
Ubuntu 24.04 Docker Desktop reproducible problem 4

Author: g才华横溢 | Published 2024-06-04 02:51

    System: Ubuntu 24.04
    Docker version: Docker version 26.1.3, build b72abbb
    Docker Desktop version: v4.30.0

    The earlier problems are covered in this article:
    https://www.cnblogs.com/happy68/p/18168484

    Quoted from that article:

    1. Docker Desktop installs but no window appears on start
      Symptom: after installing Docker Desktop successfully with sudo apt install ./docker-desktop-4.29.0-amd64.deb, no window appears, whether you click the Docker Desktop icon in the menu or run systemctl --user start docker-desktop.
      Check the log: ~/.docker/desktop/log/host/Docker Desktop.stderr.log contains the following:
    [2024-04-27T06:39:49.728616797Z] [22344:0427/143949.728566:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/docker-desktop/chrome-sandbox is owned by root and has mode 4755.
    

    Fix: run

    sudo chown root:root /opt/docker-desktop/chrome-sandbox
    sudo chmod 4755 /opt/docker-desktop/chrome-sandbox
    

    Then run systemctl --user restart docker-desktop; the window appears and the problem is solved.

    2. Startup shows "An unexpected error occurred" or sits forever at "Starting the Docker Engine..."
      Error text:
    running engine: waiting for the VM setup to be ready: running filesharing: running virtiofsd for /home:  Error entering sandbox:
    DropSupplementalGroups(Os { code: 1, kind: PermissionDenied, message: "Operation not permitted" })
    

    Running sudo dmesg shows lines like the following:

    [ 2329.792894] audit: type=1400 audit(1714467432.031:190): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=10057 comm="virtiofsd" capability=6  capname="setgid"
    

    Fix:

    echo "==> Disabling Apparmor unprivileged userns mediation"
    echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns

    echo "==> Disabling Apparmor unprivileged unconfined mediation"
    echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined

    The following is my own work:

    What I solve here is mainly the second problem:

    2. Startup shows "An unexpected error occurred" or sits forever at "Starting the Docker Engine..."
    Error text:
    running engine: waiting for the VM setup to be ready: running filesharing: running virtiofsd for /home:  Error entering sandbox:
    DropSupplementalGroups(Os { code: 1, kind: PermissionDenied, message: "Operation not permitted" })
    

    The cause is that docker-desktop's processes need more than the
    unprivileged_userns profile allows. Ubuntu 24.04 ships no AppArmor profile for
    Docker Desktop in /etc/apparmor.d, so its binaries run under the label
    "unconfined"; on 24.04 an unconfined process that creates an unprivileged user
    namespace is transitioned into the special unprivileged_userns profile shown
    below, which denies every capability. virtiofsd therefore cannot setgid to drop
    its supplemental groups, and the GUI process (comm "Docker Desktop") is refused
    sys_admin. Note that the two echo 0 > /proc/sys/kernel/apparmor_restrict_*
    writes quoted above switch the restriction off for every process on the machine
    and do not survive a reboot; the fix below is scoped to Docker Desktop only.

    # Special profile transitioned to by unconfined when creating an unprivileged
    # user namespace.
    #
    abi <abi/4.0>,
    include <tunables/global>
    
    profile unprivileged_userns {
         audit deny capability,
        ----------------- this line -----------------
         audit deny change_profile,
    
         # allow block to be replaced by allow when x dominance test is fixed
         #allow all,
         allow network,
         allow signal,
         allow dbus,
         allow file rwlkm /**,
         allow unix,
         allow mqueue,
         allow ptrace,
         allow userns,
    
         # stack children to strip capabilities
         allow pix /** -> &unprivileged_userns ,
    
         # Site-specific additions and overrides. See local/README for details.
         include if exists <local/unprivileged_userns>
    }
    

    Command used (the output below is from my machine; yours will differ slightly.
    audit prints comm= as hex when the process name contains a space:
    446F636B6572204465736B746F70 is "Docker Desktop"):

    sudo dmesg
    
    [ 4399.656681] audit: type=1400 audit(1717525854.237:1154): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=35535 comm=446F636B6572204465736B746F70 capability=21  capname="sys_admin"
    

    Fix:
    Create a profile in /etc/apparmor.d; I named mine docker-desktop
    (/etc/apparmor.d/docker-desktop). The file content is below.

    # This profile allows everything and only exists to give the
    # application a name instead of having the label "unconfined"
    
    abi <abi/4.0>,
    include <tunables/global>
    
    # flags=(unconfined) makes this a named unconfined profile: it allows everything,
    # so the named capability rules below add nothing beyond "capability," itself.
    # Its point is that the binaries now carry the label docker-desktop instead of
    # unconfined and so are no longer pushed into unprivileged_userns; "userns,"
    # is what permits them to create user namespaces under that label.
    profile docker-desktop  /opt/docker-desktop/bin/*  flags=(unconfined) {
      userns,
      capability,
      capability chown,
      capability dac_override,
      capability setuid,
      capability setgid,
      capability net_bind_service,
    
      # Site-specific additions and overrides. See local/README for details.
      include if exists <local/docker-desktop>
    }
    
    

    After writing the file, reload AppArmor

    sudo systemctl restart apparmor
    # then restart docker-desktop
    systemctl --user restart docker-desktop
    

    That resolves the problem. sudo aa-status should now list docker-desktop among
    the loaded profiles, and sudo dmesg should show no new denials under
    profile="unprivileged_userns" for virtiofsd or Docker Desktop.
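As an added example (not from the original post and not Docker Desktop's own tooling), here is a small bash script that parses kernel audit lines like the two dmesg lines quoted above, decodes the hex-encoded comm= field, and, when run with --host, checks the three things this page changes: the ownership and mode of /opt/docker-desktop/chrome-sandbox, the two kernel.apparmor_restrict_* sysctls, and whether a profile named docker-desktop is loaded. The sample log lines embedded in it are the two dmesg lines from this post; the paths, sysctl names and profile name are the ones the post uses.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post or of Docker Desktop.
# Triage helper for AppArmor "unprivileged_userns" denials on Ubuntu 24.04.
#
#  field / audit_str   parse one audit line; audit prints string values either
#                      "quoted" or, when they contain a space or a quote, as bare
#                      hex (which is why dmesg shows comm=446F636B65...).
#  summarize_denial    profile, decoded comm, operation and capability of one line
#  userns_denials      summaries of all lines denied under profile unprivileged_userns
#  check_host          read-only look at the knobs the post changes (--host)
#
# SAMPLE_DENIALS is constructed input: the two dmesg lines quoted in the post.
SAMPLE_DENIALS='[ 2329.792894] audit: type=1400 audit(1714467432.031:190): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=10057 comm="virtiofsd" capability=6  capname="setgid"
[ 4399.656681] audit: type=1400 audit(1717525854.237:1154): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=35535 comm=446F636B6572204465736B746F70 capability=21  capname="sys_admin"'

# field KEY LINE -> raw value of KEY=... (quotes kept), empty if the key is absent
field() {
    printf '%s\n' "$2" | sed -nE "s/.*[[:space:]]$1=(\"[^\"]*\"|[^[:space:]]*).*/\1/p"
}

# audit_str RAW -> decoded string: strip the quotes, or decode a bare hex value
audit_str() {
    local raw=$1 out="" pair
    case $raw in
        \"*\") raw=${raw#\"}; printf '%s' "${raw%\"}"; return ;;
        *[!0-9A-Fa-f]*) printf '%s' "$raw"; return ;;   # not hex: leave as is
    esac
    if [ $(( ${#raw} % 2 )) -ne 0 ]; then printf '%s' "$raw"; return; fi
    while [ -n "$raw" ]; do
        pair=${raw%"${raw#??}"}                           # first two hex digits
        raw=${raw#??}
        out="$out$(printf "\\$(printf '%03o' "0x$pair")")"  # hex -> octal escape -> char
    done
    printf '%s' "$out"
}

# summarize_denial LINE -> "PROFILE<TAB>COMM<TAB>OPERATION<TAB>CAPNAME(NUM)"; 1 if not a denial
summarize_denial() {
    local line=$1
    case $line in
        *'apparmor="DENIED"'*) ;;
        *) return 1 ;;
    esac
    printf '%s\t%s\t%s\t%s(%s)\n' \
        "$(audit_str "$(field profile "$line")")" \
        "$(audit_str "$(field comm "$line")")" \
        "$(audit_str "$(field operation "$line")")" \
        "$(audit_str "$(field capname "$line")")" \
        "$(field capability "$line")"
}

# userns_denials LOGTEXT -> one summary per line attributed to unprivileged_userns
userns_denials() {
    printf '%s\n' "$1" | grep 'profile="unprivileged_userns"' | while IFS= read -r l; do
        summarize_denial "$l" || true
    done
}

# check_host: read-only view of the things the post changes (dmesg needs sudo)
check_host() {
    local f=/opt/docker-desktop/chrome-sandbox k
    echo "== chrome-sandbox (want root:root 4755) =="
    [ -e "$f" ] && stat -c '%U:%G %a %n' "$f"
    echo "== AppArmor restriction sysctls (1 = restriction on) =="
    for k in apparmor_restrict_unprivileged_userns apparmor_restrict_unprivileged_unconfined; do
        [ -r /proc/sys/kernel/$k ] && printf '%s = %s\n' "$k" "$(cat /proc/sys/kernel/$k)"
    done
    echo "== docker-desktop profile loaded? =="
    grep '^docker-desktop ' /sys/kernel/security/apparmor/profiles 2>/dev/null || echo "not loaded"
    echo "== unprivileged_userns denials in dmesg =="
    userns_denials "$(sudo dmesg 2>/dev/null)"
}

echo "== denials in the sample dmesg lines =="
userns_denials "$SAMPLE_DENIALS"
if [ "${1:-}" = "--host" ]; then check_host; fi
```

Run without arguments it only parses the two embedded sample lines; run with --host on the affected machine it additionally reports the live state, so you can see before and after the fix whether chrome-sandbox is root:root 4755, whether the sysctls are still 1 (i.e. the restriction was not disabled globally) and whether the docker-desktop profile is loaded.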

Article link: https://www.haomeiwen.com/subject/bzxyqjtx.html