docker can't stop containers because of apparmor

Bug #1821540 reported by Stephen Buergler
Affects             Status   Importance  Assigned to  Milestone
docker.io (Ubuntu)  Invalid  Undecided   Unassigned

Bug Description

Docker can't stop containers because it can't send a signal to it because of apparmor. There is also a spelling mistake in the error message.

$ docker stop 35
Error response from daemon: cannot stop container: 35: Cannot kill container 352331e095ca6de50eefaaa4ff3a2b81f056daf71ccb1e2b70a19ea4c1832f5a: unknown error after kill: docker-runc did not terminate sucessfully: container_linux.go:387: signaling init process caused "permission denied"
: unknown
$ dmesg
[1092035.379443] audit: type=1400 audit(1553460324.354:286): apparmor="DENIED" operation="signal" profile="docker-default" pid=15466 comm="docker-runc" requested_mask="receive" denied_mask="receive" signal=kill peer="unconfined"

$ lsb_release -rd
Description: Ubuntu 18.04.2 LTS
Release: 18.04

$ apt-cache policy docker.io
docker.io:
  Installed: 18.09.2-0ubuntu1~18.04.1
  Candidate: 18.09.2-0ubuntu1~18.04.1
  Version table:
 *** 18.09.2-0ubuntu1~18.04.1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages
        100 /var/lib/dpkg/status
     18.06.1-0ubuntu1.2~18.04.1 500
        500 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages
     17.12.1-0ubuntu1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
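As an added example (not part of this report, the docker.io package, or moby), a small Python parser that pulls AppArmor audit records like the dmesg entry above out of a log and flags signal denials against the docker-default profile; the sample log text is constructed from the quoted line plus two unrelated lines that the filter must ignore.

```python
import re

# Sample log constructed for this example: the dmesg line quoted in the report,
# plus an unrelated ALLOWED record and a non-audit kernel line.
SAMPLE_DMESG = """\
[1092035.379443] audit: type=1400 audit(1553460324.354:286): apparmor="DENIED" operation="signal" profile="docker-default" pid=15466 comm="docker-runc" requested_mask="receive" denied_mask="receive" signal=kill peer="unconfined"
[1092035.400000] audit: type=1400 audit(1553460324.400:287): apparmor="ALLOWED" operation="open" profile="docker-default" name="/etc/hosts" pid=15470 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[1092036.000000] docker0: port 1(veth1234) entered disabled state
"""

# AppArmor audit records are space-separated key=value pairs; values are
# either double-quoted (may contain spaces) or bare tokens such as kill or 1400.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_apparmor_audit(line):
    """Return the key/value fields of an AppArmor (type=1400) audit line, else None."""
    if 'apparmor="' not in line:
        return None
    return {key: value.strip('"') for key, value in _KV_RE.findall(line)}


def signal_denials(lines, profile="docker-default"):
    """Collect DENIED signal events recorded against `profile`.

    denied_mask="receive" means the confined task (comm/pid) was refused
    receipt of `signal` from `peer`; "send" would mean it was refused sending.
    """
    events = []
    for line in lines:
        f = parse_apparmor_audit(line)
        if not f or f.get("apparmor") != "DENIED" or f.get("operation") != "signal":
            continue
        if f.get("profile") != profile:
            continue
        events.append({
            "pid": int(f["pid"]) if f.get("pid", "").isdigit() else None,
            "comm": f.get("comm"),
            "signal": f.get("signal"),
            "peer": f.get("peer"),
            "denied_mask": f.get("denied_mask"),
        })
    return events


if __name__ == "__main__":
    for ev in signal_denials(SAMPLE_DMESG.splitlines()):
        print(f"{ev['comm']}[{ev['pid']}] in docker-default refused to {ev['denied_mask']} "
              f"SIG{ev['signal'].upper()} from peer {ev['peer']}")
```

Feeding `dmesg` or `journalctl -k` output through `signal_denials` turns an opaque "permission denied" from `docker stop` into the exact profile, peer and signal that AppArmor refused.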

Michael Hudson-Doyle (mwhudson) wrote :

Hi, this works for me in very simple testing. Can you post a full reproducer?

Changed in docker.io (Ubuntu):
status: New → Incomplete
Stephen Buergler (sixcorners) wrote :

I think the change in this commit isn't in my AppArmor profile.
https://github.com/moby/moby/commit/4822fb1e2423d88cdf0ad5d039b8fd3274b05401
What does yours look like?
$ cat /etc/apparmor.d/docker

#include <tunables/global>

profile docker-default flags=(attach_disconnected,mediate_deleted) {

  #include <abstractions/base>

  network,
  capability,
  file,
  umount,

  deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
  # deny write to files not in /proc/<number>/** or /proc/sys/**
  deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
  deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
  deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/kcore rwklx,

  deny mount,

  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/efi/efivars/** rwklx,
  deny /sys/kernel/security/** rwklx,

  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
  ptrace (trace,read) peer=docker-default,

}

Stephen Buergler (sixcorners) wrote :

It's working now. I'm not sure why.

Michael Hudson-Doyle (mwhudson) wrote :

Glad it's working now and thanks for coming back to report it.

Changed in docker.io (Ubuntu):
status: Incomplete → Invalid