One reason why apparmor may need to be disabled:

Issue:
Apparmor prevents
        docker container stop <HASH>
from working - it blocks the signalling init process. From dmesg, we see
        [156522.040461] audit: type=1400 audit(1555422697.325:338): apparmor="DENIED" operation="signal" profile="docker-default" pid=19232 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="unconfined"

We can shut down apparmor for now
(https://forums.docker.com/t/can-not-stop-docker-container-permission-denied-error/41142/7):
Check status:
        sudo aa-status

Shut down and prevent it from restarting:
        sudo systemctl disable apparmor.service --now

Unload AppArmor profiles:
        sudo service apparmor teardown

Check status:
        sudo aa-status

Some future fixes:
        https://github.com/moby/moby/issues/36809


** Bug watch added: github.com/moby/moby/issues #36809
   https://github.com/moby/moby/issues/36809

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1803476

Title:
  After reboot, snap-confine has elevated permissions and is not
  confined but should be

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1803476/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
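
To see exactly which profile, peer and signal a denial like the one quoted in the comment above involves, the audit line can be split into its key/value fields and the signal denials grouped. This is an added example, not part of the original comment or of any project's code; the function names are hypothetical, and the sample lines other than the first are constructed.

```python
import re
from collections import Counter

# Constructed sample input: the first line is the denial quoted in the comment
# (rejoined onto one line); the other two lines are made up for contrast.
SAMPLE_DMESG = """\
[156522.040461] audit: type=1400 audit(1555422697.325:338): apparmor="DENIED" operation="signal" profile="docker-default" pid=19232 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="unconfined"
[156530.112233] audit: type=1400 audit(1555422705.400:339): apparmor="ALLOWED" operation="open" profile="example-profile" name="/tmp/x" pid=100 comm="cat" requested_mask="r" denied_mask="r"
[156531.000001] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

# Matches key="quoted value" or key=bare-value pairs in a kernel audit line.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor(line):
    """Return the key/value fields of an AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    # Exactly one of (quoted, bare) is non-empty unless the value is "".
    return {key: bare or quoted for key, quoted, bare in PAIR.findall(line)}


def signal_denials(text):
    """Count DENIED signal operations by (profile, peer, signal, denied_mask)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_apparmor(line)
        if f and f.get("apparmor") == "DENIED" and f.get("operation") == "signal":
            key = (f.get("profile"), f.get("peer"),
                   f.get("signal"), f.get("denied_mask"))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for (profile, peer, sig, mask), n in signal_denials(SAMPLE_DMESG).items():
        print(f"{n}x profile={profile} peer={peer} signal={sig} mask={mask}")
```

On a live system the same function can be given the text of the kernel log instead of the embedded sample.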
