Description
When a container is stopped, the quit and kill signals get blocked by AppArmor.
Workaround:
The only way I have found to bypass this issue is to disable AppArmor for Docker by setting the environment variable `container` to any value.
See this for details.
Reproduce
Setup clean version of Ubuntu 23.10
apt update
apt full-upgrade -y
apt install -y docker.io
reboot
Try this multiple times:
time docker stop $(docker run --rm -d nginx)
logs
time="2024-04-15T14:15:26.348745030Z" level=error msg="Error sending stop (signal 3) to container" container=24cf886faaa4577ca06c443aec70d524c1c06ae907c4f0428527a03bacebdd85 error="Cannot kill container 24cf886faaa4577ca06c443aec70d524c1c06ae907c4f0428527a03bacebdd85: unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied\n: unknown"
time="2024-04-15T14:15:26.348793931Z" level=info msg="Container failed to exit within 2s of signal 3 - using the force" container=24cf886faaa4577ca06c443aec70d524c1c06ae907c4f0428527a03bacebdd85
time="2024-04-15T14:15:36.393575597Z" level=error msg="Container failed to exit within 10s of kill - trying direct SIGKILL" container=24cf886faaa4577ca06c443aec70d524c1c06ae907c4f0428527a03bacebdd85 error="context deadline exceeded"
Observe time taken is around 12 seconds.
Now apply my workaround linked above, or disable AppArmor system-wide.
Now try the same again a few times:
time docker stop $(docker run --rm -d nginx)
Observe time taken is only around 1 second.
My workaround is required because it is not possible to modify, edit, view, or otherwise touch the docker-default AppArmor profile; the only alternative is to disable AppArmor system-wide.
Expected behavior
docker stop should not be blocked by AppArmor.
docker version
docker version
Client:
Version: 24.0.5
API version: 1.43
Go version: go1.20.7
Git commit: 24.0.5-0ubuntu1
Built: Wed Aug 16 21:32:36 2023
OS/Arch: linux/amd64
Context: default
Server:
Engine:
Version: 24.0.5
API version: 1.43 (minimum version 1.12)
Go version: go1.20.7
Git commit: 24.0.5-0ubuntu1
Built: Wed Aug 16 21:32:36 2023
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.7.2
GitCommit:
runc:
Version: 1.1.7-0ubuntu2.2
GitCommit:
docker-init:
Version: 0.19.0
GitCommit:
docker info
docker info
Client:
Version: 24.0.5
Context: default
Debug Mode: false
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 1
Server Version: 24.0.5
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version:
runc version:
init version:
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.5.0-27-generic
Operating System: Ubuntu 23.10
OSType: linux
Architecture: x86_64
CPUs: 16
Total Memory: 9.682GiB
Name: asd
ID: e2701b79-9f40-4e93-b319-d1dfd97dfe8a
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Additional Info
audit logs
audit: type=1400 audit(1713190524.343:81): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=2537 comm="runc" requested_mask="receive" denied_mask="receive" signal=quit peer="/usr/sbin/runc"
audit: type=1400 audit(1713190526.383:82): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=2544 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/sbin/runc"
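Added example, not part of this report and not Docker or AppArmor code: a small Python script that reads the audit and dockerd lines quoted above and confirms the failure mode they describe (the docker-default profile denying the signals runc sends to the container's init, and dockerd escalating through its 2s and 10s timeouts to a direct SIGKILL). The five log lines are copied from the report; the key/value parsing, the correlation rule, and the profile and peer names passed to diagnose() are this example's own assumptions. Signal 3 in the dockerd message is SIGQUIT, the stop signal the nginx image declares with STOPSIGNAL, which is why the first audit line shows signal=quit.

```python
"""Added example (not part of the bug report above): detect the AppArmor
signal-denial pattern from the report's own log lines.

The two audit lines and three dockerd lines below are copied from the
report; the parsing, correlation and verdict logic are this example's
own assumptions about how to read them, not Docker or AppArmor code."""
import re
from datetime import datetime, timezone

# Constructed sample input: log lines copied from the bug report above.
AUDIT_LINES = [
    'audit: type=1400 audit(1713190524.343:81): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=2537 comm="runc" requested_mask="receive" denied_mask="receive" signal=quit peer="/usr/sbin/runc"',
    'audit: type=1400 audit(1713190526.383:82): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=2544 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/sbin/runc"',
]
DOCKERD_LINES = [
    r'time="2024-04-15T14:15:26.348745030Z" level=error msg="Error sending stop (signal 3) to container" container=24cf886faaa4577ca06c443aec70d524c1c06ae907c4f0428527a03bacebdd85 error="Cannot kill container 24cf886faaa4577ca06c443aec70d524c1c06ae907c4f0428527a03bacebdd85: unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied\n: unknown"',
    'time="2024-04-15T14:15:26.348793931Z" level=info msg="Container failed to exit within 2s of signal 3 - using the force" container=24cf886faaa4577ca06c443aec70d524c1c06ae907c4f0428527a03bacebdd85',
    'time="2024-04-15T14:15:36.393575597Z" level=error msg="Container failed to exit within 10s of kill - trying direct SIGKILL" container=24cf886faaa4577ca06c443aec70d524c1c06ae907c4f0428527a03bacebdd85 error="context deadline exceeded"',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')           # key="quoted" or key=bare
_AUDIT_TS = re.compile(r'audit\((\d+\.\d+):\d+\)')         # audit(epoch.millis:serial)
_ISO_NS = re.compile(r'(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\.(\d+)Z')  # dockerd nanosecond UTC stamp


def parse_kv(line):
    """Turn the key=value / key="quoted value" pairs of one log line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def dockerd_epoch(ts):
    """Convert dockerd's nanosecond ISO-8601 UTC timestamp to epoch seconds (microsecond precision)."""
    m = _ISO_NS.fullmatch(ts)
    if not m:
        raise ValueError(f"unexpected dockerd timestamp: {ts}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    micros = int(m.group(2)[:6].ljust(6, "0"))  # truncate ns -> us
    return base.replace(microsecond=micros).timestamp()


def apparmor_signal_denials(lines):
    """Return every AppArmor DENIED record of class/operation 'signal', with its epoch time."""
    found = []
    for line in lines:
        kv = parse_kv(line)
        if kv.get("apparmor") != "DENIED" or kv.get("operation") != "signal":
            continue
        ts = _AUDIT_TS.search(line)
        found.append({
            "epoch": float(ts.group(1)) if ts else None,
            "profile": kv.get("profile"),
            "signal": kv.get("signal"),
            "peer": kv.get("peer"),
            "pid": int(kv["pid"]) if "pid" in kv else None,
        })
    return found


def stop_escalation(lines):
    """Summarise dockerd's stop path: graceful signal -> 'using the force' -> direct SIGKILL."""
    out = {"permission_denied": False, "forced": False, "direct_sigkill": False,
           "first_epoch": None, "last_epoch": None}
    for line in lines:
        kv = parse_kv(line)
        msg, err = kv.get("msg", ""), kv.get("error", "")
        if "unable to signal init: permission denied" in err:
            out["permission_denied"] = True
        if "using the force" in msg:
            out["forced"] = True
        if "direct SIGKILL" in msg:
            out["direct_sigkill"] = True
        if "time" in kv:
            epoch = dockerd_epoch(kv["time"])
            out["first_epoch"] = epoch if out["first_epoch"] is None else min(out["first_epoch"], epoch)
            out["last_epoch"] = epoch if out["last_epoch"] is None else max(out["last_epoch"], epoch)
    return out


def diagnose(audit_lines, dockerd_lines, profile="docker-default", runtime="/usr/sbin/runc"):
    """Correlate both sources. Returns (verdict, seconds from first denial to the final SIGKILL).

    profile/runtime defaults are assumptions taken from the report's own audit lines."""
    denials = [d for d in apparmor_signal_denials(audit_lines)
               if d["profile"] == profile and d["peer"] == runtime]
    esc = stop_escalation(dockerd_lines)
    if not denials or not esc["permission_denied"]:
        return "no AppArmor signal denial from the runtime; look elsewhere", None
    start = min(d["epoch"] for d in denials if d["epoch"] is not None)
    end = esc["last_epoch"] if esc["direct_sigkill"] else None
    elapsed = None if end is None else end - start
    signals = ",".join(d["signal"] for d in denials)
    if elapsed is None:
        return f"profile {profile} denied signal(s) {signals} from {runtime}", None
    return (f"profile {profile} denied signal(s) {signals} from {runtime}; "
            f"dockerd fell back to direct SIGKILL after {elapsed:.1f}s"), elapsed


if __name__ == "__main__":
    print(diagnose(AUDIT_LINES, DOCKERD_LINES)[0])
```

On a live host the same functions can be fed the real streams: AppArmor denials come from the kernel log (`dmesg` or `journalctl -k`), and the stop/kill escalation from the daemon log (`journalctl -u docker`). The elapsed value the script reports for the quoted lines, first denied SIGQUIT to final direct SIGKILL, is the roughly 12 seconds the report measures with `time docker stop`.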