failed to start dockerd after installing docker with snap
Solution 1
after some initial troubleshooting. i was able to find the RC myself. it seems apparmor blocked both grep: /proc/self/mountinfo and creating socket in /var/run/docker.sock
syslog.1:Nov 30 02:18:27 ubuntu-xenial kernel: [ 5359.923039] audit: type=1400 audit(1480472307.476:349): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/proc/19448/mountinfo" pid=19448 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
syslog.1:Nov 30 02:18:27 ubuntu-xenial kernel: [ 5359.923053] audit: type=1400 audit(1480472307.476:350): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/proc/19448/mounts" pid=19448 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
syslog.1:Nov 30 02:38:28 ubuntu-xenial kernel: [ 6560.900141] audit: type=1400 audit(1480473508.452:362): apparmor="DENIED" operation="connect" profile="snap.docker.docker" name="/run/docker.sock" pid=20591 comm="docker" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
But why is that. why 16.04 got the default apparmor profile shipped (in /var/lib/snapd/apparmor/profiles/snap.docker.docker) that would block dockerd daemon from starting.
Solution 2
I suspect you are running snapd 2.16ubuntu3 which is what is currently available in 16.04. You can verify with:
$ apt-cache policy snapd
If that is the case, the problem is that the docker interfaces are not connected on install. By default, some of the snappy interfaces for docker do not auto-connect but snap declarations from the store can be used to auto-connect them. We have snap declarations for docker to auto-connect the interfaces, but 2.16ubuntu3 doesn't know how to use them yet. You have two choices:
install the snapd from xenial-proposed: https://launchpad.net/ubuntu/+source/snapd/2.17.1ubuntu1
manually connect the interfaces. Eg:
$ snap interfaces |grep docker # show the disconnected interfaces
docker:docker-daemon -
:docker-support -
:home docker
:network docker
:network-bind docker
- docker:docker-cli
- docker:firewall-control
- docker:privileged
- docker:support
# connect the interfaces
$ sudo snap connect docker:support ubuntu-core:docker-support
$ sudo snap connect docker:firewall-control ubuntu-core:firewall-control
$ sudo snap connect docker:docker-cli docker:docker-daemon
$ snap interfaces | grep docker # show the connected interfaces
docker:docker-daemon docker:docker-cli
:docker-support docker:support
:firewall-control docker
:home docker
:network docker
:network-bind docker
- docker:privileged
# restart the daemon
$ sudo service snap.docker.dockerd stop
$ sudo service snap.docker.dockerd start
# verify it worked
$ sudo docker info
Containers: 0
Running: 0
Paused: 0
Stopped: 0
...
If you want to use docker privileged containers, then connect that interface with:
$ sudo snap connect docker:privileged ubuntu-core:docker-support
If you don't want to use 'sudo', then create the docker group and add yourself to it:
$ sudo addgroup docker
$ sudo adduser `id -un` docker
$ newgrp docker
# restart docker so it will make the socket group writable by 'docker'
$ sudo service snap.docker.dockerd stop
$ sudo service snap.docker.dockerd start
$ docker info
Containers: 0
Running: 0
Paused: 0
Stopped: 0
...
You can get more information on snappy interfaces here: https://github.com/snapcore/snapd/wiki/Interfaces
As mentioned, the 'snap connect' commands won't be required as soon as snapd 2.17 or higher is installed. It is also on the roadmap to support system groups natively so you won't have to add the group to the system yourself.
Related videos on Youtube
04 : 15
08 : 55
03 : 36
10 : 57
02 : 59
01 : 56
Xin Ma
Updated on September 18, 2022Comments
-
Xin Ma almost 2 years
I'm running 16.04 (distro=
Ubuntu 16.04.1 LTSand kernel=4.4.0-45-generic) and installed docker by the docker snap.snap install dockerand here is my snap list.
# snap list Name Version Rev Developer Notes docker 1.11.2-9 56 canonical - snapstore-example 0.3 4 noise - ubuntu-core 16.04.1 423 canonical -but i was not able to start the docker daemon. what i did
systemctl start snap.docker.dockerd.serviceError log seems to be with permission.
Nov 30 00:54:20 ubuntu-xenial systemd[1]: Started Service for snap application docker.dockerd. Nov 30 00:54:20 ubuntu-xenial snap[19148]: grep: /proc/self/mountinfo: Permission denied Nov 30 00:54:20 ubuntu-xenial snap[19148]: time="2016-11-30T00:54:20.708894420Z" level=fatal msg="can't create unix socket /var/run/docker.sock: permission denied" Nov 30 00:54:20 ubuntu-xenial systemd[1]: snap.docker.dockerd.service: Main process exited, code=exited, status=1/FAILURE Nov 30 00:54:20 ubuntu-xenial systemd[1]: snap.docker.dockerd.service: Unit entered failed state. Nov 30 00:54:20 ubuntu-xenial systemd[1]: snap.docker.dockerd.service: Failed with result 'exit-code'. Nov 30 00:54:20 ubuntu-xenial systemd[1]: snap.docker.dockerd.service: Service hold-off time over, scheduling restart. Nov 30 00:54:20 ubuntu-xenial systemd[1]: Stopped Service for snap application docker.dockerd. Nov 30 00:54:20 ubuntu-xenial systemd[1]: snap.docker.dockerd.service: Start request repeated too quickly. Nov 30 00:54:20 ubuntu-xenial systemd[1]: Failed to start Service for snap application docker.dockerd.and this error to be more specific.
Nov 30 00:54:20 ubuntu-xenial snap[19148]: time="2016-11-30T00:54:20.708894420Z" level=fatal msg="can't create unix socket /var/run/docker.sock: permission denied"while if i do
apt-get install docker.ioand try to start docker.service withsystemctl start docker.service. it worked well.any known issue with the docker snap? or did i miss any step. thanks!
-
kcpr over 3 yearsOh, thank You! Moving
/var/run/docker.socktruly helped me start the Dockerd withsudo /usr/bin/snap run docker.dockerd. Before that, when trying to start a container, I have been only getting "Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?".
