Operation Not Permitted #128

Open
Itschotsch opened this issue May 17, 2023 · 9 comments
Comments

@Itschotsch

Itschotsch commented May 17, 2023

I'm on Ubuntu 22.10, with docker-compose 1.29.2 and Docker 20.10.21, both installed using apt (not snap), on a DigitalOcean server.
I followed the installation instructions at https://docs.mattermost.com/install/install-docker.html exactly.

  • For step 4, I copied a fullchain.pem and privkey.pem I already had for the same domain to the specified directory with the respective names.
  • I skipped the optional step 5.
  • For step 6, I deployed using the included NGINX.
    After running sudo docker-compose -f docker-compose.yml -f docker-compose.nginx.yml up (not detached to see the output), I get:
Creating network "mattermost" with the default driver
Creating docker_postgres_1 ... done
Creating docker_mattermost_1 ... done
Creating nginx_mattermost    ... done
Attaching to docker_postgres_1, docker_mattermost_1, nginx_mattermost
mattermost_1  | exec /entrypoint.sh: operation not permitted
postgres_1    | exec /usr/local/bin/docker-entrypoint.sh: operation not permitted
nginx_mattermost | exec /docker-entrypoint.sh: operation not permitted
docker_mattermost_1 exited with code 1
docker_postgres_1 exited with code 1

I restarted the server without any other containers running (ports were free), I tried step 6 without the included NGINX, I ran sudo chmod 777 -R ., I ran everything as root, I searched the web, nothing worked. Is this a bug? Did I do everything correctly? What can I do to make this work?

@ZelnickB

ZelnickB commented Jul 28, 2023

Same issue here when installing without the included NGINX. @Itschotsch, did you find a fix?

@Itschotsch
Author

@ZelnickB Sadly not, I never managed to install it. :( I really hope they look at this soon!

@ZelnickB

ZelnickB commented Jul 31, 2023

I think that I found the problem. Commenting the lines

security_opt:
    - no-new-privileges:true

out of the /docker-compose.yml file (for both services) seems to solve the issue.

I'll open up a PR.

ZelnickB added a commit to ZelnickB/fork.mattermost_docker that referenced this issue Aug 2, 2023
This commit removes the no-new-privileges security options from the services defined in the /docker-compose.yml file, as it causes errors when attempting to start the containers (see mattermost#128). Removing the security option seems to resolve the problem.
@Itschotsch
Author

@ZelnickB I can confirm this now works for me too. Thanks!

@LeNguyenGiaBao

@ZelnickB I have commented out the line "- no-new-privileges:true" but the error still exists. I found the answer here from @yosifkit. The config now is

security_opt:
#   - no-new-privileges:true
  - seccomp:unconfined

for both mattermost and postgresdb

@ZelnickB

ZelnickB commented May 9, 2024

@LeNguyenGiaBao Weird—it worked for me when I tried it.

@mvitale1989
Member

I am not able to reproduce the issue on an Ubuntu 22.04.5 machine, using Docker 27.3.1.
Are you still facing this issue with a more recent docker release? If so, can you please post the output of docker system info?

@BoldBoimler

I'm also hitting this on Ubuntu 24.04.1 LTS. Here's my docker status:

Client:
 Version:    27.2.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.16.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.20.3
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 2
  Running: 0
  Paused: 0
  Stopped: 2
 Images: 2
 Server Version: 27.2.0
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 472731909fa34bd7bc9c087e4c27943f9835f111
 runc version:
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.0-1021-aws
 Operating System: Ubuntu Core 22
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 1.866GiB
 Name: ip-10-15-0-134
 ID: fad2a3d1-2794-443e-80a0-cc0d13f37884
 Docker Root Dir: /var/snap/docker/common/var-lib-docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Encountered it whilst setting up Mattermost following these instructions. I needed to comment out lines 9, 10, 32, and 33 to get the container to run, which I know is not a good practice.

Using the docker compose config from the repo at commit e74adf4
Docker Compose version v2.20.3

@mvitale1989
Member

Hello @BoldBoimler, looking at your output I can see that your Docker was installed using snap (see Docker Root Dir: /var/snap/docker/common/var-lib-docker).
There seems to be an unpatched bug in snap installations of docker, that prevents dockerd from using no-new-privileges due to its AppArmor configuration: https://bugs.launchpad.net/snapd/+bug/1908448

Can you confirm that it's the apparmor configuration that is causing issues for you? You can try bringing up the unmodified docker-compose file, and then look at the output of dmesg | grep apparmor | tail -n20 to see if there's any denied operation.
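A script for the diagnosis suggested above, added here as an example and not part of mattermost-docker: it recognises the snap data directory in docker system info output, detects whether a compose file still carries the no-new-privileges option, counts AppArmor denials in dmesg text, and with --check runs a live probe container using the same security option, so the host can be confirmed as affected before anything in the compose file is weakened. The docker CLI, dmesg and the alpine:3.20 image are assumed to be available for the live probe; the sample texts fed to the parsing functions are constructed.

```sh
#!/bin/sh
# Added diagnostic helper (not part of mattermost-docker). Assumptions: the
# docker CLI and dmesg are present when the live probe runs; alpine:3.20 is
# only a small image for that probe. Parsing functions read text on stdin so
# they can be exercised offline.

# Does `docker system info` output describe a snap-installed daemon? The snap
# build keeps its data under /var/snap/docker/ (as in the output posted above)
# and is the build affected by the AppArmor/no-new-privileges bug.
docker_is_snap() {
  grep -q '^[[:space:]]*Docker Root Dir: /var/snap/docker/'
}

# Does a compose file still set the option the workaround comments out?
# Commented-out lines (leading '#') do not match.
compose_sets_no_new_privileges() {
  grep -Eq '^[[:space:]]*-[[:space:]]*no-new-privileges:[[:space:]]*true'
}

# Count AppArmor denial records in kernel log text (dmesg output on stdin).
# grep -c prints 0 and exits 1 when nothing matches, hence the || true.
apparmor_denials() {
  grep -c 'apparmor="DENIED"' || true
}

# Live probe: a throwaway container started with the same security option the
# compose file uses. Exit status 0 means no-new-privileges works on this host;
# "operation not permitted" reproduces the issue reported in this thread.
probe_no_new_privileges() {
  docker run --rm --security-opt no-new-privileges:true alpine:3.20 true
}

# Full host check, run only when requested so the file can be sourced offline.
check_host() {
  if docker system info 2>/dev/null | docker_is_snap; then
    echo "dockerd is the snap build: the known AppArmor/no-new-privileges bug applies"
  fi
  if probe_no_new_privileges; then
    echo "no-new-privileges probe OK: the failure is elsewhere"
  else
    echo "probe failed; AppArmor denials in dmesg: $(dmesg 2>/dev/null | apparmor_denials)"
  fi
}

if [ "${1:-}" = "--check" ]; then
  check_host
fi
```

Run as `sh diagnose.sh --check` (sudo may be needed for dmesg) on the host where the containers fail; the snap detection and the denial count together confirm or rule out the Launchpad bug linked above.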
