Docker Containers can not be stopped or removed - permission denied Error

11

93

Issue: Can not stop docker containers, whenever I try to stop containers I get the following Error message,

ERROR: for yattyadocker_web_1  cannot stop container: 1f04148910c5bac38983e6beb3f6da4c8be3f46ceeccdc8d7de0da9d2d76edd8: Cannot kill container 1f04148910c5bac38983e6beb3f6da4c8be3f46ceeccdc8d7de0da9d2d76edd8: rpc error: code = PermissionDenied desc = permission denied

OS Version/build: Ubuntu 16.04 | Docker Version 17.09.0-ce, build afdb6d4 | Docker Compose version 1.17.1, build 6d101fb

Steps to reproduce:

  • Created a rails project with Dockerfile and docker-compose.yml. docker-compose.yml is of version 3.
  • Image is built successfully with either docker build -t <project name> . or docker-compose up --build
  • Containers boot up and run successfully.
  • Try to stop docker compose with docker-compose down.

What I tried:

  • I have to run sudo service docker restart and then the containers can be removed.
  • Uninstalled docker, removed docker directory and then reinstalled everything. Still facing the same issue.

Note: This configuration was working correctly earlier, but somehow file permissions might have changed and I am seeing this error. I have to run sudo service docker restart and then the containers can be removed. But this is highly inconvenient and I don't know how to troubleshoot this.

Reference Files:

# docker-compose.yml
version: '3'
volumes:
  db-data:
    driver: local
  redis-data:
    driver: local  
services:
  db:
    image: postgres:9.4.1
    volumes:
      - db-data:/var/lib/postgresql/data
    ports:
      - "5432:5432"
    env_file: local_envs.env
  web:
    image: yattya_docker:latest
    command: bundle exec puma -C config/puma.rb
    tty: true
    stdin_open: true
    ports:
      - "3000:3000"
    links:
      - db
      - redis
      - memcached
    depends_on:
      - db
      - redis
      - memcached
    env_file: local_envs.env
  redis:
    image: redis:3.2.4-alpine
    ports:
      # We'll bind our host's port 6379 to redis's port 6379, so we can use
      # Redis Desktop Manager (or other tools) with it:
      - 6379:6379
    volumes:
      # We'll mount the 'redis-data' volume into the location redis stores its data:
      - redis-data:/var/lib/redis
    command: redis-server --appendonly yes
  memcached:
    image: memcached:1.5-alpine
    ports:
      - "11211:11211"
  clock:
    image: yattya_docker:latest
    command: bundle exec clockwork lib/clock.rb
    links:
      - db
    depends_on:
      - db
    env_file: local_envs.env
  worker:
    image: yattya_docker:latest
    command: bundle exec rake jobs:work
    links: 
      - db
    depends_on: 
      - db
    env_file: local_envs.env

And Dockerfile:

# Dockerfile
FROM ruby:2.4.1

RUN apt-get update && apt-get install -y nodejs --no-install-recommends && rm -rf /var/lib/apt/lists/*

ENV APP_HOME /app
RUN mkdir -p $APP_HOME
WORKDIR $APP_HOME

ADD Gemfile* $APP_HOME/
RUN bundle install

ADD . $APP_HOME

RUN mkdir -p ${APP_HOME}/log
RUN cat /dev/null > "$APP_HOME/log/development.log"

RUN mkdir -p ${APP_HOME}/tmp/cache \
    && mkdir -p ${APP_HOME}/tmp/pids \
    && mkdir -p ${APP_HOME}/tmp/sockets

EXPOSE 3000
Lop answered 10/11, 2017 at 12:55 Comment(7)
Which user does start the containers?Yarber
I start containers on my ubuntu.. docker user created while installing docker must be used for managing containers. I am new to docker.Lop
Did you add your user account to the docker group? sudo usermod -aG docker ${USER} this will allow you to work with docker without sudoChauffeur
@ShawnC is right (at least I suspect). To validate you can run "sudo docker compose" or "sudo docker-compose down".Seam
Yes.. I followed the guide and added docker to group, I can run docker commands without sudo. I am not having problem with docker-compose up, it's just causing trouble while removing or stopping containers.Lop
I'm experiencing the same issue. Ubuntu 10.04, Docker version 17.09.0-ce, build afdb6d4, docker-compose version 1.8.0. Tried re-installing docker-ce with apt-get prune and apt-get autoremove. No luck. Restarting docker service with sudo service docker restart works.Epithalamium
@CharlieVieillard If you have properly set sudo usermod -aG docker ${USER} and are still facing the issue, then you might need to check whether apparmor is working fine or not. I had issues with apparmor, hence I re-installed docker and apparmor. And after restarting laptop the issue was resolved. I think the issue is related to github.com/moby/moby/issues/20554Lop
15

I was able to fix the issue. Apparmor service in ubuntu was not working normally due to some unknown issue. The problem was similar to the issue reported in moby project https://github.com/moby/moby/issues/20554.

The /etc/apparmor.d/tunables folder was empty, and https://github.com/mlaventure suggested to purge/reinstall apparmor to get it to the initial state.

So I reinstalled apparmor, and after restarting the problem was solved.

Hope this helps.

Lop answered 16/11, 2017 at 18:30 Comment(1)
Further details on docker hub forum: forums.docker.com/t/…Outguard
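
Before reinstalling or disabling AppArmor, the kernel log can confirm that AppArmor is what denies the stop signal. The script below is an added example, not part of the original answer; its log lines are constructed in the kernel audit style and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: look for AppArmor signal denials in kernel log text.
# SAMPLE_LOG is constructed for illustration, not captured from a real host.
SAMPLE_LOG='[ 101.1] audit: type=1400 audit(1510000000.100:40): apparmor="DENIED" operation="signal" profile="docker-default" pid=4242 comm="dockerd" requested_mask="receive" denied_mask="receive" signal=term peer="unconfined"
[ 102.7] audit: type=1400 audit(1510000001.700:41): apparmor="STATUS" operation="profile_load" profile="unconfined" name="docker-default" pid=900 comm="apparmor_parser"
[ 103.2] audit: type=1400 audit(1510000002.200:42): apparmor="DENIED" operation="signal" profile="docker-default" pid=4242 comm="dockerd" requested_mask="receive" denied_mask="receive" signal=kill peer="unconfined"
[ 104.9] audit: type=1400 audit(1510000003.900:43): apparmor="DENIED" operation="signal" profile="docker-default" pid=4242 comm="dockerd" requested_mask="receive" denied_mask="receive" signal=kill peer="unconfined"'

# Read log text on stdin and print "profile signal peer" for every
# AppArmor denial whose operation is a signal delivery.
signal_denials() {
  grep 'apparmor="DENIED"' | grep 'operation="signal"' |
    sed -n 's/.*profile="\([^"]*\)".*signal=\([a-z0-9]*\).*peer="\([^"]*\)".*/\1 \2 \3/p'
}

# Count denials per (profile, signal, peer) so repeated stop attempts
# collapse into one line each.
summarise_denials() {
  signal_denials | sort | uniq -c |
    awk '{print $1 "x " $2 " signal=" $3 " peer=" $4}'
}

# On a live host, pipe the kernel log in instead of the sample, e.g.
#   dmesg | summarise_denials
#   journalctl -k | summarise_denials
printf '%s\n' "$SAMPLE_LOG" | summarise_denials
```

A denial that names the container's profile and the signal sent by `docker stop` or `docker kill` points at the loaded profile rather than at file permissions or group membership.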
273

I installed Docker from the snap package and after a while I decided to move to apt repository installation.

I was facing the same problem and using sudo aa-remove-unknown worked for me.

So no reinstallation of Apparmor was needed.

Lilith answered 14/5, 2019 at 15:56 Comment(12)
This is the correct non-nuclear answer. Installing Docker as a snap adds a bunch of AppArmor profiles that conflict with an apt installation. This happened to me by accident, as I was looking for a convenient method of installing everything Docker. Opted for an apt installation in the end, as it gave me more control and is more up-to-date.Klemens
Perfect answer !!Allysonalma
Using sudo aa-remove-unknown caused my MySQL Workbench to stop working and show the error: Failed to Query AppArmor Policy: No such file or directory. Edit: all apps installed with snap don't workDeraign
I restarted my computer and the apps installed with snap have gone... any idea?Deraign
Still working through this, but for me, this did indeed appear to cause problems with at least some snaps.Heathendom
I was able to get my snaps back working with: "sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/*" Thanks to jdstrand, forum.snapcraft.io/t/…Heathendom
This seemed to work, however, after a reboot, the problem was back.Avast
I got the same problem as @Avast. The problem is back after restart. Has anyone solved this one completely?Steak
@Steak I was able to solve it for me. Please see my answer here.Avast
Plus https://mcmap.net/q/261254/-docker-containers-can-not-be-stopped-or-removed-permission-denied-error AFAIR.Avast
I'm a noob. For future people trying to use sudo aa-remove-unknown, be careful how you use it because it ended up removing some libraries necessary for other programsCavalierly
Apps installed with the snap will not start after thatHae
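
Several comments above report snap applications breaking after aa-remove-unknown. The tool unloads every loaded profile that has no definition under /etc/apparmor.d, which includes the profiles snapd keeps elsewhere; the script below is an added example (not from the original posts, with constructed sample data and hypothetical function names) that previews that set from a profile listing.

```shell
#!/bin/sh
# Added example. The SAMPLE_* values are constructed, not from a real host.
# SAMPLE_LOADED mimics /sys/kernel/security/apparmor/profiles ("name (mode)").
SAMPLE_LOADED='/usr/sbin/cupsd (enforce)
docker-default (enforce)
snap.docker.dockerd (enforce)
snap.intellij-idea-community.intellij-idea-community (enforce)'
# SAMPLE_KNOWN stands for the profile names defined under /etc/apparmor.d.
SAMPLE_KNOWN='/usr/sbin/cupsd'

# unknown_profiles LOADED KNOWN
# Print loaded profile names that have no definition in KNOWN, i.e. the
# set that aa-remove-unknown would unload.
unknown_profiles() {
  printf '%s\n' "$1" | sed 's/ ([a-z]*)$//' | grep -vxF -e "$2"
}

# classify_unknown LOADED KNOWN
# Tag each profile that would be unloaded with what depends on it.
classify_unknown() {
  unknown_profiles "$1" "$2" | while IFS= read -r name; do
    case "$name" in
      snap.docker.*)  echo "snap-docker $name" ;;   # leftover of a snap Docker
      snap.*)         echo "snap-app $name" ;;      # unrelated snap, will break
      docker-default) echo "docker-engine $name" ;; # Docker's container profile
      *)              echo "other $name" ;;
    esac
  done
}

# On a live host, "sudo aa-remove-unknown -n" is the tool's own dry run.
# Profiles tagged snap-app can be loaded again with the command quoted in
# the comments above:
#   sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/*
classify_unknown "$SAMPLE_LOADED" "$SAMPLE_KNOWN"
```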
120

For anyone that does not wish to completely purge AppArmor.

Check status: sudo aa-status

Shutdown and prevent it from restarting: sudo systemctl disable apparmor.service --now

Unload AppArmor profiles: sudo service apparmor teardown

Check status: sudo aa-status

You should now be able to stop/kill containers.

Metre answered 15/8, 2018 at 1:45 Comment(5)
Attention! Some apps won't start after thatSidoney
Be aware, any solution containing apparmor will break snap and all the packages installed via snap and even after that I still have problem with running and killing pods on kubernetes.Erde
I followed the steps described above. Now some of my apps don't start anymore. How can I fix that?Phellem
@Phellem I have the same issue. IntelliJ stopped working. I managed to temporarily fix it. Using sudo apt purge snapd && sudo apt install snapd solved the issue. But I guess it purges the apps that weren't starting. IntelliJ, in my case. So, I had to install it again. But once you reboot the system, you have to repeat the process. Did you manage to find a permanent solution?Herbherbaceous
If I remember it right, I disabled AppArmor as described in the solution above, then reinstalled Docker and reenabled AppArmor afterwards with sudo systemctl enable apparmor and sudo systemctl start apparmor.Phellem
36

A direct fix to the problem is executing bash in the container to be killed and directly calling kill there. An example:

host$ docker exec -it <container-name> sh
container$ ps
PID   USER     TIME  COMMAND
    1 root      0:00 {entrypoint.sh} /bin/sh /entrypoint.sh
   16 root      0:00 {entrypoint.sh} /bin/sh /entrypoint.sh
   24 root      0:00 sh
   31 root      0:00 ps
container$ kill 1

To check that the container was killed, run docker ps. This is a useful alternative to the solution reinstalling apparmor as this will also remove snapd.

Insider answered 13/1, 2019 at 12:6 Comment(4)
This does not work; it just lists the sh and ps processes in my case (from a docker-compose file)Osteoarthritis
I can confirm that this works. I also believe that this should be the accepted answer as this doesn't have any risks for your host system.Democritus
We had a different situation where ps showed that process 1 was running bash. We had to kill -9 1 instead of just kill 1. That worked to stop the container.Chophouse
I have tried to run "kill -9 1", where "1" is the process id, but it stays. What else can I do ?Hypoderma
12

In my case the issue was that I had conflicting docker installations: docker itself from the official docker-ce package, but docker-compose from the Ubuntu snap package.

Installing correctly docker-compose from the official github (instructions here) did the trick. I also followed the Linux post-install instructions and it may have helped as well (to run docker as a non-root user)

I just left AppArmor alone here - I did not touch it.

Stutz answered 8/1, 2019 at 9:20 Comment(1)
Had the same issue. I saw that Docker was installed through snap: snap list and used sudo snap remove docker to remove it firstShep
3

This simple solution works for me:

 sudo snap remove docker
Pathological answered 10/11, 2017 at 12:55 Comment(0)
2

OS: Ubuntu 22.04 LTS | docker version: 20.10.17, build 100c701 | docker-compose version: 1.29.2

I faced the same issue and tried following,

  1. sudo systemctl disable apparmor.service --now
  2. sudo service apparmor teardown
  3. sudo aa-remove-unknown
  4. reboot

These solutions didn't work for me. This issue happens because of a security feature of the Linux kernel, AppArmor.

We can disable it by running the Docker daemon as a non-root user (rootless mode). Execute the following commands:

Solution:

  1. curl -fsSL https://get.docker.com/rootless | FORCE_ROOTLESS_INSTALL=1 sh
  2. export PATH=/home/user-directory/bin:$PATH

docker-compose down or docker rm, will work

Publicness answered 12/8, 2022 at 11:11 Comment(0)
1

I had trouble with this for so long, so first I realized I had to terminate the network that the container was on. So I followed all the steps for that. But I was still getting permission denied. Then I just did

sudo docker inspect portainer

And in the "State" -> "Pid", I then used the Pid with

sudo kill <Pid>

Edieedification answered 23/4, 2023 at 2:48 Comment(0)
0

for me

Problem: Error response from daemon: cannot stop container: 0b21a3532fe2: permission denied (base) ubuntu@ip-10-0-0-46:~/serverless$

Solution:

sudo service docker stop
sudo service docker start

then stop all again

docker stop $(docker ps -aq)

if want to remove it then

docker rm $(docker ps -aq)

Mullion answered 24/1 at 15:42 Comment(2)
This does not really answer the question. If you have a different question, you can ask it by clicking Ask Question. To get notified when this question gets new answers, you can follow this question. Once you have enough reputation, you can also add a bounty to draw more attention to this question. - From ReviewStirling
As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.Individually
0

I was getting the same "Permission denied" and was not able to stop the container using docker kill, or by exec'ing into the container and killing the running processes as proposed, or by using AppArmor.

However, this worked for me. If you don't mind removing the container, then force removing the offending container will also stop it:

sudo docker rm <container-id> -f
Dream answered 29/1 at 12:36 Comment(0)
0

I found a solution in: https://medium.com/devops-technical-notes-and-manuals/how-to-solve-cannot-kill-docker-container-permission-denied-error-message-e3af7ccb7e29

I just executed this command:

sudo aa-remove-unknown

After that all worked fine and I was able to start/stop and remove containers.

Takeshi answered 11/4 at 19:49 Comment(0)
