# Overlay mount failed: permission denied

- **ID:** `docker/overlay2-mount-permission-denied`
- **Domain:** docker
- **Category:** system_error
- **Verification level:** ai_generated
- **Fix rate:** 75%

## Root cause

The Docker overlay2 storage driver cannot mount its layers because the kernel lacks a required capability or because SELinux/AppArmor policy blocks the mount; this typically shows up right after a kernel update.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Docker 24.0.7 | active | — | — |
| Docker 25.0.0 | active | — | — |
| Kernel 6.5.0 | active | — | — |

## Solutions

1. Check the SELinux context and set the boolean: `sudo setsebool -P container_manage_cgroup 1`
2. Switch the Docker storage driver to `overlay` (legacy) or `devicemapper` as a fallback: edit `/etc/docker/daemon.json`, add `"storage-driver": "overlay"` (double quotes; single quotes are not valid JSON and dockerd will refuse to start), then restart Docker.
3. If AppArmor is in use, check the AppArmor status and make sure the Docker profile is loaded: `sudo aa-status | grep docker`
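The three checks above, combined into one read-only triage script. This is an added example, not code from the original entry or from Docker's own tooling. It assumes the standard tool names (`getenforce`, `getsebool`, `aa-status`) and the default config path `/etc/docker/daemon.json`; every check is skipped when its tool is absent, and nothing here changes host state. The `driver_status` helper is hypothetical and encodes one caveat that matters for step 2: the legacy `overlay` driver was removed in Docker Engine 24.0 and `devicemapper` in 25.0, so on the engine versions in the compatibility table that fallback will not be accepted.

```shell
#!/bin/sh
# Read-only triage for "overlay2 mount failed: permission denied".
# Added example for this entry; not code from the original page or from Docker.
# Assumptions: standard tool names (getenforce, getsebool, aa-status) and the
# default config path /etc/docker/daemon.json. Each check is skipped when the
# tool is absent, and nothing here modifies the host.

# 1. Kernel: overlay must be a registered filesystem (built in or module loaded).
check_kernel_overlay() {
  if grep -qw overlay /proc/filesystems 2>/dev/null; then
    echo "kernel: overlay filesystem registered"
  else
    echo "kernel: overlay NOT registered; try 'modprobe overlay' (new kernel may lack the module)"
  fi
}

# 2. SELinux: report the mode and the boolean the entry tells you to enable.
check_selinux() {
  if ! command -v getenforce >/dev/null 2>&1; then
    echo "selinux: tools not installed"; return 0
  fi
  echo "selinux: mode $(getenforce 2>/dev/null || echo unknown)"
  if command -v getsebool >/dev/null 2>&1; then
    getsebool container_manage_cgroup 2>/dev/null \
      || echo "selinux: container_manage_cgroup boolean not defined in this policy"
  fi
}

# 3. AppArmor: the docker profile must be loaded for containers to start.
check_apparmor() {
  if ! command -v aa-status >/dev/null 2>&1; then
    echo "apparmor: tools not installed"; return 0
  fi
  if aa-status 2>/dev/null | grep -q docker; then
    echo "apparmor: docker profile loaded"
  else
    echo "apparmor: docker profile NOT loaded (or aa-status needs root)"
  fi
}

# 4. daemon.json: print the configured storage driver.
#    Prints the driver and returns 0; prints "none" and returns 1 if unset;
#    prints "invalid" and returns 2 if the file uses the single-quoted form,
#    which is not JSON and stops dockerd from starting.
daemon_storage_driver() {
  file=$1
  [ -r "$file" ] || { echo none; return 1; }
  if grep -q "'storage-driver'" "$file"; then
    echo invalid; return 2
  fi
  driver=$(sed -n 's/.*"storage-driver"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$file" | head -n 1)
  [ -n "$driver" ] || { echo none; return 1; }
  echo "$driver"
}

# Hypothetical helper: map a driver name to its support status in current
# engines (legacy overlay removed in Docker Engine 24.0, devicemapper in 25.0),
# so a fallback is not written into a daemon that will refuse it.
driver_status() {
  case $1 in
    overlay2)     echo current ;;
    overlay)      echo removed-in-24.0 ;;
    devicemapper) echo removed-in-25.0 ;;
    none)         echo default-overlay2 ;;
    invalid)      echo invalid-json ;;
    *)            echo unknown ;;
  esac
}

diagnose() {
  cfg=${1:-/etc/docker/daemon.json}
  check_kernel_overlay
  check_selinux
  check_apparmor
  drv=$(daemon_storage_driver "$cfg")
  echo "daemon.json: storage-driver=$drv ($(driver_status "$drv"))"
}

diagnose "${1:-/etc/docker/daemon.json}"
```

Run it as root so `aa-status` and `getsebool` report fully; pass an alternative config path as the first argument to inspect a staged `daemon.json` before restarting the daemon.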

## Failed attempts

- **sudo systemctl restart docker** — Restarting the Docker daemon alone does not fix the underlying filesystem or security-context problem. (80% failure rate)
- **sudo apt-get remove docker && sudo apt-get install docker** — Reinstalling Docker does not address kernel or SELinux configuration changes. (70% failure rate)
- **setenforce 0** — Disabling SELinux entirely is overkill and weakens host security; it works as a temporary workaround but is not a permanent fix. (50% failure rate)
