Docker desktop not starting in Ubuntu 24.04 LTS

Posted on: November 1, 2024 at 05:19 PM

TL;DR

On Ubuntu 24.04 LTS, AppArmor is enabled by default and blocks Docker Desktop from starting. AppArmor is a security module that provides granular control over what applications can access.

AppArmor policy is used to selectively control access to unprivileged user namespaces on a per-application basis.

Create a new profile for Docker Desktop

Create a new profile named opt.docker-desktop.bin.com.docker.backend in the /etc/apparmor.d/ directory and add the following content to the file.

abi <abi/4.0>,

include <tunables/global>

/opt/docker-desktop/bin/com.docker.backend flags=(default_allow) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/opt.docker-desktop.bin.com.docker.backend>
}

Reload the AppArmor profile

After creating the profile, reload it using the following command.

sudo apparmor_parser -r /etc/apparmor.d/opt.docker-desktop.bin.com.docker.backend

Or you can reload all AppArmor profiles by restarting the service with the following command.

$ sudo systemctl restart apparmor.service

Start the Docker Desktop

After reloading the AppArmor profile, you can start Docker Desktop.

Introduction

I have recently migrated to Ubuntu 24.04 LTS from the older Ubuntu 20.04 LTS. After the migration, I installed Docker Desktop and tried to start it, but it would not start and failed silently. After some investigation, I found that AppArmor was blocking Docker Desktop from starting.

What is AppArmor

AppArmor is an easy-to-use Linux Security Module implementation that restricts applications’ capabilities and permissions with profiles that are set per program. It provides mandatory access control (MAC) to supplement the more traditional UNIX model of discretionary access control (DAC).

How to check if AppArmor is enabled

In Ubuntu, AppArmor is installed and loaded by default. You can check this by running aa-status:

$ sudo aa-status

AppArmor Profiles

AppArmor uses a profile for each application to determine which files and permissions the application requires. Some packages install their own profiles, and additional profiles can be found in the apparmor-profiles package.

Install AppArmor Profiles

To install the AppArmor profiles package, run the following command:

$ sudo apt install apparmor-profiles

AppArmor profiles have two modes of operation:

Profile

AppArmor profiles are simple text files located in /etc/apparmor.d/. The files are named after the full path to the executable they profile, with each "/" replaced by ".". For example, the profile for /bin/ping would be /etc/apparmor.d/bin.ping.

There are two main types of rules in AppArmor profiles:

An example profile for the ping command is shown below:

#include <tunables/global>
/bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,

  /bin/ping mixr,
  /etc/modules.conf r,
}

The above can be broken down as follows:

Docker Desktop AppArmor Profile

AppArmor uses a profile to control what the application can access. For Docker Desktop, the profile is located at /etc/apparmor.d/opt.docker-desktop.bin.com.docker.backend. If this profile is not present, you can create it with the following content.

Create a new profile named opt.docker-desktop.bin.com.docker.backend in the /etc/apparmor.d/ directory and add the following content to the file.

abi <abi/4.0>,

include <tunables/global>

/opt/docker-desktop/bin/com.docker.backend flags=(default_allow) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/opt.docker-desktop.bin.com.docker.backend>
}

Reload the AppArmor profile

After creating the profile, reload it using the following command.

$ sudo apparmor_parser -r /etc/apparmor.d/opt.docker-desktop.bin.com.docker.backend
# OR reload all the apparmor services
$ sudo systemctl restart apparmor.service

Start the Docker Desktop

After reloading the AppArmor profile, you can start Docker Desktop.
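
To confirm that the user-namespace restriction is the cause before adding the profile, and that the profile has the expected shape afterwards, the following shell script is an added example, not part of the original post. It counts AppArmor userns_create denials per process in kernel log lines and checks that a profile file names the binary and carries a userns rule. The function names are hypothetical and the log lines are constructed samples whose field layout is assumed from kernel audit output.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Read kernel log lines on stdin and print "<count> <comm>" for every
# process name that AppArmor denied user-namespace creation.
userns_denials() {
  grep 'apparmor="DENIED"' |
    grep 'operation="userns_create"' |
    sed -n 's/.* comm="\([^"]*\)".*/\1/p' |
    sort | uniq -c | awk '{ print $1, $2 }'
}

# Succeed if profile file $1 names executable $2 and carries a userns rule,
# i.e. it has the shape of the Docker Desktop profile shown above.
profile_grants_userns() {
  grep -qF -- "$2 " "$1" && grep -Eq '^[[:space:]]*userns,' "$1"
}

# Constructed sample input (field layout assumed from kernel audit output).
# The kernel truncates comm to 15 characters: com.docker.backend -> com.docker.back
sample_log() {
  cat <<'EOF'
kernel: audit: type=1400 audit(1730480531.101:201): apparmor="DENIED" operation="userns_create" class="namespace" profile="unconfined" pid=4121 comm="com.docker.back" requested="userns_create" denied="userns_create"
kernel: audit: type=1400 audit(1730480531.412:202): apparmor="STATUS" operation="profile_load" profile="unconfined" name="example-profile" pid=901 comm="apparmor_parser"
kernel: audit: type=1400 audit(1730480533.007:203): apparmor="DENIED" operation="open" profile="example-profile" name="/etc/example.conf" pid=4200 comm="example-app" requested_mask="r" denied_mask="r"
kernel: audit: type=1400 audit(1730480534.250:204): apparmor="DENIED" operation="userns_create" class="namespace" profile="unconfined" pid=4188 comm="com.docker.back" requested="userns_create" denied="userns_create"
kernel: audit: type=1400 audit(1730480540.900:205): apparmor="DENIED" operation="userns_create" class="namespace" profile="unconfined" pid=4302 comm="example-app" requested="userns_create" denied="userns_create"
EOF
}

# Demonstration on the constructed sample.
sample_log | userns_denials

# On a live system:
#   sysctl kernel.apparmor_restrict_unprivileged_userns   # 1 = restriction on
#   sudo journalctl -k -b | userns_denials
#   sudo aa-status | grep -F com.docker.backend           # after the reload
```

If the denial count for the Docker Desktop backend keeps growing after the reload, the profile is either not loaded or not attached to the path the binary actually runs from.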

Conclusion

On Ubuntu 24.04 LTS, AppArmor is enabled by default and blocks Docker Desktop from starting. AppArmor is a security module that can be used to granularly control what applications can access. AppArmor policy is used to selectively control access to unprivileged user namespaces on a per-application basis.

The above example is for the docker-desktop application. However, you can create a profile for any application that is being blocked by AppArmor.