine running? prereq failed: is the LinuxKit VM running? [PASS] DD0015: are the binary symlinks installed? [FAIL] DD0031: does the Docker API work? prereq failed: is the Docker engine running? [PASS] DD0013: is the $PATH ok? [PASS] DD0034: is Context set to a Docker Desktop context? [FAIL] DD0003: is the Docker CLI working? prereq failed: is the Docker engine running? [FAIL] DD0038: is the connection to Docker working? prereq failed: is the Docker engine running? [FAIL] DD0014: are the backend processes running? prereq failed: is the LinuxKit VM running? [FAIL] DD0007: is the backend responding? prereq failed: are the backend processes running? [FAIL] DD0009: is the vpnkit API responding? prereq failed: are the backend processes running? [FAIL] DD0010: is the Docker API proxy responding? prereq failed: are the backend processes running? [FAIL] DD0030: is the image access management authorized? prereq failed: is the Docker engine running? [PASS] DD0037: is the virtiofs setup correct? [PASS] DD0036: is the credentials store configured correctly? [PASS] DD0033: does the host have Internet access? [PASS] DD0039: are KVM user permissions configured? [PASS] DD0018: does the host support virtualization? [WARN] DD0001: is the application running? Docker is not running [WARN] DD0017: can a VM be started? vm has not started: vm has not started [WARN] DD0016: is the LinuxKit VM running? prereq failed: is the application running? [WARN] DD0004: is the Docker engine running? prereq failed: is the LinuxKit VM running? [PASS] DD0015: are the binary symlinks installed? [WARN] DD0031: does the Docker API work? prereq failed: is the Docker engine running? [WARN] DD0032: do Docker networks overlap with host IPs? prereq failed: does the Docker API work?
Please note the following 6 warnings:
1 : The check: is the application running?
Produced the following warning: Docker is not running
Is the Docker Desktop application running?
2 : The check: can a VM be started?
Produced the following warning: vm has not started: vm has not started
The Docker engine runs inside a Linux VM. Therefore we must be able to start Virtual Machines.
3 : The check: is the LinuxKit VM running?
Produced the following warning: prereq failed: is the application running?
The Docker engine runs inside a Linux VM. Therefore the VM must be running.
4 : The check: is the Docker engine running?
Produced the following warning: prereq failed: is the LinuxKit VM running?
The Docker engine manages all containers and images on the host. Check the dockerd.log to see why it failed to start.
5 : The check: does the Docker API work?
Produced the following warning: prereq failed: is the Docker engine running?
If the Docker API is not available from the host then Docker Desktop will not work correctly.
6 : The check: do Docker networks overlap with host IPs?
Produced the following warning: prereq failed: does the Docker API work?
If the subnet used by a Docker network overlaps with an IP used by the host, then containers
won't be able to contact the overlapping IP addresses.
Try configuring the IP address range used by networks: in your docker-compose.yml.
See https://docs.docker.com/compose/compose-file/compose-file-v2/#ipv4_address-ipv6_address
Please investigate the following 2 issues:
1 : The test: can a VM be started?
Failed with: vm has not started: vm has not started
The Docker engine runs inside a Linux VM. Therefore we must be able to start Virtual Machines.
2 : The test: is the application running?
Failed with: Docker is not running
Is the Docker Desktop application running?
Fix Docker Desktop on Ubuntu[edit]
Confine the Docker Desktop application with its own AppArmor profile[1]:
Edit (create) /etc/apparmor.d/local/docker-desktopkend
with contents
abi <abi/4.0>,
include <tunables/global>
/opt/docker-desktop/bin/com.docker.backend flags=(default_allow) {
userns,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/opt.docker-desktop.bin.com.docker.backend>
}
Restart the AppArmor service
sudo systemctl restart apparmor.service
You should now be able to run Docker Desktop, and run the diagnose command, and it will continue to work after rebooting too. Going forward, I suppose the AppArmor profile for Docker Desktop will be included in the distribution so that users will not need to do anything.
Why does this problem exist?[edit]
Unprivileged User namespace restrictions were introduced in Ubuntu 24.04 because the developers (and Canonical) want to take a "security by default" posture.
A lot of people on the internet will tell you the solution is to turn off the security feature. That is the wrong approach. That approach is reminiscent of the people who disable RedHat's SELinux (Security Enhanced Linux) because it's too hard to learn to use the security features or simply do not care about operating a secure system.
Seccomp security profiles for Docker[edit]
Secure computing mode (seccomp) is a Linux kernel feature. You can use it to restrict the actions available within the container. The seccomp() system call operates on the seccomp state of the calling process. You can use this feature to restrict your application's access.[2]
This feature is available only if Docker has been built with seccomp and the kernel is configured with CONFIG_SECCOMP enabled. To check if your kernel supports seccomp, grep through your boot configuration file such as /boot/config-6.8.0-51-generic
$ grep CONFIG_SECCOMP /boot/config-$(uname -r)
(output should show CONFIG_SECCOMP=y)
The default seccomp profile for Docker Desktop is in the Moby project https://github.com/moby/moby/blob/master/profiles/seccomp/default.json
You can show your current profile with
docker info --format '{{ .SecurityOptions }}'
Mine shows [name=seccomp,profile=unconfined name=cgroupns]
When starting Docker Daemon, you can pass it an option for the profile to use: dockerd --seccomp-profile <path_to_seccomp_profile> [3]
References[edit]
- ↑ https://askubuntu.com/questions/1511725/ubuntu-24-04-docker-desktop-is-not-starting/1519662#1519662:~:text=Create%20a%20default_allow%20AppArmor%20profile
- ↑ https://docs.docker.com/engine/security/seccomp/
- ↑ https://stackoverflow.com/questions/77001300/warning-daemon-is-not-using-the-default-seccomp-profile
