docker socket：權限被拒絕

我有安裝了 proxmox 5 的家庭伺服器和 docker 容器中的一些服務。直到昨天一切都很好。

我重新啟動了伺服器，所有容器中的所有服務都無法綁定套接字，因為權限被拒絕。我很沮喪…

這裡有一些技術細節

Linux server 4.10.15-1-pve #1 SMP PVE 4.10.15-15 (Fri, 23 Jun 2017 08:57:55 +0200) x86_64 GNU/Linux

Docker version 18.03.0-ce, build 0520e24
docker-compose version 1.20.1, build 5d8c71b

球童 docker-compose.yml

version: '2'
services:
 caddy:
   container_name: caddy
   image: zzrot/alpine-caddy:latest
   restart: unless-stopped
   network_mode: "host"
   environment:
     - PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
   hostname: caddy
   volumes:
     - /etc/localtime:/etc/localtime:ro
     - /mirror/config/caddy-config/certs:/root/.caddy
     - /mirror/config/caddy-config/caddy:/etc/Caddyfile

碼頭工人組成輸出

root@server:~/compose/caddy# docker-compose up
Creating caddy ... done
Attaching to caddy
caddy    | Activating privacy features... done.
caddy    | 2018/03/23 19:55:21 listen tcp :443: socket: permission denied
caddy exited with code 1

mariadb docker-compose.yml

version: '3.1'
services:
 mariadb:
   container_name: mariadb
   image: mariadb
   restart: always
   ports:
     - 3306:3306/udp
     - 3306:3306/tcp
   environment:
     - PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
     - MYSQL_ROOT_PASSWORD=password
   hostname: mariadb
   volumes:
     - /mirror/config/mariadb-config/databases:/var/lib/mysql
     - /mirror/config/custom.cnf:/etc/mysql/conf.d/config-file.cnf
     - /mirror/config/logs:/config/logs

碼頭工人組成輸出

mariadb_1  | 2018-03-23 13:20:36 139659836417920 [Warning] Failed to create a socket for IPv6 '::': errno: 13.
mariadb_1  | 2018-03-23 13:20:36 139659836417920 [Warning] Failed to create a socket for IPv4 '0.0.0.0': errno: 13.
mariadb_1  | 2018-03-23 13:20:36 139659836417920 [ERROR] Can't create IP socket: Permission denied
mariadb_1  | 2018-03-23 13:20:36 139659836417920 [ERROR] Aborting
mariadb_1  |
mariadb_mariadb_1 exited with code 1

這可能是什麼原因？

更新：一些新的細節

kernel: audit: type=1400 audit(1521896913.536:10071): apparmor="DENIED" operation="create" profile="docker-default" pid=16502 comm="mysqld" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_

audit[16271]: AVC apparmor="DENIED" operation="create" profile="docker-default" pid=16271 comm="caddy" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"

我已將 security_opt 添加到 docker-compose 並且問題已經消失。

security_opt:
     - apparmor:unconfined

但我不認為這個選項是一個完全正確的問題解決方案。

引用自：https://unix.stackexchange.com/questions/433062