Proxmox PVE9 Upgrade AppArmor Error

croak3569

Hi, I'm very new to this, but yesterday I upgraded Proxmox to PVE9 and everything is working so far. However, I am seeing this constantly hit the log.

Any idea what this is and whether it's a concern?

Aug 10 00:00:01 pve kernel: audit: type=1400 audit(1754798401.538:4061): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=34868 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Aug 10 00:00:02 pve kernel: audit: type=1400 audit(1754798402.541:4062): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=34880 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Aug 10 00:00:03 pve kernel: audit: type=1400 audit(1754798403.545:4063): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=34927 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Aug 10 00:00:04 pve kernel: audit: type=1400 audit(1754798404.548:4064): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=34930 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Aug 10 00:00:05 pve kernel: audit: type=1400 audit(1754798405.552:4065): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=34936 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Aug 10 00:00:06 pve kernel: audit: type=1400 audit(1754798406.556:4066): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=34939 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Aug 10 00:00:07 pve kernel: audit: type=1400 audit(1754798407.559:4067): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=34943 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Aug 10 00:00:08 pve kernel: audit: type=1400 audit(1754798408.563:4068): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=34945 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Aug 10 00:00:09 pve kernel: audit: type=1400 audit(1754798409.567:4069): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=34950 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Aug 10 00:00:10 pve kernel: audit: type=1400 audit(1754798410.571:4070): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=34952 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Aug 10 00:00:11 pve kernel: audit: type=1400 audit(1754798411.574:4071): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=34954 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Aug 10 00:00:12 pve kernel: audit: type=1400 audit(1754798412.578:4072): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=35034 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Aug 10 00:00:13 pve kernel: audit: type=1400 audit(1754798413.582:4073): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=35062 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Aug 10 00:00:14 pve kernel: audit: type=1400 audit(1754798414.585:4074): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=35064 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Aug 10 00:00:15 pve kernel: audit: type=1400 audit(1754798415.588:4075): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=35066 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Aug 10 00:00:16 pve kernel: audit: type=1400 audit(1754798416.592:4076): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=35068 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Aug 10 00:00:17 pve kernel: audit: type=1400 audit(1754798417.595:4077): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=35072 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Aug 10 00:00:18 pve kernel: audit: type=1400 audit(1754798418.598:4078): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=35074 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Aug 10 00:00:19 pve kernel: audit: type=1400 audit(1754798419.601:4079): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=35076 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
 
I encounter the same issue after upgrading to pve9 today. Most docker containers creating network sockets fail and I see the same dmesg that you've pasted.

To reproduce
Bash:
~ ❯ docker run nginx
...
2025/08/24 13:14:58 [notice] 1#1: start worker processes
2025/08/24 13:14:58 [alert] 1#1: socketpair() failed while spawning "worker process" (13: Permission denied)
2025/08/24 13:14:58 [alert] 1#1: socketpair() failed while spawning "worker process" (13: Permission denied)
2025/08/24 13:14:58 [alert] 1#1: socketpair() failed while spawning "worker process" (13: Permission denied)
2025/08/24 13:14:58 [alert] 1#1: socketpair() failed while spawning "worker process" (13: Permission denied)
While dmesg shows the following

Bash:
~ ❯ sudo dmesg | tail             
[ 4616.792130] audit: type=1400 audit(1756041424.213:20020): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=291344 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
[ 4617.795540] audit: type=1400 audit(1756041425.216:20021): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=291352 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
[ 4618.798868] audit: type=1400 audit(1756041426.220:20022): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=291360 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
[ 4619.801414] audit: type=1400 audit(1756041427.222:20023): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=291389 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none

Once I disable the apparmor profile it works
Bash:
~ ❯ docker run --security-opt apparmor=unconfined nginx
...
2025/08/24 13:15:48 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1073741816:1073741816
2025/08/24 13:15:48 [notice] 1#1: start worker processes
2025/08/24 13:15:48 [notice] 1#1: start worker process 30
2025/08/24 13:15:48 [notice] 1#1: start worker process 31
2025/08/24 13:15:48 [notice] 1#1: start worker process 32
2025/08/24 13:15:48 [notice] 1#1: start worker process 33

This can be applied by adding the following to the docker-compose.yml (credits to this page)
YAML:
nginx:
    image: nginx:latest
    security_opt:
      - apparmor=unconfined

I doubt that this is a recommended setting though and I hope for other proposals for a structural fix.
 
That's a docker problem versus apparmor, not PVE related. Debian 12 didn't have active apparmor, but Debian 13 has it by default. I encountered the same problem with gitlab-runner + docker. Profile docker-default is created by docker service on the fly, so you have two options:

1] apparmor=unconfined
2] create own apparmor profile for docker

Security hint: running docker on PVE isn't secure, use VM for docker.
 
Hi czechsys,

I tried to verify if this is indeed purely Debian related. So I installed Debian 13 in a VM and installed docker as described in the official docs. The versions of all relevant packages are identical between my 'broken' PVE instance and the clean Debian 13 VM. Running docker run nginx works flawlessly in the VM, but shows the issues described above when started from PVE.

I noticed a difference though between my Debian VM and the PVE instance

PVE
Bash:
~ ❯ apt list --installed | grep -i apparmor
apparmor/stable,now 4.1.1-pmx1 amd64 [installed]
libapparmor1/stable,now 4.1.1-pmx1 amd64 [installed]

Debian 13 VM
Bash:
schmyd@debian:~$ apt list --installed | grep -i apparmor
apparmor/stable,now 4.1.0-1 amd64 [installed,automatic]
libapparmor1/stable,now 4.1.0-1 amd64 [installed]

So PVE uses a different version. Running apt policy apparmor yields
Code:
apparmor:
  Installed: 4.1.1-pmx1
  Candidate: 4.1.1-pmx1
  Version table:
 *** 4.1.1-pmx1 500
        500 http://download.proxmox.com/debian/pve trixie/pve-no-subscription amd64 Packages
        100 /var/lib/dpkg/status
     4.1.0-1 500
        500 http://ftp.de.debian.org/debian trixie/main amd64 Packages

I am aware that native docker isn't officially supported. I am still curious if there are any explanations or recommendations for this, given that the issue seems to be PVE related.
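
For triaging denials like the ones pasted in this thread, here is an added example (not written by any poster) that parses AppArmor `DENIED` audit records from both journal and dmesg output and counts them per profile, command and socket type. The sample input reuses two lines quoted above plus one constructed unrelated kernel line; the function names are illustrative.

```python
import re
from collections import Counter

# Sample input: two denial lines as quoted in the thread (journal and dmesg
# formats) plus one constructed, unrelated kernel line that must be skipped.
SAMPLE = '''\
Aug 10 00:00:01 pve kernel: audit: type=1400 audit(1754798401.538:4061): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=34868 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
[ 4616.792130] audit: type=1400 audit(1756041424.213:20020): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=291344 comm="s6-ipcserver-so" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
Aug 10 00:00:02 pve kernel: usb 1-1: new high-speed USB device number 2
'''

# type=1400 is the audit record type AppArmor uses for these kernel messages.
AUDIT_RE = re.compile(r'audit: type=1400 audit\((\d+\.\d+):(\d+)\): (.*)$')
# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_denial(line):
    """Return a dict of fields for an AppArmor DENIED record, else None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {k: (quoted if raw.startswith('"') else raw)
              for k, raw, quoted in FIELD_RE.findall(m.group(3))}
    if fields.get("apparmor") != "DENIED":
        return None
    fields["epoch"] = float(m.group(1))   # audit timestamp (seconds)
    fields["serial"] = int(m.group(2))    # audit event serial number
    return fields

def summarize(text):
    """Count denials per (profile, comm, class, family, sock_type, denied)."""
    counts = Counter()
    for line in text.splitlines():
        d = parse_denial(line)
        if d:
            key = tuple(d.get(k, "-") for k in
                        ("profile", "comm", "class", "family", "sock_type", "denied"))
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

The grouped key shows which profile is enforcing and which access is being refused, which is the information needed before choosing between the options discussed above.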