Open jfbauer432 opened 11 months ago
github-actions[bot]
commented
11 months ago Hi there! 👋🏼 As you're new to this repo, we'd like to suggest that you read our code of conduct as well as our contribution guidelines. Thanks a bunch for opening your first issue! 🙏
danst0
commented
11 months ago Same here, came after my upgrade to ubuntu 23.10.
piksel
commented
11 months ago Yeah, seems to be related to apparmor permissions. Perhaps @simskij has some insights?
jfbauer432
commented
11 months ago Yeah, seems to be related to apparmor permissions.
Here is a kernel log that happened when watchtower got the error
kernel: [510121.642686] audit: type=1400 audit(1703840408.407:47786): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=1330911 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/runc"
piksel
commented
11 months ago This bug contains some more info (not on Ubuntu 23.10, so I cannot test it unfortunately): https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2039294
I guess we need to allow watchtower/docker to send signals using an apparmor rule somehow. I have very little experience with apparmor though :/
jfbauer432
commented
11 months ago Looks like this change fixes the issue
diff -u -r /etc/apparmor.d.bak/docker /etc/apparmor.d/docker
--- /etc/apparmor.d.bak/docker 2024-01-05 13:51:22.718451513 -0500
+++ /etc/apparmor.d/docker 2024-01-05 13:59:18.445871143 -0500
@@ -37,4 +37,5 @@
# suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
ptrace (trace,read) peer=docker-default,
+ signal receive set=(term kill) peer="/usr/sbin/runc",
}
and then tell apparmor to reload the modified profile by running
sudo apparmor_parser -r /etc/apparmor.d/docker
danst0
commented
11 months ago I don't have a /etc/apparmor.d/docker profile, according to aa-status I have a docker-default profile, however cannot find that in /etc/apparmor.d/
ps. from my short research I think the correct way would be to create a new profile and pass that to Watchtower as a security option (https://docker-docs.uclv.cu/engine/security/apparmor/)
lukaszzyla
commented
10 months ago same issue here - ubuntu 23.10
Quinten0508
commented
10 months ago Docker automatically generates and loads a default profile for containers named docker-default. On Docker versions 1.13.0 and later, the Docker binary generates this profile in tmpfs and then loads it into the kernel. On Docker versions earlier than 1.13.0, this profile is generated in /etc/apparmor.d/docker instead.
Since the default AppArmor profile is generated dynamically you will not be able to edit it, or (afaik) even read its current contents. Could anyone on an older version share their /etc/apparmor.d/docker so we can use it as template to create a modified AppArmor profile for watchtower?
lukaszzyla
commented
10 months ago No need for that. Just reinstall docker and everything works...
Wysłano z Samsung w Plus Sent from Outlook for Androidhttps://aka.ms/AAb9ysg
From: Quinten @.> Sent: Sunday, January 21, 2024 3:18:53 PM To: containrrr/watchtower @.> Cc: lukaszzyla @.>; Comment @.> Subject: Re: [containrrr/watchtower] Stopping containers doesn't work on Ubuntu 23.10 (Issue #1891)
Docker automatically generates and loads a default profile for containers named docker-default. On Docker versions 1.13.0 and later, the Docker binary generates this profile in tmpfs and then loads it into the kernel. On Docker versions earlier than 1.13.0, this profile is generated in /etc/apparmor.d/docker instead.
Since the default AppArmor profile is generated dynamically you will not be able to edit it, or (afaik) even read its current contents. Could anyone on an older version share their /etc/apparmor.d/docker so we can use it as template to create a modified AppArmor profile for watchtower?
— Reply to this email directly, view it on GitHubhttps://github.com/containrrr/watchtower/issues/1891#issuecomment-1902643859, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AI2CO7LPAOPYKVH5AFPILNLYPUPU3AVCNFSM6AAAAABBEMODP6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMBSGY2DGOBVHE. You are receiving this because you commented.Message ID: @.***>
danst0
commented
10 months ago Ok, a little bit more context would be great. what did you do? Apt reinstall docker.io did not work.
lukaszzyla
commented
10 months ago Google for it. Basically apt remove packages and apt install them again. Do not remove your volumes and images and everything you already have will still be there afterwards. Sorry i cannot provide you the exact link now but this should be enough sudo apt-get remove docker docker-engine docker.io And then reinstall. Or find a good guide on installing docker from scratch and do it backwards first.
Wysłano z Samsung w Plus Sent from Outlook for Androidhttps://aka.ms/AAb9ysg
From: danst0 @.> Sent: Sunday, January 21, 2024 7:31:24 PM To: containrrr/watchtower @.> Cc: lukaszzyla @.>; Comment @.> Subject: Re: [containrrr/watchtower] Stopping containers doesn't work on Ubuntu 23.10 (Issue #1891)
Ok, a little bit more context would be great. what did you do? Apt reinstall docker.io did not work.
