Comments (22)
Same issue here - Ubuntu 23.10.
Hi there! 👋🏼 As you're new to this repo, we'd like to suggest that you read our code of conduct as well as our contribution guidelines. Thanks a bunch for opening your first issue! 🙏
Same here, came after my upgrade to ubuntu 23.10.
Yeah, seems to be related to apparmor permissions. Perhaps @simskij has some insights?
Yeah, seems to be related to apparmor permissions.
Here is a kernel log that happened when watchtower got the error
kernel: [510121.642686] audit: type=1400 audit(1703840408.407:47786): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=1330911 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/runc"
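A small checker for audit lines like the one above, added here as an example (it is not code from the thread or from watchtower). The log lines are constructed, modelled on the posted one, and the pattern it looks for is a DENIED signal event against the docker-default profile with runc as the peer, which is the symptom described in this issue.

```python
import re

# Constructed sample dmesg/audit lines, modelled on the one posted in the thread
# (pids, timestamps and the extra non-matching lines are made up for the example).
SAMPLE_LOG = """\
kernel: [510121.642686] audit: type=1400 audit(1703840408.407:47786): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=1330911 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/runc"
kernel: [510122.001000] audit: type=1400 audit(1703840409.100:47787): apparmor="ALLOWED" operation="open" profile="docker-default" name="/etc/hosts" pid=1330912 comm="nginx" requested_mask="r" denied_mask="r"
kernel: [510123.100000] audit: type=1400 audit(1703840410.200:47788): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=1330950 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/sbin/runc"
kernel: [510124.000000] audit: type=1400 audit(1703840411.000:47789): apparmor="DENIED" operation="ptrace" class="ptrace" profile="docker-default" pid=1330960 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
"""

# key=value pairs; a value is either double-quoted or a bare token (e.g. signal=term)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key=value fields of an AppArmor audit line, or None if it is not one."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def signal_denials(log_text, peer="/usr/sbin/runc"):
    """Collect DENIED signal events whose peer is the runc binary (the symptom in this thread)."""
    hits = []
    for line in log_text.splitlines():
        f = parse_apparmor_line(line)
        if (f and f.get("apparmor") == "DENIED" and f.get("operation") == "signal"
                and f.get("peer") == peer):
            hits.append({"profile": f.get("profile"), "signal": f.get("signal"),
                         "denied_mask": f.get("denied_mask"), "pid": int(f["pid"])})
    return hits


def needed_signal_set(hits):
    """Signals a 'signal receive set=(...) peer=...' rule would have to list to clear these denials."""
    return sorted({h["signal"] for h in hits if h["signal"]})


if __name__ == "__main__":
    found = signal_denials(SAMPLE_LOG)
    for h in found:
        print(h)
    print("signals to allow:", needed_signal_set(found))
```

On a real host, feed it `journalctl -k` or `dmesg` output instead of the constructed sample; an empty result means the denials seen are not the runc signal pattern from this thread.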
This bug contains some more info (not on Ubuntu 23.10, so I cannot test it unfortunately):
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2039294
I guess we need to allow watchtower/docker to send signals using an apparmor rule somehow. I have very little experience with apparmor though :/
Looks like this change fixes the issue
diff -u -r /etc/apparmor.d.bak/docker /etc/apparmor.d/docker
--- /etc/apparmor.d.bak/docker 2024-01-05 13:51:22.718451513 -0500
+++ /etc/apparmor.d/docker 2024-01-05 13:59:18.445871143 -0500
@@ -37,4 +37,5 @@
# suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
ptrace (trace,read) peer=docker-default,
+ signal receive set=(term kill) peer="/usr/sbin/runc",
}
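Review bot: the added rule `signal receive set=(term kill) peer="/usr/sbin/runc",` only takes effect where the kernel-loaded docker-default profile really comes from /etc/apparmor.d/docker; as noted later in this thread, newer Docker versions generate docker-default in tmpfs and load it from there, so on those hosts editing this file (and reloading it with apparmor_parser) changes nothing and a separate custom profile passed via the container's security option is needed. Two smaller points: the hunk header says four original lines (-37,4) but only three context lines are visible, so a line (probably a blank one) was lost when pasting, and the audit line quoted earlier in the thread showed only signal=term, so `kill` is included on the assumption that the same denial would appear on a forced stop.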
and then tell apparmor to reload the modified profile by running
sudo apparmor_parser -r /etc/apparmor.d/docker
I don't have a /etc/apparmor.d/docker profile. According to aa-status I have a docker-default profile; however, I cannot find that in /etc/apparmor.d/.
PS: from my short research I think the correct way would be to create a new profile and pass that to Watchtower as a security option (https://docker-docs.uclv.cu/engine/security/apparmor/).
Docker automatically generates and loads a default profile for containers named docker-default. On Docker versions 1.13.0 and later, the Docker binary generates this profile in tmpfs and then loads it into the kernel. On Docker versions earlier than 1.13.0, this profile is generated in /etc/apparmor.d/docker instead.
Since the default AppArmor profile is generated dynamically, you will not be able to edit it, or (afaik) even read its current contents. Could anyone on an older version share their /etc/apparmor.d/docker so we can use it as a template to create a modified AppArmor profile for watchtower?
Ok, a little bit more context would be great. What did you do? Apt reinstall of docker.io did not work.
There is no package docker or docker-engine. Reinstall did not work. Still looking for a solution.
Doing the complete reinstall (but skipping the cleanup of old containers/images/volumes) worked for me.
Complete uninstall, reinstall didn't work here.
root@cassius # apt list apparmor
Auflistung... Fertig
apparmor/mantic,now 4.0.0~alpha2-0ubuntu5 amd64 [installiert]
Seems to be.
root@cassius4 /h/# apparmor_status | grep docker
docker-default
/package/admin/s6-2.11.3.2/command/s6-svscan (6499) docker-default
/package/admin/s6-2.11.3.2/command/s6-supervise (6586) docker-default
[...]
I can't be of much help here.
For me apt list states:
lukasz@chw-homeserver:~$ sudo apt list apparmor
Listing... Done
apparmor/mantic,now 4.0.0~alpha2-0ubuntu5 amd64 [installed,automatic]
[installed,automatic] - I have no clue why and if it does make any difference...