Stopping container signal blocked by AppArmor on Ubuntu #47720
Labels
area/packaging
area/security/apparmor
kind/bug
status/0-triage
Description
When a container is stopped, the quit and kill signals get blocked by AppArmor.
Workaround:
The only way I have found to bypass this issue is to disable apparmor for docker by setting the environment variable container to any value. See this for details.
Reproduce
Setup clean version of Ubuntu 23.10
apt update
apt full-upgrade -y
apt install -y docker.io
reboot
Try this multiple times:
time docker stop $(docker run --rm -d nginx)
logs
Observe time taken is around 12 seconds.
Now do my workaround linked above, or disable apparmor system wide.
Now try the same again a few times:
time docker stop $(docker run --rm -d nginx)
Observe time taken is only around 1 second.
My workaround is required because it is not possible to modify, edit, view or do anything else with the docker-default apparmor profile, or you can disable AppArmor system wide.
Expected behavior
docker stop should not be blocked by AppArmor.
docker version
Client:
 Version:           24.0.5
 API version:       1.43
 Go version:        go1.20.7
 Git commit:        24.0.5-0ubuntu1
 Built:             Wed Aug 16 21:32:36 2023
 OS/Arch:           linux/amd64
 Context:           default

Server:
 Engine:
  Version:          24.0.5
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.7
  Git commit:       24.0.5-0ubuntu1
  Built:            Wed Aug 16 21:32:36 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.7.2
  GitCommit:
 runc:
  Version:          1.1.7-0ubuntu2.2
  GitCommit:
 docker-init:
  Version:          0.19.0
  GitCommit:
docker info
Additional Info
audit logs
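Two checks an operator can run when triaging a report like this, added here as an example and not part of the issue or of the docker.io package: a parser that pulls AppArmor signal denials (profile, signal, peer label) out of audit-format log lines, and a timer that reproduces the `time docker stop` measurement from the steps above. The audit lines embedded in the block are constructed samples written in the kernel's AppArmor audit record format; the pids, the comm value and the peer label `some-confining-profile` are made up for illustration and do not come from the issue.

```shell
#!/usr/bin/env bash
# Added example, not code from the issue. POSIX-compatible apart from the shebang.

# CONSTRUCTED sample audit records (not the reporter's logs). Two signal
# denials against the docker-default profile plus two unrelated records.
SAMPLE_AUDIT='type=AVC msg=audit(1712000000.101:301): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=4242 comm="nginx" requested_mask="receive" denied_mask="receive" signal=term peer="some-confining-profile"
type=AVC msg=audit(1712000000.202:302): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=4242 comm="nginx" requested_mask="receive" denied_mask="receive" signal=kill peer="some-confining-profile"
type=AVC msg=audit(1712000000.303:303): apparmor="ALLOWED" operation="open" class="file" profile="docker-default" pid=4242 comm="nginx" requested_mask="r" denied_mask="r" name="/etc/nginx/nginx.conf"
type=AVC msg=audit(1712000000.404:304): apparmor="DENIED" operation="open" class="file" profile="docker-default" pid=4242 comm="nginx" requested_mask="w" denied_mask="w" name="/proc/sysrq-trigger"'

# Read audit-format lines on stdin and print one "profile signal peer" triple
# per AppArmor signal denial. Records that are allowed, or that deny something
# other than a signal (file opens, mounts, ...), are ignored.
apparmor_signal_denials() {
    grep 'apparmor="DENIED"' | grep 'operation="signal"' |
    awk '{
        profile = ""; sig = ""; peer = "";
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");          # key=value tokens
            v = kv[2]; gsub(/"/, "", v); # strip the quotes around values
            if (kv[1] == "profile") profile = v;
            else if (kv[1] == "signal") sig = v;
            else if (kv[1] == "peer") peer = v;
        }
        if (profile != "") print profile, sig, peer;
    }'
}

# Number of signal denials on stdin; handy as an alert condition.
count_signal_denials() {
    apparmor_signal_denials | wc -l | tr -d ' '
}

# Reproduce the measurement from the report: start a throwaway container,
# stop it, and print the elapsed whole seconds. docker stop sends SIGTERM and
# falls back to SIGKILL after its default 10 s timeout, so a value near or
# above 10 means the container never acted on the first signal. Requires a
# Docker host; not run automatically by this script.
time_stop() {
    image=${1:-nginx}
    cid=$(docker run --rm -d "$image") || return 1
    start=$(date +%s)
    docker stop "$cid" >/dev/null
    end=$(date +%s)
    echo $(( end - start ))
}

# Offline demo on the constructed sample: expected two lines, term and kill.
printf '%s\n' "$SAMPLE_AUDIT" | apparmor_signal_denials
```

Feed the real records in with `journalctl -k | apparmor_signal_denials` or from `/var/log/audit/audit.log` on an auditd host; on a working system the output should be empty while `time_stop` stays around one second, and a non-empty list alongside a ten-second-plus stop is the combination the report describes.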