Describe the bug Several weeks ago I noticed errors from watchtowe

Install Docker Engine on Ubuntu | Docker Docs<<a href="https://docs.d

Yeah, seems to be related to apparmor permissions. Perhaps <a class="user-mention notr

Looks like this change fixes the issue <div class="snippet-clipboard-content notra

Stopping containers doesn't work on Ubuntu 23.10,about containrrr/watchtower

lukaszzyla commented on May 25, 2024 2

same issue here - ubuntu 23.10

from watchtower.

lukaszzyla commented on May 25, 2024 2

Install Docker Engine on Ubuntu | Docker Docs<https://docs.docker.com/engine/install/ubuntu/> just follow the first commands to uninstall everything. do not forget sudo for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do sudo apt-get remove $pkg; done

…

________________________________ From: danst0 ***@***.***> Sent: 23 January 2024 9:01 PM To: containrrr/watchtower ***@***.***> Cc: lukaszzyla ***@***.***>; Comment ***@***.***> Subject: Re: [containrrr/watchtower] Stopping containers doesn't work on Ubuntu 23.10 (Issue #1891) There is not package docker or docker-engine. reinstall did not work. Still looking for a solution. — Reply to this email directly, view it on GitHub<#1891 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AI2CO7NH6C7YPEGMANQO423YQAJIVAVCNFSM6AAAAABBEMODP6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMBWHAZDSNBZGY>. You are receiving this because you commented.Message ID: ***@***.***>

from watchtower.

github-actions commented on May 25, 2024

Hi there! 👋🏼 As you're new to this repo, we'd like to suggest that you read our code of conduct as well as our contribution guidelines. Thanks a bunch for opening your first issue! 🙏

from watchtower.

danst0 commented on May 25, 2024

Same here, came after my upgrade to ubuntu 23.10.

from watchtower.

piksel commented on May 25, 2024

Yeah, seems to be related to apparmor permissions. Perhaps @simskij has some insights?

from watchtower.

jfbauer432 commented on May 25, 2024

Yeah, seems to be related to apparmor permissions.

Here is a kernel log that happened when watchtower got the error

kernel: [510121.642686] audit: type=1400 audit(1703840408.407:47786): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=1330911 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/runc"

from watchtower.

piksel commented on May 25, 2024

This bug contains some more info (not on Ubuntu 23.10, so I cannot test it unfortunately):
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2039294

I guess we need to allow watchtower/docker to send signals using an apparmor rule somehow. I have very little experience with apparmor though :/

from watchtower.

jfbauer432 commented on May 25, 2024

Looks like this change fixes the issue

diff -u -r /etc/apparmor.d.bak/docker /etc/apparmor.d/docker
--- /etc/apparmor.d.bak/docker  2024-01-05 13:51:22.718451513 -0500
+++ /etc/apparmor.d/docker      2024-01-05 13:59:18.445871143 -0500
@@ -37,4 +37,5 @@
   # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
   ptrace (trace,read) peer=docker-default,
 
+  signal receive set=(term kill) peer="/usr/sbin/runc",
 }

and then tell apparmor to reload the modified profile by running

sudo apparmor_parser -r /etc/apparmor.d/docker

from watchtower.

danst0 commented on May 25, 2024

I don't have a /etc/apparmor.d/docker profile, according to aa-status I have a docker-default profile, however cannot find that in /etc/apparmor.d/

ps. from my short research I think the correct way would be to create a new profile and pass that to Watchtower as a security option (https://docker-docs.uclv.cu/engine/security/apparmor/)

from watchtower.

Quinten0508 commented on May 25, 2024

Docker automatically generates and loads a default profile for containers named docker-default. On Docker versions 1.13.0 and later, the Docker binary generates this profile in tmpfs and then loads it into the kernel. On Docker versions earlier than 1.13.0, this profile is generated in /etc/apparmor.d/docker instead.

