dokuwiki / docker

The official Docker image for DokuWiki
https://hub.docker.com/r/dokuwiki/dokuwiki

Can't stop container in rootless mode #8

Closed notalexnot closed 2 weeks ago

notalexnot commented 1 month ago

Hey!

I'm using DokuWiki in rootless mode, which works great now, without any file reading/writing problems, but I've encountered that I cannot stop the container without having to use docker kill or restarting the Docker daemon.

If I run docker stop dokuwiki I get the error: Error response from daemon: cannot stop container: dokuwiki: permission denied. Sadly, this means that I can't update the container without having to forcefully kill it nor use Watchtower with it.

The container has the usual processes of any container and the users: root and www-data that other containers I run also have without causing any problems.

I don't seem to be able to get any logs showing errors and the permissions don't look too weird, so I'm not sure where to look, but I suspect the owner of some process may be at fault.

I'd be glad if you could help me with this, in case it's fixable. Thanks for reading and for this good project! (it's the only wiki I can run with almost zero issues) :)

splitbrain commented 1 month ago

What's the exact command you're starting the container with?

notalexnot commented 1 month ago

I use docker compose up -d and I don't use the flag user: 1000:1000 in my compose file, since it caused file permission issues.

splitbrain commented 1 month ago

What's your exact compose file then? And as which user (uid) are you running docker compose?

notalexnot commented 1 month ago

This is my docker-compose.yml:

services:
  dokuwiki:
    container_name: dokuwiki
    image: dokuwiki/dokuwiki:stable
    restart: 'unless-stopped'
    networks:
      - default
    #user: "1000:1000"
    ports:
      - "8080:8080"
    environment:
      PHP_TIMEZONE: America/Monterrey
      PUID: 1000
      PGID: 1000

    volumes:
      - ./storage:/storage:rw

networks:
  default:
    external: true
    name: proxynet

I'm running the container as my user: 1000 and group: 1000 also.

splitbrain commented 1 month ago

Using exactly that config (except that I commented out the "external: true" for the network), it seems to work just fine for me:

$ docker compose up -d
[+] Running 2/2
 ✔ Network proxynet    Created                                                                                           0.1s 
 ✔ Container dokuwiki  Started                                                                                           0.5s 
$ docker compose ps
NAME       IMAGE                      COMMAND                  SERVICE    CREATED          STATUS         PORTS
dokuwiki   dokuwiki/dokuwiki:stable   "/dokuwiki-entrypoin…"   dokuwiki   10 seconds ago   Up 9 seconds   80/tcp, 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp
$ docker compose stop
[+] Stopping 1/1
 ✔ Container dokuwiki  Stopped                                                                                           1.3s 
$ id
uid=1000(andi) gid=100(users) groups=100(users),7(lp),14(uucp),50(games),90(network),91(video),92(audio),93(optical),94(floppy),95(storage),96(scanner),97(input),98(power),108(vboxusers),142(docker),1000(android),1001(roccat)
$ docker --version
Docker version 27.0.3, build 7d4bcd863a

notalexnot commented 1 month ago

Hmm, I'll try to recreate the container from scratch to see if there is a conflict with my previous configurations.

notalexnot commented 1 month ago

Tried again and it didn't work. I also cannot delete the storage directory that is created, but the container can write and read in there perfectly.

I thought about the Docker daemon and the rootlesskit being misconfigured or bugged, but I don't have problems with other containers. Is there another way for me to get logs or more information to try to find the cause?

splitbrain commented 2 weeks ago

I think your premise is wrong. When you uncomment the user line, the container will start as root. Apache will drop privileges to UID:GID 33:33 then. This might cause the issue of you not being able to stop it, since your ID is a different one than 33. Adjust the user to match your own ID:GID.
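
Added example, not part of the thread or the project's code: under rootless Docker, container UID 0 maps to the host user running the daemon, and every other container UID maps into that user's /etc/subuid range, which is why files written by UID 33 (or by PUID 1000) inside the container are owned on the host by an ID that is not yours. The helper name, the user names and the subuid content are constructed, and it assumes a single subuid range per user.

```shell
#!/bin/sh
# Map a container UID to the host UID it appears as under rootless Docker.
# Assumption: the usual rootless mapping, i.e. container UID 0 -> the host
# user running the daemon, container UIDs 1..N -> that user's first
# /etc/subuid range (start .. start+N-1).

# Constructed sample /etc/subuid content (not taken from the issue).
SAMPLE_SUBUID='andi:165536:65536
alex:100000:65536'

# host_uid_for SUBUID_TEXT USER HOST_UID CONTAINER_UID
# Prints the host UID; returns 1 if no usable subuid range exists,
# 2 if CONTAINER_UID is not a non-negative integer.
host_uid_for() {
    subuid_text=$1; user=$2; host_uid=$3; cuid=$4
    case $cuid in
        ''|*[!0-9]*) echo "bad container uid: $cuid" >&2; return 2 ;;
    esac
    # Container root is the unprivileged host user itself.
    if [ "$cuid" -eq 0 ]; then
        echo "$host_uid"
        return 0
    fi
    # /etc/subuid entries are name-or-uid:start:count.
    printf '%s\n' "$subuid_text" | awk -F: -v u="$user" -v id="$host_uid" -v c="$cuid" '
        ($1 == u || $1 == id) {
            if (c + 0 <= $3 + 0) { print $2 + c - 1; found = 1 }
            exit
        }
        END { if (!found) exit 1 }'
}

# Example: where do container root, www-data (33) and PUID 1000 land
# for host user "alex" (uid 1000)?
for c in 0 33 1000; do
    printf 'container uid %s -> host uid %s\n' "$c" \
        "$(host_uid_for "$SAMPLE_SUBUID" alex 1000 "$c")"
done
```

On a real host, compare the result with the numeric owner shown by ls -ln ./storage and with the mapping in /proc/self/uid_map read from inside the container.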