@lucaskanashiro,
I think you are trying to stop the container too soon after it's
created. The container receives SIGTERM from docker before it sets up
signal handlers, and because it's PID 1, the signal is ignored. Runc
then kills it with SIGKILL after 10s.
Try with sleep:
root@cloudimg:~#
Thanks for providing the workaround Tomáš! I can confirm that it works
in Noble, but for me, even using the profile you provided in comment #4,
the command below takes more or less 10 seconds (against 12 seconds when
the containers are killed with SIGKILL):
root@docker-apparmor:~# time docker
I'll copy the workaround I mentioned in #2039294 here:
As a temporary workaround, put the file I have attached to
/etc/apparmor.d/docker-default and load it with "apparmor_parser -Kr
/etc/apparmor.d/docker-default". It will make dockerd skip loading its
builtin profile as docker-default. It will
There's a fix proposed to upstream: https://github.com/moby/moby/pull/47749
The commit message describes the cause.
These bugs have the same cause:
- https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2039294
- https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2040483
The latter
AppArmor's signal handling is a bit more involved than e.g. capabilities
or file accesses: both the sender profile and receiver profile need to
have signal rules to allow sending the signal or receiving the signal,
as appropriate.
23.10 and 24.04 LTS have introduced restrictions on unprivileged
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: docker.io (Ubuntu)
Status: New => Confirmed
https://bugs.launchpad.net/bugs/2063099
Title: