Ubuntu: failed to start dockerd after installing docker with snap



Question:

I'm running 16.04 (distro=Ubuntu 16.04.1 LTS and kernel=4.4.0-45-generic) and installed docker by the docker snap.

snap install docker  

And here is my snap list.

# snap list
Name               Version   Rev  Developer  Notes
docker             1.11.2-9  56   canonical  -
snapstore-example  0.3       4    noise      -
ubuntu-core        16.04.1   423  canonical  -

But I was not able to start the docker daemon. What I did:

systemctl start snap.docker.dockerd.service  

The error log seems to be about permissions.

Nov 30 00:54:20 ubuntu-xenial systemd[1]: Started Service for snap application docker.dockerd.
Nov 30 00:54:20 ubuntu-xenial snap[19148]: grep: /proc/self/mountinfo: Permission denied
Nov 30 00:54:20 ubuntu-xenial snap[19148]: time="2016-11-30T00:54:20.708894420Z" level=fatal msg="can't create unix socket /var/run/docker.sock: permission denied"
Nov 30 00:54:20 ubuntu-xenial systemd[1]: snap.docker.dockerd.service: Main process exited, code=exited, status=1/FAILURE
Nov 30 00:54:20 ubuntu-xenial systemd[1]: snap.docker.dockerd.service: Unit entered failed state.
Nov 30 00:54:20 ubuntu-xenial systemd[1]: snap.docker.dockerd.service: Failed with result 'exit-code'.
Nov 30 00:54:20 ubuntu-xenial systemd[1]: snap.docker.dockerd.service: Service hold-off time over, scheduling restart.
Nov 30 00:54:20 ubuntu-xenial systemd[1]: Stopped Service for snap application docker.dockerd.
Nov 30 00:54:20 ubuntu-xenial systemd[1]: snap.docker.dockerd.service: Start request repeated too quickly.
Nov 30 00:54:20 ubuntu-xenial systemd[1]: Failed to start Service for snap application docker.dockerd.

And this error, to be more specific:

Nov 30 00:54:20 ubuntu-xenial snap[19148]: time="2016-11-30T00:54:20.708894420Z" level=fatal msg="can't create unix socket /var/run/docker.sock: permission denied"

Whereas if I do apt-get install docker.io and try to start docker.service with systemctl start docker.service, it works well.

Is there any known issue with the docker snap, or did I miss a step? Thanks!


Solution:1

After some initial troubleshooting, I was able to find the RC myself. It seems AppArmor blocked both grep: /proc/self/mountinfo and creating the socket at /var/run/docker.sock.

syslog.1:Nov 30 02:18:27 ubuntu-xenial kernel: [ 5359.923039] audit: type=1400 audit(1480472307.476:349): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/proc/19448/mountinfo" pid=19448 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
syslog.1:Nov 30 02:18:27 ubuntu-xenial kernel: [ 5359.923053] audit: type=1400 audit(1480472307.476:350): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/proc/19448/mounts" pid=19448 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
syslog.1:Nov 30 02:38:28 ubuntu-xenial kernel: [ 6560.900141] audit: type=1400 audit(1480473508.452:362): apparmor="DENIED" operation="connect" profile="snap.docker.docker" name="/run/docker.sock" pid=20591 comm="docker" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

But why is that? Why does 16.04 ship a default AppArmor profile (in /var/lib/snapd/apparmor/profiles/snap.docker.docker) that would block the dockerd daemon from starting?
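
As an added example (not part of the original answers), the AppArmor denials quoted in Solution 1 can be summarized per snap profile, which shows at a glance which snap app is being blocked and on what path. The function names and the last two sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count AppArmor denials per snap profile from syslog lines.

# Reads log lines on stdin; prints "count profile operation path denied_mask".
summarize_snap_denials() {
    awk '
    function field(key) {
        # Value of key="value" in the current record, or "" when absent.
        if (!match($0, " " key "=\"[^\"]*\"")) return ""
        return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    /apparmor="DENIED"/ {
        profile = field("profile")
        if (profile !~ /^snap\./) next          # snap confinement profiles only
        name = field("name")
        sub(/^\/proc\/[0-9]+\//, "/proc/<pid>/", name)   # fold per-process paths
        count[profile " " field("operation") " " name " " field("denied_mask")]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k2
}

# First three lines are the denials quoted above; the last two are constructed
# (a repeat under another PID, and a non-snap profile that must be ignored).
sample_log() {
    cat <<'EOF'
syslog.1:Nov 30 02:18:27 ubuntu-xenial kernel: [ 5359.923039] audit: type=1400 audit(1480472307.476:349): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/proc/19448/mountinfo" pid=19448 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
syslog.1:Nov 30 02:18:27 ubuntu-xenial kernel: [ 5359.923053] audit: type=1400 audit(1480472307.476:350): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/proc/19448/mounts" pid=19448 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
syslog.1:Nov 30 02:38:28 ubuntu-xenial kernel: [ 6560.900141] audit: type=1400 audit(1480473508.452:362): apparmor="DENIED" operation="connect" profile="snap.docker.docker" name="/run/docker.sock" pid=20591 comm="docker" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 30 02:40:01 ubuntu-xenial kernel: [ 6653.000000] audit: type=1400 audit(1480473601.000:363): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/proc/19460/mountinfo" pid=19460 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 30 02:40:02 ubuntu-xenial kernel: [ 6654.000000] audit: type=1400 audit(1480473602.000:364): apparmor="DENIED" operation="open" profile="/usr/sbin/example" name="/etc/example.conf" pid=19470 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

sample_log | summarize_snap_denials
```

On a live host, pipe /var/log/syslog (or `journalctl -k` output) into summarize_snap_denials instead of sample_log.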


Solution:2

I suspect you are running snapd 2.16ubuntu3 which is what is currently available in 16.04. You can verify with:

$ apt-cache policy snapd  

If that is the case, the problem is that the docker interfaces are not connected on install. By default, some of the snappy interfaces for docker do not auto-connect but snap declarations from the store can be used to auto-connect them. We have snap declarations for docker to auto-connect the interfaces, but 2.16ubuntu3 doesn't know how to use them yet. You have two choices:

  1. install the snapd from xenial-proposed: https://launchpad.net/ubuntu/+source/snapd/2.17.1ubuntu1

  2. manually connect the interfaces. Eg:

$ snap interfaces |grep docker # show the disconnected interfaces
docker:docker-daemon     -
:docker-support          -
:home                    docker
:network                 docker
:network-bind            docker
-                        docker:docker-cli
-                        docker:firewall-control
-                        docker:privileged
-                        docker:support

# connect the interfaces
$ sudo snap connect docker:support ubuntu-core:docker-support
$ sudo snap connect docker:firewall-control ubuntu-core:firewall-control
$ sudo snap connect docker:docker-cli docker:docker-daemon

$ snap interfaces | grep docker # show the connected interfaces
docker:docker-daemon     docker:docker-cli
:docker-support          docker:support
:firewall-control        docker
:home                    docker
:network                 docker
:network-bind            docker
-                        docker:privileged

# restart the daemon
$ sudo service snap.docker.dockerd stop
$ sudo service snap.docker.dockerd start

# verify it worked
$ sudo docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
...

If you want to use docker privileged containers, then connect that interface with:

$ sudo snap connect docker:privileged ubuntu-core:docker-support  

If you don't want to use 'sudo', then create the docker group and add yourself to it:

$ sudo addgroup docker
$ sudo adduser `id -un` docker
$ newgrp docker

# restart docker so it will make the socket group writable by 'docker'
$ sudo service snap.docker.dockerd stop
$ sudo service snap.docker.dockerd start

$ docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
...

You can get more information on snappy interfaces here: https://github.com/snapcore/snapd/wiki/Interfaces

As mentioned, the 'snap connect' commands won't be required as soon as snapd 2.17 or higher is installed. It is also on the roadmap to support system groups natively so you won't have to add the group to the system yourself.

