This error occurs when Docker cannot load its default AppArmor security profile. The fix typically involves installing the apparmor package, restarting the AppArmor service, or running containers with AppArmor disabled.
When Docker starts a container, it applies security profiles to restrict what the container can do on the host system. AppArmor (Application Armor) is a Linux security module that Docker uses by default on Ubuntu and Debian-based systems. Docker automatically generates and loads a profile called `docker-default` into the kernel. This profile restricts dangerous operations like mounting filesystems, accessing sensitive host paths, or using raw network sockets. When Docker cannot load this profile, it refuses to start containers to maintain security. This error commonly appears after upgrading Docker versions, when the `apparmor` package is missing, when Docker runs inside LXC/LXD containers, or when the AppArmor service has issues during boot.
First, verify whether AppArmor is running and what profiles are loaded:
```bash
sudo aa-status
```
If this command returns "apparmor module is not loaded", AppArmor may be disabled in your kernel. If the command is not found, the `apparmor-utils` package needs to be installed.
On Debian/Ubuntu systems, install the required AppArmor packages:
```bash
sudo apt update
sudo apt install apparmor apparmor-utils
```
After installation, restart Docker:
```bash
sudo systemctl restart docker
```
Try running a container again to verify the fix.
If AppArmor is installed but profiles aren't loading, restart the service:
```bash
sudo systemctl restart apparmor
sudo systemctl restart docker
```
Verify the profiles are now loaded:
```bash
sudo aa-status | grep docker
```
If you need containers running immediately while troubleshooting, you can disable AppArmor for specific containers:
```bash
docker run --security-opt apparmor=unconfined -it alpine:latest
```
For Docker Compose, add to your service:
```yaml
services:
  myservice:
    image: myimage
    security_opt:
      - apparmor:unconfined
```
Warning: This reduces container security. Use only as a temporary workaround.
If the profile exists but isn't loaded, you can reload it manually:
```bash
sudo apparmor_parser -r -W /etc/apparmor.d/docker
```
If the docker profile file doesn't exist, restart Docker to regenerate it:
```bash
sudo systemctl restart docker
```
Then verify with:
```bash
sudo aa-status | grep docker-default
```
Sometimes Docker starts before AppArmor finishes loading profiles. Ensure AppArmor starts before Docker:
```bash
sudo systemctl enable apparmor
sudo systemctl restart apparmor
sudo systemctl restart docker
```
You can check the boot order with:
```bash
systemctl list-dependencies docker.service
```
### Running Docker Inside LXC/LXD Containers
When running Docker inside LXC/LXD containers, the nested AppArmor profiles can conflict. You have several options:
1. Uninstall AppArmor from the inner container (not the host):
   ```bash
   sudo apt remove apparmor
   ```
2. Configure the LXC container for nesting:
   ```bash
   lxc config set <container> security.nesting true
   ```
3. Relax AppArmor restrictions for container-base:
   ```bash
   sudo sed -i.old '/deny \/sys/ s/^/#/g' /etc/apparmor.d/abstractions/lxc/container-base
   sudo apparmor_parser -r /etc/apparmor.d/lxc-containers
   ```
### Docker Version Upgrade Issues
Docker version 23.0.0 changed how AppArmor profiles are handled. If you upgraded from 20.10.x to 23.x, you may need to:
1. Reinstall the apparmor packages
2. Clear Docker's cached state: `sudo rm -rf /var/lib/docker/tmp/*`
3. Restart both services
### Debugging AppArmor Denials
Check system logs for AppArmor denials:
```bash
sudo dmesg | grep apparmor
sudo journalctl -k | grep apparmor
```
For detailed audit messages:
```bash
sudo ausearch -m AVC,USER_AVC -ts recent | grep docker
```
### Permanently Disabling AppArmor for Docker
If AppArmor is causing persistent issues and you understand the security implications, you can disable it:
```bash
sudo aa-disable /etc/apparmor.d/docker
```
Or add to Docker daemon configuration (`/etc/docker/daemon.json`):
```json
{
  "security-opts": ["apparmor=unconfined"]
}
```
Note: This reduces container isolation security. Consider rootless Docker as an alternative.
### Ubuntu 24.04+ Considerations
Ubuntu 24.04 enables restricted unprivileged user namespaces by default. If using rootless Docker, ensure you have the docker-ce-rootless-extras package installed, which includes the necessary AppArmor profile for rootlesskit.
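To triage the output of the log commands under "Debugging AppArmor Denials", the following added example (not part of the original page) counts denials for one profile by operation and path, so you can see what a profile is blocking before deciding to run unconfined. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize AppArmor denials for one profile.
# Reads kernel log text on stdin, prints "<count> <operation> <name>",
# most frequent first. Default profile: docker-default.

summarize_denials() {
    awk -v want="${1:-docker-default}" '
        # Value of key="..." on this line, or "-" when the key is absent.
        # The leading (^| ) stops name= from matching inside srcname=.
        function field(key,    re, s) {
            re = "(^| )" key "=\"[^\"]*\""
            if (!match($0, re)) return "-"
            s = substr($0, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", s)
            sub(/"$/, "", s)
            return s
        }
        # Only DENIED events for the requested profile are counted;
        # STATUS lines (profile load/replace) are ignored.
        /apparmor="DENIED"/ && field("profile") == want {
            seen[field("operation") " " field("name")]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample lines in the kernel audit format (not from a real host).
sample_log() {
    cat <<'EOF'
[  101.1] audit: type=1400 audit(1700000000.101:41): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="docker-default" name="/sys/fs/cgroup/" pid=4101 comm="mount" fstype="cgroup" srcname="cgroup" flags="rw"
[  102.2] audit: type=1400 audit(1700000001.202:42): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="docker-default" name="/sys/fs/cgroup/" pid=4107 comm="mount" fstype="cgroup" srcname="cgroup" flags="rw"
[  103.3] audit: type=1400 audit(1700000002.303:43): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=4110 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
[  104.4] audit: type=1400 audit(1700000003.404:44): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="docker-default" pid=900 comm="apparmor_parser"
[  105.5] audit: type=1400 audit(1700000004.505:45): apparmor="DENIED" operation="mount" profile="lxc-container-default-cgns" name="/sys/kernel/debug/" pid=4200 comm="mount" flags="rw"
EOF
}

# Demo on the constructed sample. On a real host, pipe the kernel log instead:
#   sudo journalctl -k | summarize_denials docker-default
sample_log | summarize_denials docker-default
```

A denial with no `name=` field (such as the ptrace event in the sample) is reported with `-` in the path column.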