Docker desktop not starting on Ubuntu 24.04
Table of contents
Open Table of contents
TL;DR
In Ubuntu 24.04 LTS the Apparmor is enabled by default and it is blocking the docker desktop from starting. AppArmor is a security module that can control the granular access to applications.
AppArmor policy is used to selectively control access to unprivileged user namespaces on a per applications basis.
Create a new profile for Docker Desktop
Create a new profile named opt.docker-desktop.bin.com.docker.backend
in the /etc/apparmor.d/
directory and add the following content to the file.
abi <abi/4.0>,
include <tunables/global>
/opt/docker-desktop/bin/com.docker.backend flags=(default_allow) {
userns,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/opt.docker-desktop.bin.com.docker.backend>
}
Reload the apparmor profile
After creating the profile reload the apparmor profile using the following command.
sudo apparmor_parser -r /etc/apparmor.d/opt.docker-desktop.bin.com.docker.backend
Or you can reload all the apparmor services using the following command.
$ sudo systemctl restart apparmor.service
Start the Docker Desktop
After reloading the apparmor profile you can start the Docker Desktop.
Introduction
I have recently migrated to Ubuntu 24.04 LTS from the older Ubuntu 20.04 LTS. After the migration, I installed Docker Desktop and tried to start it but it was not starting and silently failing. After some investigation, I found that the apparmor is blocking the Docker Desktop from starting.
What is AppArmor
AppArmor is an easy-to-use Linux Security Module implementation that restricts applications’ capabilities and permissions with profiles that are set per program. It provides mandatory access control (MAC) to supplement the more traditional UNIX model of discretionary access control (DAC).
How to check if AppArmor is enabled
In Ubuntu, AppArmor is installed and loaded by default – you can check this by running aa-status
$ sudo aa-status
AppArmor Profiles
AppArmor uses profiles of an application to determine what files and permissions the application requires. Some packages will install their profiles, and additional profiles can be found in the apparmor-profiles
package.
Install AppArmor Profiles
To install the AppArmor profiles package, run the following command:
$ sudo apt install apparmor-profiles
AppArmor profiles have two modes of operation:
- Complaining/Learning: profile violations are permitted and logged. This is useful for testing and developing new profiles.
- Enforced/Confined: enforces profile policy in addition to logging the violation.
Profile
AppArmor profiles are simple text files located in /etc/apparmor.d/
. The files are named after the full path to the executable they profile, replacing /
with .
. For example, the profile for /bin/ping
would be /etc/apparmor.d/bin.ping
.
There are two main types of rules in AppArmor profiles:
- Path entries: detailing which files an application can access in the filesystem.
- Capability entries: determine what privileges a confined process is allowed to use.
An example profile for the ping
command is shown below:
#include <tunables/global>
/bin/ping flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
capability net_raw,
capability setuid,
network inet raw,
/bin/ping mixr,
/etc/modules.conf r,
}
The above can be broken down as follows:
#include <tunables/global>
: Include statements from other files. This allows statements pertaining to multiple applications to be placed in a common file./bin/ping flags=(complain)
: The path to the executable being profiled, with thecomplain
flag.capability net_raw,
: Allows the application access to theCAP_NET_RAW
Posix.1e
capability./bin/ping mixr,
: Allows the application to read and execute access to the/bin/ping
file.
Docker Desktop AppArmor Profile
AppArmor uses a profile to control the access of the application. The profile is located at /etc/apparmor.d/opt.docker-desktop.bin.com.docker.backend
. If the above profile is not present then you can create a new profile with the following content.
Create a new profile named opt.docker-desktop.bin.com.docker.backend
in the /etc/apparmor.d/
directory and add the following content to the file.
abi <abi/4.0>,
include <tunables/global>
/opt/docker-desktop/bin/com.docker.backend flags=(default_allow) {
userns,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/opt.docker-desktop.bin.com.docker.backend>
}
Reload the apparmor profile
After creating the profile reload the apparmor profile using the following command.
$ sudo apparmor_parser -r /etc/apparmor.d/opt.docker-desktop.bin.com.docker.backend
# OR reload all the apparmor services
$ sudo systemctl restart apparmor.service
Start the Docker Desktop
After reloading the apparmor profile you can start the Docker Desktop.
Conclusion
In Ubuntu 24.04 LTS the apparmor is enabled by default and it is blocking the docker desktop from starting. Apparmor is a security module and can be used to granularly control the access of the applications. AppArmor policy is used to selectively control access to unprivileged user namespaces on a per applications basis.
The above example is for the docker-desktop application. However, you can create a profile for any application that is being blocked by the apparmor.