Ubuntu – AppArmor enabled on system but the docker-default profile could not be loaded [Ubuntu Core 16]

apparmor docker snap ubuntu-core

I have been wrestling with the problem of running the docker snap on a Dell 5100 IoT Edge Gateway. I have another Dell Gateway – the 3001 – that does NOT face this issue.

Here are the steps that I carried out on the Dell 5100 Gateway:

Installed the Docker Snap, here is the output of 'snap list':

admin@localhost:~$ snap list
Name             Version          Rev  Developer   Notes
bluez            5.44-2           84   canonical   -
core             16.04.1          394  canonical   -
docker           17.03.1-ce-1     124  docker-inc  -
modem-manager    1.6.2-5          82   canonical   -
network-manager  1.2.2-10.2       166  canonical   -
snapweb          0.26.1           207  canonical   -
stlouis          16.04-1.13       11   canonical   -
stlouis-kernel   4.4.0-77-1       19   canonical   -
tpm2             1.0-4            18   canonical   -
uefi-fw-tools    1.4.1-0.7.2+git  7    canonical   -

After installing I ran the command stated in docker.help to enable the right snap interfaces:

sudo snap connect docker:home :home

Output of the 'snap interfaces' command after running the command in #2 above.

$ snap interfaces | grep docker
:docker-support           docker:privileged,docker:support
:firewall-control         docker
:home                     docker
:network                  docker,snapweb,tpm2,uefi-fw-tools
:network-bind             docker,snapweb,tpm2
docker:docker-daemon      docker:docker-cli
admin@localhost:~$

I then checked the apparmor status for docker using the following command:

Unlike what I see in the 3001 Output for the same command, docker-default is missing:

$ sudo aa-status | grep docker
   snap.docker.compose
   snap.docker.docker
   snap.docker.dockerd
   snap.docker.help
   snap.docker.dockerd (1582)
   snap.docker.dockerd (1627)

Here is the OUTPUT from the Dell 3001 gateway for the apparmor status and the snap list:

The big difference between the 3001 and 5100 is the OS version – I am very new to Ubuntu Core and cannot figure out why docker-default is missing in the apparmor status. I have rebooted, factory-restored and tried many other things. The problem that manifests is as follows:

I am able to pull an image, and that works. I used the following command:

sudo docker pull eclipse-mosquitto:1.4.10

The image gets pulled, but when I try to run it:

$ sudo docker run -d -p 1883:1883 -p 9001:9001 --name mqtt -t eclipse-mosquitto:1.4.10
d11e29c04064ea3c546c6c9141abae73508dd2cc98492860accb4461af40b661
docker: Error response from daemon: AppArmor enabled on system but the docker-default profile could not be loaded...

I also tried to run it with the no confinement policy, then I get an oci runtime error:

$ sudo docker run -d --security-opt apparmor=noconfinement -p 1883:1883 -p 9001:9001 --name mqtt -t eclipse-mosquitto:1.4.10
fe501196f9ac0d27e82b43069aafee4c806d80c1ae9ce363040b96996d74f963
docker: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:258: applying cgroup configuration for process caused \"mkdir /var/lib/snapd/hostfs/sys/fs/cgroup/cpuset/docker: permission denied\"".

Note that the same steps on the Dell 3001 Gateway do not have these two issues outlined above.

Best Answer

First, apologies for not receiving any reply to your very important issue. As a note to others who may run into this same issue, the main crux of the issue was that the core snap on the 3001 where docker would run successfully was at a newer core snap version, whereas on the 5100, the core snap was stuck at the same outdated version that shipped with the factory Ubuntu Core image. The outdated version had an issue that made receiving newer versions of the core snap not function correctly. The issue has been resolved on the Ubuntu Store side so that this older core snap can be updated to the latest validated version, so this particular issue should not affect anyone else.

Also, for future reference, I'd like to point you to the snapcraft.io forums where everything snaps and Ubuntu Core are discussed.
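
The check described in the question and answer above, as an added example that is not part of the original post or answer: it parses captured `aa-status` and `snap list` text, reports whether `docker-default` is loaded, and prints the core snap revision to compare against a device where docker works. The function names are hypothetical and the `AA_WORKING` sample is constructed; the other sample text is the output quoted in the question.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; AA_WORKING is constructed.

# Profile names in `aa-status` text (stdin), one per line. Process entries
# such as "snap.docker.dockerd (1582)" have two fields and are skipped.
loaded_profiles() { awk 'NF == 1 { print $1 }'; }

# Succeeds if profile $1 is listed in the `aa-status` text on stdin.
has_profile() { loaded_profiles | grep -qxF -- "$1"; }

# "version (rev N)" of snap $1 from `snap list` text on stdin.
snap_rev() { awk -v n="$1" '$1 == n { print $2 " (rev " $3 ")" }'; }

# $1 = `aa-status` text, $2 = `snap list` text. Prints a one-line verdict.
diagnose() {
    if printf '%s\n' "$1" | has_profile docker-default; then
        echo "ok: docker-default loaded"
    elif printf '%s\n' "$1" | has_profile snap.docker.dockerd; then
        # The symptom on this page: compare the core revision with a
        # device where docker works, since the answer traces it to core.
        echo "missing: docker-default not loaded, dockerd snap-confined, core $(printf '%s\n' "$2" | snap_rev core)"
    else
        echo "missing: no docker profiles loaded"
    fi
}

# Output quoted in the question (5100 gateway).
AA_5100='   snap.docker.compose
   snap.docker.docker
   snap.docker.dockerd
   snap.docker.help
   snap.docker.dockerd (1582)
   snap.docker.dockerd (1627)'
SNAP_5100='Name             Version          Rev  Developer   Notes
core             16.04.1          394  canonical   -
docker           17.03.1-ce-1     124  docker-inc  -'

# Constructed sample of a device where the profile did load.
AA_WORKING="   docker-default
$AA_5100"

diagnose "$AA_5100" "$SNAP_5100"
diagnose "$AA_WORKING" "$SNAP_5100"
```

On a device, pass live output instead of the samples: `diagnose "$(sudo aa-status)" "$(snap list)"`.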