— Reply to this email directly, view it on GitHubhttps://github.com/containrrr/watchtower/issues/1891#issuecomment-1902721429, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AI2CO7JR746KA2YHOWBTCVDYPVNHZAVCNFSM6AAAAABBEMODP6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMBSG4ZDCNBSHE. You are receiving this because you commented.Message ID: @.***>
danst0
commented
10 months ago Ok. My install of 23.10 is quite new. Why should that work?Am 21.01.2024 um 22:15 schrieb lukaszzyla @.***>: Google for it.
Basically apt remove packages and apt install them again.
Do not remove your volumes and images and everything you already have will still be there afterwards.
Sorry i cannot provide you the exact link now but this should be enough
sudo apt-get remove docker docker-engine docker.io
And then reinstall.
Or find a good guide on installing docker from scratch and do it backwards first.
Wysłano z Samsung w Plus
Sent from Outlook for Androidhttps://aka.ms/AAb9ysg
From: danst0 @.***>
Sent: Sunday, January 21, 2024 7:31:24 PM
To: containrrr/watchtower @.***>
Cc: lukaszzyla @.>; Comment @.>
Subject: Re: [containrrr/watchtower] Stopping containers doesn't work on Ubuntu 23.10 (Issue #1891)
Ok, a little bit more context would be great. what did you do? Apt reinstall docker.io did not work.
—
Reply to this email directly, view it on GitHubhttps://github.com/containrrr/watchtower/issues/1891#issuecomment-1902721429, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AI2CO7JR746KA2YHOWBTCVDYPVNHZAVCNFSM6AAAAABBEMODP6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMBSG4ZDCNBSHE.
You are receiving this because you commented.Message ID: @.***>
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you commented.Message ID: @.***>
lukaszzyla
commented
10 months ago There is some problem with docker default profile. Happened to me after update. Nevertheless - uninstalling and reinstalling should create new default.profile - at lear that was my thinking after seeing the problem. And it was solved as currently watchtower does the job correctly.
Wysłano z Samsung w Plus Sent from Outlook for Androidhttps://aka.ms/AAb9ysg
From: danst0 @.> Sent: Monday, January 22, 2024 6:03:48 AM To: containrrr/watchtower @.> Cc: lukaszzyla @.>; Comment @.> Subject: Re: [containrrr/watchtower] Stopping containers doesn't work on Ubuntu 23.10 (Issue #1891)
Ok. My install of 23.10 is quite new. Why should that work?Am 21.01.2024 um 22:15 schrieb lukaszzyla @.***>: Google for it.
Basically apt remove packages and apt install them again.
Do not remove your volumes and images and everything you already have will still be there afterwards.
Sorry i cannot provide you the exact link now but this should be enough
sudo apt-get remove docker docker-engine docker.io
And then reinstall.
Or find a good guide on installing docker from scratch and do it backwards first.
Wysłano z Samsung w Plus
Sent from Outlook for Androidhttps://aka.ms/AAb9ysg
From: danst0 @.***>
Sent: Sunday, January 21, 2024 7:31:24 PM
To: containrrr/watchtower @.***>
Cc: lukaszzyla @.>; Comment @.>
Subject: Re: [containrrr/watchtower] Stopping containers doesn't work on Ubuntu 23.10 (Issue #1891)
Ok, a little bit more context would be great. what did you do? Apt reinstall docker.io did not work.
—
Reply to this email directly, view it on GitHubhttps://github.com/containrrr/watchtower/issues/1891#issuecomment-1902721429, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AI2CO7JR746KA2YHOWBTCVDYPVNHZAVCNFSM6AAAAABBEMODP6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMBSG4ZDCNBSHE.
You are receiving this because you commented.Message ID: @.***>
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you commented.Message ID: @.***>
— Reply to this email directly, view it on GitHubhttps://github.com/containrrr/watchtower/issues/1891#issuecomment-1903262858, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AI2CO7PCJ5QGRE62KBKC5BLYPXXLJAVCNFSM6AAAAABBEMODP6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMBTGI3DEOBVHA. You are receiving this because you commented.Message ID: @.***>
danst0
commented
10 months ago There is not package docker or docker-engine. reinstall did not work. Still looking for a solution.
lukaszzyla
commented
10 months ago Install Docker Engine on Ubuntu | Docker Docshttps://docs.docker.com/engine/install/ubuntu/
just follow the first commands to uninstall everything. do not forget sudo
for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do sudo apt-get remove $pkg; done
From: danst0 @.> Sent: 23 January 2024 9:01 PM To: containrrr/watchtower @.> Cc: lukaszzyla @.>; Comment @.> Subject: Re: [containrrr/watchtower] Stopping containers doesn't work on Ubuntu 23.10 (Issue #1891)
There is not package docker or docker-engine. reinstall did not work. Still looking for a solution.
