
Merge pull request #44902 from vvoland/apparmor-check-binary

apparmor: Check if apparmor_parser is available
Sebastiaan van Stijn 2 роки тому
батько
коміт
b5568723ce
1 змінених файлів з 22 додано та 1 видалено
  1. 22 1
      daemon/apparmor_default.go

+ 22 - 1
daemon/apparmor_default.go

@@ -5,9 +5,12 @@ package daemon // import "github.com/docker/docker/daemon"
 
 import (
 	"fmt"
+	"os"
+	"sync"
 
 	"github.com/containerd/containerd/pkg/apparmor"
 	aaprofile "github.com/docker/docker/profiles/apparmor"
+	"github.com/sirupsen/logrus"
 )
 
 // Define constants for native driver
@@ -16,6 +19,11 @@ const (
 	defaultAppArmorProfile    = "docker-default"
 )
 
+var (
+	checkAppArmorOnce   sync.Once
+	isAppArmorAvailable bool
+)
+
 // DefaultApparmorProfile returns the name of the default apparmor profile
 func DefaultApparmorProfile() string {
 	if apparmor.HostSupports() {
@@ -25,7 +33,20 @@ func DefaultApparmorProfile() string {
 }
 
 func ensureDefaultAppArmorProfile() error {
-	if apparmor.HostSupports() {
+	checkAppArmorOnce.Do(func() {
+		if apparmor.HostSupports() {
+			// Restore the apparmor_parser check removed in containerd:
+			// https://github.com/containerd/containerd/commit/1acca8bba36e99684ee3489ea4a42609194ca6b9
+			// Fixes: https://github.com/moby/moby/issues/44900
+			if _, err := os.Stat("/sbin/apparmor_parser"); err == nil {
+				isAppArmorAvailable = true
+			} else {
+				logrus.Warn("AppArmor enabled on system but \"apparmor_parser\" binary is missing, so profile can't be loaded")
+			}
+		}
+	})
+
+	if isAppArmorAvailable {
 		loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile)
 		if err != nil {
 			return fmt.Errorf("Could not check if %s AppArmor profile was loaded: %s", defaultAppArmorProfile, err)
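Review bot: The cached availability result is only consulted in ensureDefaultAppArmorProfile, while DefaultApparmorProfile (context lines of the previous hunk) still gates on `apparmor.HostSupports()` alone. On a host with AppArmor enabled but no parser, the daemon may therefore still name docker-default for containers after this function skipped loading it, so either confirm how container start behaves in that state or have both functions read the same cached result. The `os.Stat("/sbin/apparmor_parser")` check also proves only that the path exists, not that it is an executable regular file or the binary the profile loader actually runs (the loader is not visible here); a stricter guard would be `if fi, err := os.Stat("/sbin/apparmor_parser"); err == nil && fi.Mode().IsRegular() && fi.Mode()&0o111 != 0 {`. Because the result sits behind `sync.Once`, installing the parser later needs a daemon restart and the warning is logged only once, which the var block could state: `// isAppArmorAvailable is computed once per daemon start; true only if the kernel supports AppArmor and apparmor_parser is present.` The body of ensureDefaultAppArmorProfile continues past the end of this hunk.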