Tough task: Everytime I try to stop or kill a running container, I get permission denied as an error response from Daemon.

I just started learning how to use docker by using a Ubuntu18.04 VM. I was running a container for the first time. I was not able to stop it but at least it was running. Now, after I tried to run another image "furtuas/daisitory:image_available_first_ms", everything got worse. Two containers are running, I can't stop non of them. I tried to restart docker but the containers are still running with the difference that localhost is not working anymore. Maybe it happened bc I ran on the same host like the one before

I am not familiar with docker, ubuntu, terminal etc. I would appreciate detailed answers for beginners

$ docker info
Containers: 2
 Running: 2
 Paused: 0
 Stopped: 0
Images: 8
Server Version: 18.09.1
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9754871865f7fe2f4e74d43e2fc7ccd237edcbce
runc version: 96ec2177ae841256168fcf76954f7177af9446eb
init version: fec3683
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.15.0-43-generic
Operating System: Ubuntu 18.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 3.83GiB
Name: dai-2
ID: ULKT:IYPB:L6GI:VQWG:FZQX:J6G6:OWOU:DP5M:KQFC:PWBJ:HEMA:VDIT
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Username: icoe
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

WARNING: No swap limit support




$ docker version
Client:
 Version:           18.09.1
 API version:       1.39
 Go version:        go1.10.6
 Git commit:        4c52b90
 Built:             Wed Jan  9 19:35:31 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.1
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.6
  Git commit:       4c52b90
  Built:            Wed Jan  9 19:02:44 2019
  OS/Arch:          linux/amd64
  Experimental:     false





$ docker images
REPOSITORY                      TAG                        IMAGE ID            CREATED             SIZE
furtuas/daisitory     image_available_first_ms   64b3943856a0        6 days ago          660MB
icoe/dockerimageavailable   first_ms                   64b3943856a0        6 days ago          660MB
dockerimageavailable            latest                     64b3943856a0        6 days ago          660MB
my-maven                        latest                     704b027074fb        6 days ago          660MB
dockerimagedetails              latest                     2da0a7987c2a        6 days ago          643MB
dockerimage                     latest                     af97e6623a8c        6 days ago          643MB
maven                           latest                     3bc97dc2e7ba        3 weeks ago         832MB
java                            8                          d23bdf5b1b1b        2 years ago         643MB





$ docker ps
CONTAINER ID        IMAGE                                                  COMMAND                  CREATED             STATUS              PORTS                    NAMES
66c6c49a95f4        furtuas/daisitory:image_available_first_ms   "java -jar /car-pool…"   3 hours ago         Up 3 hours                                   first_ms_test
8e0646cc95f8        704b027074fb                                           "java -jar /car-pool…"   6 days ago          Up 6 days           0.0.0.0:8080->8080/tcp   container_available





$ docker stop first_ms_test 
Error response from daemon: cannot stop container: first_ms_test: Cannot kill container 66c6c49a95f499abeb62b1c02e7e9b8ce1739709bb2140ba7b1a61094a9d16f7: unknown error after kill: runc did not terminate sucessfully: container_linux.go:387: signaling init process caused "permission denied"
: unknown




$ docker container rm -f first_ms_test 
Error response from daemon: Could not kill running container 66c6c49a95f499abeb62b1c02e7e9b8ce1739709bb2140ba7b1a61094a9d16f7, cannot remove - Cannot kill container 66c6c49a95f499abeb62b1c02e7e9b8ce1739709bb2140ba7b1a61094a9d16f7: unknown error after kill: runc did not terminate sucessfully: container_linux.go:387: signaling init process caused "permission denied"
: unknown

Please help.

$ docker ps -a
CONTAINER ID        IMAGE                                                  COMMAND                  CREATED             STATUS              PORTS                    NAMES
66c6c49a95f4        furtuas/daisitory:image_available_first_ms   "java -jar /car-pool…"   3 hours ago         Up 3 hours                                   first_ms_test
8e0646cc95f8        704b027074fb                                           "java -jar /car-pool…"   6 days ago          Up 6 days           0.0.0.0:8080->8080/tcp   container_available

After logout the VM, still the same response:

$ docker stop 66c6c49a95f4
Error response from daemon: cannot stop container: 66c6c49a95f4: Cannot kill container 66c6c49a95f499abeb62b1c02e7e9b8ce1739709bb2140ba7b1a61094a9d16f7: unknown error after kill: runc did not terminate sucessfully: container_linux.go:387: signaling init process caused "permission denied"
: unknown

I solved it but I am not sure why. I think I solved it by restarting the VM and restart docker with these commands

Flush changes: $ sudo systemctl daemon-reload
Restart Docker: $ sudo systemctl restart docker

This Answer has helped me in solving this problem

Execute sudo aa-remove-unknown

Once it is successfully executed, docker stop command will work.

I solved it but I am not sure why. I think I solved it by restarting the VM and restart docker with these commands

Flush changes: $ sudo systemctl daemon-reload
Restart Docker: $ sudo systemctl restart docker

Use trick:

sudo killall docker-containerd-shim

to free the docker from stopped container stuck like this

Have you tried docker stop <container-id> or docker kill <container-id> ?

Note: Use docker ps -a to get container IDs

Also, are you using sudo or logged as root?

It is possible this was cause by Ubuntu's security and in particular apparmor

In that case, you should have added to the docker run the --security-opt apparmor:unconfined. This seems preferable to removing apparmor.

e.g. try:

docker run --security-opt apparmor:unconfined -ti ubuntu bash

then try to docker stop and see it works!

as described here check if the entrypoint script has the shebang starting with:

#!/bin/bash -xe

the system will prevent the container to stop. In order to fix this change your entrypoint script without the "e"

#!/bin/bash -x

I was not able to stop the container so i just Restarted containerd service and it worked -> sudo systemctl restart containerd

nothing of these commands works just reboot the host works but that means all running containers stopped and I need a solution for that if someone can help note:--security-opt apparmor:unconfined makes the host not working and the docker commands stop working and I had to rebuild the other containers

I had the same problem. There was some conflicts with the apparmor service. On Ubuntu I could resolve this by reinstall the apparmor:

- sudo apt-get purge apparmor
- sudo apt-get install apparmor
- sudo /etc/init.d/apparmor start