If you’re running GPU workloads or nested Docker inside LXC containers on Proxmox, AppArmor can sometimes cause permission issues. This guide explains how to completely disable AppArmor on the Proxmox host and ensure it’s not active inside containers.
1. Check if AppArmor is active
Run this command on the Proxmox host:
cat /sys/module/apparmor/parameters/enabled
- If it returns Y, AppArmor is active.
- If it returns N, AppArmor is disabled.
You can also check the status inside any container:
aa-status
If you see:
apparmor module is loaded. apparmor filesystem is not mounted.
it means the module exists in the kernel, but AppArmor is not actually active.
2. Temporarily disable AppArmor (until next reboot)
Run on the host:
systemctl stop apparmor systemctl disable apparmor
This stops the AppArmor service, but the kernel module will still be loaded until reboot.
3. Permanently disable AppArmor
To completely disable AppArmor, edit your GRUB configuration file:
nano /etc/default/grub
Find the line starting with:
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
Add apparmor=0 to the parameters, for example:
GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=0"
Save the file, then update GRUB and reboot the system:
update-grub reboot
4. Verify AppArmor is disabled
After reboot, confirm that AppArmor is fully disabled:
cat /sys/module/apparmor/parameters/enabled
Output should be:
N
This means AppArmor is no longer active in the kernel.
5. Disable AppArmor per container (optional)
Even if AppArmor is disabled globally, it’s good practice to make sure individual containers aren’t assigned AppArmor profiles.
Edit your container configuration:
nano /etc/pve/lxc/<CTID>.conf
Add or ensure the following line is present:
lxc.apparmor.profile: unconfined
This ensures the container runs completely unconfined.
Summary
apparmor=0disables AppArmor kernel-wide.lxc.apparmor.profile: unconfineddisables it for a specific container.- Seeing “apparmor module is loaded, filesystem not mounted” inside a container is normal and means AppArmor is inactive.
With these steps, your Proxmox host and all LXC containers run without AppArmor restrictions — ideal for Docker, GPU passthrough, and AI workloads.