Cannot install docker on fresh Ubuntu 17 Server, docker is missing permissions to operate in /var/lib/docker
By Joseph Russell
I followed this guide to install docker on a new Ubuntu 17 server. However, I cannot get docker to run.
Installing docker via sudo apt-get install docker-ce yields:
...
Created symlink /etc/systemd/system/ → /lib/systemd/system/docker.service.
Created symlink /etc/systemd/system/ → /lib/systemd/system/docker.socket.
Job for docker.service failed because the control process exited with error code.
See "systemctl status docker.service" and "journalctl -xe" for details.
invoke-rc.d: initscript docker, action "start" failed.
● docker.service - Docker Application Container Engine
   Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Mon 2017-10-16 08:57:52 UTC; 8ms ago
     Docs:
  Process: 7325 ExecStart=/usr/bin/dockerd -H fd:// (code=exited, status=1/FAILURE)
 Main PID: 7325 (code=exited, status=1/FAILURE)
      CPU: 49ms
Checking sudo journalctl -u docker gives:
Oct 16 08:57:51 vm1 systemd[1]: docker.service: Failed to reset devices.list: Operation not permitted
Oct 16 08:57:51 vm1 systemd[1]: Starting Docker Application Container Engine...
Oct 16 08:57:51 vm1 dockerd[7325]: time="2017-10-16T08:57:51.743612657Z" level=info msg="libcontainerd: new containerd process, pid: 7335"
Oct 16 08:57:52 vm1 dockerd[7325]: time="2017-10-16T08:57:52.816490740Z" level=warning msg="failed to rename /var/lib/docker/tmp for background deletion: rename /var/lib/docker/tmp /var/lib/docker/tmp-old
Oct 16 08:57:52 vm1 dockerd[7325]: time="2017-10-16T08:57:52.816839404Z" level=error msg="Could not check if docker-default AppArmor profile was loaded: open /sys/kernel/security/apparmor/profiles: permis
Oct 16 08:57:52 vm1 dockerd[7325]: Error starting daemon: couldn't create plugin manager: error setting plugin manager root to private: permission denied
Oct 16 08:57:52 vm1 systemd[1]: docker.service: Main process exited, code=exited, status=1/FAILURE
Oct 16 08:57:52 vm1 systemd[1]: Failed to start Docker Application Container Engine.
Oct 16 08:57:52 vm1 systemd[1]: docker.service: Unit entered failed state.
Oct 16 08:57:52 vm1 systemd[1]: docker.service: Failed with result 'exit-code'.
Oct 16 08:57:53 vm1 systemd[1]: docker.service: Service hold-off time over, scheduling restart.
Oct 16 08:57:53 vm1 systemd[1]: Stopped Docker Application Container Engine.
Oct 16 08:57:53 vm1 systemd[1]: docker.service: Failed to reset devices.list: Operation not permitted
Oct 16 08:57:53 vm1 systemd[1]: Starting Docker Application Container Engine...
Oct 16 08:57:53 vm1 dockerd[7369]: time="2017-10-16T08:57:53.224145403Z" level=info msg="libcontainerd: new containerd process, pid: 7390"
Oct 16 08:57:54 vm1 dockerd[7369]: time="2017-10-16T08:57:54.241186206Z" level=error msg="Could not check if docker-default AppArmor profile was loaded: open /sys/kernel/security/apparmor/profiles: permis
Oct 16 08:57:54 vm1 dockerd[7369]: Error starting daemon: couldn't create plugin manager: error setting plugin manager root to private: permission denied
What I find weird is the line failed to rename /var/lib/docker/tmp, as if docker has no permissions to work in its image directory /var/lib/docker.
Any idea what is wrong or how to fix this? Thanks!
Edit
I was able to install an older version of docker: docker-ce_17.03.2~ce-0~ubuntu-xenial_amd64.deb.
But now running an image like sudo docker run hello-world fails with
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
5b0f327be733: Extracting [==================================================>] 974 B/974 B
docker: failed to register layer: ApplyLayer exit status 1 stdout: stderr: permission denied.
1 Answer
It could be an AppArmor profile issue. Recheck unfiltered journalctl/dmesg for apparmor messages.
You can find more debug instructions here.
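The check suggested in the answer, as an added example that is not part of the original post or answer: a POSIX shell filter that pulls AppArmor denial records out of kernel log text and counts them by profile, operation and target. The log lines and the profile name example-profile are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: count AppArmor denials found in kernel log text on stdin.
# Output rows: "<count> <profile> <operation> <name>", most frequent first.
# Fields are split on whitespace, which is enough for profile=, operation=
# and name= values that contain no spaces.
apparmor_denials() {
    awk '
    function val(field) {            # strip the key= prefix and the quotes
        sub(/^[^=]*=/, "", field); gsub(/"/, "", field); return field
    }
    /apparmor="DENIED"/ {
        profile = op = name = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^profile=/)   profile = val($i)
            if ($i ~ /^operation=/) op = val($i)
            if ($i ~ /^name=/)      name = val($i)
        }
        seen[profile " " op " " name]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample lines (not taken from the poster's system).
sample_log() {
    cat <<'EOF'
Oct 16 08:57:52 vm1 kernel: audit: type=1400 audit(1508144272.816:41): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="example-profile" name="/var/lib/docker/" pid=7325 comm="dockerd" flags="rw, private"
Oct 16 08:57:54 vm1 kernel: audit: type=1400 audit(1508144274.241:42): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="example-profile" name="/var/lib/docker/" pid=7369 comm="dockerd" flags="rw, private"
Oct 16 08:57:54 vm1 kernel: audit: type=1400 audit(1508144274.300:43): apparmor="STATUS" operation="profile_load" profile="unconfined" name="docker-default" pid=7400 comm="apparmor_parser"
Oct 16 08:57:55 vm1 kernel: audit: type=1400 audit(1508144275.010:44): apparmor="DENIED" operation="open" profile="example-profile" name="/sys/kernel/security/apparmor/profiles" pid=7369 comm="dockerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# Live host (run as root): dmesg | apparmor_denials
#                      or: journalctl -k --no-pager | apparmor_denials
sample_log | apparmor_denials
```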