Since the default AppArmor profile is generated dynamically you will not be able to edit it, or (afaik) even read its current contents. Could anyone on an older version share their /etc/apparmor.d/docker so we can use it as template to create a modified AppArmor profile for watchtower?

from watchtower.

lukaszzyla commented on May 25, 2024

No need for that. Just reinstall docker and everything works... Wysłano z Samsung w Plus Sent from Outlook for Android<https://aka.ms/AAb9ysg>

…

________________________________ From: Quinten ***@***.***> Sent: Sunday, January 21, 2024 3:18:53 PM To: containrrr/watchtower ***@***.***> Cc: lukaszzyla ***@***.***>; Comment ***@***.***> Subject: Re: [containrrr/watchtower] Stopping containers doesn't work on Ubuntu 23.10 (Issue #1891) Docker automatically generates and loads a default profile for containers named docker-default. On Docker versions 1.13.0 and later, the Docker binary generates this profile in tmpfs and then loads it into the kernel. On Docker versions earlier than 1.13.0, this profile is generated in /etc/apparmor.d/docker instead. Since the default AppArmor profile is generated dynamically you will not be able to edit it, or (afaik) even read its current contents. Could anyone on an older version share their /etc/apparmor.d/docker so we can use it as template to create a modified AppArmor profile for watchtower? — Reply to this email directly, view it on GitHub<#1891 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AI2CO7LPAOPYKVH5AFPILNLYPUPU3AVCNFSM6AAAAABBEMODP6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMBSGY2DGOBVHE>. You are receiving this because you commented.Message ID: ***@***.***>

from watchtower.

danst0 commented on May 25, 2024

Ok, a little bit more context would be great. what did you do? Apt reinstall docker.io did not work.

from watchtower.

lukaszzyla commented on May 25, 2024

Google for it. Basically apt remove packages and apt install them again. Do not remove your volumes and images and everything you already have will still be there afterwards. Sorry i cannot provide you the exact link now but this should be enough sudo apt-get remove docker docker-engine docker.io And then reinstall. Or find a good guide on installing docker from scratch and do it backwards first. Wysłano z Samsung w Plus Sent from Outlook for Android<https://aka.ms/AAb9ysg>

…

________________________________ From: danst0 ***@***.***> Sent: Sunday, January 21, 2024 7:31:24 PM To: containrrr/watchtower ***@***.***> Cc: lukaszzyla ***@***.***>; Comment ***@***.***> Subject: Re: [containrrr/watchtower] Stopping containers doesn't work on Ubuntu 23.10 (Issue #1891) Ok, a little bit more context would be great. what did you do? Apt reinstall docker.io did not work. — Reply to this email directly, view it on GitHub<#1891 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AI2CO7JR746KA2YHOWBTCVDYPVNHZAVCNFSM6AAAAABBEMODP6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMBSG4ZDCNBSHE>. You are receiving this because you commented.Message ID: ***@***.***>

from watchtower.

danst0 commented on May 25, 2024

Ok. My install of 23.10 is quite new. Why should that work?Am 21.01.2024 um 22:15 schrieb lukaszzyla ***@***.***>: Google for it. Basically apt remove packages and apt install them again. Do not remove your volumes and images and everything you already have will still be there afterwards. Sorry i cannot provide you the exact link now but this should be enough sudo apt-get remove docker docker-engine docker.io And then reinstall. Or find a good guide on installing docker from scratch and do it backwards first. Wysłano z Samsung w Plus Sent from Outlook for Android<https://aka.ms/AAb9ysg>

…

________________________________ From: danst0 ***@***.***> Sent: Sunday, January 21, 2024 7:31:24 PM To: containrrr/watchtower ***@***.***> Cc: lukaszzyla ***@***.***>; Comment ***@***.***> Subject: Re: [containrrr/watchtower] Stopping containers doesn't work on Ubuntu 23.10 (Issue #1891) Ok, a little bit more context would be great. what did you do? Apt reinstall docker.io did not work. — Reply to this email directly, view it on GitHub<#1891 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AI2CO7JR746KA2YHOWBTCVDYPVNHZAVCNFSM6AAAAABBEMODP6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMBSG4ZDCNBSHE>. You are receiving this because you commented.Message ID: ***@***.***> —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you commented.Message ID: ***@***.***>

from watchtower.

lukaszzyla commented on May 25, 2024

There is some problem with docker default profile. Happened to me after update. Nevertheless - uninstalling and reinstalling should create new default.profile - at lear that was my thinking after seeing the problem. And it was solved as currently watchtower does the job correctly. Wysłano z Samsung w Plus Sent from Outlook for Android<https://aka.ms/AAb9ysg>

