Description
The feature docker-in-docker fails to start the docker daemon with the error message

```
mount: /sys/kernel/security: permission denied.
dmesg(1) may have more information after failed mount system call.
Could not mount /sys/kernel/security.
AppArmor detection and --privileged mode might break.
```

when using a devcontainer with the Docker Desktop Hyper-V backend and Enhanced Container Isolation (ECI) enabled.
The container is started using `--privileged`; however, there are still some restrictions:

> Containers become harder to breach. For example, sensitive system calls are vetted and portions of /proc and /sys are emulated inside the container.
This part of the code, which checks for AppArmor, stops the start even though it would otherwise work perfectly fine:
```sh
# Mount securityfs so that AppArmor detection inside the container works.
if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then
    mount -t securityfs none /sys/kernel/security || {
        echo >&2 'Could not mount /sys/kernel/security.'
        echo >&2 'AppArmor detection and --privileged mode might break.'
    }
fi
```
When building the container with ECI disabled and then running the built container with it enabled, everything works fine.
I would propose either adding a feature flag to disable the check or removing it altogether; however, I am not sure how many people run into issues running AppArmor inside a devcontainer base container.
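As an added example of what the proposed feature flag could look like (this is not the docker-in-docker feature's own script, and the variable name `DOCKER_SKIP_SECURITYFS_MOUNT` is a hypothetical name chosen here), the same securityfs check rewritten as a function that can be opted out of and that never turns the mount failure into a start failure. The optional second and third arguments stand in for the real `mountpoint` and `mount` commands so the decision logic can be exercised without root or a real securityfs:

```shell
# Added example, not the docker-in-docker feature's own code: the
# securityfs check gated by a hypothetical opt-out variable
# DOCKER_SKIP_SECURITYFS_MOUNT and made non-fatal.
#
# Usage: ensure_securityfs [DIR] [MOUNTPOINT_CMD] [MOUNT_CMD]
#   DIR            defaults to /sys/kernel/security
#   MOUNTPOINT_CMD defaults to mountpoint (a test may pass true/false)
#   MOUNT_CMD      defaults to mount      (a test may pass true/false)
# Prints one status word on stdout and always returns 0, so a caller
# running under `set -e` keeps starting dockerd whatever happens here.
ensure_securityfs() {
    dir=${1:-/sys/kernel/security}
    mountpoint_cmd=${2:-mountpoint}
    mount_cmd=${3:-mount}

    # Hypothetical feature flag: skip the check entirely, e.g. under
    # Enhanced Container Isolation, where parts of /sys are emulated and
    # securityfs cannot be mounted even in a --privileged container.
    if [ "${DOCKER_SKIP_SECURITYFS_MOUNT:-0}" = "1" ]; then
        echo 'skipped'
        return 0
    fi

    # No securityfs directory at all: nothing to do.
    if [ ! -d "$dir" ]; then
        echo 'absent'
        return 0
    fi

    # Already a mountpoint: AppArmor detection will work as-is.
    if "$mountpoint_cmd" -q "$dir"; then
        echo 'already-mounted'
        return 0
    fi

    # Attempt the mount; on failure warn (as the original script does)
    # but report it as a status instead of letting it abort the start.
    if "$mount_cmd" -t securityfs none "$dir"; then
        echo 'mounted'
    else
        echo >&2 "Could not mount $dir."
        echo >&2 'AppArmor detection and --privileged mode might break.'
        echo 'mount-failed'
    fi
    return 0
}
```

Calling `DOCKER_SKIP_SECURITYFS_MOUNT=1 ensure_securityfs` in the init script would let an ECI user bypass the mount attempt, while the default path still warns exactly as today.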