Debian package lists apparmor as recommended, but doesn't work without it

[markus-k]

The docker-ce Debian package lists apparmor as a recommended dependency. But since the last update (23.0.0), docker does not work without apparmor.

On a freshly provisioned Debian 11 VM which does not have apparmor preinstalled (which is the case for Hetzner Cloud VMs), after installing Docker as documented:

# docker run --rm -ti debian bash
Unable to find image 'debian:latest' locally
latest: Pulling from library/debian
1e4aec178e08: Pull complete
Digest: sha256:43ef0c6c3585d5b406caa7a0f232ff5a19c1402aeb415f68bcd1cf9d10180af8
Status: Downloaded newer image for debian:latest
docker: Error response from daemon: AppArmor enabled on system but the docker-default profile could not be loaded: running `apparmor_parser apparmor_parser --version` failed with output:
error: exec: "apparmor_parser": executable file not found in $PATH.
ERRO[0004] error waiting for container: context canceled

After installing the apparmor-package in this VM, running docker containers works as expected.

So either Docker should not require apparmor by default, or list it as a required dependency in the debian package.

[tianon]

From https://www.debian.org/doc/debian-policy/ch-relationships.html#binary-dependencies-depends-recommends-suggests-enhances-pre-depends:

Recommends

This declares a strong, but not absolute, dependency.

The Recommends field should list packages that would be found together with this one in all but unusual installations.

That being said, see also moby/moby#44902 and moby/moby#44942 (which should be released very very soon).

[neersighted]

See moby/moby#44970 (comment) for the latest; we're waiting on a containerd release to fix the root cause.

[thaJeztah]

This should be resolved now, but we're considering making this an explicit opt-out (instead of silently ignoring). No changes were made yet though (still to be discussed).