Stopping container signal blocked by AppArmor on Ubuntu #47720

Closed
Gunni opened this issue Apr 15, 2024 · 3 comments
Labels
area/packaging area/security/apparmor kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. status/0-triage

Comments

@Gunni

Gunni commented Apr 15, 2024

Description

When a container is stopped, the quit and kill signals get blocked by AppArmor.

Workaround:
The only way I have found to bypass this issue is to disable AppArmor for Docker by setting the environment variable container to any value.

See this for details.

Reproduce

Set up a clean installation of Ubuntu 23.10:

apt update
apt full-upgrade -y
apt install -y docker.io
reboot

Try this multiple times:
time docker stop $(docker run --rm -d nginx)

logs
time="2024-04-15T14:15:26.348745030Z" level=error msg="Error sending stop (signal 3) to container" container=24cf886faaa4577ca06c443aec70d524c1c06ae907c4f0428527a03bacebdd85 error="Cannot kill container 24cf886faaa4577ca06c443aec70d524c1c06ae907c4f0428527a03bacebdd85: unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied\n: unknown"
time="2024-04-15T14:15:26.348793931Z" level=info msg="Container failed to exit within 2s of signal 3 - using the force" container=24cf886faaa4577ca06c443aec70d524c1c06ae907c4f0428527a03bacebdd85
time="2024-04-15T14:15:36.393575597Z" level=error msg="Container failed to exit within 10s of kill - trying direct SIGKILL" container=24cf886faaa4577ca06c443aec70d524c1c06ae907c4f0428527a03bacebdd85 error="context deadline exceeded"

Observe that the time taken is around 12 seconds.

Now apply my workaround linked above, or disable AppArmor system-wide.

Now try the same again a few times:
time docker stop $(docker run --rm -d nginx)

Observe that the time taken is only around 1 second.

My workaround is required because it is not possible to modify, edit, view or otherwise change the docker-default AppArmor profile; the only alternative is to disable AppArmor system-wide.

Expected behavior

docker stop should not be blocked by AppArmor.

docker version

docker version
Client:
 Version:           24.0.5
 API version:       1.43
 Go version:        go1.20.7
 Git commit:        24.0.5-0ubuntu1
 Built:             Wed Aug 16 21:32:36 2023
 OS/Arch:           linux/amd64
 Context:           default

Server:
 Engine:
  Version:          24.0.5
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.7
  Git commit:       24.0.5-0ubuntu1
  Built:            Wed Aug 16 21:32:36 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.7.2
  GitCommit:        
 runc:
  Version:          1.1.7-0ubuntu2.2
  GitCommit:        
 docker-init:
  Version:          0.19.0
  GitCommit:

docker info

docker info
Client:
 Version:    24.0.5
 Context:    default
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 1
 Server Version: 24.0.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 
 runc version: 
 init version: 
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.5.0-27-generic
 Operating System: Ubuntu 23.10
 OSType: linux
 Architecture: x86_64
 CPUs: 16
 Total Memory: 9.682GiB
 Name: asd
 ID: e2701b79-9f40-4e93-b319-d1dfd97dfe8a
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

audit logs
audit: type=1400 audit(1713190524.343:81): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=2537 comm="runc" requested_mask="receive" denied_mask="receive" signal=quit peer="/usr/sbin/runc"
audit: type=1400 audit(1713190526.383:82): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=2544 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/sbin/runc"
@Gunni Gunni added kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. status/0-triage labels Apr 15, 2024
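Added example, not code from the reporter or from the Moby project: a small POSIX shell triage script for the reproduction above. It filters kernel-log lines for AppArmor signal denials against the docker-default profile (the shape of the audit lines in the report) and returns a verdict on whether runc, the container runtime, is the denied sender. Run with the argument live it also times docker stop on a throwaway nginx container the way the report does, prints which package owns dockerd (docker.io versus docker-ce) and prints the daemon's active security options, which is the quick way to confirm whether the reporter's workaround has removed apparmor for every container on the host. The sample log lines are constructed: the two DENIED signal lines are taken from the report and the file-open line is made up as a negative case; the journalctl and dpkg paths are assumptions about a stock Ubuntu install.

```shell
#!/bin/sh
# Added triage helper for the "docker stop takes ~12s" symptom in this issue.
# Example code written for this page, not code from the reporter or from the
# Moby project. It parses AppArmor audit lines (as printed in the kernel log)
# for signal denials against a profile and optionally times a live "docker stop".
set -eu

# Sample kernel-log input, constructed for this example: the two DENIED signal
# lines quoted in the report plus one unrelated DENIED file-open line (made up)
# that the filter must ignore.
SAMPLE_AUDIT='audit: type=1400 audit(1713190524.343:81): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=2537 comm="runc" requested_mask="receive" denied_mask="receive" signal=quit peer="/usr/sbin/runc"
audit: type=1400 audit(1713190526.383:82): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=2544 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/sbin/runc"
audit: type=1400 audit(1713190526.400:83): apparmor="DENIED" operation="open" class="file" profile="docker-default" pid=2550 comm="nginx" requested_mask="r" denied_mask="r" name="/etc/shadow"'

# Print "<signal> <peer>" for each AppArmor signal denial logged against
# profile $1. Reads kernel/audit log text on stdin.
signal_denials() {
    profile="$1"
    grep 'apparmor="DENIED"' |
        grep 'operation="signal"' |
        grep "profile=\"$profile\"" |
        sed -n 's/.*signal=\([a-z0-9]*\).*peer="\([^"]*\)".*/\1 \2/p'
}

# Number of denied signals for profile $1 (stdin as above).
count_signal_denials() {
    signal_denials "$1" | wc -l | tr -d ' '
}

# One-word verdict for profile $1: "apparmor-blocks-stop" when the denied
# sender is runc (the container runtime), "no-signal-denials" otherwise.
diagnose() {
    if signal_denials "$1" | grep -q '/runc$'; then
        echo apparmor-blocks-stop
    else
        echo no-signal-denials
    fi
}

# Live reproduction of the report's measurement; needs Docker and an nginx
# image. Prints the whole seconds taken by "docker stop".
time_stop() {
    id=$(docker run --rm -d nginx)
    start=$(date +%s)
    docker stop "$id" >/dev/null
    echo $(( $(date +%s) - start ))
}

if [ "${1:-}" = "live" ]; then
    # Which package ships dockerd: docker.io (Ubuntu) or docker-ce (upstream).
    dpkg -S /usr/bin/dockerd 2>/dev/null || echo "dockerd: package unknown"
    # Whether the daemon still reports apparmor as an active security option
    # (the reporter's workaround removes it for every container).
    docker info --format 'Security options: {{.SecurityOptions}}'
    echo "docker stop took $(time_stop)s (about 1s expected, about 12s in the report)"
    # Kernel log for the current boot; with auditd running, the same lines
    # land in /var/log/audit/audit.log instead.
    journalctl -k -b --no-pager | diagnose docker-default
else
    # Offline mode: run the filter over the constructed sample.
    printf '%s\n' "$SAMPLE_AUDIT" | signal_denials docker-default
    printf '%s\n' "$SAMPLE_AUDIT" | diagnose docker-default
fi
```

Without arguments the script runs only over the embedded sample and prints the two denied signals (quit and kill, both with peer /usr/sbin/runc) followed by the verdict apparmor-blocks-stop; the DENIED file-open line is dropped because the filter keys on operation="signal", not on the DENIED marker alone.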
@vvoland
Contributor

vvoland commented Apr 16, 2024

Can you verify that you can reproduce the issue with the official Docker packages?

docker.io is a Debian/Ubuntu package and is not an upstream package maintained by Docker/Moby project.

@Gunni
Author

Gunni commented Apr 22, 2024

Can you verify that you can reproduce the issue with the official Docker packages?

docker.io is a Debian/Ubuntu package and is not an upstream package maintained by Docker/Moby project.

I have tested using the official Docker package, and can confirm this issue does not exist in that version.

I will report upstream.

Edit: Reported here: https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/2063099

@Gunni Gunni closed this as not planned Won't fix, can't repro, duplicate, stale Apr 22, 2024
@vvoland
Contributor

vvoland commented Apr 22, 2024

Thank you!
