*** This bug is a duplicate of bug 2065423 ***
https://bugs.launchpad.net/bugs/2065423
** This bug has been marked a duplicate of bug 2065423
Update AppArmor template to allow confined runc to kill containers
--
** Tags added: server-todo
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2063099
Title:
Stopping container signal blocked by AppArmor on Ubuntu
Note that this bug is wrongly targeted to docker.io since this project
no longer keeps track of the docker.io package for 22.04/24.04.
This is why I reported the bug in docker.io-app instead:
https://bugs.launchpad.net/ubuntu/+source/docker.io-app/+bug/2079006
I invite anyone affected by bug and rep
Weighing in to emphasize the urgency:
- this bug is a surefire way to corrupt user data,
- in a popular infrastructure component (Docker),
- still not fixed a year after it was discovered (bug #2039294 is dated
2023-10-13).
The bug causes a major problem with Docker containers being unable to
gra
I have the same issue on 24.04 LTS
--
containerd seems to have similar issues from Kubernetes... (I need to
check if a bug exists for that as well)
kubelet.go:2049] [failed to "KillContainer" for "ceph-exporter" with
KillContainerError: "rpc error: code = Unknown desc = failed to kill container
\"373f6f3fc02b903a49b6d5e330366944e9c
Reported the bug in docker.io-app to make sure it targets the right project,
since the latest docker.io packages are maintained there:
https://bugs.launchpad.net/ubuntu/+source/docker.io-app/+bug/2079006
--
Workaround with docker-default apparmor profile to deploy works (fix in
upstream is somehow identical)
--
Upstream fixed the issue 5 months ago and the latest noble updates still do
not embed the patch to the apparmor default profile.
Not being able to stop a container in a normal condition is a real
regression and prevents anyone using docker from upgrading to noble.
Any plan to fix?
--
@lucaskanashiro,
I think you are trying to stop the container too soon after it's
created. The container receives SIGTERM from docker before it sets up
signal handlers, and because it's PID 1, the signal is ignored. Runc
then kills it with SIGKILL after 10s.
Try with sleep:
root@cloudimg:~# tim
Thanks for providing the workaround Tomáš! I can confirm that it works
in Noble, but for me, even using the profile you provided in comment #4,
the command below takes more or less 10 seconds (against 12 seconds when
the containers are killed with SIGKILL):
root@docker-apparmor:~# time docker stop
I'll copy the workaround I mentioned in #2039294 here:
As a temporary workaround, put the file I have attached to
/etc/apparmor.d/docker-default and load it with "apparmor_parser -Kr
/etc/apparmor.d/docker-default". It will make dockerd skip loading its
builtin profile as docker-default. It will a
There's a fix proposed to upstream: https://github.com/moby/moby/pull/47749
The commit message describes the cause.
These bugs have the same cause:
- https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2039294
- https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2040483
The latter doesn'
AppArmor's signal handling is a bit more involved than e.g. capabilities
or file accesses: both the sender profile and the receiver profile need to
have signal rules allowing, respectively, sending the signal and receiving
the signal.
23.10 and 24.04 LTS have introduced restrictions on unprivileged
name
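The comment above explains why the docker-default workaround and the upstream template fix both touch signal rules: a denial can be logged against whichever side lacks its rule. The following script is an added example, not code from this bug thread or from the moby/AppArmor projects. It parses AppArmor audit lines in the key=value format the kernel emits, keeps only signal denials, and derives the `signal (receive|send) set=(...) peer=...` rule that each denial implies is missing from the logged profile. The log lines are constructed for the example (profile and peer names are illustrative); the derived rules are a starting point to check against the actual profile, not an automatic fix.

```python
import re

# Constructed sample audit lines in the format AppArmor emits. Two are signal
# denials against the receiving (container) profile, one is a complain-mode
# ALLOWED event, one is an unrelated file denial; only the first two matter.
SAMPLE_LOG = """\
audit: type=1400 audit(1713000000.001:101): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=4242 comm="nginx" requested_mask="receive" denied_mask="receive" signal=term peer="runc"
audit: type=1400 audit(1713000000.002:102): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=4243 comm="sleep" requested_mask="receive" denied_mask="receive" signal=kill peer="runc"
audit: type=1400 audit(1713000000.003:103): apparmor="ALLOWED" operation="signal" class="signal" profile="docker-default" pid=4244 comm="sh" requested_mask="send" denied_mask="send" signal=term peer="docker-default"
audit: type=1400 audit(1713000000.004:104): apparmor="DENIED" operation="open" class="file" profile="docker-default" pid=4245 comm="cat" requested_mask="r" denied_mask="r" name="/proc/kcore"
"""

# key="quoted value" or key=bareword
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def signal_denials(log_text):
    """Keep only DENIED events of class signal and extract the relevant fields."""
    events = []
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED" or f.get("class") != "signal":
            continue
        events.append({
            "profile": f["profile"],          # profile the denial was evaluated in
            "peer": f.get("peer", "unknown"),  # the other side of the signal
            "signal": f.get("signal", "?"),
            "denied_mask": f.get("denied_mask", ""),
            "comm": f.get("comm", "?"),
        })
    return events


def missing_rules(events):
    """Map each logged profile to the AppArmor signal rules its denials imply.

    denied_mask containing "receive" means the logged profile is the receiver
    and lacks 'signal (receive) ... peer=<sender>'; "send" means it is the
    sender and lacks 'signal (send) ... peer=<receiver>'. A denial against the
    sender side (e.g. a confined runc) would show up with that profile in
    profile= and the container profile in peer=, so both sides are covered by
    running this over the full log.
    """
    grouped = {}
    for ev in events:
        for direction in ("receive", "send"):
            if direction in ev["denied_mask"]:
                key = (ev["profile"], direction, ev["peer"])
                grouped.setdefault(key, set()).add(ev["signal"])
    rules = {}
    for (profile, direction, peer), sigs in sorted(grouped.items()):
        rule = f"signal ({direction}) set=({', '.join(sorted(sigs))}) peer={peer},"
        rules.setdefault(profile, []).append(rule)
    return rules


if __name__ == "__main__":
    evs = signal_denials(SAMPLE_LOG)
    for ev in evs:
        print(f'{ev["profile"]} <- {ev["peer"]}: {ev["signal"]} ({ev["comm"]}) denied {ev["denied_mask"]}')
    for profile, rules in missing_rules(evs).items():
        print(f"profile {profile} is missing:")
        for rule in rules:
            print("  " + rule)
```

On a real host, feed it `journalctl -k` or `/var/log/audit/audit.log` output instead of `SAMPLE_LOG`; a `receive` denial in the container profile with `peer=runc` is the signature of the bug discussed in this thread, and an empty result after loading the workaround profile confirms the rules took effect.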
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: docker.io (Ubuntu)
Status: New => Confirmed
--