— Reply to this email directly, view it on GitHubhttps://github.com/containrrr/watchtower/issues/1891#issuecomment-1906829496, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AI2CO7NH6C7YPEGMANQO423YQAJIVAVCNFSM6AAAAABBEMODP6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMBWHAZDSNBZGY. You are receiving this because you commented.Message ID: @.***>
AnthonySchuijlenburg
commented
10 months ago Doing the complete reinstall (but skipping the cleanup of old containers/images/volumes) worked for me.
danst0
commented
10 months ago Complete uninstall, reinstall didn't work here.
lukaszzyla
commented
10 months ago hi, sorry to hear that. This is strange, as we have the similar setup and similar problem. I am also on ubuntu 23.10 and it did the trick for me. are you sure you haven't tried other solutions that could have influenced your setup/config? maybe your problem is also connected to missing apparmor? Can you check sudo apparmor_status ? I can see that watchtower has docker-default profile defined in apparmor_status: 41 processes have profiles defined. 41 processes are in enforce mode. /watchtower (1480) docker-default I am not a specialist in linux but I remember I did install apparmor which I did not have before.
From: danst0 @.> Sent: 24 January 2024 8:54 PM To: containrrr/watchtower @.> Cc: lukaszzyla @.>; Comment @.> Subject: Re: [containrrr/watchtower] Stopping containers doesn't work on Ubuntu 23.10 (Issue #1891)
Complete uninstall, reinstall didn't work here.
— Reply to this email directly, view it on GitHubhttps://github.com/containrrr/watchtower/issues/1891#issuecomment-1908818474, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AI2CO7PJWVOPBBDUIIIL653YQFRHLAVCNFSM6AAAAABBEMODP6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMBYHAYTQNBXGQ. You are receiving this because you commented.Message ID: @.***>
danst0
commented
10 months ago root@cassius # apt list apparmor
Auflistung... Fertig
apparmor/mantic,now 4.0.0~alpha2-0ubuntu5 amd64 [installiert]Seems to be.
root@cassius4 /h/# apparmor_status | grep docker
docker-default
/package/admin/s6-2.11.3.2/command/s6-svscan (6499) docker-default
/package/admin/s6-2.11.3.2/command/s6-supervise (6586) docker-default
[...]I can't be of much help here. for me apt list states:
lukasz@chw-homeserver:~$ sudo apt list apparmor
Listing... Done
apparmor/mantic,now 4.0.0~alpha2-0ubuntu5 amd64 [installed,automatic]
`
[installed,automatic] - I have no clue why and if it does make any difference...
KingOperator
commented
10 months ago Hi, it stopped working for me since upgrading to Ubuntu 23.10 too. Reinstall didn't work as well. Tried:
sudo apt remove docker*
sudo apt autoremove
sudo apt install docker.io docker-compose-v2sudo apparmor_status | grep watchtower says: /watchtower (3014113) docker-default
apt list docker* apparmor* -i says:
apparmor/mantic,now 4.0.0~alpha2-0ubuntu5 amd64 [installiert]
docker-compose-v2/mantic,now 2.20.2+ds1-0ubuntu1 amd64 [installiert]
docker.io/mantic,now 24.0.5-0ubuntu1 amd64 [installiert]The file /etc/apparmor.d/docker doesn't exist.
LeGEC
commented
8 months ago As a temporary patch on my system, I disabled the apparmor rules for /usr/sbin/runc
Following the documentation to disable one single apparmor profile (link on help.ubuntu.com: Disable one profile ) :
sudo ln -s /etc/apparmor.d/usr.sbin.runc /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.runcdocker can now send signals to its containers.
re-activating is documented in the next paragraph in the page above:
sudo rm /etc/apparmor.d/disable/usr.sbin.runc
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.runcdocker stop will not be able to send a signal to its containers anymore.
(repost of my comment on the launchpad issue)
note: if anyone has a better fix (something that would only target the action of runc on docker containers for example ?) I'm interested
kprinssu
commented
6 months ago @LeGEC There has been some activity on the Launchpad Issue and the fixes have been merged in the upstream projects (Moby and containerd).
