One reason why AppArmor may need to be disabled:

Issue: AppArmor prevents docker container stop <HASH> from working - it blocks the signalling init process.

From dmesg, we see

  [156522.040461] audit: type=1400 audit(1555422697.325:338): apparmor="DENIED" operation="signal" profile="docker-default" pid=19232 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="unconfined"

We can shut down AppArmor for now (https://forums.docker.com/t/can-not-stop-docker-container-permission-denied-error/41142/7):

Check status:
  sudo aa-status

Shut down and prevent it from restarting:
  sudo systemctl disable apparmor.service --now

Unload AppArmor profiles:
  sudo service apparmor teardown

Check status:
  sudo aa-status

Some future fixes: https://github.com/moby/moby/issues/36809

** Bug watch added: github.com/moby/moby/issues #36809
   https://github.com/moby/moby/issues/36809

--
https://bugs.launchpad.net/bugs/1803476

Title:
  After reboot, snap-confine has elevated permissions and is not confined but should be
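The dmesg denial quoted in the comment above can be parsed and grouped to show exactly which profile, signal and peer are involved, before and after any change to AppArmor state. This is an added example, not part of the original message; the first sample line is the one quoted above, the other two are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Sample input: line 1 is the denial quoted in the message above;
# lines 2 and 3 are constructed to exercise the parser.
SAMPLE_DMESG = '''\
[156522.040461] audit: type=1400 audit(1555422697.325:338): apparmor="DENIED" operation="signal" profile="docker-default" pid=19232 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="unconfined"
[156523.000000] audit: type=1400 audit(1555422698.100:339): apparmor="DENIED" operation="signal" profile="docker-default" pid=19240 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="unconfined"
[156524.000000] audit: type=1400 audit(1555422699.200:340): apparmor="STATUS" operation="profile_load" profile="unconfined" name="docker-default" pid=19300 comm="apparmor_parser"
'''

HEADER_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\):')   # audit(epoch:serial):
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')     # key="quoted" or key=bare


def parse_record(line):
    """Return the fields of one AppArmor audit record as a dict, else None."""
    header = HEADER_RE.search(line)
    if header is None or 'apparmor=' not in line:
        return None
    body = line[header.end():]
    rec = {k: (quoted if bare == '' else bare)
           for k, quoted, bare in FIELD_RE.findall(body)}
    rec['epoch'] = float(header.group(1))
    rec['serial'] = int(header.group(2))
    return rec


def signal_denials(text):
    """Count DENIED signal operations by (profile, comm, signal, peer, mask)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec.get('apparmor') == 'DENIED' and rec.get('operation') == 'signal':
            key = (rec.get('profile'), rec.get('comm'), rec.get('signal'),
                   rec.get('peer'), rec.get('denied_mask'))
            counts[key] += 1
    return counts


if __name__ == '__main__':
    # Typical use: pipe `dmesg` or the kernel log into signal_denials().
    for key, n in signal_denials(SAMPLE_DMESG).items():
        print(n, *key)
```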