…

________________________________ From: danst0 ***@***.***> Sent: Monday, January 22, 2024 6:03:48 AM To: containrrr/watchtower ***@***.***> Cc: lukaszzyla ***@***.***>; Comment ***@***.***> Subject: Re: [containrrr/watchtower] Stopping containers doesn't work on Ubuntu 23.10 (Issue #1891) Ok. My install of 23.10 is quite new. Why should that work?Am 21.01.2024 um 22:15 schrieb lukaszzyla ***@***.***>: Google for it. Basically apt remove packages and apt install them again. Do not remove your volumes and images and everything you already have will still be there afterwards. Sorry i cannot provide you the exact link now but this should be enough sudo apt-get remove docker docker-engine docker.io And then reinstall. Or find a good guide on installing docker from scratch and do it backwards first. Wysłano z Samsung w Plus Sent from Outlook for Android<https://aka.ms/AAb9ysg>

________________________________ From: danst0 ***@***.***> Sent: Sunday, January 21, 2024 7:31:24 PM To: containrrr/watchtower ***@***.***> Cc: lukaszzyla ***@***.***>; Comment ***@***.***> Subject: Re: [containrrr/watchtower] Stopping containers doesn't work on Ubuntu 23.10 (Issue #1891) Ok, a little bit more context would be great. what did you do? Apt reinstall docker.io did not work. — Reply to this email directly, view it on GitHub<#1891 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AI2CO7JR746KA2YHOWBTCVDYPVNHZAVCNFSM6AAAAABBEMODP6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMBSG4ZDCNBSHE>. You are receiving this because you commented.Message ID: ***@***.***> —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you commented.Message ID: ***@***.***> — Reply to this email directly, view it on GitHub<#1891 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AI2CO7PCJ5QGRE62KBKC5BLYPXXLJAVCNFSM6AAAAABBEMODP6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMBTGI3DEOBVHA>. You are receiving this because you commented.Message ID: ***@***.***>

from watchtower.

danst0 commented on May 25, 2024

There is not package docker or docker-engine. reinstall did not work. Still looking for a solution.

from watchtower.

AnthonySchuijlenburg commented on May 25, 2024

Doing the complete reinstall (but skipping the cleanup of old containers/images/volumes) worked for me.

from watchtower.

danst0 commented on May 25, 2024

Complete uninstall, reinstall didn't work here.

from watchtower.

lukaszzyla commented on May 25, 2024

hi, sorry to hear that. This is strange, as we have the similar setup and similar problem. I am also on ubuntu 23.10 and it did the trick for me. are you sure you haven't tried other solutions that could have influenced your setup/config? maybe your problem is also connected to missing apparmor? Can you check sudo apparmor_status ? I can see that watchtower has docker-default profile defined in apparmor_status: 41 processes have profiles defined. 41 processes are in enforce mode. /watchtower (1480) docker-default I am not a specialist in linux but I remember I did install apparmor which I did not have before.

…

________________________________ From: danst0 ***@***.***> Sent: 24 January 2024 8:54 PM To: containrrr/watchtower ***@***.***> Cc: lukaszzyla ***@***.***>; Comment ***@***.***> Subject: Re: [containrrr/watchtower] Stopping containers doesn't work on Ubuntu 23.10 (Issue #1891) Complete uninstall, reinstall didn't work here. — Reply to this email directly, view it on GitHub<#1891 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AI2CO7PJWVOPBBDUIIIL653YQFRHLAVCNFSM6AAAAABBEMODP6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMBYHAYTQNBXGQ>. You are receiving this because you commented.Message ID: ***@***.***>

from watchtower.

danst0 commented on May 25, 2024

root@cassius # apt list apparmor
Auflistung... Fertig
apparmor/mantic,now 4.0.0~alpha2-0ubuntu5 amd64  [installiert]

Seems to be.

root@cassius4 /h/# apparmor_status | grep docker
   docker-default
   /package/admin/s6-2.11.3.2/command/s6-svscan (6499) docker-default
   /package/admin/s6-2.11.3.2/command/s6-supervise (6586) docker-default
[...]

from watchtower.

lukaszzyla commented on May 25, 2024

I can't be of much help here.
for me apt list states:

lukasz@chw-homeserver:~$ sudo apt list apparmor
Listing... Done
apparmor/mantic,now 4.0.0~alpha2-0ubuntu5 amd64 [installed,automatic]
`
[installed,automatic] - I have no clue why and if it does make any difference...

from watchtower.

Stopping containers doesn't work on Ubuntu 23.10 about watchtower HOT 22 OPEN

Comments (22)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent