Docker AppArmor Issue on Proxmox VE 9 / Debian 13

Problem

After upgrading from Proxmox VE 8.4 to 9.1 (Debian 12 → Debian 13), Docker builds fail with permission errors:

npm error code EACCES
npm error syscall spawn sh
npm error errno -13
npm error Error: spawn sh EACCES

Or during Next.js builds:

thread '<unnamed>' panicked at failed to create UnixStream:
Os { code: 13, kind: PermissionDenied, message: "Permission denied" }

Root Cause

AppArmor is now enabled by default in Debian 13.

Proxmox VE 9 uses a custom AppArmor version (4.1.1-pmx1) that has compatibility issues with Docker's default profile. The docker-default AppArmor profile blocks Unix socket creation inside containers.

Kernel logs (dmesg) show:

apparmor="DENIED" operation="create" class="net" info="failed protocol match"
error=-13 profile="docker-default" family="unix" sock_type="stream" protocol=0
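
To see at a glance what the profile is rejecting, the following script summarises dmesg audit lines for a given profile by decision, operation and socket family. It also counts apparmor="ALLOWED" entries, because once a profile is switched to complain mode the kernel logs the same events with that decision instead of "DENIED", so grepping only for DENIED would miss them. This is an added example written for this note, not code from the original page; the sample lines are constructed here to mirror the entry above, and the summarize_apparmor name is an assumption of this example.

```shell
#!/bin/sh
# Added example: summarise AppArmor audit lines for one profile.
# Reads dmesg-style lines on stdin and prints one line per distinct
# (decision, operation, family, sock_type) combination with a count.
# In complain mode the kernel logs apparmor="ALLOWED" instead of "DENIED",
# so both decisions are counted rather than only DENIED.

summarize_apparmor() {
  # $1: profile name to match (default docker-default)
  profile="${1:-docker-default}"
  awk -v want="$profile" '
    # Extract the value of key="value" from an audit line, or "-" if absent.
    function field(line, key,   re, m) {
      re = key "=\"[^\"]*\""
      if (match(line, re)) {
        m = substr(line, RSTART, RLENGTH)
        sub(/^[^=]*="/, "", m); sub(/"$/, "", m)
        return m
      }
      return "-"
    }
    index($0, "apparmor=") == 0 { next }        # not an AppArmor line
    field($0, "profile") != want { next }       # some other profile
    {
      k = field($0, "apparmor") " " field($0, "operation") " " \
          field($0, "family") " " field($0, "sock_type")
      count[k]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort -k2
}

# Constructed sample dmesg output (not captured from a real host): two unix
# socket denials, one /proc/kcore denial, one complain-mode ALLOWED entry and
# one line from an unrelated profile that must be ignored.
SAMPLE_DMESG='[  512.001] audit: type=1400 audit(1700000000.100:42): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=4242 comm="node" family="unix" sock_type="stream" protocol=0
[  512.002] audit: type=1400 audit(1700000000.101:43): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=4243 comm="sh" family="unix" sock_type="stream" protocol=0
[  600.100] audit: type=1400 audit(1700000000.200:44): apparmor="DENIED" operation="open" class="file" profile="docker-default" name="/proc/kcore" pid=4250 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  900.500] audit: type=1400 audit(1700000000.300:45): apparmor="ALLOWED" operation="create" class="net" info="failed protocol match" error=-13 profile="docker-default" pid=5000 comm="node" family="unix" sock_type="stream" protocol=0
[  900.600] audit: type=1400 audit(1700000000.301:46): apparmor="DENIED" operation="open" class="file" profile="lxc-container-default" name="/sys/kernel/debug/" pid=6000 comm="ls" requested_mask="r" denied_mask="r"'

printf '%s\n' "$SAMPLE_DMESG" | summarize_apparmor
# Live use on the Proxmox host:  dmesg | summarize_apparmor
```

On the constructed sample this prints three lines: one ALLOWED and two DENIED unix stream creations, plus one DENIED open. Run against real dmesg output, a non-empty ALLOWED block after applying the complain-mode profile tells you exactly which rules an enforcing profile would need.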

Solution

Create a permissive docker-default profile that allows all operations in complain mode:

cat > /etc/apparmor.d/docker-default << 'EOF'
abi <abi/4.0>,

profile docker-default flags=(attach_disconnected,mediate_deleted,complain) {
  # Allow all - complain mode logs violations but doesn't block
  capability,
  network,
  file,
  mount,
  umount,
  pivot_root,
  ptrace,
  signal,
  dbus,
  unix,
}
EOF

# Load the profile
apparmor_parser -r /etc/apparmor.d/docker-default

Verify the fix:

# Should show "docker-default (complain)"
cat /sys/kernel/security/apparmor/profiles | grep docker

# Test that Docker works
docker run --rm node:20-alpine npm --version

Persistence

The profile in /etc/apparmor.d/docker-default persists across reboots. AppArmor loads profiles from this directory on boot, and because a profile named docker-default is then already loaded when dockerd starts, Docker does not generate and load its own docker-default profile over it.

Security Considerations

This fix puts the Docker profile in complain mode, which:

  • Logs policy violations (as apparmor="ALLOWED" entries in dmesg) but doesn't block them
  • Reduces container isolation, since AppArmor no longer blocks anything for containers (namespaces, capabilities and Docker's default seccomp profile still apply)
  • Is acceptable for a homelab environment

For production environments, consider:

  1. Running Docker in a VM instead of directly on the Proxmox host
  2. Waiting for an upstream fix from Proxmox/Docker
  3. Creating a more restrictive custom profile
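
For option 3, the following script writes a docker-default profile that stays in enforce mode and adds only the unix socket rule that the dmesg denial points at, instead of turning off enforcement for everything. It is an added example written for this note, not a file from Proxmox or Docker: the rule set is an assumption modelled on the shape of Docker's generated default profile (broad network/capability/file rules plus explicit denies on sensitive kernel interfaces), and that `unix,` alone clears the denial is likewise an assumption to confirm with dmesg after loading. The function names (write_enforcing_profile, profile_is_enforcing, profile_allows_unix, profile_parses) are this example's own.

```shell
#!/bin/sh
# Added example: an enforcing docker-default profile that adds the unix
# socket rule rather than switching the whole profile to complain mode.
# Rule set is an assumption modelled on Docker's default profile shape;
# validate on a test host before relying on it.

write_enforcing_profile() {
  # $1: destination path (use /etc/apparmor.d/docker-default on the host)
  cat > "$1" << 'EOF'
abi <abi/4.0>,
include <tunables/global>

# No "complain" in the flags: violations are blocked, not just logged.
profile docker-default flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>

  network,
  capability,
  file,
  umount,

  # The rule the dmesg denial asks for (family="unix" sock_type="stream").
  unix,

  # Signals: from the host/runtime into the container, and between
  # processes of the same container.
  signal (receive) peer=unconfined,
  signal (receive) peer=runc,
  signal (send,receive) peer=docker-default,

  # Lets "ps" inside the container read process state of its peers.
  ptrace (trace,read,tracedby,readby) peer=docker-default,

  # "file," is broad, so keep the dangerous kernel interfaces closed.
  deny mount,
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/kcore rwklx,
  deny /sys/firmware/** rwklx,
  deny /sys/kernel/security/** rwklx,
}
EOF
}

# Review checks that run anywhere, without AppArmor installed.
profile_is_enforcing() {
  # Succeeds when the profile header exists and its flags lack "complain".
  flags=$(grep '^profile docker-default flags=(' "$1") || return 1
  case $flags in
    *complain*) return 1 ;;
    *) return 0 ;;
  esac
}

profile_allows_unix() {
  grep -q '^[[:space:]]*unix,' "$1"
}

# Syntax check with the real parser when available: -Q parses the profile
# without loading it into the kernel.
profile_parses() {
  if command -v apparmor_parser > /dev/null 2>&1; then
    apparmor_parser -Q "$1"
  else
    echo "apparmor_parser not installed; skipping parse check" >&2
  fi
}

# Usage on the host:
#   write_enforcing_profile /etc/apparmor.d/docker-default
#   profile_parses /etc/apparmor.d/docker-default
#   apparmor_parser -r /etc/apparmor.d/docker-default
#   dmesg | grep 'profile="docker-default"'    # should show no new DENIED lines
```

Because this profile enforces, any rule it is still missing shows up in dmesg as a DENIED entry rather than silently succeeding, which is the trade-off you want in production: a failed build is visible, a weakened sandbox is not.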

References

Affected Versions

  • Proxmox VE 9.0+ (Debian 13 Trixie)
  • Kernel 6.17.x-pve
  • Docker 26.x
  • AppArmor 4.1.1-pmx1

Symptoms Checklist

  • [ ] spawn sh EACCES during npm ci or npm install
  • [ ] failed to create UnixStream: Permission denied during builds
  • [ ] Works with docker run --privileged but not regular docker
  • [ ] dmesg | grep apparmor shows DENIED entries for docker-default
  • [ ] Issue started after Proxmox 8 → 9 upgrade