docker-archive/docker-snap

Can't stop a process running inside a container

Closed issue · 1 comment

We had customer feedback that docker stop failed to execute:

ubuntu@xenial:~$ docker stop test
Error response from daemon: Cannot stop container test: Cannot kill container 44b41739970db05a70a203565b8de4101769aed08121fe0e5a1a816c6efc4572: rpc error: code = 7 desc = permission denied
The full log can be found here.
https://gist.github.com/psftw/15a05d2abc6a757397bb85eac7b72f46

According to the bug reporter's comment, he can reproduce this issue in two different test environments. The common factor across the two that blew up was that they had previously installed docker-ce (docker.io or docker-engine, whatever).
So basically, it's an AppArmor denied error. The default profile (docker-default) is loaded from the previously installed deb package instead of from inside the snap.
http://paste.ubuntu.com/24596743/

Even if docker-ce is removed, we can probably still reproduce this issue, as the default profile stays loaded in the AppArmor cache.

Essentially, the docker deb and the docker snap don't co-exist. The easy way to fix it manually is to

  1. remove the docker-ce deb package
  2. disable the profile (or reboot the system).

Then this issue goes away. Meanwhile, we need to provide a way for docker-snap to configure the default profile name to avoid the profile conflict.

Note: people only run into this situation when they have both the docker deb package and the snap package installed on their OS. Hence this issue only exists on Classic, as Ubuntu Core 16 does not support apt-get or deb packages.

Currently, changing the default profile name (e.g. docker-default --> docker-default-snap) requires changes to both docker and snapcore.

Meanwhile,
https://github.com/snapcore/snapd/blob/ac7c38118fde2e8f92799c3ca7318cee0b1bba24/interfaces/builtin/docker_support.go#L100

"docker-default" is hard-coded as the peer name in the docker-support interface in snapcore, so even if we apply a patch to docker to use "docker-default-snap" as the profile name, the "docker stop" command still fails to execute because the peers don't match on both sides.
Renaming the default profile name looks good so far.
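The diagnosis above (a docker-default profile loaded by AppArmor while a docker deb package is still installed) can be checked on a host before deciding on the manual fix. The script below is an added example, not part of docker-snap or this issue; it reads the profile listing and the dpkg status from files so it can run on the constructed sample data embedded here.

```shell
#!/bin/sh
# Added example (not docker-snap project code): detect the deb/snap AppArmor
# profile conflict described in the issue. Inputs are plain files so the
# check runs on constructed data; see the usage note for live inputs.

# Print "<name> <mode>" for each loaded profile whose name starts with $2.
# $1: file in the format of /sys/kernel/security/apparmor/profiles,
#     one "<name> (<mode>)" entry per line.
loaded_profiles() {
  sed -n "s/^\($2[^ ]*\) (\([a-z]*\))$/\1 \2/p" "$1"
}

# Return 0 if a docker deb package (docker-ce, docker.io or docker-engine)
# is in the "install ok installed" state. $1: file in the format produced by
# dpkg-query -W -f='${binary:Package} ${Status}\n' (one package per line).
# The full status string is matched so "not-installed" cannot match.
docker_deb_installed() {
  grep -E '^(docker-ce|docker\.io|docker-engine) install ok installed$' "$1" \
    >/dev/null
}

# Prints "conflict" when the deb-owned docker-default profile is loaded and
# a docker deb is still installed, "profile-only" when only the cached
# profile remains (the post-removal case the issue mentions), else "clean".
diagnose() {
  profiles=$(loaded_profiles "$1" docker-default)
  if [ -n "$profiles" ] && docker_deb_installed "$2"; then
    echo conflict
  elif [ -n "$profiles" ]; then
    echo profile-only
  else
    echo clean
  fi
}

# Constructed sample inputs mirroring the reported situation.
tmp=$(mktemp -d)
cat >"$tmp/profiles" <<'EOF'
/usr/sbin/tcpdump (enforce)
docker-default (enforce)
snap.docker.dockerd (complain)
EOF
cat >"$tmp/dpkg" <<'EOF'
apparmor install ok installed
docker-ce install ok installed
EOF
diagnose "$tmp/profiles" "$tmp/dpkg"
```

On a live host, pass /sys/kernel/security/apparmor/profiles as the first file and the output of dpkg-query -W -f='${binary:Package} ${Status}\n' saved to a file as the second.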