The fix that worked for me is to do the following:
/etc/apparmor.d/docker-default with the following contents:
#include <tunables/global>profile docker-default flags=(attach_disconnected,mediate_deleted) {
network, capability, file, umount,
signal (receive) peer=unconfined,
signal (receive) peer=unconfined,
signal (receive) peer=runc,
signal (send,receive) peer=docker-default,
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9/]}/ w, deny @{PROC}/sys/[^k] w, # deny /proc/sys except /proc/sys/k (effectively /proc/sys/kernel) deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]*} w, # deny everything except shm in /proc/sys/kernel/ deny @{PROC}/sysrq-trigger rwklx, deny @{PROC}/kcore rwklx,
deny mount,
deny /sys/[^f]*/ wklx, deny /sys/f[^s]*/* wklx, deny /sys/fs/[^c]/ wklx, deny /sys/fs/c[^g]*/* wklx, deny /sys/fs/cg[^r]/ wklx, deny /sys/firmware/ rwklx, deny /sys/devices/virtual/powercap/ rwklx, deny /sys/kernel/security/ rwklx,
ptrace (trace,read,tracedby,readby) peer=docker-default, }
2. Tell AppArmor to load the new profile via `apparmor_parser -Kr /etc/apparmor.d/docker-default`
ocampeau
commented
5 months ago I had a similar issue with a bare metal installation of Kubernetes. After upgrading to Ubuntu 23.10, my cluster was in a bad state and rebooting it with kubeadm failed with the same error:
runc did not terminate successfully: exit status 1: unable to signal init: permission deniedMy solution was not only to re-install containerd, which is the CRI I use, but to also delete all container mounts under /var/lib/containerd/k8s/.
Re-installing containerd was not enough. I had to delete all previous containers too.
Garfonso
commented
4 months ago @kprinssu Thank you very much for posting the solution here. First, it did not work for me, and I was a bit frustrated because I've been searching for months. I managed to look into the apparmor message about the denial today and saw that for me the peer is not runc but, for some reason, /usr/sbin/runc which seems to make a difference. So I adjusted the line with peer=runc to peer=/usr/sbin/runc.
Yay, finally. :-)
UladzimirTrehubenka
commented
3 months ago The issue: SIGTERM is not catched inside a container (Mint 22). Workaround: sudo systemctl stop apparmor && sudo systemctl disable apparmor && reboot.
Liamlu28
commented
2 months ago It happens on Ubuntu 24.04(Kubeneters 1.30). But I never test on new versions.
ln -s /etc/apparmor.d/runc /etc/apparmor.d/disable/
apparmor_parser -R /etc/apparmor.d/runc
Sommerbo
commented
1 month ago I fixed it by running aa-remove-unknown. For some reason AppArmor's "learning" is pretty junky and sometimes learns very odd things. Or at least that is my take on it.
And to be clear this is an AppArmor flaw/fault, watchtower just happened to trigger it. I am betting reinstalling triggers a cleanup of the AppArmor rules.
ChristophNow
commented
1 month ago I have the same error
4NE3Q
commented
1 week ago The issue seems to be on ubuntu release greater than 22.04. I have created a Kubernetes cluster on ubuntu 24.04 and I'm facint this issue. I do a new deployment and the previous one's pods won't terminate. Logs below if anyone can help me. My Kubernetes is on Ubuntu 24.04.
Warning FailedKillPod 3m48s (x14 over 13m) kubelet error killing pod: [failed to "KillContainer" for "redacted" with KillContainerError: "rpc error: code = Unknown desc = failed to kill container "98837f85dacd8fdce140338e77f0b8cd2439b4c0e9c901d9fc6467c24d428db0": unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied\n: unknown", failed to "KillPodSandbox" for "67d219c5-00dc-4405-840f-148bd60d32d2" with KillPodSandboxError: "rpc error: code = Unknown desc = failed to stop container "98837f85dacd8fdce140338e77f0b8cd2439b4c0e9c901d9fc6467c24d428db0": failed to kill container "98837f85dacd8fdce140338e77f0b8cd2439b4c0e9c901d9fc6467c24d428db0": unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied\n: unknown"]
Garfonso
commented
1 week ago after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied
You probably also need to adjust the apparmor profile, like so many of us. Read this post and the linked issue. It explains what you can do.
4NE3Q
commented
1 week ago after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied
You probably also need to adjust the apparmor profile, like so many of us. Read this post and the linked issue. It explains what you can do.
I tried that but that didn't help.
JingshanDu
commented
3 days ago I fixed it by running
aa-remove-unknown. For some reason AppArmor's "learning" is pretty junky and sometimes learns very odd things. Or at least that is my take on it. And to be clear this is an AppArmor flaw/fault, watchtower just happened to trigger it. I am betting reinstalling triggers a cleanup of the AppArmor rules.
This quick fix worked for me. Thank you! -- Ubuntu 24.04.1 LTS
Describe the bug
Several weeks ago I noticed errors from watchtower when updating other containers. At first I thought the container was taking too long to exit, so I added a --stop-timeout=60s to the watchtower command, but that didn't help. Looking more info the logs, I see that it gets the error right way after trying to stop the container. This happens when trying to update different containers. I can manually restart then just fine.
Not certain, but this issue might have started after upgrading from Ubuntu 23.04 to Ubuntu 23.10. Or possibly after the most recent watchtower update
Steps to reproduce
Additional context
No response