Docker Desktop: Difference between revisions
'''[[Docker]] Desktop''' is a convenient GUI application for managing the Docker Engine on your host operating system.
Because starting Docker Desktop automatically sets the Docker context in use, on a Linux workstation you will probably need to start Docker Desktop to get the correct behaviour from your docker setup, rather than also relying on a system-wide docker-ce install.
If you want to run Docker Engine in 'rootless' mode, see the [https://rootlesscontaine.rs/getting-started/docker/ Rootless Containers project] and don't use Docker Desktop (or at least know when and how to use each separately).
Meanwhile, [[Minikube]], which is for [[Kubernetes]], has sections for both 'regular' and 'rootless' docker [https://minikube.sigs.k8s.io/docs/drivers/docker/#Rootless%20Docker in their docs].
== Docker Desktop not working on Ubuntu 24.04 ==
Docker Desktop apparently has a problem running on Ubuntu 24.04 (and Kubuntu 24.04). If you encounter this issue, it is most likely (99.9%?) because Ubuntu made security configuration changes for AppArmor in 2023. We'll get to why this problem exists when we cover how to fix it; first, let's focus on identifying the problem.
You can tell you have a problem because when you launch Docker Desktop, nothing happens. The dockerd daemon does not start, and the GUI does not appear.
You can also tell because if you try to do anything from the command line (e.g. <code>docker run hello-world</code>), or otherwise involve Docker, you will get the familiar 'Is the docker daemon running?' error output.
=== Docker diagnose ===
You can get a more accurate picture of your system status with
</poem>
== Fix Docker Desktop on Ubuntu ==
Confine the Docker Desktop application with its own AppArmor profile<ref>https://askubuntu.com/questions/1511725/ubuntu-24-04-docker-desktop-is-not-starting/1519662#1519662:~:text=Create%20a%20default_allow%20AppArmor%20profile</ref>:
Edit (create) <code>/etc/apparmor.d/local/docker-desktopkend</code> with the following contents:
<pre>
abi <abi/4.0>,
include <tunables/global>

/opt/docker-desktop/bin/com.docker.backend flags=(default_allow) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/opt.docker-desktop.bin.com.docker.backend>
}
</pre>
Restart the AppArmor service:
<code>sudo systemctl restart apparmor.service</code>
You should now be able to run Docker Desktop and the diagnose command, and it will keep working after a reboot too. Going forward, I suppose the AppArmor profile for Docker Desktop will be included in the distribution so that users will not need to do anything.
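To confirm the fix is in place without guessing, the following added script (not part of this wiki page) reads the sysctl Ubuntu uses for the unprivileged user-namespace restriction and the kernel's list of loaded AppArmor profiles, and reports whether the <code>com.docker.backend</code> profile from above is loaded. The parsers take text so they can be run against constructed samples; the sysctl and profile-list paths are assumed from Ubuntu's AppArmor documentation.

```python
"""Added example, not from the wiki page: verify the two conditions behind the
Ubuntu 24.04 fix. Ubuntu exposes the unprivileged user-namespace restriction as
the sysctl kernel.apparmor_restrict_unprivileged_userns, and the kernel lists
loaded AppArmor profiles, one "<name> (<mode>)" per line, in
/sys/kernel/security/apparmor/profiles. main() reads the real files."""
from typing import Dict, Optional

SYSCTL_PATH = "/proc/sys/kernel/apparmor_restrict_unprivileged_userns"
PROFILES_PATH = "/sys/kernel/security/apparmor/profiles"
BACKEND = "/opt/docker-desktop/bin/com.docker.backend"  # profile name from the fix


def userns_restricted(sysctl_text: str) -> bool:
    """'1' means unprivileged user namespaces are confined by AppArmor."""
    return sysctl_text.strip() == "1"


def parse_profiles(profiles_text: str) -> Dict[str, str]:
    """Map each loaded profile name to its mode, e.g. 'enforce'."""
    loaded = {}
    for line in profiles_text.splitlines():
        name, sep, mode = line.strip().rpartition(" (")
        if sep and mode.endswith(")"):
            loaded[name] = mode[:-1]
    return loaded


def backend_status(sysctl_text: Optional[str], profiles_text: str) -> str:
    """Summarise whether the fix is needed and whether it is in place."""
    if sysctl_text is None:
        return "no-restriction-sysctl"      # kernel without Ubuntu's patch
    if not userns_restricted(sysctl_text):
        return "userns-unrestricted"        # restriction off: fix not needed
    mode = parse_profiles(profiles_text).get(BACKEND)
    return "profile-loaded:" + mode if mode else "profile-missing"


def read_or_none(path: str) -> Optional[str]:
    """Return the file's text, or None when it does not exist or is unreadable."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    print(backend_status(read_or_none(SYSCTL_PATH), read_or_none(PROFILES_PATH) or ""))
```

Run it as root (the profiles file is only readable by root on some setups); "profile-missing" with the restriction on means the profile was not loaded, typically a typo in the file or AppArmor not restarted.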
=== Why does this problem exist? ===
'''[https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces Unprivileged User namespace restrictions]''' were [https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#p-99950-unprivileged-user-namespace-restrictions introduced in Ubuntu 24.04] because the developers (and Canonical) want to take a "security by default" posture.
A lot of people on the internet will tell you the solution is to turn off the security feature. That is the wrong approach. It is reminiscent of the people who disable Red Hat's SELinux (Security-Enhanced Linux) because it is too hard to learn to use the security features, or who simply do not care about operating a secure system.
== Seccomp security profiles for Docker ==
Secure computing mode (<code>seccomp</code>) is a Linux kernel feature. You can use it to restrict the actions available within the container. The <code>seccomp()</code> system call operates on the seccomp state of the calling process. You can use this feature to restrict your application's access.<ref>https://docs.docker.com/engine/security/seccomp/</ref>
This feature is available only if Docker has been built with <code>seccomp</code> and the kernel is configured with <code>CONFIG_SECCOMP</code> enabled. To check if your kernel supports <code>seccomp</code>, grep through your boot configuration file, such as <code>/boot/config-6.8.0-51-generic</code>:
<code>$ grep CONFIG_SECCOMP /boot/config-$(uname -r)</code>
(the output should show <code>CONFIG_SECCOMP=y</code>)
The default seccomp profile for Docker Desktop is in the '''Moby''' project: https://github.com/moby/moby/blob/master/profiles/seccomp/default.json
You can show your current profile with
<code>docker info --format '<nowiki>{{ .SecurityOptions }}</nowiki>'</code>
Mine shows <tt>[name=seccomp,profile=unconfined name=cgroupns]</tt>
When starting the Docker daemon, you can pass it an option for the profile to use: <code>dockerd --seccomp-profile <path_to_seccomp_profile></code><ref>https://stackoverflow.com/questions/77001300/warning-daemon-is-not-using-the-default-seccomp-profile</ref>
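To make the two facts above concrete, this added example (not code from the wiki page, Docker or Moby) parses the <code>SecurityOptions</code> value that <code>docker info</code> prints and looks up which action a profile in Moby's <code>default.json</code> layout takes for a given syscall. Only the <code>names</code>, <code>action</code> and <code>includes</code>/<code>excludes</code> capability fields are honoured (the real engine also matches arches, args and minKernel), and <code>SAMPLE_PROFILE</code> is constructed for illustration rather than taken from Moby.

```python
"""Added example, not code from the wiki page or from Docker/Moby: parse the
SecurityOptions value printed by docker info and look up the action a seccomp
profile in Moby's default.json layout takes for a syscall. Only the 'names',
'action' and 'includes'/'excludes' caps fields are honoured; the real engine
also matches arches, args and minKernel. SAMPLE_PROFILE is constructed."""
import json
from typing import Dict, Set

SAMPLE_PROFILE = json.loads("""{
  "defaultAction": "SCMP_ACT_ERRNO", "defaultErrnoRet": 1,
  "syscalls": [
    {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["unshare", "mount"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW",
     "excludes": {"caps": ["CAP_SYS_PTRACE"]}}
  ]}""")


def parse_security_options(line: str) -> Dict[str, Dict[str, str]]:
    """'[name=seccomp,profile=unconfined name=cgroupns]' ->
    {'seccomp': {'profile': 'unconfined'}, 'cgroupns': {}}"""
    opts = {}
    for item in line.strip().strip("[]").split():
        fields = dict(kv.split("=", 1) for kv in item.split(","))
        opts[fields.pop("name")] = fields
    return opts


def daemon_seccomp_confined(line: str) -> bool:
    """False if the daemon has no seccomp support or runs 'unconfined'."""
    seccomp = parse_security_options(line).get("seccomp")
    return seccomp is not None and seccomp.get("profile") != "unconfined"


def syscall_action(profile: dict, syscall: str, caps: Set[str]) -> str:
    """Action for `syscall` given the container's bounding capabilities.
    A rule applies only if all 'includes' caps are held and no 'excludes'
    cap is; the first applicable rule decides, else defaultAction."""
    for rule in profile.get("syscalls", []):
        if syscall not in rule.get("names", []):
            continue
        if not set(rule.get("includes", {}).get("caps", [])) <= caps:
            continue
        if set(rule.get("excludes", {}).get("caps", [])) & caps:
            continue
        return rule["action"]
    return profile["defaultAction"]
```

Feed <code>syscall_action</code> the real <code>default.json</code> (via <code>json.load</code>) to see why a container without <code>CAP_SYS_ADMIN</code> cannot <code>mount</code> or <code>unshare</code> even though the daemon's profile allows them for privileged containers.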
{{References}}
[[Category:Virtualization]]
[[Category:DevOps]]
[[Category:Kubernetes]]