Tags: docker, system_error, ai_generated: true

failed to mount overlay: permission denied

ID: docker/overlay2-mount-permission-denied

Fix rate: 75%
Confidence: 85%
Evidence: 1
First seen: 2024-03-15

Version Compatibility

Version         Status   Introduced   Deprecated   Notes
Docker 24.0.7   active
Docker 25.0.0   active
Kernel 6.5.0    active

Root Cause

The Docker overlay2 storage driver cannot mount due to insufficient kernel capabilities or SELinux/AppArmor restrictions, often after a kernel update.



Official Documentation

https://docs.docker.com/storage/storagedriver/overlayfs-driver/

Workarounds

  1. (85% success) Check the SELinux context and set the boolean:
     sudo setsebool -P container_manage_cgroup 1
  2. (70% success) Switch the Docker storage driver to overlay (legacy) or devicemapper as a fallback: edit /etc/docker/daemon.json so that it contains "storage-driver": "overlay" (JSON requires double quotes, so the file should read {"storage-driver": "overlay"}), then restart Docker. Note that images and containers created under overlay2 are not visible to another driver until you switch back, and both fallback drivers are deprecated in current Docker releases.
  3. (80% success) If AppArmor is in use, check apparmor_status and make sure the docker profile is loaded:
     sudo aa-status | grep docker


Dead Ends

Common approaches that don't work:

  1. sudo systemctl restart docker (80% fail)

     Restarting the Docker daemon alone does not fix the underlying filesystem or security-context issue.

  2. sudo apt-get remove docker && sudo apt-get install docker (70% fail)

     Reinstalling Docker does not address kernel or SELinux configuration changes.

  3. setenforce 0 (50% fail)

     Disabling SELinux entirely is overkill and removes a security control from the whole host; it may work temporarily, but it is not a permanent fix.