Restoring Docker in Proxmox LXC after AppArmor update

:police_car_light: Docker inside LXC issue after runc update (CVE-2025-52881)

After updating the runc package (versions 1.3.2+ and 1.2.7+), many Proxmox users encountered Docker failing to start inside LXC containers.

The error looks like this:


Error response from daemon: failed to create task for container: failed to create shim task:
OCI runtime create failed: runc create failed: unable to start container process:
error during container init: open sysctl net.ipv4.ip_unprivileged_port_start file:
reopen fd 8: permission denied: unknown

Note:

Who is affected:
The issue appears on Proxmox / Debian / Ubuntu when Docker is run inside an LXC container, and not directly on the host.


:magnifying_glass_tilted_left: Context and cause

The runc security update changed how file descriptors for procfs are handled.
Combined with AppArmor being enabled, this leaves Docker inside LXC unable to access the kernel parameters it needs.

The result: the Docker container fails to initialize.

:books: Detailed discussions:


:gear: Why AppArmor patch doesn’t help

Proxmox uses the following setting for LXC containers:

lxc.apparmor.profile = generated

This means the profile is created automatically when the container starts.
Any changes in /etc/apparmor.d are simply ignored — the profile will be recreated.

As a result, Docker is blocked when trying to access sysctl net.ipv4.ip_unprivileged_port_start.


:puzzle_piece: Temporary workaround (Proxmox LXC)

Warning:

This is a temporary workaround that relaxes AppArmor protection.
Use only until an official patch from Proxmox / LXC / Docker / runc is released.

  1. On the Proxmox host, open your container configuration:
     nano /etc/pve/lxc/<CTID>.conf
  2. Add two lines at the end of the file:
     lxc.apparmor.profile: unconfined
     lxc.mount.entry: /dev/null sys/module/apparmor/parameters/enabled none bind 0 0
  3. Restart the container:
     pct stop <CTID> && pct start <CTID>
  4. Verify:
     docker run --rm alpine echo "ok"
Note:

The /dev/null bind-mount emulates a disabled AppArmor inside the container.
Without it Docker will report:
Could not check if docker-default AppArmor profile was loaded: permission denied
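Because this workaround removes AppArmor confinement from the container, it is worth knowing exactly which CTIDs carry it so they can be reverted once the official fix ships. The audit script below is an added example, not part of the original post or of Proxmox: it scans the `.conf` files in a directory (by default the real Proxmox location /etc/pve/lxc) for the two workaround lines and reports, per container, whether both, one or neither is present. The sample configs it builds under a temp directory are constructed for demonstration only.

```bash
#!/bin/sh
# audit-lxc-apparmor.sh: report which Proxmox LXC containers have the
# temporary AppArmor workaround applied. Added example, not from the post.
# Usage: sh audit-lxc-apparmor.sh [/etc/pve/lxc]

# Print "<CTID> <status>" for each *.conf in the directory, where status is:
#   unconfined+mount  both workaround lines present (full workaround)
#   unconfined-only   AppArmor profile disabled, but no /dev/null bind mount
#   mount-only        bind mount present, but profile still generated
#   clean             neither workaround line present
audit_lxc_apparmor() {
    dir="${1:-/etc/pve/lxc}"
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue           # unmatched glob or non-file: skip
        ctid=$(basename "$conf" .conf)
        prof=0; mnt=0
        # Proxmox writes raw LXC keys as "key: value"; match only whole lines.
        grep -Eq '^lxc\.apparmor\.profile:[[:space:]]*unconfined[[:space:]]*$' "$conf" && prof=1
        grep -Eq '^lxc\.mount\.entry:[[:space:]]*/dev/null[[:space:]]+sys/module/apparmor/parameters/enabled[[:space:]]+none[[:space:]]+bind' "$conf" && mnt=1
        case "$prof$mnt" in
            11) status=unconfined+mount ;;
            10) status=unconfined-only ;;
            01) status=mount-only ;;
            *)  status=clean ;;
        esac
        echo "$ctid $status"
    done
}

# Build a constructed sample directory (CTIDs 100 and 101 are made up) so the
# audit can be exercised without touching a real Proxmox host; prints its path.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/100.conf" <<'EOF'
arch: amd64
cores: 2
hostname: docker-host
features: nesting=1
lxc.apparmor.profile: unconfined
lxc.mount.entry: /dev/null sys/module/apparmor/parameters/enabled none bind 0 0
EOF
    cat > "$d/101.conf" <<'EOF'
arch: amd64
cores: 1
hostname: web
EOF
    echo "$d"
}

# When run directly with a directory argument, audit that directory.
if [ $# -gt 0 ]; then
    audit_lxc_apparmor "$1"
fi
```

Run it on the host as `sh audit-lxc-apparmor.sh /etc/pve/lxc` and keep the output with your change record; any CTID reported as `unconfined+mount` (or `unconfined-only`) should go back to the generated profile after the runc, LXC or Proxmox fix is installed.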


:three_o_clock: When to expect a fix

  • The runc team has confirmed the bug and is preparing a fix.
  • LXC and Proxmox developers are discussing an update to the profile generator.
  • Follow progress at:
    GitHub runc #4968
    Proxmox Forum Thread

:speech_balloon: Summary

  • The issue is caused by updates to runc ≥ 1.3.2 / 1.2.7
  • It manifests when running Docker inside LXC
  • Temporary fix:
    lxc.apparmor.profile: unconfined
    lxc.mount.entry: /dev/null sys/module/apparmor/parameters/enabled none bind 0 0
  • Permanent solution — wait for the official patch from Proxmox / LXC

:link: Useful links